redcanaryco / atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK.
MIT License

Problem: T1202.yaml - no 'dependency_executor_name' parameter #2848

Closed ilya-shmel closed 1 month ago

ilya-shmel commented 3 months ago

What did you do?

Invoke-AtomicTest T1202 -ShowDetailsBrief

What did you expect to happen?

A list of Atomic tests for the 1202 tech.

What happened instead?

Get-AtomicTechnique : [C:\AtomicRedTeam\atomics\T1202\T1202.yaml][Atomic test name: Indirect Command Execution - Script
runner.exe] 'atomic_tests[3].dependency_executor_name': '' must be one of the following: command_prompt, sh, bash, powe
rshell, manual, aws, az, gcloud, kubectl.
At C:\Users\Administrator\Documents\WindowsPowerShell\Modules\Invoke-AtomicRedTeam\2.1.0\Public\Invoke-AtomicTest.ps1:3
43 char:71
+ ... aml) { $AtomicTechniqueHash = Get-AtomicTechnique -Path $pathToYaml }
+                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-AtomicTechnique


Your Environment

ilya-shmel commented 3 months ago

I've changed to dependency_executor_name: command_prompt

Result

Invoke-AtomicTest t1202 -ShowDetailsBrief
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Get-AtomicTechnique : [C:\AtomicRedTeam\atomics\T1202\T1202.yaml][Atomic test name: Indirect Command Execution - Script
runner.exe] If 'atomic_tests[3].dependency_executor_name' is defined, there must be at least one dependency defined.
At C:\Users\Administrator\Documents\WindowsPowerShell\Modules\Invoke-AtomicRedTeam\2.1.0\Public\Invoke-AtomicTest.ps1:3
43 char:71
+ ... aml) { $AtomicTechniqueHash = Get-AtomicTechnique -Path $pathToYaml }
+                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-AtomicTechnique

T1202-1 Indirect Command Execution - pcalua.exe
T1202-2 Indirect Command Execution - forfiles.exe
T1202-3 Indirect Command Execution - conhost.exe
T1202-4 Indirect Command Execution - Scriptrunner.exe

And I've set dependency_executor_name: powershell

Result

Invoke-AtomicTest t1202 -ShowDetailsBrief
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Get-AtomicTechnique : [C:\AtomicRedTeam\atomics\T1202\T1202.yaml][Atomic test name: Indirect Command Execution - Script
runner.exe] If 'atomic_tests[3].dependency_executor_name' is defined, there must be at least one dependency defined.
At C:\Users\Administrator\Documents\WindowsPowerShell\Modules\Invoke-AtomicRedTeam\2.1.0\Public\Invoke-AtomicTest.ps1:3
43 char:71
+ ... aml) { $AtomicTechniqueHash = Get-AtomicTechnique -Path $pathToYaml }
+                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-AtomicTechnique

T1202-1 Indirect Command Execution - pcalua.exe
T1202-2 Indirect Command Execution - forfiles.exe
T1202-3 Indirect Command Execution - conhost.exe
T1202-4 Indirect Command Execution - Scriptrunner.exe
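For reference, the two checks behind the messages above, as an added example (not code from the Invoke-AtomicRedTeam module or from T1202.yaml): a small Python validator over the parsed YAML, with constructed test entries covering the empty value, the executor-without-dependencies case, and two ways the entry becomes valid (drop the key, or declare a dependency). The field names inside the dependency entry are assumed from the atomic test schema.

```python
# Allowed executor names, in the order the first error message lists them.
ALLOWED_EXECUTORS = ("command_prompt", "sh", "bash", "powershell", "manual",
                     "aws", "az", "gcloud", "kubectl")


def validate_dependency_executor(atomic_tests):
    """Apply the two checks to each test of a parsed technique file and
    return the error strings, worded like the Get-AtomicTechnique output."""
    errors = []
    for i, test in enumerate(atomic_tests):
        key = f"atomic_tests[{i}].dependency_executor_name"
        if "dependency_executor_name" not in test:
            continue  # key absent: no executor rules apply
        name = test["dependency_executor_name"]
        # Rule 1: the value (even an empty string) must be a known executor.
        if name not in ALLOWED_EXECUTORS:
            errors.append(f"'{key}': '{name}' must be one of the following: "
                          f"{', '.join(ALLOWED_EXECUTORS)}.")
            continue
        # Rule 2: a declared executor needs at least one dependency to run.
        if not test.get("dependencies"):
            errors.append(f"If '{key}' is defined, there must be at least "
                          "one dependency defined.")
    return errors


def technique_with(fourth_test):
    """Constructed technique: three minimal passing tests plus the test under
    inspection at index 3, so messages match the 'atomic_tests[3]' above."""
    filler = [{"name": f"Indirect Command Execution - test {n}",
               "executor": {"name": "command_prompt"}} for n in range(3)]
    return filler + [fourth_test]


# Constructed entries for the states described in the issue (not T1202.yaml).
BROKEN_EMPTY = {"name": "Indirect Command Execution - Scriptrunner.exe",
                "executor": {"name": "command_prompt"},
                "dependency_executor_name": ""}
BROKEN_NO_DEPS = dict(BROKEN_EMPTY, dependency_executor_name="command_prompt")
# Fix A: drop the key entirely when the test has no prerequisites.
FIXED_REMOVED = {k: v for k, v in BROKEN_EMPTY.items()
                 if k != "dependency_executor_name"}
# Fix B: keep the executor and declare a dependency for it to check
# (dependency field names are assumed from the atomic test schema).
FIXED_WITH_DEPS = dict(BROKEN_NO_DEPS, dependencies=[
    {"description": "ScriptRunner.exe must be present",
     "prereq_command": "where ScriptRunner.exe"}])

if __name__ == "__main__":
    for label, t in [("empty", BROKEN_EMPTY), ("no deps", BROKEN_NO_DEPS),
                     ("removed", FIXED_REMOVED), ("with deps", FIXED_WITH_DEPS)]:
        print(label, validate_dependency_executor(technique_with(t)) or "OK")
```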

github-actions[bot] commented 2 months ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

ilya-shmel commented 2 months ago

Any thoughts?

github-actions[bot] commented 1 month ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] commented 1 month ago

This issue was closed because it has been stalled for 5 days with no activity.