Barkly vs Malware
Rick Correa
Jan 2017

Using PowerShell to Bypass Antivirus: Mimikatz and "Mimidogz"

Black Hills researcher shows how even the simplest disguises can be enough to bypass AV.

Updated 12/7/17: Mimikatz author Benjamin Delpy let us know that a landing page hosting the video in this post incorrectly identified Mimikatz as malware that Barkly blocked. This is obviously not true. Mimikatz is a penetration testing tool. Barkly blocks a specific use of Mimikatz as outlined in the post below.

There's an interesting post by Carrie Roberts over at the Black Hills infosec blog that highlights the potency of PowerShell-based attack tools, specifically a variation of the credential-gathering tool Mimikatz.

As she points out, it's a great reminder of how easy it is to evade antivirus signatures simply by making slight, superficial changes, and why you really can't rely solely on antivirus for protection.

Below you'll find more details on the experiment she ran, plus a quick test of my own it inspired me to run.

Bypassing antivirus with a PowerShell script version of Mimikatz

In her post, Carrie explains how she starts her experiment by attempting to run the PowerShell script "Invoke-Mimikatz," sourced from the open source project PowerSploit. The script provides the same functionality as Mimikatz without relying on an executable, which understandably has folks worried.

Mimikatz has been around a while and is beloved in the penetration testing community. Unfortunately, it has been abused by attackers quite often, too (incident response company CrowdStrike has noted that it has been found in nearly all of their investigations, including last summer's DNC hack). It was originally written as an executable and companion DLLs, and most AVs are pretty good at detecting it.

What is Mimikatz?

A tool that's been called the "Swiss Army knife of Windows credential gathering". It bundles together several post-exploitation tasks that can allow testers and attackers to gain a stronger foothold and spread around a compromised network. One of its primary functions is dumping credentials, including plaintext passwords, from the Windows Local Security Account database (LSASS).

As the blog post details, simply switching the functionality from an executable to PowerShell is enough to prevent several AVs from detecting it (only 19 out of 54 catch it).

[Figure: Mimikatz PowerShell AV detection ratio. Source: Black Hills Information Security]

Then, to bring the detection ratio down even further, she demonstrates that all she needs to do is make small, superficial changes to the script that don't impact its functionality. Ex: changing "Invoke-Mimikatz" to "Invoke-Mimidogz" ;-)

With every tweak she makes, the number of antivirus solutions that detect the script as malicious goes down.

Fairly quickly she ends up with a version of Mimikatz that runs with zero AV detection, all from simply renaming the script to "Dogz", removing comments, and changing a few words around.

[Figure: Mimidogz AV detection ratio. Source: Black Hills Information Security]


A killer case for blocking malware based on behavior instead of file attributes

What I love about this experiment is how clearly it makes the case for moving beyond looking at file attributes as the sole indicators of whether a file is malicious.

This is just one example of how easy it is for attackers to get around that approach to protection, and it's validation of the approach we're taking here at Barkly to provide additional runtime protection that fills that gap.

Since Barkly looks at system behaviors rather than individual file attributes, it isn't fooled by changes to source code, the hash, filenames, restructuring code, or dressing a "katz" to look like a "dogz". To prove that out, I decided to replicate and test the Mimidogz script against Barkly to see if we stopped it (spoiler alert: we do!).

[Video: Barkly Blocks Mimikatz]



In this case, it can be Mimikatz, Mimidogz, MimiNarwhalz; it doesn't matter. When it tries to interact with the system in a malicious way, we stop it.
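As an added illustration (my own, not code from Carrie's post or from Barkly's product) of why file attributes fail where behavior holds: a Python script that runs a hash-and-string signature over two constructed script stand-ins, then runs a behavioral rule over constructed Sysmon Event ID 10 (ProcessAccess) lines. The script text, paths, access masks and the process allowlist are all made-up stand-ins for the demo.

```python
import hashlib
import re

# Constructed stand-ins for the two script variants (not real Mimikatz code):
# the original, and the renamed "Mimidogz" copy with its comment stripped.
SCRIPT_KATZ = "# Invoke-Mimikatz wrapper\nfunction Invoke-Mimikatz { param($Command) }\n"
SCRIPT_DOGZ = "function Invoke-Mimidogz { param($Command) }\n"

# File-attribute signatures: a known-bad SHA-256 plus a known-bad literal string.
KNOWN_BAD_HASHES = {hashlib.sha256(SCRIPT_KATZ.encode()).hexdigest()}
KNOWN_BAD_STRINGS = ("Invoke-Mimikatz",)

def attribute_detect(script: str) -> bool:
    """Signature-style check: fires only on an exact hash or a literal string."""
    digest = hashlib.sha256(script.encode()).hexdigest()
    return digest in KNOWN_BAD_HASHES or any(s in script for s in KNOWN_BAD_STRINGS)

# Whatever the script is called, dumping credentials means the PowerShell host
# opening lsass.exe with PROCESS_VM_READ, which Sysmon records as Event ID 10.
PROCESS_VM_READ = 0x0010
# Placeholder allowlist of processes that legitimately read LSASS; tune per environment.
ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "MsMpEng.exe"}

# Constructed Sysmon ProcessAccess lines (paths and masks made up for the demo).
EVENTS = [
    # Invoke-Mimikatz run from powershell.exe
    "EventID=10 SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    # Invoke-Mimidogz run: the file changed, the behavior did not
    "EventID=10 SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    # AV engine reading LSASS: same access right, but an allowlisted source
    "EventID=10 SourceImage=C:\\Defender\\MsMpEng.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410",
]

def parse_event(line: str) -> dict:
    """Turn space-separated Key=Value pairs into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def behavior_detect(line: str) -> bool:
    """Behavioral check: a non-allowlisted process reading LSASS memory."""
    ev = parse_event(line)
    target = ev.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    source = ev.get("SourceImage", "").rsplit("\\", 1)[-1]
    access = int(ev.get("GrantedAccess", "0"), 16)
    return target == "lsass.exe" and source not in ALLOWED_SOURCES and bool(access & PROCESS_VM_READ)

def scan_events(lines) -> list:
    """Apply the behavioral rule to every line; order is preserved."""
    return [behavior_detect(line) for line in lines]
```

The signature catches only the unmodified script, while the behavioral rule fires on both runs because the LSASS access is identical whatever the file is named.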

Thanks to Carrie and the Black Hills team for another interesting post on what we think is a really great blog. To learn more about our approach to runtime malware defense, see how Barkly works here.

Rick Correa

Rick is a Principal Malware Researcher at Barkly. He has over 13 years experience working in computer security research and development including malware analysis, embedded systems, and wired/wireless networking.
