Closed mwtilton closed 1 year ago
@mwtilton Thanks so much for the detailed report! We recently noticed the Invoke-AtomicRedTeam project changed its logging mechanism slightly which caused an issue with the ATTiRe logger.
Can you verify in your log file that in the "output" section near the bottom, `content` is not a boolean value? This should always be some kind of String.
Additionally, `target.user` and `target.host` must be plain Strings and not objects. If there's a `{ 'json': 'object' }` inside either of those values instead of something like "testuser", it will cause import errors like you're seeing. This is typically the issue we've been seeing and correcting this should allow you to import your log file.
There's a PR open for the ATTiRe Import logger you could test. https://github.com/SecurityRiskAdvisors/invoke-atomic-attire-logger/pull/2/commits/4e982e1199bf34c3f2ac9706b80311339e4bbe72 We haven't completely tested it yet, but a fix like this will eventually be needed on the attire logger project to correct this.
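A pre-import check for the two faults described in the comment above, as an added example that is not code from the ATTiRe, VECTR or logger projects: it walks a log file's JSON and reports any `content` under `output` that is not a string, and any `target.user` or `target.host` that is not a plain string. The sample log is constructed, the names `find_type_errors` and `check_log_text` are hypothetical, and `output` is assumed to be a list of entries.

```python
import json

# Constructed sample (not from the issue): reproduces both faults described
# above, a boolean "content" and an object in place of the "user" string.
SAMPLE_LOG = """
{"target": {"user": {"json": "object"}, "host": "EXAMPLE-HOST"},
 "procedures": [{"steps": [{"output": [{"content": true},
                                       {"content": "task created"}]}]}]}
"""


def find_type_errors(node, path="$"):
    """Return (json_path, found_type) for every field that must be a string.

    Keys are matched at any depth: the nesting of the real log file is not
    shown in the issue, so no fixed layout is assumed. "output" is assumed
    to be a list of entries.
    """
    problems = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == "target" and isinstance(value, dict):
                for field in ("user", "host"):
                    if field in value and not isinstance(value[field], str):
                        problems.append((f"{here}.{field}", type(value[field]).__name__))
            if key == "output" and isinstance(value, list):
                for i, entry in enumerate(value):
                    content = entry.get("content", "") if isinstance(entry, dict) else ""
                    if not isinstance(content, str):
                        problems.append((f"{here}[{i}].content", type(content).__name__))
            problems.extend(find_type_errors(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            problems.extend(find_type_errors(item, f"{path}[{i}]"))
    return problems


def check_log_text(text):
    """Parse a log file's text and list the fields with the wrong type."""
    return find_type_errors(json.loads(text))


if __name__ == "__main__":
    for where, found in check_log_text(SAMPLE_LOG):
        print(f"{where}: expected string, found {found}")
```

To check a real file, pass its text to `check_log_text`; an empty list means neither of the two type faults is present.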
Ah I saw that but only read it as a `MIT` license issue for some reason; that is quite the PR from Redcanary. I will download the suggested logger `.psm1` update and see if I have any luck there. Should be able to test by early next week.
It looks like the `content` section was the problem.

```
"content": true,
```

`target.user`/`target.host` seem to have only string values in them

```
"target": {
  "user": "desktop-jeka8ic\\user",
  "host": "DESKTOP-JEKA8IC",
```
@mwtilton FYI - the last PR I mentioned had a slight bug in it. We've updated the powershell module in https://github.com/SecurityRiskAdvisors/invoke-atomic-attire-logger/ with changes to work with the latest version of Invoke-AtomicRedTeam. Give it a shot and let us know if it's working.
Going to close this since the bug was in another project.
@thebleucheese Looks like the latest `.psm1` file works! Thanks!
Describe the bug
I am attempting to run RedCanary's `Atomic RedTeam Tests` (ART) and output them to `ATTiRE` format and import them into `Vectr` for further analysis and collaboration.
To Reproduce
Based on the instructions in this Repository: https://github.com/SecurityRiskAdvisors/invoke-atomic-attire-logger https://github.com/redcanaryco/invoke-atomicredteam/wiki/Execute-Atomic-Tests-(Local)
I run one of these:
(`$PSDefaultParameterValues` are pre-configured, but figured I should place here for reference)

```powershell
Invoke-AtomicTest All -ExecutionLogPath ((Get-Date -UFormat %s) + ".json") -Verbose
```

(Or I can explicitly set the module and Test)

```powershell
Invoke-AtomicTest T1053.003 -LoggingModule "Attire-ExecutionLogger" -ExecutionLogPath ((Get-Date -UFormat %s) + ".json")
```
Either one of these will output a `.json` file that contains what looks like valid `procedures`
Based on the screenshots in this Repository: https://github.com/SecurityRiskAdvisors/ATTiRe

![attire1a.png](https://github.com/SecurityRiskAdvisors/ATTiRe/blob/main/media/attire1a.png?raw=true)

I attempt to upload the results from one of these `.json` files into a `campaign`. (Please note it is not immediately obvious if these output files are supposed to be imported as an `assessment`, `campaign` or a specific `test case` only.) I presume based on the second screenshot that these are meant for `campaign` assessment log files.
Steps to reproduce the behavior:
Campaign Dashboard
Assessment Actions
Import Log
UNSTRUCTURED LOG IMPORT NOT IMPLEMENTED IN THIS CODEPATH.
On the backend I see these errors:
I am not a Java coder but looks like it's either a validation of the file `schema version` or I am uploading this to the incorrect `import log` option.
Expected behavior
I expect to run the ART and import directly into the assessment.
Desktop Environment:
Windows 10 running `docker compose up` on `docker 4.18.0`
Firefox 112
8.8.0-ce
(latest release)