
Caldera uses an outdated version of Mimikatz which no longer works on Windows 10 #47

Closed
trallgorm opened this issue Jul 5, 2018 · 10 comments

Comments

@trallgorm

Hey there, me again. Preliminary discussion in #46

Short story is get_creds no longer works on the latest Windows 10 version because the update broke Mimikatz. More information here: EmpireProject/Empire#1147

I've tried changing the following line:
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')

to

$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))

In both invoke-reflectivepe-ps1 and invoke-mimi-ps1.
This fixed the immediate issue but showed that Mimikatz is outdated as well as the same error as described here happens:

gentilkiwi/mimikatz#146

I'm not sure how to go about swapping out the mimikatz binary to the new version, I tried just replacing the mimi64-exe file but that didn't work. Please advise.

Thanks!
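The `GetMethod('GetProcAddress')` change above works because `Type.GetMethod(string)` throws `AmbiguousMatchException` as soon as a type carries more than one overload of that name, and passing a `[Type[]]` of parameter types picks exactly one. The following PowerShell script is an added illustration of that reflection behaviour, not code from the Caldera project or from this thread; it uses `[System.Math]::Abs`, which has several overloads, as a benign stand-in for the `GetProcAddress` overloads on `UnsafeNativeMethods`.

```powershell
# Added example: why GetMethod('Name') breaks once a type gains a second overload,
# and how supplying the parameter types resolves it. [System.Math]::Abs is used here
# as an assumed stand-in; it is not the type the thread is about.

$type = [System.Math]

# 1. List every overload of Abs so the ambiguity is visible.
$type.GetMethods() |
    Where-Object { $_.Name -eq 'Abs' } |
    ForEach-Object {
        $sig = ($_.GetParameters() | ForEach-Object { $_.ParameterType.FullName }) -join ', '
        "Abs($sig)"
    }

# 2. A name-only lookup fails with AmbiguousMatchException when overloads exist.
#    PowerShell may wrap the .NET exception, so unwrap InnerException before reporting.
try {
    $null = $type.GetMethod('Abs')
    'GetMethod by name alone succeeded (only one overload present)'
} catch {
    $e = $_.Exception
    if ($e.InnerException) { $e = $e.InnerException }
    "GetMethod by name alone failed: $($e.GetType().FullName)"
}

# 3. Supplying the parameter-type array selects one overload unambiguously. This is the
#    same mechanism as the [Type[]]@([HandleRef], [String]) change in the comment above.
$abs = $type.GetMethod('Abs', [Type[]]@([System.Int32]))
$abs.Invoke($null, @(-42))
```

Step 1 prints one line per overload (decimal, double, int16, int32, int64, sbyte, single), step 2 reports `System.Reflection.AmbiguousMatchException`, and step 3 returns 42. Enumerating with `GetMethods()` and filtering on `Name` is the diagnostic to run whenever a reflection-based script starts failing after an OS or .NET update, since a new overload on a framework type is invisible until you list them.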

@unkempthenry
Contributor

Before swapping out the mimikatz binary it will need to be encoded with https://github.com/mitre/caldera/blob/master/scripts/encode.py.

Sorry for the trouble. We should make sure our docs discuss how to use encode.py, or get rid of it. It's intended to be more of a convenience in case you're trying to run caldera on a system with AV turned on without needing to whitelist the folder (it may be more trouble than it's worth).

Assuming updating mimikatz allows caldera to work on 1803, we can close this once:

  • Docs updated to discuss encode.py
  • Update included mimikatz binary to latest release

@trallgorm
Author

trallgorm commented Jul 10, 2018

Hey there, I tried it by running python encode.py -i mimikatz.exe -o mimi64-exe and encode.py -i mimikatz.dll -o mimi64-dll. There is a third sys file which I did not encode but placed in the same directory. When running the step, though, caldera threw this:

https://pastebin.com/eSCB0Wyu

Any idea on what I did wrong?

@trallgorm
Author

@hf-mitre Any progress on this?

@unkempthenry
Contributor

Hi @trallgorm sorry for the delay.
I believe 0b2c9e0 should fix this. I've modified things to use the latest version of Invoke-Mimikatz from Empire.

@Cyb3r-Monk

Cyb3r-Monk commented Aug 6, 2018

Hi @hf-mitre

I've updated caldera but when it runs mimikatz, it shows the following error and can't get the credentials.

mimikatz(powershell) # sekurlsa::logonPasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list

I can run the latest mimikatz.exe on the same computer (just the exe, I don't use the Invoke-Mimikatz) without problem and get the credentials.
Windows version: 10.0.17134.165 (1803). Is there anything to do except updating caldera?

Thanks!

@unkempthenry
Contributor

Hi @Mergene,

Is that the extent of the error message? Is there anything else after those two lines?

I tested this with Server 2016. I'll need to try to reproduce this on 10.

@Cyb3r-Monk

Hi @hf-mitre,

All of the message: https://pastebin.com/P4tbw8Kz
I've just tested it with Server 2016 and it works. The problem seems to be with Windows 10. AV is disabled on the machine btw.

@unkempthenry
Contributor

unkempthenry commented Aug 6, 2018

Ah, looks like the fix didn't quite make it into Empire when I pulled EmpireProject/Empire#1193.

I'm guessing using the Invoke-Mimikatz script in this Empire PR will fix this: EmpireProject/Empire#1194. I'll try to take a look at it, try it out and update CALDERA.

If you want to test it out yourself you can try updating it on your local version of CALDERA (https://caldera.readthedocs.io/en/latest/encoding_external_files.html).

@Cyb3r-Monk

@unkempthenry
Contributor

This should finally be fixed in 3bc1637
