"Powerkatz (Staged)" Ability ends with "ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list" #3245
Description
Describe the bug
Running an operation with the "Powerkatz (Staged)" ability yields the following error, despite that the ability ends with a status "success":
.#####. mimikatz 2.2.0 (x64) #19041 Jun 16 2020 13:40:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list
mimikatz(powershell) # exit
Bye!"Alice 2.0" adversary is affected by this as it could not proceed further steps.
To Reproduce
Steps to reproduce the behavior:
- Elevate the powershell prompt to "NT AUTHORITY\SYSTEM".
- Run Caldera agent powershell script on an another machine.
- Create an adversary with "Powerkatz (Staged)" ability and run a new operation with it on the agent.
Expected behavior
List extracted credentials.
Desktop (please complete the following information):
PC with Caldera:
- OS Name: Microsoft Windows Server 2022 Standard
- OS Version: 10.0.20348 N/A Build 20348
- Caldera Version: master (commit: 0f2fca5)
Agent:
- OS Name: Microsoft Windows 10 Pro
- OS Version: 10.0.19045 N/A Build 19045
Additional context
To resolve this issue, Mimikatz needs to be updated, check: https://prathameshbagul.medium.com/a-fix-for-error-kuhl-m-sekurlsa-acquirelsa-logon-list-6c599fb6ad39