From d500632c50eb0bd8ccdd6fbf05688b9f2707af50 Mon Sep 17 00:00:00 2001
From: Joshua Wright
Date: Mon, 6 May 2019 14:40:17 -0400
Subject: [PATCH] Disable Mimikatz token::elevate detection; I thought I was on to a cool detect, but sadly it's just Windows operating normally with excessive privileges.
---
 DeepBlue.ps1 | 41 +++++++++++++++++++++--------------------
 1 file changed, 21 insertions(+), 20 deletions(-)
diff --git a/DeepBlue.ps1 b/DeepBlue.ps1
index 2fb6234..724a39c 100644
--- a/DeepBlue.ps1
+++ b/DeepBlue.ps1
@@ -137,26 +137,27 @@ function Main {
 #$adminlogons($username)+=($securitysid)
 }
 # This unique privilege list is used by Mimikatz 2.2.0
- If ($privileges -Match "SeAssignPrimaryTokenPrivilege" `
- -And $privileges -Match "SeTcbPrivilege" `
- -And $privileges -Match "SeSecurityPrivilege" `
- -And $privileges -Match "SeTakeOwnershipPrivilege" `
- -And $privileges -Match "SeLoadDriverPrivilege" `
- -And $privileges -Match "SeBackupPrivilege" `
- -And $privileges -Match "SeRestorePrivilege" `
- -And $privileges -Match "SeDebugPrivilege" `
- -And $privileges -Match "SeAuditPrivilege" `
- -And $privileges -Match "SeSystemEnvironmentPrivilege" `
- -And $privileges -Match "SeImpersonatePrivilege" `
- -And $privileges -Match "SeDelegateSessionUserImpersonatePrivilege") {
- $obj.Message = "Mimikatz token::elevate Privilege Use"
- $obj.Results = "Username: $username`n"
- $obj.Results += "Domain: $domain`n"
- $obj.Results += "User SID: $securityid`n"
- $pprivileges = $privileges -replace "`n",", " -replace "\s+"," "
- $obj.Results += "Privileges: $pprivileges"
- Write-Output($obj)
- }
+ # Disabling due to false-positive with MS Exchange.
+# If ($privileges -Match "SeAssignPrimaryTokenPrivilege" `
+# -And $privileges -Match "SeTcbPrivilege" `
+# -And $privileges -Match "SeSecurityPrivilege" `
+# -And $privileges -Match "SeTakeOwnershipPrivilege" `
+# -And $privileges -Match "SeLoadDriverPrivilege" `
+# -And $privileges -Match "SeBackupPrivilege" `
+# -And $privileges -Match "SeRestorePrivilege" `
+# -And $privileges -Match "SeDebugPrivilege" `
+# -And $privileges -Match "SeAuditPrivilege" `
+# -And $privileges -Match "SeSystemEnvironmentPrivilege" `
+# -And $privileges -Match "SeImpersonatePrivilege" `
+# -And $privileges -Match "SeDelegateSessionUserImpersonatePrivilege") {
+# $obj.Message = "Mimikatz token::elevate Privilege Use"
+# $obj.Results = "Username: $username`n"
+# $obj.Results += "Domain: $domain`n"
+# $obj.Results += "User SID: $securityid`n"
+# $pprivileges = $privileges -replace "`n",", " -replace "\s+"," "
+# $obj.Results += "Privileges: $pprivileges"
+# Write-Output($obj)
+# }
 # This unique privilege list is used by Metasploit exploit/windows/smb/psexec (v5.0.4 tested) # # Disabling due to false-positive with MS Exchange Server # If ($privileges -Match "SeSecurityPrivilege" `
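Review bot: The reason recorded in the added comment `# Disabling due to false-positive with MS Exchange.` is narrower than the one in the commit message, which says this privilege set is what Windows normally grants to highly privileged accounts, so a later reader may treat it as an Exchange-specific false positive and re-enable or port the check elsewhere. I would record the real reason next to the disabled block: `# Disabled: this exact privilege set is granted to legitimately privileged Windows accounts/services (seen with MS Exchange), so it does not distinguish Mimikatz token::elevate from normal operation.` Commenting out the whole `If` block also leaves a second run of dead detection logic beside the already commented-out Metasploit psexec check in the trailing context; since version history keeps the original, deleting the block or keeping it behind a documented opt-in switch would be cleaner than accumulating commented-out checks. The enclosing `function Main` starts before this hunk and continues after it.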