{"url":"https://medium.com/@luisgerardomoret_69654/modifying-mimikatz-to-evade-defender-2026-dc701000289d","title":"Modifying Mimikatz to evade Defender in 2026","domain":"medium.com","imageUrl":"https://images.pexels.com/photos/4973899/pexels-photo-4973899.jpeg?auto=compress&cs=tinysrgb&h=650&w=940","pexelsSearchTerm":"Windows Defender security","category":"Tech","language":"en","slug":"659b6b95","id":"659b6b95-8a29-447c-b598-007441cb2dbe","description":"Article shows how to compile a modified Mimikatz binary that evades Windows Defender detection in 2026.","summary":"## TL;DR\n- Article shows how to compile a modified Mimikatz binary that evades Windows Defender detection in 2026.\n- Uses S3cur3Th1sSh1t's bash script to download Mimikatz source, obfuscate strings, then build in Visual Studio.\n- Helps red teamers test defenses by creating undetected credential-dumping tools.\n\n## The story at a glance\nLainkusanagi (Luis Gerardo Moret) wrote this paywalled Medium post to guide compiling Mimikatz with evasion tweaks against current Windows Defender. It starts with running a bash script by S3cur3Th1sSh1t for string obfuscation and source prep, followed by transfer to a Windows VM for Visual Studio compilation. The article appeared in April 2026 amid ongoing red team discussions on Reddit and X.[[1]](https://medium.com/@luisgerardomoret_69654/modifying-mimikatz-to-evade-defender-2026-dc701000289d)[[2]](https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/)\n\n## Key points\n- Run bash script by **S3cur3Th1sSh1t** (likely a Mimikatz obfuscator from his 2020 gist) to clone gentilkiwi/mimikatz repo and replace strings like \"mimikatz\", \"gentilkiwi\", \"kiwi\" with neutrals (e.g., \"windows\", \"MSOffice\").\n- Script creates \"windows\" folder; transfer it to Windows VM with Visual Studio installed, ideally with Documents folder excluded from Defender scans.\n- Open solution in Visual Studio, make further changes if needed (e.g., custom netapi32.lib for DLL function imports like I_NetServerReqChallenge), then compile x64 Release version.\n- Resulting executable reportedly evades Defender real-time protection, tested via tools like DefenderCheck for signature splits.\n- Builds on older techniques: string/prefix renames (kuhl_ to random), file renames, icon swap, but adapted for 2026 Defender updates.[[2]](https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/)\n\n## Details and context\nThe bash script automates basic obfuscation from S3cur3Th1sSh1t's playbook—sed replacements across source files for keywords, module names (sekurlsa::logonpasswords stays functional via case tweaks), and prefixes. This drops initial VirusTotal hits from 25/67 but focuses on Defender bypass.[[2]](https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/)\n\nFor netapi32 evasion, create a .def file listing flagged exports (@59, @65, @62 ordinals), build a min.lib, and drop it in lib/x64 before compile—removes Defender's static sig on those LSASS-related calls.\n\nAuthor's other posts (e.g., GodPotato mods, Sliver BOF) use similar VM exceptions and scripts, noting EXEs may still flag but DLLs/BOFs work for C2 implants. No full 2026 testing details visible; effectiveness assumes no cloud/behavioral blocks.\n\n## Key quotes\nNone available from paywalled article; intro visible: \"Hello everyone, in this article I'll show how to compile and modify Mimikatz to evade Windows Defender.\"[[1]](https://medium.com/@luisgerardomoret_69654/modifying-mimikatz-to-evade-defender-2026-dc701000289d)\n\n## Why it matters\nDefender updates make stock Mimikatz useless for post-exploitation, pushing red teams/blue teams to evolve evasion tactics like source mods. Security testers gain a practical 2026 bypass for credential dumps (e.g., sekurlsa::logonpasswords), while defenders learn to hunt obfuscated builds via YARA or behavior (LSASS access). Watch Microsoft patch notes and Mimikatz trunk updates for counter-obfuscation.","hashtags":["#cybersecurity","#redteam","#mimikatz","#evasion","#defender","#pentesting"],"sources":[{"url":"https://medium.com/@luisgerardomoret_69654/modifying-mimikatz-to-evade-defender-2026-dc701000289d","title":"Original article"},{"url":"https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/","title":""}],"viewCount":2,"publishedAt":"2026-04-18T12:59:51.102Z","createdAt":"2026-04-18T12:59:51.102Z","articlePublishedAt":"2026-04-16T14:47:45.406Z"}