SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

Variable Runtime Override does not override variables in Automatic Execution with Powershell executor #204

Open chryzsh opened 1 year ago

chryzsh commented 1 year ago

Describe the bug

In automatic execution of test cases, when using the PowerShell executor, the Runtime Override of Variables does not apply. This only applies to the PowerShell executor, not inline PowerShell or cmd. That is because the PowerShell script that is generated includes the hardcoded values from the test case, and not the replaced variables, and thus won't be overridden by env vars when the automation binary calls "powershell.exe -file testcase.ps1". I guess a possible fix would be to override the variables with env vars in the string that is to be executed before it's written to the ps1 file.

To Reproduce

Steps to reproduce the behavior.

Preparation:

  1. Go to Assessments, select a Campaign and navigate to a Test Case.
  2. Click on Configure under Automation & Logging.
  3. Verify that the test case has an automation configuration, or create one. I used "Create a new user in PowerShell" from Atomic Red Team.
  4. Save.
  5. In the Test Case, click Build & Download. This will download a ZIP file containing the binary to be executed.
  6. Extract the zip file to a folder.

Execution:

  1. Open a PowerShell window and navigate to the folder containing the extracted content.
  2. Set the environment variable with either cmd type commands like set "VECTR_username=testuser" or the PowerShell equivalent $env:VECTR_username="testuser"
  3. Execute the test case automation binary.
  4. Inspect the PS1 file which is written to test and confirm it does not contain the environment variable, but the original variable from the test case configuration.

Expected behavior

I expected the command which is written to the PS1 file to contain the values replaced by environment variables I set in the PowerShell console window I ran the test from.

Screenshots

The first screenshot shows how the test case is configured, with the preview window indicating how the test will be executed and what will be written to the PS1 file. This is correct.

The second screenshot shows how the environment variable VECTR_command_to_execute is set in the PowerShell window, but is not written to the PS1 script when the automation binary is executed.

Additional context

Confirmed by Galen at SRA in the official Discord.
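
Step 4 of the reproduction as a reusable check, added here as an example and not part of the original issue or of VECTR: for each VECTR_* environment variable set in the session, it reports whether the override value appears in a given PS1 file. The function name Test-VectrOverride, the sample file name and the sample script line are hypothetical; point -ScriptPath at the PS1 file the automation binary actually wrote.

```powershell
# Added example (not VECTR code). Reports whether each VECTR_* override
# value from the current session is present in a PS1 file.
function Test-VectrOverride {
    [CmdletBinding()]
    param(
        # Assumption: path of the PS1 file written by the automation binary
        [Parameter(Mandatory)][string]$ScriptPath,
        # Optional: variable names without the VECTR_ prefix, e.g. 'username'
        [string[]]$Name
    )
    if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
        throw "Script not found: $ScriptPath"
    }
    # Cast so an empty file yields '' instead of $null
    $body = [string](Get-Content -LiteralPath $ScriptPath -Raw)

    # Default to every VECTR_* variable set in this session
    $vars = Get-ChildItem Env: | Where-Object { $_.Name -like 'VECTR_*' }
    if ($Name) {
        $wanted = $Name | ForEach-Object { "VECTR_$_" }
        $vars = $vars | Where-Object { $wanted -contains $_.Name }
    }
    foreach ($v in $vars) {
        # Literal, case-insensitive substring test. A very short override
        # value can match by coincidence, so use distinctive test values.
        $found = $body.IndexOf($v.Value, [StringComparison]::OrdinalIgnoreCase) -ge 0
        [pscustomobject]@{
            Variable = $v.Name
            Override = $v.Value
            InScript = $found
        }
    }
}

# Constructed sample: a stand-in for a generated PS1 that still carries the
# test case's hardcoded value. The file is only read, never executed.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'vectr-override-sample.ps1'
Set-Content -LiteralPath $sample -Value 'New-LocalUser -Name "default_user" -NoPassword'
$env:VECTR_username = 'testuser'

Test-VectrOverride -ScriptPath $sample -Name username | Format-Table -AutoSize

Remove-Item -LiteralPath $sample
```

A row with InScript set to False means the script still holds the value from the test case configuration, which is the behavior this issue reports.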

chryzsh commented 10 months ago

Hi. This issue is still hampering a lot of our automated campaign templates and we've had to hardcode quite a lot more than we would like to work around it. Could we please get an estimate on a fix, or some possible workarounds? We previously reported a similar issue with variables in automation that you fixed fairly quickly: https://github.com/SecurityRiskAdvisors/VECTR/issues/215