Unloading AV from Windows 10

Recently a new feature was shown in Mimikatz 2.1.1 that is able to remove process protection (usable for unloading AV).

I have run the above test against a fully patched Windows 10 x64 build 10.0.15063, but unfortunately mimidrv.sys gets flagged immediately by AV (even if you get mimikatz.exe past it), and you need a signed driver to load on x64.
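The two facts above, that the driver is what gets caught and that x64 only loads signed drivers, are also what a defender should key on: a kernel driver load is a rare, high-value event, and "signed" is not the same as "trusted". The following is an added detection example, not code from the post or from the Mimikatz project. It parses Sysmon Event ID 6 (DriverLoad) records, whose real fields include ImageLoaded, Hashes, Signed, Signature and SignatureStatus, and flags loads by a known tool driver name (mimidrv.sys, taken from the post), loads that are unsigned or carry an invalid signature, loads signed by a publisher outside a trusted-signer allowlist, and loads from outside the standard driver directories. The sample records, the hash values, the signer name PLACEHOLDER-SIGNER, the trusted-signer list and the standard-path list are all constructed assumptions to tune for your own estate.

```python
"""Flag suspicious kernel driver loads from Sysmon Event ID 6 (DriverLoad) records.

Added example; the sample events below are constructed, not a real capture.
"""
import ntpath

# Driver file names known to belong to offensive tooling (mimidrv.sys is the one
# named in the post; extend with your own threat-intel list).
KNOWN_TOOL_DRIVERS = {"mimidrv.sys"}

# Publishers you expect to see signing drivers on these hosts (assumed allowlist).
TRUSTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Where drivers normally live on a Windows 10 host (assumed; lower-case prefixes).
STANDARD_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed sample: three Sysmon Event ID 6 records rendered as "Key: value" lines,
# one blank line between events, as a SIEM text export might show them.
SAMPLE_EVENTS = """\
UtcTime: 2017-04-01 10:00:01.000
ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys
Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000001
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

UtcTime: 2017-04-01 10:05:42.000
ImageLoaded: C:\\Users\\lab\\Desktop\\mimidrv.sys
Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000002
Signed: true
Signature: PLACEHOLDER-SIGNER
SignatureStatus: Valid

UtcTime: 2017-04-01 10:07:13.000
ImageLoaded: C:\\Temp\\helper.sys
Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000003
Signed: false
Signature: -
SignatureStatus: Unavailable
"""


def parse_events(text):
    """Split 'Key: value' blocks separated by blank lines into a list of dicts."""
    events, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")  # first colon only; paths keep theirs
        if sep:
            current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def assess(event):
    """Return the list of reasons a DriverLoad event looks suspicious (empty = clean)."""
    reasons = []
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()

    if name in KNOWN_TOOL_DRIVERS:
        reasons.append("known-tool-driver-name")

    # Unsigned drivers cannot normally load on x64 at all; seeing one means either
    # test-signing/DSE was weakened or the telemetry is worth a closer look.
    signed = event.get("Signed", "").lower() == "true"
    if not signed or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned-or-invalid-signature")
    elif event.get("Signature") not in TRUSTED_SIGNERS:
        # Validly signed, but not by a publisher we expect: signed != trusted.
        reasons.append("signed-by-untrusted-publisher")

    if not image.lower().startswith(STANDARD_DRIVER_DIRS):
        reasons.append("non-standard-load-path")
    return reasons


def find_suspicious(text):
    """Parse the export and return (image path, reasons) for every flagged load."""
    hits = []
    for event in parse_events(text):
        reasons = assess(event)
        if reasons:
            hits.append((event.get("ImageLoaded", ""), reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(reasons)}")
```

The tcpip.sys record passes every rule; the mimidrv.sys record is flagged three times (name, unexpected signer, user-writable path) even though it is validly signed; the unsigned helper.sys record is flagged for its signature state and path. Feeding this the real Event ID 6 stream gives you the alert the post's own AV raised, but on every driver rather than only the ones the vendor already knows.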

I have obfuscated mimikatz via the following procedure:

https://astr0baby.wordpress.com/2017/03/28/mimikatz-2-1-1-powershell-generator/

My old, ancient way still works. Here is a short demo of a successful unload of a protected process, Windows Defender's MsMpEng.exe.

Here are the default mimikatz driver builds and their failures against MS Defender on Windows 10 x64, examples where I have failed to unload the protected process via mimikatz:

Fail 1

Fail 2

P.S. NO SAMPLES!

P.P.S. Cheers to Chris, nice chat today about stuff over coffee in the Beta Geminorum ;)


4 Responses to Unloading AV from Windows 10

  1. Rob Brown says:

    Nice. Did you ever release Viktor as open source? I’m looking for a way to load mimidrv.sys undetected.
