redcanaryco / invoke-atomicredteam

Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the [atomics folder](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics) of Red Canary's Atomic Red Team project.
MIT License

Invoke-AtomicTest -GetPrereqs: always check for elevation status #31

Closed cnotin closed 4 years ago

cnotin commented 4 years ago

Invoke-AtomicTest -GetPrereqs will warn you if elevation is required but not provided (see last line):

```
user> Invoke-AtomicTest T1003 -TestNumbers 5 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1003-5 Dump LSASS.exe Memory using ProcDump
Attempting to satisfy prereq: ProcDump tool from Sysinternals must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1003\bin\procdump.exe)
Prereq already met: ProcDump tool from Sysinternals must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1003\bin\procdump.exe)
Elevation required but not provided
```

However, it fails to do so for other tests that also require it:

```
user> Invoke-AtomicTest T1003 -TestNumbers 4 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1003-4 Registry dump of SAM, creds, and secrets
No Preqs Defined
```

The reason is that this last test doesn't have any prerequisites, so the -GetPrereqs function returns immediately, whereas the check for elevation status is at its end. Therefore, I suggest moving the elevation check to the beginning of the -GetPrereqs code to ensure we always get the warning.

Here is the result with the patch:

```
PS C:\Users\user> Invoke-AtomicTest T1003 -TestNumbers 4 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1003-4 Registry dump of SAM, creds, and secrets
Elevation required but not provided
No Preqs Defined
PS C:\Users\user> Invoke-AtomicTest T1003 -TestNumbers 5 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1003-5 Dump LSASS.exe Memory using ProcDump
Elevation required but not provided
Attempting to satisfy prereq: ProcDump tool from Sysinternals must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1003\bin\procdump.exe)
Prereq already met: ProcDump tool from Sysinternals must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1003\bin\procdump.exe)
```

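The ordering bug described above, shown in a small added PowerShell sketch that is not the module's own code: a hypothetical `Invoke-GetPrereqsDemo` runs over constructed test objects modelled on T1003-4 (no dependencies) and T1003-5 (one dependency), with the elevation check placed before the early return so the warning is never skipped.

```powershell
# Added example, not code from invoke-atomicredteam. Test objects below are constructed.
function Test-IsElevated {
    # Standard elevation check: is the current token in the local Administrators role?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-GetPrereqsDemo {
    param([Parameter(Mandatory)] $Test)

    Write-Host "GetPrereq's for: $($Test.Id) $($Test.Name)"

    # FIX: warn about elevation first. In the pre-patch ordering this check sat after
    # the dependency loop, so the early return below silently skipped it.
    if ($Test.ElevationRequired -and -not (Test-IsElevated)) {
        Write-Host "Elevation required but not provided" -ForegroundColor Yellow
    }

    if (-not $Test.Dependencies) {
        Write-Host "No Preqs Defined"
        return      # early return that used to bypass the elevation warning
    }

    foreach ($dep in $Test.Dependencies) {
        Write-Host "Attempting to satisfy prereq: $($dep.Description)"
        if (& $dep.Check) { Write-Host "Prereq already met: $($dep.Description)" }
        else              { Write-Host "Prereq NOT met: $($dep.Description)" -ForegroundColor Red }
    }
}

# Constructed sample tests mirroring the two cases in the PR (paths taken from the PR output).
$procdump = 'C:\AtomicRedTeam\atomics\T1003\bin\procdump.exe'
$t1003_4 = [pscustomobject]@{
    Id = 'T1003-4'; Name = 'Registry dump of SAM, creds, and secrets'
    ElevationRequired = $true; Dependencies = @()
}
$t1003_5 = [pscustomobject]@{
    Id = 'T1003-5'; Name = 'Dump LSASS.exe Memory using ProcDump'
    ElevationRequired = $true
    Dependencies = @(@{
        Description = "ProcDump tool from Sysinternals must exist on disk at specified location ($procdump)"
        Check       = { Test-Path $procdump }   # only checks presence; never downloads or runs it
    })
}

Invoke-GetPrereqsDemo -Test $t1003_4   # warning now precedes "No Preqs Defined"
Invoke-GetPrereqsDemo -Test $t1003_5   # warning now precedes the dependency output
```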
mgraeber-rc commented 4 years ago

This change makes sense. Thanks for the fix and all the context you supplied in the PR!

cnotin commented 4 years ago

Glad you liked it :)