
常见工具特征去除

source link: https://www.ascotbe.com/2021/07/09/FrequentToolCharacteristics/

mimikatz改造

替换关键字脚本

#!/bin/sh
# Clones the mimikatz source tree, then rewrites a fixed list of literal
# strings (project/author names, command and module names) in every regular
# file under windows/ with sed -i, renames files whose names still carry the
# old project name, and zips the result.
#
# NOTE(review): no `set -e`/`set -u` here — a failed clone, mv or sed does not
# stop the script; every later step still runs.
# NOTE(review): the clone is written to ./mimikatz, but all paths below are
# windows/ relative to the current directory, not mimikatz/windows/ — confirm
# which tree is meant to be processed.
git clone --depth=1 https://github.com.cnpmjs.org/gentilkiwi/mimikatz.git mimikatz

## BASIC Strings ##

# Random replacement token: tr keeps only the listed characters, fold breaks
# the stream into fixed-width chunks, head keeps the first chunk. The same
# pattern is repeated below with different widths and character sets.
# $mimi and $kiwi are reused by the rename loops at the bottom; $string is
# overwritten before each use.
mimi=$(cat /dev/urandom | tr -dc "a-zA-Z" | fold -w 8 | head -n 1)
# $mimi is unquoted here; it can only contain letters, so this is safe.
mv windows/mimikatz windows/$mimi
# Every regular file under windows/ is edited in place, whatever its type;
# only these literal byte sequences change, nothing else in the tree.
find windows/ -type f -print0 | xargs -0 sed -i "s/mimikatz/$mimi/g"
MIMI=$(cat /dev/urandom | tr -dc "A-Z" | fold -w 8 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/MIMIKATZ/$MIMI/g"
Mimi=$(cat /dev/urandom | tr -dc "a-zA-Z" | fold -w 8 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/Mimikatz/$Mimi/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 5 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/DELPY/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 8 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/Benjamin/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 23 | head -n 1)
# NOTE(review): "[email protected]" looks like a scraping artifact that
# replaced an e-mail address; as written the pattern is a literal sed
# bracket expression and will not match the original text — check the source.
find windows/ -type f -print0 | xargs -0 sed -i "s/[email protected]/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 15 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/creativecommons/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 10 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/gentilkiwi/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z" | fold -w 4 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/KIWI/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z" | fold -w 4 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/Kiwi/$string/g"
kiwi=$(cat /dev/urandom | tr -dc "a-zA-Z" | fold -w 4 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/kiwi/$kiwi/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 13 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/A La Vie, A L/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 24 | head -n 1)
# Same scraping-artifact caveat as the first "[email protected]" pattern above.
find windows/ -type f -print0 | xargs -0 sed -i "s/[email protected]/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 8 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/benjamin/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 14 | head -n 1)
# Dead substitution: "DELPY" and "Benjamin" were already rewritten above, so
# "Benjamin DELPY" can no longer occur in any file.
find windows/ -type f -print0 | xargs -0 sed -i "s/Benjamin DELPY/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 5 | head -n 1)
# "." is unescaped, so "oe.eo" matches any character in the middle position.
find windows/ -type f -print0 | xargs -0 sed -i "s/oe.eo/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 14 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/pingcastle.com/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 16 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/mysmartlogon.com/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 15 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/Vincent LE TOUX/$string/g"

## Basic Function Names ##

# From here on the replacements are fixed case-mangled spellings rather than
# random tokens. All patterns are unanchored substrings: short ones such as
# "token", "process", "crypto" or "misc" also rewrite any longer word that
# contains them, in code and in text alike.
find windows/ -type f -print0 | xargs -0 sed -i "s/logonPasswords/loGoNpASSwoRdS/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/dpapi/dPApi/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/sekurlsa/seKuRlSa/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/sekurLSA/seKuRlSa/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ngc/nGc/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/lsadump/lsADumP/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/crypto/cRyPTO/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/kerberos/kErberoS/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/token/tOKEn/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/misc/mIsC/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/minesweeper/mInesWeEpEr/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/vault/vAULt/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/privilege/PRIViLeGe/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/process/ProCeSs/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/busylight/bUsYlIght/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/sr98/sR98/g"


