PowerLineTemplate Crashes

[echobb8]

When running the following command on Windows 10 x64, PowerLineTemplate crashes and "stops working":

PowerLine.exe Invoke-Mimikatz "Invoke-Mimikatz -Command \"\"sekurlsa::minidump lsass_dump_name.dmp\"\"sekurlsa::logonPasswords\"\""

[echobb8]

Ignore my previous comment. I wasn't running with sufficient privileges. That said, once I had sufficient privileges, this is the output of that command (see attachment). m.txt

[fullmetalcache]

Looks like you might be missing some back ticks and escaping in there. I'd suggest copying it from the UserConf.xml file for now.

Silly question, but did you run Out-Minidump first to dump the lsass process?

[echobb8]

Silly question, but did you run Out-Minidump first to dump the lsass process?

Yes, I did run this first.

Here's the output using the command from UserConf.xml:

mtest.txt

[echobb8]

Here's a screenshot of my cmd output.

[echobb8]

A little more info...

If I run the latter command with the default .dmp name, I see mimikatz loads properly.

If I run this same command, but change the name to the correct dmp file (lsass_760.dmp in my case), the result is blank.

[echobb8]

I took the same lsass dump file and ran it against standalone mimikatz and everything worked just fine, so not sure, but something isn't working right...

[fullmetalcache]

Are you on 32bit or 64bit Windows?

[echobb8]

Windows 10 x64

[fullmetalcache]

Ok cool, good to know. I hadn't tested it on Windows 10. I just tried and Mimikatz crashes if I run the command to dump from the file.

If I run just the Invoke-Mimikatz command, it runs but fails with the message below:

mimikatz(powershell) # sekurlsa::logonpasswords ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

I wonder if the PowerShell version hasn't been updated for Windows 10? When you said stand-alone mimikatz, do you mean the binary version?

Thanks again for all the feedback. This is great!

[echobb8]

PowerShell version is 5.1 on my lab here.

That error usually indicates you don't have sufficient permissions to access the lsass.exe process. I had to launch a cmd instance as SYSTEM via PSEXEC to get it to stop throwing that error.

That said, Mimikatz should work with at least local admin privileges if I recall correctly.

[echobb8]

Oh, and yes, I was referring to the binary version of Mimikatz

[echobb8]

Any update on Windows 10 performance?

[echobb8]

@fullmetalcache any update for Windows 10?