Need help hiding mimikatz from Mcafee AV

MikeSecurity asked:
Greetings Experts,
I am in need of some help. I have been tasked with testing the internal security of my company's network. I need to be able to hide the existent version of "mimikatz" from the AV running on our servers. This is purely for post exploitation using metasploit on a vulnerable machine... but I don't have a lot of experience in the area of IDS/IPS & AV evasion... Can someone direct me in the process of creating an .exe package that can be used w/o being detected?

John, Business Consultant (Owner), commented:
I think the likelihood of your program being caught is very high. You may have to exclude the executable from being scanned.

For Cain (oxid.it), under exclusions in Symantec Endpoint Protection, I set the following exclusions:

1. Threat name
2. Program Files cain.exe and
3. Program Files cain\*
4. Document storage location cain.exe

So there was a lot to exclude to allow Cain to run normally. SEP left on its own would prevent Cain from running (and it is a legitimate program).
0
MikeSecurity (Author) commented:
Thank you for your expert response to my questions... and your idea would work, but the idea is to evade the network security controls and find if there are any vulnerable holes that need to be addressed.
0
John, Business Consultant (Owner), commented:
You need to change your program in a way to avoid these checks. That would likely result in the program not doing its job.
0

John, Business Consultant (Owner), commented:
Also, and somewhat oblique: my home network is a workgroup and my printer is separate on the network and accessible to any computer I wish to have access. I had to make exclusions in SEP for the network and the printer.
0
MikeSecurity (Author) commented:
Found the following article, and thought this would be a nice workaround in a PowerShell script. WorkAround
0
John, Business Consultant (Owner), commented:
Let us know if that works. I could not see how the workaround would hide the program signature.
0
MikeSecurity (Author) commented:
The idea would be getting a copy of the lsass.exe file and then using it on another machine w/ mimikatz and no AV installed.
0
McKnife commented:
That would work, of course.
Let me give you good advice: in a securely maintained network, mimikatz should not be able to harvest anything, even if it is allowed to run.
Privileged accounts like domain admins should not be used on workstations where some user might have gained administrative rights (that is, if he hasn't been assigned those in the first place). So even if he got admin somehow, he should not be able to discover other accounts. Remember, mimikatz will only find what's in memory, so the attacked accounts would have had to be logged in since the last time the computer was started.

Though mimikatz is a cunning thing, I consider it only a reminder to do good work as an admin. It does not have to be a threat at all. Normally, mimikatz will be used to hunt for accounts that have high privileges in the network, not for other standard users. So the typical scenario for mimikatz is that someone sees if domain (admin) accounts are being used in the background (scheduled tasks, for example, or services or support accounts) and gets those. This would be a non-issue if the network administration did good work.
Please have a look at my article about a safe user support concept: http://www.experts-exchange.com/articles/18180/A-concept-for-safe-user-support.html
0
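McKnife's point is that the exposure comes from privileged domain accounts being logged on, in the background, to machines a local admin can reach. The following PowerShell script is an added example (not from this thread or any of its participants) that audits a server for exactly that: services and scheduled tasks configured to run under a non-built-in account. Run it in an elevated session on each host you are reviewing. The regexes for built-in principals and the `$privilegedPattern` naming convention are assumptions; adjust them to your environment.

```powershell
# Added example (not from the thread): list services and scheduled tasks that
# run under a real account, i.e. credentials that would be resident in LSASS
# memory on this host once the service or task has run since boot.

# Assumption: these principals carry no reusable domain credential.
$builtInService = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|NT Service\\)'
$builtInTask    = '^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|S-1-5-18|S-1-5-19|S-1-5-20)$'

# Assumption: your naming convention for highly privileged accounts/groups.
$privilegedPattern = 'Domain Admins|Enterprise Admins|adm'

$findings = @()

# Services: Win32_Service.StartName is the logon account of the service.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $account = $_.StartName
    if ($account -and $account -notmatch $builtInService) {
        $findings += [pscustomobject]@{
            Type    = 'Service'
            Name    = $_.Name
            Account = $account
            State   = $_.State
        }
    }
}

# Scheduled tasks: Principal.UserId is the account the task runs as.
Get-ScheduledTask | ForEach-Object {
    $account = $_.Principal.UserId
    if ($account -and $account -notmatch $builtInTask) {
        $findings += [pscustomobject]@{
            Type    = 'ScheduledTask'
            Name    = "$($_.TaskPath)$($_.TaskName)"
            Account = $account
            State   = [string]$_.State
        }
    }
}

# Privileged hits first, so the items to fix (move to a gMSA, a dedicated
# low-privilege service account, or a different host) are at the top.
$findings |
    Sort-Object @{ Expression = { $_.Account -match $privilegedPattern }; Descending = $true }, Type, Name |
    Format-Table -AutoSize
```

Accounts ending in `$` (group-managed service accounts) will also appear in the list; those are fine to leave, since their passwords rotate automatically and are not reused elsewhere. Everything else on the list is a candidate for the "why does this need a domain account on this box?" conversation.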
MikeSecurity (Author) commented:
Thanks McKnife
0