trustedsec/CS-Situational-Awareness-BOF

Remote wmi receives access denied after using make_token

Octoberfest7 opened this issue · 2 comments

I have experienced an issue using the wmi_query as well as the tasklist BOF in which trying to use either BOF on a remote machine with a token created using make_token returns Access Denied.

In a beacon running as the user DA (a Domain Admin in the network), I am successfully able to use the wmi_query and tasklist BOFs remotely.

In a beacon running as SYSTEM, I use make_token with DA's creds. I am successfully able to use the created token, as demonstrated by doing a ls \dev-dc\c$ as well as using shell wmic ...

I am unable, however, to use wmi_query or tasklist remotely, receiving an Access Denied error. I'm running CobaltStrike version 4.7.2 and have confirmed this using the latest branch of CS-Situational-Awareness-BOF.

Tracked this down and got it fixed, thanks for the report!

Great, thanks so much for your work!