redcanaryco / invoke-atomicredteam

Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the [atomics folder](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics) of Red Canary's Atomic Red Team project.
MIT License
818 stars 194 forks

Suggestion: invoke cmd.exe/powershell.exe and run commands interactively instead of passing them on command line #36

Closed cnotin closed 1 year ago

cnotin commented 4 years ago

When Invoke-AtomicRedTeam needs to execute a command with cmd.exe or powershell.exe, their binaries are called and the commands are passed on the command line, for example:

cmd.exe /C net user "domain admins"...
powershell.exe -c iex(new-object net.webclient).downloadstring('...

From a detection standpoint, some security solutions might detect it because they see a suspicious command on the command line of the cmd.exe/powershell.exe process, whereas I consider it to be an artifact of how the test is launched instead of what we want to detect. For example, it would not be the same if those commands were run in an interactive cmd/powershell console!

Here for example we want to detect user "domain admins" in the command line of net1.exe and the iex(new-object... PowerShell command itself.

Therefore, I suggest changing the way commands are passed to cmd.exe/powershell.exe. I don't have a very specific solution in mind, but I think something that would open these as consoles without any command line, then injecting commands for execution once open. Obviously we could inject keystrokes but that might trigger some products and that would be an undesired artifact too. What do you think? Maybe you have an idea?

xenoscr commented 2 years ago

@cnotin did you have a preference for how this would be done? I can think of two ways, for Windows-based systems, that could accomplish this without doing more intrusive things, like process injection.

One would be to use something like SendKeys to simulate a user typing into a window. This would require that the cmd/powershell be running in a way that it can be given focus for the keystrokes to be entered. I have done this before to simulate "hands on keyboard" type activity. To get output, I've also used keys to select and copy the console contents.

The second method would be to use named pipes to redirect input and output from the console associated with the cmd or powershell window. This would be similar to what some malware and offsec tools do now.

My worry with doing either of these would be that both methods are going to introduce additional procedures that could cloud or overshadow the Atomic test you are running. Happy to hear the thoughts of others.

cnotin commented 1 year ago

Thanks for replying to this open discussion! I didn't have a specific method except keystroke injections as I mentioned and you suggested too. Another solution would be to put the commands in .bat/.ps1 files, because with standard AVs it was better to go fileless, but with EDRs, the trend is the opposite and in some cases it's better to use a file than an explicit command line.

I agree that all of these execution methods may look bad and get detected by themselves, instead of the actual technique we want to emulate. But this caveat is already a problem sometimes as I described.

Happy to discuss more!
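As an added example (not code from this issue or from Invoke-AtomicRedTeam), the snippet below shows one way to implement two of the approaches discussed: the second method xenoscr describes (feeding the command through the console's redirected standard input, so cmd.exe/powershell.exe start with an empty command line) and the script-file variant cnotin mentions (the command line carries only a path to a temporary .ps1). It assumes Windows PowerShell with .NET's System.Diagnostics.Process available; the function names and the sample command are made up for illustration.

```powershell
# Added example, not part of Invoke-AtomicRedTeam.
# Method 1: start the shell with NO arguments and "type" the command into its
# redirected stdin, the way an interactive user would. The shell process's own
# command line stays empty; only the child it spawns (e.g. net.exe/net1.exe)
# carries the arguments the test actually wants to be detected.
function Invoke-ViaConsoleStdin {
    param(
        [Parameter(Mandatory)][ValidateSet('cmd', 'powershell')][string]$Shell,
        [Parameter(Mandatory)][string]$Command,
        [int]$TimeoutSeconds = 60
    )

    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName  = "$Shell.exe"   # executable name only, no -c / /C payload
    $psi.Arguments = ''
    $psi.UseShellExecute        = $false
    $psi.RedirectStandardInput  = $true
    $psi.RedirectStandardOutput = $true
    $psi.RedirectStandardError  = $true
    $psi.CreateNoWindow         = $true

    $proc = [System.Diagnostics.Process]::Start($psi)

    # Both cmd.exe and powershell.exe read commands line by line from a
    # redirected stdin when started without a command argument.
    $proc.StandardInput.WriteLine($Command)
    $proc.StandardInput.WriteLine('exit')
    $proc.StandardInput.Close()

    # Drain both pipes asynchronously before waiting, otherwise a chatty child
    # can fill the pipe buffer and deadlock against WaitForExit.
    $stdoutTask = $proc.StandardOutput.ReadToEndAsync()
    $stderrTask = $proc.StandardError.ReadToEndAsync()
    if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
        $proc.Kill()
        throw "$Shell.exe did not exit within $TimeoutSeconds seconds"
    }

    [pscustomobject]@{
        ExitCode = $proc.ExitCode
        StdOut   = $stdoutTask.Result
        StdErr   = $stderrTask.Result
    }
}

# Method 2: write the command to a temporary .ps1 and execute the file.
# The powershell.exe command line then contains a path rather than the
# command text itself.
function Invoke-ViaScriptFile {
    param([Parameter(Mandatory)][string]$Command)

    $path = Join-Path $env:TEMP ('art-{0}.ps1' -f [guid]::NewGuid())
    Set-Content -Path $path -Value $Command -Encoding ASCII
    try {
        # -ExecutionPolicy Bypass is needed on hosts with a restrictive policy,
        # but note that this flag is itself a common detection signal.
        & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $path
    }
    finally {
        Remove-Item -Path $path -Force -ErrorAction SilentlyContinue
    }
}

# Usage (hypothetical, benign command): the cmd.exe process is created with an
# empty command line; the spawned net.exe/net1.exe carries "user".
$result = Invoke-ViaConsoleStdin -Shell cmd -Command 'net user'
$result.StdOut
```

Two caveats a practitioner should keep in mind when judging what a sensor reports: the parent process in Method 1 is still the PowerShell host running the test (so parent/child lineage, not the command line, is the artifact that remains), and in Method 2 the file write, the temporary path and the execution-policy flag are all observable events of their own, which is the "additional procedures that could cloud the test" concern raised above.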

clr2of8 commented 1 year ago

I agree there isn't one solution that solves all of the problems. Closing this for now but will still have it in the history for reference. Thank you