fullmetalcache
PowerLineTemplate Crashes
When running the following command on Windows 10 x64, PowerLineTemplate crashes and "stops working":
PowerLine.exe Invoke-Mimikatz "Invoke-Mimikatz -Command \""sekurlsa::minidump lsass_dump_name.dmp\" "sekurlsa::logonPasswords\"\""
Ignore my previous comment. I wasn't running with sufficient privileges. That said, once I had sufficient privileges, this is the output of that command (see attachment). m.txt
Looks like you might be missing some back ticks and escaping in there. I'd suggest copying it from the UserConf.xml file for now.
Silly question, but did you run Out-Minidump first to dump the lsass process?
Silly question, but did you run Out-Minidump first to dump the lsass process?
Yes, I did run this first.
Here's the output using the command from UserConf.xml:
A little more info...
If I run the latter command with the default .dmp name, I see mimikatz loads properly.
If I run this same command, but change the name to the correct dmp file (lsass_760.dmp in my case), the result is blank.
I took the same lsass dump file and ran it against standalone mimikatz and everything worked just fine, so not sure, but something isn't working right...
Ok cool, good to know. I hadn't tested it on Windows 10. I just tried and Mimikatz crashes if I run the command to dump from the file.
If I run just the Invoke-Mimikatz command, it runs but fails with the message below:
mimikatz(powershell) # sekurlsa::logonpasswords ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
I wonder if the PowerShell version hasn't been updated for Windows 10? When you said stand-alone mimikatz, do you mean the binary version?
Thanks again for all the feedback. This is great!
PowerShell version is 5.1 on my lab here.
That error usually indicates you don't have sufficient permissions to access the lsass.exe process. I had to launch a cmd instance as SYSTEM via PSEXEC to get it to stop throwing that error.
That said, Mimikatz should work with at least local admin privileges if I recall correctly.