Covenant
[Bug] Dev Branch: Mimikatz tasks failing to find decoy modules, not running.
Feature Request or Bug
Bug
Describe the feature request or bug
On the dev branch I cannot run any mimikatz-related tasks successfully; I receive "Failed to find suitable decoy module." errors.
To Reproduce
Steps to reproduce the behavior:
- Create an HTTP (no ssl) listener on port 80 with CustomHttpProfile preset.
- Create a GruntHTTP launcher (tested shellcode, binary, and PS). I have attempted both .Net 3.5 and .Net 4.0 grunts, same result.
- Launch Grunt, ensure high integrity, ensure simple commands like "WhoAmI" work as expected.
- Attempt to launch any mimikatz related tasks like "LogonPasswords", "Mimikatz token::elevate lsadump::sam" or "LsaSecrets" to verify that after a 30s-5min wait the task completes with the "Failed to find suitable decoy module." error.
Expected behavior
I expected credentials/secrets/sam stuff to be returned.
Covenant Server Information:
- OS: Tested on both Linux and Windows 10 Pro 19042.
- Docker or Native: I've tested both.
Browser Information:
- Browser: Firefox 78 and Chrome 89
Target Information (System that implant is running on):
- OS: Windows 10 Pro 19042 and 17763
Additional context
The master branch has no issues with this. I suspect this issue stems from the modifications made to SharpSploit.
I'm just helping to answer: after reading the source code, the cause of this issue is a NullOrEmpty decoy path, see https://github.com/cobbr/SharpSploit/blob/ec3e7999502c51e481915fd1f4b028d8c0ff3d5c/SharpSploit/Execution/ManualMap/Overload.cs#L133:
    public static string FindDecoyModule(long MinSize, bool LegitSigned = true)
    {
        // Candidate list: every DLL in %WINDIR%\System32
        string SystemDirectoryPath = Environment.GetEnvironmentVariable("WINDIR") + Path.DirectorySeparatorChar + "System32";
        List<string> files = new List<string>(Directory.GetFiles(SystemDirectoryPath, "*.dll"));
        // Drop any DLL that is already loaded in the current process
        foreach (ProcessModule Module in Process.GetCurrentProcess().Modules)
        {
            if (files.Any(s => s.Equals(Module.FileName, StringComparison.OrdinalIgnoreCase)))
            {
                files.RemoveAt(files.FindIndex(x => x.Equals(Module.FileName, StringComparison.OrdinalIgnoreCase)));
            }
        }
        // ... (the quoted excerpt ends here)
https://github.com/cobbr/SharpSploit/pull/51#issuecomment-645997049
CMIIW
I actually can't reproduce this, I wonder if it's specific to a certain Windows version?
Also receiving the same. System info:
ProductName : Windows Server 2019 Standard
EditionID : ServerStandard
ReleaseId : 1809
Build : 17763.1518
BuildBranch : rs5_release
CurrentMajorVersionNumber : 10
CurrentVersion : 6.3
Any other info I can provide that would be helpful? (There are no errors in the terminal that is running cov)
I got the same problem using DCSync
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Server
System Type: x64-based PC
Same Issue
Using Covenant Dev commit eb51840b1cb4d285393a3c661c1d72d08756ef4d
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.18363 N/A Build 18363
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Workstation
OS Build Type: Multiprocessor Free
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Works on this system with the same Covenant session:
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19041 N/A Build 19041
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
I've looked into this as I had the same problem. After adding some console output into SharpSploit's Overload.cs if-statements, I got the following result when running Mimikatz /command:"coffee":
- A lot of DLLs are found that fit the size requirement (file size > payload size) in C:\Windows\System32
- None of them are found to be signed (Misc.Utilities.FileHasValidSignature(currentCandidate) is false)
- Therefore, an empty string is returned, and the "Failed to find suitable decoy module" error is returned.
The weird thing is, Sysinternals' sigcheck.exe shows that the DLL (dui70.dll in this case) is signed. When checking the properties in Windows Explorer, no signing tab is visible. I did not find out why these differences occur.
As a temporary fix, I changed the default value of LegitSigned from true to false in Covenant/Data/ReferenceSourceLibraries/SharpSploit/SharpSploit/Execution/ManualMap/Overload.cs, line 23:
With this, a decoy module can be found:
The output in the Grunt window stems from these debugging changes:
The first suitable module is used and mimikatz successfully executes:
A better solution would, in my opinion, be to check all modules to see if they are signed, and if none is found, an unsigned one should be used. Maybe the user could be prompted or has to use an additional parameter to allow the use of unsigned modules.
Hope this helps, even though the issue is a bit older! :)
Pushed a temporary fix where Mimikatz does not require signed modules.
Thanks for the tip @jannlemm0913