SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

Artifact variables not converted into final ps1 script #179

Closed oscarintherocks closed 1 year ago

oscarintherocks commented 2 years ago

Describe the bug

When you create a new test using artifacts and assigning a variable to them and then using this variable in the script configuration, if you click on preview you can see the converted value of the variable but after building the EXE file, the PS1 script generated inside the exe shows the variable name and not the converted value.

To Reproduce

Steps to reproduce the behavior:

  1. Add 2 new artifacts (In my case I'm using https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1 as one artifact and https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll as the second one)
  2. Edit or create a new test case, and assign both artifacts (In my example I'll be using this one https://atomicredteam.io/privilege-escalation/T1134.004/#atomic-test-1---parent-pid-spoofing-using-powershell)
  3. Click on Configure in Automation & Logging
  4. Assign a Variable name to each artifact (in my example: calc_dll2 and ppid_spoof2)
  5. Modify the script to use both artifact variables (script detail under steps)
  6. Click Preview to verify the variable names are converted to their values
  7. Save test case
  8. Build and download test case
  9. Execute the test (it will fail because of the artifact variables) and look at the "ART - Parent PID Spoofing using PowerShell.ps1" file, where the artifact variables are not converted

Script configuration

```powershell
. ".\#{ppid_spoof2}"
$ppid=Get-Process #{parent_process_name} | select -expand id
PPID-Spoof -ppid $ppid -spawnto "#{spawnto_process_path}" -dllpath ".\#{calc_dll2}"
```

Script preview mode

```powershell
. ".\PPID-Spoof.ps1"
$ppid=Get-Process explorer | select -expand id
PPID-Spoof -ppid $ppid -spawnto "C:\Program Files\Internet Explorer\iexplore.exe" -dllpath ".\calc.dll"
```

Final ps1 file contents

Standard variables are converted but not artifact variables

```powershell
. ".\#{ppid_spoof2}"
$ppid=Get-Process explorer | select -expand id
PPID-Spoof -ppid $ppid -spawnto "C:\Program Files\Internet Explorer\iexplore.exe" -dllpath ".\#{calc_dll2}"
```

Expected behavior

I expect all variables to be converted in the final script, as shown in the preview.


apscott commented 2 years ago

Thanks for reporting this bug. I am able to reproduce it and we will work on a fix for a future release.

oscarintherocks commented 2 years ago

After some tests, this only affects Windows test case creation, not Linux test cases, where the artifact variable is converted as expected.

doodleincode commented 1 year ago

This was fixed in ce-8.5.1. Sorry for the delay in updating this issue.
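
A pre-flight check for the symptom reported in this issue, as an added example that is not part of the thread or of VECTR's code: it scans a built script for `#{name}` placeholders that survived the build and compares the script with the expected rendering. The function names and the `VARIABLES` mapping are assumptions; the sample scripts are the ones quoted in the report.

```python
import re

# Placeholder syntax used in the script configuration above: #{name}
PLACEHOLDER = re.compile(r"#\{([A-Za-z0-9_]+)\}")

# Sample data copied from the report (script configuration and final ps1 contents).
TEMPLATE = r'''. ".\#{ppid_spoof2}"
$ppid=Get-Process #{parent_process_name} | select -expand id
PPID-Spoof -ppid $ppid -spawnto "#{spawnto_process_path}" -dllpath ".\#{calc_dll2}"
'''
BUILT = r'''. ".\#{ppid_spoof2}"
$ppid=Get-Process explorer | select -expand id
PPID-Spoof -ppid $ppid -spawnto "C:\Program Files\Internet Explorer\iexplore.exe" -dllpath ".\#{calc_dll2}"
'''
# Assumed mapping of variable names to values, inferred from the preview output.
VARIABLES = {
    "ppid_spoof2": "PPID-Spoof.ps1",
    "calc_dll2": "calc.dll",
    "parent_process_name": "explorer",
    "spawnto_process_path": r"C:\Program Files\Internet Explorer\iexplore.exe",
}

def render(template, variables):
    """Substitute every #{name} that has a value; unknown names are left intact."""
    return PLACEHOLDER.sub(lambda m: variables.get(m.group(1), m.group(0)), template)

def unresolved(script):
    """Return (line_number, variable_name) for each placeholder left in a script."""
    return [(n, m.group(1))
            for n, line in enumerate(script.splitlines(), 1)
            for m in PLACEHOLDER.finditer(line)]

def check_build(template, variables, built):
    """Compare a built script with its expected rendering and classify leftovers."""
    names = {name for _, name in unresolved(built)}
    return {
        "matches_preview": built.strip() == render(template, variables).strip(),
        # Has a value but was not replaced: a build-side problem, as in this issue.
        "not_substituted": sorted(n for n in names if n in variables),
        # No value defined at all: an authoring mistake in the test case.
        "undefined": sorted(n for n in names if n not in variables),
    }

if __name__ == "__main__":
    print(unresolved(BUILT))
    print(check_build(TEMPLATE, VARIABLES, BUILT))
```

Running the same check on a script built with a fixed release should report `matches_preview` as true and both lists empty.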