Wednesday, September 9, 2015

Simple Example Of Encoded Mimikatz - UPX Packed, Base64 Encoded.


This image has Mimikatz embedded inside it. It can be used to smuggle files past network-based executable monitoring tools, i.e. tools that search for and detonate executable content off the wire.

Here's how it works...

The file is appended to the end of a normal PNG file. Mimikatz begins at offset 0x247f.
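From the defender's side, the thing to check for is exactly this layout: a PNG is supposed to end at its IEND chunk, so any bytes after it are a trailer worth inspecting. The following Python check is an added example (not part of the original post) that walks the PNG chunk table, reports the trailer offset, and gives a rough hint about what the trailer looks like; the carrier PNG and the trailer are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
B64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\r\n")

def trailing_data_offset(data: bytes):
    """Offset of the first byte after IEND, or None if not a PNG / no trailer."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header at offset 0x%x" % pos)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if chunk_end > len(data):
            raise ValueError("chunk %r at 0x%x overruns the file" % (ctype, pos))
        pos = chunk_end
        if ctype == b"IEND":
            return pos if pos < len(data) else None

def describe_trailer(data: bytes):
    """Return {'offset', 'size', 'hint'} for appended bytes, or None if clean."""
    offset = trailing_data_offset(data)
    if offset is None:
        return None
    trailer = data[offset:]
    if trailer.startswith(b"MZ"):
        hint = "PE (MZ header)"       # raw executable appended
    elif set(trailer) <= B64_ALPHABET:
        hint = "base64-like"          # encoded variant, as in the post
    else:
        hint = "unknown"
    return {"offset": offset, "size": len(trailer), "hint": hint}

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))

def make_minimal_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as the clean carrier for testing."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
```

Run `describe_trailer()` over a suspect image: a clean file returns None, while a file built like the one in this post reports the trailer offset and a base64-like hint.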

As an exercise, you can write a PowerShell script that will download, unpack and execute the file.

The hashes of the image should be:

SHA1:6ad4894b31f8b85361fdaa18b6e5b8c3a3ec0b1a
SHA256:afc01576b3990217a98edc82488508134ba57986c73bc93381398703e5f8a19b

You could, oh, I don't know... Set this as your Wallpaper for safekeeping.

Update: PowerShell Script

Update 2: Full Unpacked Base64-Encoded Mimikatz at Offset 0xc8ec

SHA256: 402a67413f745cdf397130acb0cff05302e4c88bc3b64bfd432bcc8dbc829947



Cheers,

Casey
@subTee