Channel: Astr0baby's not so random thoughts _____ rand() % 100;

Unloading AV from Windows 10


Lately a new feature was shown in Mimikatz 2.1.1 that is able to remove process protection (usable for unloading AV).

I have run the above test against a fully patched Windows 10 x64 build 10.0.15063, but unfortunately mimidrv.sys gets flagged immediately by AV (even if you get mimikatz.exe bypassed), and you need a signed driver to load on x64.

I have obfuscated mimikatz via the following procedure:

https://astr0baby.wordpress.com/2017/03/28/mimikatz-2-1-1-powershell-generator/

My old, ancient way still works. Here is a short demo of a successful unload of a protected process (MsMpEng.exe, Windows Defender).

Here are the default mimikatz driver builds and their failures against MS Defender on Windows 10 x64: examples where I have failed to unload the protected process via mimikatz.

Fail 1

Fail 2

P.S. !NO SAMPLES!

P.P.S. Cheers to Chris, nice chat today about stuff over coffee in the Beta Geminorum ;)
