Didier Stevens

Monday 30 March 2020

mimikatz Is My New EICAR

Filed under: Malware — Didier Stevens @ 0:00

I helped a friend creating picture files to be detected by anti-virus. They are not malicious: they don’t execute code neither trigger a vulnerability.

The EICAR test file is detected by many anti-virus programs, except when it is appended to arbitrary files (this is according to specs).

Starting with a one-pixel JPEG and PNG file, I append the EICAR test file. And with a JPEG file, I can also insert the EICAR file as a comment:

The detection scores on VirusTotal show that these files are not detected by many anti-virus programs:

  • JPEG + EICAR: 6/55
  • PNG + EICAR: 7/58
  • JPEG + EICAR comment: 2/57

That wasn’t good enough for my friend, she needed something with a higher detection score.

Since several years now, there is a Windows program that triggers many anti-virus programs: mimikatz.

When I try mimikatz with picture files, I get better detection scores than for the EICAR test file (as I expected):

  • JPEG + MIMIMATZ.EXE: 19/58
  • PNG + MIMIMATZ.EXE: 15/57
  • JPEG + MIMIMATZ.DLL: 12/57


And I have a picture file with even higher detection scores, but you’ll have to wait until April Fools day for the details 😉 .

Blog at WordPress.com.