## Sub-function Names ##

# Sekurlsa #

find windows/ -type f -print0 | xargs -0 sed -i "s/msv/mSv/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/wdigest/wDiGeST/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/tspkg/tsPkG/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/livessp/liVeSsP/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/cloudap/clOuDAp/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ssp/sSp/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/logonpasswords/loGonPaSSworDs/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/minidump/mIniDumP/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/bootkey/bOOtKey/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/pth/ptH/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/krbtgt/krbTgT/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/backupkeys/backUpKeyS/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/tickets/ticKets/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ekeys/eKeYs/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/credman/crEdMan/g"
# The next two lines repeat the "tickets" and "ekeys" substitutions above;
# on the second pass there is nothing left to match.
find windows/ -type f -print0 | xargs -0 sed -i "s/tickets/ticKets/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ekeys/eKeYs/g"

# Crypto #

find windows/ -type f -print0 | xargs -0 sed -i "s/providers/prOviDers/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/certificates/certIfiCatEs/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/scauth/sCaUth/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/extract/exTraCt/g"

# dpapi #

find windows/ -type f -print0 | xargs -0 sed -i "s/masterkey/masTerKeY/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/credhist/crEdHiSt/g"
# "cloudap" was already rewritten to "clOuDAp" above, so these two patterns
# no longer match the original spellings.
find windows/ -type f -print0 | xargs -0 sed -i "s/cloudapkd/clOudApKd/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/cloudapreg/clOuDapReg/g"

# kerberos #

find windows/ -type f -print0 | xargs -0 sed -i "s/golden/golDen/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ptt/pTt/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/clist/cLiSt/g"

# lsadump #

find windows/ -type f -print0 | xargs -0 sed -i "s/secrets/seCrEts/g"
# "sam" is a three-letter substring and also hits words such as "same" or
# "sample" wherever they appear under windows/.
find windows/ -type f -print0 | xargs -0 sed -i "s/sam/saM/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/dcshadow/dCShAdoW/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/dcsync/dCsYnC/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/setntlm/seTnTlM/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/netsync/neTSynC/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/cache/caCHe/g"

# misc #

find windows/ -type f -print0 | xargs -0 sed -i "s/regedit/reGeDit/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/skeleton/sKeLeToN/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/easyntlmchall/easYnTlmChaLl/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ncroutemon/nCroUTeMoN/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/taskmgr/taSkMgR/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/aadcookie/aAdcOoKiE/g"

# vault #

# Broad substring: every remaining "cred" (e.g. inside "credential") is
# rewritten, not only the vault command name.
find windows/ -type f -print0 | xargs -0 sed -i "s/cred/crEd/g"

# token #

find windows/ -type f -print0 | xargs -0 sed -i "s/elevate/eleVatE/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/revert/reVeRt/g"


## Replace file names ##

# Rename files whose path still contains the old names, using the same
# random tokens chosen for the content rewrite. The new path is derived from
# the whole path string, so directory components are rewritten too.
# `read` without -r and the unquoted ${FILE} in the echo mean paths containing
# backslashes or whitespace would be mangled; the loop runs in a pipeline
# subshell, which is fine since it sets no variables the script needs later.
find windows/ -type f -name "*mimikatz*" | while read FILE ; do
newfile="$(echo ${FILE} |sed -e "s/mimikatz/$mimi/g")";
mv "${FILE}" "${newfile}";
done
find windows/ -type f -name "*kiwi*" | while read FILE ; do
newfile="$(echo ${FILE} |sed -e "s/kiwi/$kiwi/g")";
mv "${FILE}" "${newfile}";
done
## ZIP File ##

# Archive the rewritten tree; the archive name itself still carries "mimi".
zip -r mimi.zip ./windows
