Wednesday, September 9, 2015

Simple Example Of Encoded Mimikatz - UPX Packed, Base64 Encoded.

This image has Mimikatz embedded inside it. It can be used to smuggle files past network-based executable monitoring tools: tools that search for and detonate executable content off the wire.

Here's how it works...

The file is appended to a traditional PNG file. Mimikatz begins at offset 0x247f.
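As an added example that is not part of the original post, a defender-side check in Python (rather than the PowerShell exercise the post suggests) that walks the PNG chunk list to the IEND chunk, reports the offset where appended data starts, and tests whether that trailer base64-decodes to bytes beginning with an MZ header. The sample PNG and the stand-in payload bytes are constructed inline, not the post's image.

```python
# Added example (not the post's code): locate bytes appended after a PNG's IEND
# chunk and test whether they base64-decode to an MZ/PE image. Sample data is constructed.
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length/type header + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")

def find_appended_payload(data: bytes):
    """Return (offset, decoded) when trailing data base64-decodes to bytes
    starting with 'MZ'; (offset, None) for other trailing data; None if clean."""
    end = png_end_offset(data)
    trailer = data[end:].strip()
    if not trailer:
        return None
    try:
        decoded = base64.b64decode(trailer, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return end, None
    return end, (decoded if decoded.startswith(b"MZ") else None)

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample(payload: bytes) -> bytes:
    """Constructed 1x1 greyscale PNG with base64(payload) appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png + base64.b64encode(payload)

# Stand-in header bytes only, not an executable: "MZ" DOS stub start + PE marker.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"

if __name__ == "__main__":
    print(find_appended_payload(build_sample(FAKE_PE)))
```

A real image would carry a much larger trailer; the same walk-to-IEND check applies, and the reported offset can be compared against the offsets the post quotes.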

As an exercise, you can write a PowerShell script that will download, unpack and execute the file.

The Hash of the image should be


You could, oh, I don't know... Set this as your Wallpaper for safekeeping.

Update: PowerShell Script

Update 2: Full Unpacked Base64-Encoded Mimikatz at Offset 0xc8ec

SHA256: 402a67413f745cdf397130acb0cff05302e4c88bc3b64bfd432bcc8dbc829947


