This release of LoadThatPE includes a demonstration of the tool's capabilities with a 64-bit encrypted version of the mimikatz PE. The loader decrypts the PE in memory, resolves its imports, relocates its sections, and executes it dynamically from its redefined entry point.
This release of LoadThatAssembly includes a demonstration of the loader’s capabilities with a 64-bit encrypted .NET assembly payload (“Rubeus”). The loader decrypts the assembly entirely in memory, validates its PE/CLR headers, initializes the .NET CLR (v4.0.30319), and invokes the assembly’s entry point while forwarding process arguments.
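For triage on the defender's side, here is an added example (not code from LoadThatAssembly or this release) that labels a memory region dumped from a process as a native or managed (.NET) PE by reading its PE and CLR header fields. The function names and the sample buffers are constructed for illustration.

```python
import struct

CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR header entry

def classify_region(buf: bytes) -> str:
    """Label a dumped memory region: not-pe, truncated, native-* or managed-*."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    opt = e_lfanew + 24  # PE signature (4 bytes) + COFF file header (20 bytes)
    if opt + 2 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    (magic,) = struct.unpack_from("<H", buf, opt)
    if magic == 0x10B:      # PE32: data directories start at offset 96
        bits, dirs = "pe32", opt + 96
    elif magic == 0x20B:    # PE32+: data directories start at offset 112
        bits, dirs = "pe64", opt + 112
    else:
        return "not-pe"
    entry = dirs + 8 * CLR_DIR
    if entry + 8 > len(buf):
        return "truncated"  # headers run past the end of the dump
    (count,) = struct.unpack_from("<I", buf, dirs - 4)  # NumberOfRvaAndSizes
    rva, size = struct.unpack_from("<II", buf, entry)
    managed = count > CLR_DIR and rva != 0 and size != 0
    return ("managed-" if managed else "native-") + bits

def build_sample(magic: int, clr: bool) -> bytes:
    """Constructed header-only buffer for the demo; not a runnable binary."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, magic)
    dirs = opt + (112 if magic == 0x20B else 96)
    struct.pack_into("<I", buf, dirs - 4, 16)        # NumberOfRvaAndSizes
    if clr:
        struct.pack_into("<II", buf, dirs + 8 * CLR_DIR, 0x2008, 0x48)
    return bytes(buf)

if __name__ == "__main__":
    for name, region in [("managed x64", build_sample(0x20B, True)),
                         ("native x64", build_sample(0x20B, False)),
                         ("cut dump", build_sample(0x20B, True)[:0x100])]:
        print(f"{name}: {classify_region(region)}")
```

Because the payload is only decrypted in memory, a check like this applies to regions captured from a running process rather than to the encrypted file on disk.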
The Yara rule edition is a special mimikatz build meant to evade the bad SOC guys.
Disclaimer: This release is purely for educational and research purposes. Use responsibly.