Skip to content

mobdk/Epsilon

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
Epsilon.cs
Epsilon.cs
 
 
NoDelay.log
NoDelay.log
 
 
README.md
README.md
 
 
WithDelay.log
WithDelay.log
 
 

Repository files navigation

Epsilon

In this PoC I am addressing the timer issue that exist in Defender.

This PoC successfully execute Mimikatz with no change to the orginal code, Mimikatz is converted to shellcode and embedded in source code, it uses the following syscalls:

ZwOpenProcess
ZwAllocateVirtualMemory
ZwProtectVirtualMemory
ZwWriteVirtualMemory
"delay 15 seconds"
ZwOpenThread
ZwQueueApcThread
ZwResumeThread
ZwClose

If one insert a timer delay with value 15 seconds, anything below does not work, it breaks the engine detection logic and Mimikatz execute successfully. The delay can be inserted anywhere, between ZwOpenProcess and ZwClose.

Testing Defender try use extension .bin, .log, .edb or .db, this can be usefull if ASR rules exist. Fx. Epsilon.log (renamed from .dll)

Compile Epsilon.cs with csc.exe and insert .dll entrypoint as described here: https://github.com/mobdk/compilecs

Two precompiled version exist:

WithDelay.log execute with rundll32 WithDelay.log,#1
NoDelay.log execute with rundll32 NoDelay.log,#1

About

In this PoC I am addressing the timer issue that exist in Defender

Resources

Readme
Activity

Stars

4 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages