Do mysteries really exist?

Some say maybe; others aren't so sure.

A Mimikatz Post-Mortem

Wherein mimikatz is wearing a too-small mimikatz costume when it is apprehended by law enforcement.

Investigators Ask Pressing Questions

What modifications will get an official release of mimikatz past Defender in late 2021? What about Defender for Endpoint?

The Trial

The test cases were:

  1. mimikatz.exe => upx
  2. mimikatz.exe => donut => C++ wrapper => gcc
  3. mimikatz.exe => donut => C++ wrapper => gcc => upx

upx is a binary "packer" that has been around for a long time. It compresses an executable to reduce its size, changing most of its bytes in the process.

donut can be used to generate position-independent code from various input types, including the Portable Executable (PE) format.

I made costume_world to ease the process of generating test cases. Each resulting executable was downloaded via curl in PowerShell and initially dropped to a Defender-excluded folder before being moved to a non-excluded folder.

The Verdict

Regular Defender

  • Any use of upx to pack an executable resulted in Defender catching it on disk as "Trojan:Win32/Wacatac.B!ml" (test cases 1 and 3).
  • Using donut was enough to allow the executable to touch disk, run, and dump logon passwords (test case 2).
  • Again, though donut was sufficient on its own, using donut followed by upx resulted in the "Wacatac" signature (test case 3).

Defender for Endpoint

mimikatz was always caught.

  • Even when run from a Defender-excluded folder, test case 1 was detected on execution as "HackTool:Win32/Mimikatz.D".
  • Test cases 2 and 3 were detected on disk as "VirTool:Win32/Wovdnut.gen!B".

Poking at UPX

Across the test cases, regular Defender either caught mimikatz on disk or did not catch it at all, and upx was the common element whenever it was caught.

Regular Defender thought a upx-packed C++ hello world was "Trojan:Win32/Wacatac.B!ml" as well, so it's safe to say the signature has to do with upx rather than mimikatz. But I wondered just how much upx changed its input binary.

As seen with the strings utility, a upx-packed hello world executable still contained "Hello World". So does a upx-packed mimikatz still contain the string "mimikatz"? Yes.

On the other hand, Defender for Endpoint didn't care about a upx-packed C++ hello world executable.
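The two observations above (upx leaves the UPX section names in the PE header, and the "mimikatz" string survives packing) are the kind of static indicators a triage script can check without running anything. The following is an added example written for this post, not code from the original or from upx/donut; the PE parsing follows the standard header layout, and the sample binaries are constructed header-only blobs, not real packed files.

```python
"""Static triage: list a PE's section names, flag UPX-style naming, and check
whether a plaintext marker string survived packing.  Added example, not from
the original post."""
import re
import struct


def pe_section_names(data: bytes) -> list[str]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_hdr_size     # section table follows the optional header
    names = []
    for i in range(num_sections):          # 40-byte section headers, 8-byte names
        raw = data[table + 40 * i:table + 40 * i + 8]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Rough equivalent of the `strings` tool for ASCII runs."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes, marker: bytes = b"mimikatz") -> dict:
    """Report UPX section naming and whether the marker is still in the clear."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_sections": any(n.upper().startswith("UPX") for n in names),
        "marker_in_clear": any(marker.decode() in s for s in printable_strings(data)),
    }


def build_sample_pe(section_names: list[str], payload: bytes) -> bytes:
    """Constructed minimal PE-shaped blob (headers only, no code) for offline tests."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + secs + payload


# Constructed stand-ins: a "packed" build with UPX0/UPX1 sections and a surviving
# marker string, and a plain build with the usual section names.
PACKED_SAMPLE = build_sample_pe(["UPX0", "UPX1", ".rsrc"], b"\x90\x90mimikatz\x00")
UNPACKED_SAMPLE = build_sample_pe([".text", ".rdata", ".data"], b"Hello World\x00")
```

Against a real upx output the same checks apply unchanged; the constructed samples only stand in for the header layout and string content the post describes.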

A Predictable End to a Banal Courtroom Procedural