redcanaryco / invoke-atomicredteam

Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the [atomics folder](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics) of Red Canary's Atomic Red Team project.
MIT License

The PowerShell framework should be updated to escape double quotes before it wraps the command. #23

Closed chuckixia closed 3 years ago

chuckixia commented 4 years ago

There is a problem running https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.yaml on MacOS Catalina. The file is not dropped in /tmp and the output looks incorrect.

Testing the bash command in isolation yields the correct result, so it appears to be caused by the wrapping framework.

    Invoke-AtomicTest T1059 -TestNumbers 1
    PathToAtomicsFolder = /Users/Chuck/AtomicRedTeam/atomics

    Executing test: T1059-1 Command-Line Interface
    curl: try 'curl --help' or 'curl --manual' for more information

The curl line (which suggests that options aren't being passed correctly) disappears, with the following output when it returns to the prompt:

    PS /Users/Chuck/github/atomic-red-team> Invoke-AtomicTest T1059 -TestNumbers 1
    PathToAtomicsFolder = /Users/Chuck/AtomicRedTeam/atomics

    Executing test: T1059-1 Command-Line Interface
    Done executing test: T1059-1 Command-Line Interface
    PS /Users/Chuck/github/atomic-red-team>
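The quoting failure this issue describes, reproduced in plain sh as an added example (not code from Invoke-AtomicRedTeam): it assumes the module builds the string `sh -c "<command>"` and hands it to a shell, which the symptoms suggest but the thread does not show, and `escape_dq` is a hypothetical helper standing in for the fix the title asks for.

```shell
# Added example, not part of Invoke-AtomicRedTeam. Assumes the framework
# builds  sh -c "<command>"  and hands that string to a shell.

# Naive wrapper: the inner command is dropped between double quotes as-is.
wrap_naive() {
    printf 'sh -c "%s"' "$1"
}

# Hypothetical helper: escape the characters that are special inside a
# double-quoted sh string (backslash, double quote, dollar sign, backtick).
escape_dq() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/\$/\\$/g' -e 's/`/\\`/g'
}

# Fixed wrapper: escape first, then wrap.
wrap_escaped() {
    printf 'sh -c "%s"' "$(escape_dq "$1")"
}

# Stand-in for the framework handing the wrapped string to a shell.
run_wrapped() {
    eval "$1"
}

# Constructed inner command containing double quotes, as a curl call with a
# quoted URL or header would.
inner='echo "two words"'

# Naive wrapping: the embedded quotes close the outer string, so sh -c
# receives 'echo two' plus a stray argument and prints only: two
run_wrapped "$(wrap_naive "$inner")"

# Escaped wrapping keeps the quotes intact and prints: two words
run_wrapped "$(wrap_escaped "$inner")"
```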