Didier Stevens

Monday 30 March 2020

mimikatz Is My New EICAR

Filed under: Malware — Didier Stevens @ 0:00

I helped a friend creating picture files to be detected by anti-virus. They are not malicious: they don’t execute code neither trigger a vulnerability.

The EICAR test file is detected by many anti-virus programs, except when it is appended to arbitrary files (this is according to specs).

Starting with a one-pixel JPEG and PNG file, I append the EICAR test file. And with a JPEG file, I can also insert the EICAR file as a comment:

The detection scores on VirusTotal show that these files are not detected by many anti-virus programs:

  • JPEG + EICAR: 6/55
  • PNG + EICAR: 7/58
  • JPEG + EICAR comment: 2/57

That wasn’t good enough for my friend, she needed something with a higher detection score.

Since several years now, there is a Windows program that triggers many anti-virus programs: mimikatz.

When I try mimikatz with picture files, I get better detection scores than for the EICAR test file (as I expected):

  • JPEG + MIMIMATZ.EXE: 19/58
  • PNG + MIMIMATZ.EXE: 15/57
  • JPEG + MIMIMATZ.DLL: 12/57

 

And I have a picture file with even higher detection scores, but you’ll have to wait until April Fools day for the details 😉 .

3 Comments »

  1. […] mimikatz Is My New EICAR […]

    Pingback by Week 14 – 2020 – This Week In 4n6 — Sunday 5 April 2020 @ 1:54

  2. I wonder if there’s anything interesting about a file that starts with EICAR and then has mimikatz appended to it. Will some AV report it as EICAR and ignore the mimikatz ? Will some humans or scanners see “EICAR” and assume “must just be a test file, ignore it” ? Is there any danger there ?

    Comment by Bill Dietrich — Wednesday 6 May 2020 @ 11:58

  3. I don’t know of AVs that handle EICAR files differently than other detected files. If the default action is to deleted detected files, EICAR files will also be deleted.

    Comment by Didier Stevens — Thursday 7 May 2020 @ 19:28


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.