Problem with APT29 stepFourteen_credDump.ps1

[L015H4CK]

Hello everyone,

I have spent the last two days trying to figure out why the stepFourteen_credDump.ps1 from APT29 does not work for me. The commands are executed as expected but the output of the spawned powershell is never written to the "Win32_AuditCode" WMI Class or an instance of it.

What I know so far:

• The new WMI Class "Win32_AuditCode" gets created successfully (checked with Get-CimClass | Select-String "Win32_AuditCode")
• The encoded command gets executed by a newly spawned powershell process and the output looks good (looks like the expected mimikatz output with the correct usernames and clear-text passwords)
• The variable $EncodedText is always null ($EncodedText = Get-WmiObject -Class Win32_AuditCode -NameSpace "root\cimv2" | Select -ExpandProperty Result)
• Executing Get-WmiObject -Class Win32_AuditCode manually (part of the above command) returns nothing, i.e. no instance of the WMI Class "Win32_AuditCode" exists
• This results in an exception calling "FromBase64String" because the $EncodedText is empty/null

What I do not know:

• Why is no instance of the WMI Class "Win32_AuditCode" created?
• How is the output of the spawned powershell given to the "Result" field of the WMI Class/Instance(?)?

Thanks for any tips or ideas in advance.

Additional info:

• Tested on Windows 10 Pro
• The UseLogonCredential in the WDigest Registry settings is enabled
• m.exe is downloaded from the (CALDERA) server
• Tested with CALDERA but also executing the commands manually

[L015H4CK]

I found my error.

The path of the Set-WmiInstance command in the encrypted PowerShell code was not escaped correctly while encoding it on my Kali machine. Best to encode powershell commands on windows directly to avoid mistakes like that to happen... It was \.\root\cimv2:Win32_AuditCode instead of \\.\root\cimv2:Win32_AuditCode (only one \ at the start) because I guess I missed escaping it (\r and \c have to escaped when encoding on Kali as well.).