Modifying Mimikatz to evade Defender in 2026
Source: medium.com
TL;DR
- Article shows how to compile a modified Mimikatz binary that evades Windows Defender detection in 2026.
- Uses S3cur3Th1sSh1t's bash script to download Mimikatz source, obfuscate strings, then build in Visual Studio.
- Helps red teamers test defenses by creating undetected credential-dumping tools.
The story at a glance
Lainkusanagi (Luis Gerardo Moret) wrote this paywalled Medium post to guide compiling Mimikatz with evasion tweaks against current Windows Defender. It starts with running a bash script by S3cur3Th1sSh1t for string obfuscation and source prep, followed by transfer to a Windows VM for Visual Studio compilation. The article appeared in April 2026 amid ongoing red team discussions on Reddit and X.[[1]](https://medium.com/@luisgerardomoret_69654/modifying-mimikatz-to-evade-defender-2026-dc701000289d)[[2]](https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/)
Key points
- Run the bash script by S3cur3Th1sSh1t (likely a Mimikatz obfuscator from his 2020 gist) to clone the gentilkiwi/mimikatz repo and replace strings like "mimikatz", "gentilkiwi", "kiwi" with neutral names (e.g., "windows", "MSOffice").
- Script creates "windows" folder; transfer it to Windows VM with Visual Studio installed, ideally with Documents folder excluded from Defender scans.
- Open solution in Visual Studio, make further changes if needed (e.g., custom netapi32.lib for DLL function imports like I_NetServerReqChallenge), then compile x64 Release version.
- The resulting executable reportedly evades Defender real-time protection; this is checked with tools like DefenderCheck, which splits the binary to locate the bytes that trigger a signature.
- Builds on older techniques: string/prefix renames (kuhl_ to random), file renames, icon swap, but adapted for 2026 Defender updates.[[2]](https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/)
Details and context
The bash script automates the basic obfuscation from S3cur3Th1sSh1t's playbook: sed replacements across the source files for keywords, module names (sekurlsa::logonpasswords stays functional via case tweaks), and prefixes. This reduces VirusTotal detections from the initial 25/67, though the article's focus is the Defender bypass.[[2]](https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/)
For netapi32 evasion, create a .def file listing the flagged exports (ordinals @59, @65, @62), build a min.lib from it, and drop it in lib/x64 before compiling; this removes Defender's static signature on those LSASS-related calls.
The author's other posts (e.g., GodPotato mods, Sliver BOF) use similar VM exclusions and scripts, noting that EXEs may still be flagged while DLLs/BOFs work for C2 implants. No full 2026 testing details are visible; the claimed effectiveness assumes no cloud-delivered or behavioral blocks.
Key quotes
None available beyond the paywall; the visible intro reads: "Hello everyone, in this article I'll show how to compile and modify Mimikatz to evade Windows Defender."[[1]](https://medium.com/@luisgerardomoret_69654/modifying-mimikatz-to-evade-defender-2026-dc701000289d)
Why it matters
Defender updates make stock Mimikatz useless for post-exploitation, pushing red teams to evolve evasion tactics such as source modifications and blue teams to keep pace. Security testers gain a practical 2026 bypass for credential dumps (e.g., sekurlsa::logonpasswords), while defenders learn to hunt obfuscated builds via YARA or behavior (LSASS access). Watch Microsoft patch notes and Mimikatz trunk updates for counter-obfuscation.
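As an added defender-side example (not code from the article or from S3cur3Th1sSh1t's script), the hunting idea above can be reduced to a simple heuristic: the renaming strips branding such as "mimikatz" and "kuhl_", but the module::command vocabulary must survive for the tool to remain usable, so a case-insensitive scan for those tokens in both ASCII and UTF-16LE still flags the build. The token lists and the byte blobs are constructed for illustration.

```python
"""Heuristic triage for string-renamed Mimikatz builds (illustrative, not exhaustive)."""

# Command vocabulary a working build keeps, even after case tweaks (illustrative list).
COMMAND_TOKENS = ("sekurlsa", "logonpasswords", "lsadump", "privilege::debug")
# Branding the renaming script removes; command tokens without branding suggest a sanitised build.
BRANDING_TOKENS = ("mimikatz", "gentilkiwi", "kuhl_")
ENCODINGS = (("ascii", "ascii"), ("utf-16le", "utf-16-le"))


def _hits(lowered: bytes, tokens) -> dict:
    """Map each token found in the lowercased blob to the encodings it appeared in."""
    found = {}
    for tok in tokens:
        # bytes.lower() only touches ASCII letters, so UTF-16LE null bytes are preserved.
        encs = [name for name, enc in ENCODINGS if tok.encode(enc) in lowered]
        if encs:
            found[tok] = encs
    return found


def scan_sample(data: bytes) -> dict:
    """Classify a binary blob as clean, stock_build or renamed_build."""
    lowered = data.lower()
    commands = _hits(lowered, COMMAND_TOKENS)
    branding = _hits(lowered, BRANDING_TOKENS)
    if commands and branding:
        verdict = "stock_build"      # command vocabulary plus original branding
    elif commands:
        verdict = "renamed_build"    # command vocabulary survives, branding scrubbed
    else:
        verdict = "clean"
    return {"verdict": verdict, "commands": commands, "branding": branding}


# Constructed sample blobs standing in for bytes carved from real binaries.
STOCK = b"\x00mimikatz 2.x\x00" + "sekurlsa::logonpasswords".encode("utf-16-le") + b"kuhl_m_sekurlsa"
RENAMED = b"\x00MSOffice 2.x\x00" + "SeKuRlSa::LogonPasswords".encode("utf-16-le") + b"\x00windows\x00"
BENIGN = b"MZ\x90\x00" + "Microsoft Office document".encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("stock", STOCK), ("renamed", RENAMED), ("benign", BENIGN)):
        print(name, scan_sample(blob)["verdict"])
```

A real hunt would run this over process memory or on-disk PE sections and pair it with the behavioral signal the summary mentions (LSASS handle access), since a build that also renames command tokens would slip past a string-only check.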