"Powerkatz (Staged)" Ability ends with "ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list"

[satk0]

Describe the bug
Running an operation with the "Powerkatz (Staged)" ability yields the following error, despite that the ability ends with a status "success":

  .#####.   mimikatz 2.2.0 (x64) #19041 Jun 16 2020 13:40:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list

mimikatz(powershell) # exit
Bye!

"Alice 2.0" adversary is affected by this as it could not proceed further steps.

To Reproduce
Steps to reproduce the behavior:

1. Elevate the powershell prompt to "NT AUTHORITY\SYSTEM".
2. Run Caldera agent powershell script on an another machine.
3. Create an adversary with "Powerkatz (Staged)" ability and run a new operation with it on the agent.

Expected behavior
List extracted credentials.

Desktop (please complete the following information):
PC with Caldera:

• OS Name: Microsoft Windows Server 2022 Standard
• OS Version: 10.0.20348 N/A Build 20348
• Caldera Version: master (commit: 0f2fca5)

Agent:

• OS Name: Microsoft Windows 10 Pro
• OS Version: 10.0.19045 N/A Build 19045

Additional context
To resolve this issue, Mimikatz needs to be updated, check: https://prathameshbagul.medium.com/a-fix-for-error-kuhl-m-sekurlsa-acquirelsa-logon-list-6c599fb6ad39

[github-actions]

Looks like your first issue -- we aim to respond to issues as quickly as possible. In the meantime, check out our documentation here: http://caldera.readthedocs.io/

[uruwhy]

One thing to note is that the mimikatz version mentioned in the medium article will not work on Windows 11 systems. There have been updates to the mimikaz repo since 2022 to support some of the early Win11 versions, though those updates have not been included in a new release (latest release is from 2022)

[satk0]

Oh, I see, thanks for the answer 👍

[uruwhy]

I'll see if I can update the ability to use the most recent available version of Mimikatz, but I can't guarantee if the loader script itself will work as-is on Win11 systems.

[satk0]

@uruwhy Would be great. I could try it and let u know whether it worked.

[uruwhy]

Here is the current PR in the stockpile plugin repository (since the ability resides in stockpile): mitre/stockpile#595

I've tested it on Windows 11 22H2 x64 Pro, but feel free to play around with it yourself.

To test with the dev branch:

cd plugins/stockpile
git checkout master
git pull
git fetch origin issue-3245:issue-3245
git checkout issue-3245

# restart caldera server

[satk0]

Thanks a lot, I bumped ur PR. Will try this on my Windows 10 22H2 Pro

[satk0]

Run this today on Windows 10 22H2 Pro and it failed. Idk where I can check for detailed output. Cuz It is not shown on the interface:

[uruwhy]

@satk0
Couple sanity checks:

• I assume defender and any other AV/EDR is disabled on your test machine, but always good to double check since Defender likes to turn itself back on
• Can you run systeminfo or winver or some other command to get the specific build number? Let me know if it's something other than 19045.X
• Can you rerun the ability but change the command temporarily to the following? This will enable some debug messages from the script:

$VerbosePreference = "Continue";
Import-Module .\invoke-mimi.ps1;
Invoke-Mimikatz -DumpCreds

The more recent mimikatz updates explicitly reference Win 11 22H2 (build number 22621), but I'm thinking maybe they haven't handled the specific Win 10 22H2 build. I'll see if I can spin up a test VM myself and make sure it's not just an isolated issue.

[uruwhy]

Alright I spun up a Win10 22H2 pro VM and the ability worked fine for me. I'd have to see your debug output to get a better idea of what's going on in your environment

[satk0]

OOoh that's nice. I will do that rn asap, but first I need to find out how to enable this debug output

[satk0]

Oh I see, u already included that, amazing

[satk0]

• After rerunning with debug enabled, I got the following debug output:

VERBOSE: Loading module from path 'C:\Users\user\Desktop\invoke-mimi.ps1'.
VERBOSE: Dot-sourcing the script file 'C:\Users\user\Desktop\invoke-mimi.ps1'.
VERBOSE: PowerShell ProcessID: 7516
VERBOSE: Calling Invoke-MemoryLoadLibrary
VERBOSE: Getting basic PE information from the file
VERBOSE: Allocating memory for the PE and write its headers to memory
VERBOSE: Getting detailed PE information from the headers loaded in memory
VERBOSE: StartAddress: 2112350453760    EndAddress: 2112351952896
VERBOSE: Copy PE sections in to memory
VERBOSE: Update memory addresses based on where the PE was actually loaded in memory
VERBOSE: Import DLL's needed by the PE we are loading
VERBOSE: Done importing DLL imports
VERBOSE: Update memory protection flags

• Systeminfo output:

PS C:\Users\user\Desktop> systeminfo

Host Name:                 HOST
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19045 N/A Build 19045
OS Manufacturer:           Microsoft Corporation

• Defender is disabled + i didn't install anything else