
Stopping PowerShell Attacks that Bypass Antivirus: Mimikatz and "Mimidogz"


Black Hills researcher shows how even the simplest disguises can be enough to bypass AV.

There's an interesting post by Carrie Roberts over at the Black Hills Information Security blog that highlights the danger of PowerShell-based attack tooling, specifically a PowerShell port of the credential-dumping tool Mimikatz.

As she points out, it's a great reminder of how easy it is to evade antivirus signatures with slight, superficial changes to a script, and why antivirus cannot be the only layer of protection you rely on.

Below you'll find more details on the experiment she ran, plus a quick test of my own it inspired me to run.

Bypassing antivirus with a PowerShell script version of Mimikatz

In her post, Carrie starts her experiment by running the PowerShell script Invoke-Mimikatz from the open source PowerSploit project. The script reflectively loads Mimikatz into memory from PowerShell and provides the same functionality without ever writing a Mimikatz executable to disk, which understandably has defenders worried.

Mimikatz has been around for years and is widespread (incident response company CrowdStrike has noted that it turns up in nearly all of its investigations, including last summer's DNC hack). It was originally written as an executable with companion DLLs, and most AV products are good at detecting those binaries.

What is Mimikatz?

A tool that's been called the "Swiss Army knife of Windows credential gathering". It bundles together several post-exploitation tasks that allow attackers to strengthen their foothold and spread across a compromised network. One of its primary functions is dumping credentials, including plaintext passwords, NTLM hashes and Kerberos tickets, from the memory of the Local Security Authority Subsystem Service process (lsass.exe).


As the post details, simply delivering the same functionality as a PowerShell script instead of an executable is enough to slip past most of the 54 AV engines tested: only 19 of them flag the unmodified Invoke-Mimikatz script.

[Figure: AV detection ratio for the unmodified Invoke-Mimikatz script, 19 of 54 engines. Source: Black Hills Information Security]


Then, to push the detection ratio down even further, she shows that all it takes is a series of small, superficial edits that don't change what the script does: renaming "Invoke-Mimikatz" to "Invoke-Mimidogz", for example ;-)

With every tweak she makes, the number of antivirus solutions that flag the script as malicious drops.

Fairly quickly she ends up with a fully functional version that no AV engine detects, achieved by nothing more than renaming "katz" to "dogz", removing comments and changing a few other words around.

[Figure: AV detection ratio for the renamed "Mimidogz" script, zero detections. Source: Black Hills Information Security]
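To make the mechanics of the experiment concrete, here is an added example (written for this page; it is not Barkly's code and not Black Hills' or PowerSploit's Invoke-Mimikatz source). It builds a constructed stand-in script that only imitates the shape of a PowerShell in-memory loader, applies the same class of edits the post describes (rename the function and namespace, strip comments) plus one further step the post does not take (splitting the command string so the literal never appears on disk, an assumption about an attacker's natural next move), and runs three kinds of static check against each stage: a file hash, literal string signatures, and a structural "loader shape" indicator.

```python
import base64
import hashlib
import re

# Constructed stand-in for a PowerShell in-memory loader. It imitates only the
# *shape* of such a script (P/Invoke declarations, a large base64 blob, a
# credential-dump command string) and carries no payload: the "PE" is an MZ
# header followed by null bytes. It is NOT PowerSploit's Invoke-Mimikatz source.
FAKE_PE_B64 = base64.b64encode(b"MZ" + b"\x00" * 118).decode()

ORIGINAL = f'''# Invoke-Mimikatz: reflectively loads Mimikatz into memory
function Invoke-Mimikatz
{{
    [CmdletBinding()]
    Param([String]$Command = "privilege::debug sekurlsa::logonpasswords")
    # Win32 API declarations used to map and run the PE in memory
    $Win32 = Add-Type -Namespace Mimikatz -Name Win32 -PassThru -MemberDefinition @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, uint t, uint p);
[DllImport("kernel32.dll")] public static extern IntPtr GetProcAddress(IntPtr m, string n);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr a, uint s, IntPtr f, IntPtr p, uint c, IntPtr i);
"@
    $PEBytes64 = "{FAKE_PE_B64}"
    Write-Verbose "Mimikatz loaded, running: $Command"
}}
'''


# --- The "Mimidogz" style edits: none of them change what the script does ---

def rename(script, old="Mimikatz", new="Mimidogz"):
    """Rename the function, namespace and messages: katz -> dogz."""
    return script.replace(old, new)


def strip_comments(script):
    """Drop whole-line PowerShell '#' comments."""
    kept = [l for l in script.splitlines() if not l.lstrip().startswith("#")]
    return "\n".join(kept) + "\n"


def split_command_string(script):
    """Assumed extra step beyond the post: build the Mimikatz command at runtime
    so the literal 'sekurlsa::logonpasswords' never appears in the file."""
    return script.replace(
        '"privilege::debug sekurlsa::logonpasswords"',
        '("privilege::debug " + "sekurl" + "sa::logonpasswords")')


# --- Three static checks a file-attribute scanner might run ---

def sha256(script):
    return hashlib.sha256(script.encode()).hexdigest()


ORIGINAL_HASH = sha256(ORIGINAL)
NAME_SIGS = ["Invoke-Mimikatz", "Namespace Mimikatz"]   # keyed on the tool's name
PAYLOAD_SIGS = ["sekurlsa::logonpasswords"]             # keyed on what it asks for


def hash_match(script):
    return sha256(script) == ORIGINAL_HASH


def literal_match(script, sigs):
    return any(s in script for s in sigs)


# Structural indicator: P/Invoke of memory-allocation and thread-creation APIs
# next to a large base64 blob is the shape of a reflective loader, whatever the
# function happens to be called.
PINVOKE = re.compile(
    r'DllImport\("kernel32\.dll"\)[^\n]*\b(VirtualAlloc|CreateThread|GetProcAddress)\b')
B64_BLOB = re.compile(r'"[A-Za-z0-9+/]{100,}={0,2}"')


def loader_shape(script):
    apis = set(PINVOKE.findall(script))
    return {"VirtualAlloc", "CreateThread"} <= apis and B64_BLOB.search(script) is not None


def run_experiment():
    """Apply the edits cumulatively and record which checks still fire."""
    stages = {"original": ORIGINAL}
    stages["renamed"] = rename(ORIGINAL)
    stages["renamed+stripped"] = strip_comments(stages["renamed"])
    stages["renamed+stripped+split"] = split_command_string(stages["renamed+stripped"])
    return {
        name: {
            "hash": hash_match(s),
            "name_sig": literal_match(s, NAME_SIGS),
            "payload_sig": literal_match(s, PAYLOAD_SIGS),
            "loader_shape": loader_shape(s),
        }
        for name, s in stages.items()
    }


if __name__ == "__main__":
    for stage, hits in run_experiment().items():
        print(f"{stage:26s} " + "  ".join(f"{k}={v}" for k, v in hits.items()))
```

The hash check dies on the first edit and the name-based signatures die with it; a signature keyed on the Mimikatz command string survives the post's edits but not the trivial string split. The structural indicator survives all three, which is why detections keyed on what a script needs to do (P/Invoke of VirtualAlloc and CreateThread beside a large embedded blob) hold up better than detections keyed on what it is called. It is still a static check, though: an attacker can build those API names at runtime too, or load the payload a different way. The only thing none of these edits can touch is what the script does once it runs, which is the argument the rest of this post makes.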


A killer case for blocking malware based on behavior instead of file attributes

What I love about this experiment is how clearly it makes the case for moving beyond looking at file attributes as the sole indicators of whether a file is malicious.

This is just one example of how easy it is for attackers to get around that approach to protection, and it validates the approach we're taking here at Barkly: adding runtime protection that fills the gap file-based detection leaves.

Since Barkly looks at system behaviors rather than individual file attributes, it isn't fooled by malware authors changing the source code, the hash or the filenames, restructuring code, or dressing a "katz" up to look like a "dogz". To prove that out, I decided to replicate and test the Mimidogz script against Barkly to see if we stopped it (spoiler alert: we do!).

It can be Mimikatz, Mimidogz or MimiNarwhalz; it doesn't matter. When it tries to interact with the system in a malicious way, we stop it.

Thanks to Carrie and the Black Hills team for another interesting post on what we think is a really great blog. To learn more about our approach to runtime malware defense, see how Barkly works here.
