Closed: L015H4CK closed this 1 year ago

I found my error. The path of the `Set-WmiInstance` command in the encrypted PowerShell code was not escaped correctly while encoding it on my Kali machine. Best to encode PowerShell commands on Windows directly to avoid mistakes like that from happening... It was `\.\root\cimv2:Win32_AuditCode` instead of `\\.\root\cimv2:Win32_AuditCode` (only one `\` at the start) because I guess I missed escaping it (`\r` and `\c` have to be escaped when encoding on Kali as well).
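The escaping problem described in the closing comment can be reproduced and checked offline before anything is run on a target host. The following is an added example, not code from the issue or from the APT29 emulation scripts: it assumes the Linux-side encoding step passed the command through something with `echo -e` style escape handling (the issue does not say which tool was used, so that is an assumption), models only the three sequences the comment mentions (`\\`, `\r`, `\c`), and then builds the UTF-16LE base64 form PowerShell expects for `-EncodedCommand` and decodes it again to verify that the WMI object path survived. The `-Arguments @{Result=$out}` part of the sample command is constructed for illustration.

```python
import base64

# Constructed sample (not from the issue): the WMI object path the issue is
# about, and a one-liner that uses it. Raw strings keep Python from
# interpreting the backslashes before the shell model gets to them.
EXPECTED_PATH = r"\\.\root\cimv2:Win32_AuditCode"
PS_COMMAND = (
    r"Set-WmiInstance -Path '\\.\root\cimv2:Win32_AuditCode' "
    r"-Arguments @{Result=$out}"
)


def echo_e(text: str) -> str:
    """Stand-in (assumption) for how bash 'echo -e' treats the escapes named in the issue.

    Modelled: '\\\\' -> single backslash, '\\r' -> carriage return,
    '\\c' -> stop producing output. Everything else passes through unchanged.
    """
    out = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            if nxt == "\\":
                out.append("\\")
                i += 2
                continue
            if nxt == "r":
                out.append("\r")
                i += 2
                continue
            if nxt == "c":
                break  # echo -e stops output at \c, truncating the command
        out.append(ch)
        i += 1
    return "".join(out)


def encode_command(command: str) -> str:
    """Value PowerShell expects for -EncodedCommand: base64 of UTF-16LE (no BOM)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_command(encoded: str) -> str:
    """Reverse of encode_command: the text PowerShell would actually execute."""
    return base64.b64decode(encoded).decode("utf-16-le")


def path_survives(encoded: str, expected_path: str = EXPECTED_PATH) -> bool:
    """The check the issue needed: decode the payload and confirm the path is intact."""
    return expected_path in decode_command(encoded)


def encode_via_shell(shell_input: str) -> str:
    """Model the Kali-side pipeline: shell escape processing, then UTF-16LE + base64."""
    return encode_command(echo_e(shell_input))


# Case 1: every backslash doubled for the shell -> the path arrives intact.
FULLY_ESCAPED = PS_COMMAND.replace("\\", "\\\\")
# Case 2: the mistake from the issue: '\\.' typed where '\\\\.' was needed, so
# the leading pair collapses to one backslash and the path becomes '\.\root\cimv2:...'.
MISSED_LEADING = (
    r"Set-WmiInstance -Path '\\.\\root\\cimv2:Win32_AuditCode' "
    r"-Arguments @{Result=$out}"
)
# Case 3: no escaping at all: \r becomes a carriage return and \c truncates the command.
UNESCAPED = PS_COMMAND


def demo() -> dict:
    """Run all three cases; returns {name: (path_ok, decoded_command)}."""
    cases = (("fully_escaped", FULLY_ESCAPED),
             ("missed_leading", MISSED_LEADING),
             ("unescaped", UNESCAPED))
    results = {}
    for name, shell_input in cases:
        enc = encode_via_shell(shell_input)
        results[name] = (path_survives(enc), decode_command(enc))
    return results


if __name__ == "__main__":
    for name, (ok, decoded) in demo().items():
        print(f"{name}: path intact = {ok}; decoded = {decoded!r}")
```

Decoding the payload and asserting on the object path, rather than eyeballing the base64, would have caught all three failure modes: the collapsed leading backslash, the stray carriage return in `root`, and the `\c` truncation.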
Hello everyone,
I have spent the last two days trying to figure out why the stepFourteen_credDump.ps1 from APT29 does not work for me. The commands are executed as expected, but the output of the spawned PowerShell is never written to the "Win32_AuditCode" WMI class or an instance of it.
What I know so far:

- `Get-CimClass | Select-String "Win32_AuditCode"`
- `$EncodedText` is always null (`$EncodedText = Get-WmiObject -Class Win32_AuditCode -NameSpace "root\cimv2" | Select -ExpandProperty Result`)
- `Get-WmiObject -Class Win32_AuditCode` manually (part of the above command) returns nothing, i.e. no instance of the WMI class "Win32_AuditCode" exists

What I do not know:
Thanks for any tips or ideas in advance.
Additional info: