Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the [atomics folder](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics) of Red Canary's Atomic Red Team project.
Invoke-WebRequestVerifyHash: add explicit support for TLS 1.1 & 1.2 #30
Invoke-AtomicTest T1003 -TestNumbers 3 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
GetPrereq's for: T1003-3 Windows Credential Editor
Attempting to satisfy prereq: Windows Credential Editor must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1003\bin\wce.exe)
Exception calling "OpenRead" with "1" argument(s): "The underlying connection was closed: An
unexpected error occurred on a send."
At line:6 char:9
+ (New-Object System.Net.WebClient).OpenRead($url).copyto($ms)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException
File hash mismatch, expected: 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933, actual: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
Failed to meet prereq: Windows Credential Editor must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1003\bin\wce.exe)
Some .NET versions used even by modern PowerShell on Win10 do not enable TLS 1.2 (or 1.1) by default, which makes requests to strict servers fail. For example, to this URL: https://github.com/redcanaryco/atomic-red-team/blob/14905c7a1618fe52bc0973ac575949ab4f9c2d67/atomics/T1003/T1003.yaml#L103
The error appears to be caused by a wrong hash, but if we look closely it is actually due to "The underlying connection was closed: An unexpected error occurred on a send.", which happens when TLS negotiation fails.
Many online examples set TLS 1.2 explicitly, but that prevents future evolution, so I used this StackOverflow answer to just add 1.1 and 1.2, and it works fine now!
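The fix the PR describes, written out as an added example (this is not the project's Invoke-WebRequestVerifyHash nor any other code from the repository; the function names, parameters and the zero-byte check are my own assumptions). It ORs TLS 1.1/1.2 into the existing protocol set instead of overwriting it, and reports a transport failure separately so it is not mistaken for a hash mismatch against the SHA256 of an empty download:

```powershell
# Added example, not code from the Invoke-AtomicRedTeam project.
function Enable-ModernTls {
    # -bor adds protocols to whatever the host already allows instead of replacing
    # the set, so a runtime that later enables TLS 1.3 keeps it. The Tls11/Tls12
    # enum members exist only on .NET 4.5 and later. TLS 1.1 is deprecated; drop
    # it once every server you need to reach speaks 1.2.
    $wanted = [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12
    [Net.ServicePointManager]::SecurityProtocol =
        [Net.ServicePointManager]::SecurityProtocol -bor $wanted
}

# Hypothetical helper: download $Url into memory, verify SHA256, then write $OutFile.
function Invoke-DownloadVerifyHash {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [Parameter(Mandatory)][string]$OutFile
    )
    Enable-ModernTls
    $ms = New-Object System.IO.MemoryStream
    try {
        (New-Object System.Net.WebClient).OpenRead($Url).CopyTo($ms)
    } catch {
        # Surface the transport error itself. Without this, $ms stays empty and the
        # only visible symptom is a "mismatch" against E3B0C442..., the SHA256 of
        # zero bytes, exactly the misleading output quoted above.
        throw "Download failed before any bytes arrived (TLS negotiation?): $($_.Exception.Message)"
    }
    $bytes = $ms.ToArray()
    if ($bytes.Length -eq 0) { throw "Download returned zero bytes for $Url" }

    $sha = [System.Security.Cryptography.SHA256]::Create()
    $actual = ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    if ($actual -ne $ExpectedSha256.ToUpper()) {
        throw "File hash mismatch, expected: $ExpectedSha256, actual: $actual"
    }
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)
    return $OutFile
}
```

Checking `[Net.ServicePointManager]::SecurityProtocol` before and after calling Enable-ModernTls shows whether the host had TLS 1.2 enabled to begin with, which is the quickest way to confirm this diagnosis on a given machine.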