This short article presents an update to the script built on the excellent Black Hills article: "naive" or laxly configured anti-virus often relies on static signatures, which can be circumvented easily, as demonstrated in the original article.
During a recent internal pentest, our auditor retested this technique against a recent version of Windows Defender that was configured too permissively, and managed to bypass it and run their modified version of the offensive script.
The issue
The initial script was released in January 2017. When the pentester tried to run the modified Invoke-Mimikatz PowerShell code, the following error was returned:
Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
A quick search turned up an easy fix for Invoke-Mimikatz: https://github.com/mitre/caldera/issues/38#issuecomment-396055260 (Type.GetMethod(name) throws "Ambiguous match found" when the type exposes more than one method with that name, so the call has to select a single overload explicitly).
Furthermore, the original Black Hills script replaces the strings detected by Defender with other fixed strings; once such a modified copy circulates, those replacement strings become signatures in their own right. The consultant therefore modified the script to generate a new random sequence of characters on each execution. Note that this only defeats static string matching, which is why the permissive configuration of the tested Defender instance matters.
The script
The following script is a simple update of the original that addresses the problems the pentester encountered during the engagement.
🛡️ DSecBypass supports you with your internal penetration tests. Do not hesitate to contact us for additional information and/or a personalized quote 📝.