Execute Mimikatz with different technique.
This PoC illustrate different technique to successfully excute Mimikatz with process injection:
- Embed Mimikatz as C# class, Mimikatz is converted to shellcode and converted to 3 digits format
- Each syscall is obfuscated
- Use C# Console.WriteLine to masquerade our intention
BEFORE COMPILING, IF ONE CHANGE SOURCE CODE, REMEMBER TO CHANGE: int idx = 0x4aa73; the idx represent the index where Mimikatz begins Compile as .dll use https://github.com/mobdk/compilecs Compile as .exe change DllMain to Main and: csc.exe /platform:x64 /target:exe /unsafe winboost.cs
Works on Windows 10 64bit build 20H2
Execution:
Start one new cmd like this:
cmd version
from another run rundll32 winboost.dll,DllMain
ZwGetNextProcess is used to find process cmd.exe with argument version, ZwGetNextThread is used after the right PID is found.