redcanaryco / invoke-atomicredteam

Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the [atomics folder](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics) of Red Canary's Atomic Red Team project.
MIT License
818 stars 194 forks

Invoke Atomic RedTeam -GetPreReq Issue #46

Closed. aldo1901 closed this 2 years ago

aldo1901 commented 3 years ago

I know the initial recommendation is to use your own repo, but for testing purposes I left it as is for simplicity. While testing T1546.010 I found something. I do not know if this is "an" issue or a me thing. My current setup is running remotely via PSSession from Linux to Windows.

While using Invoke-AtomicTest T1546.010 -Session $sess -GetPrereqs I see that the reg and dll files get downloaded to the remote Windows box, but all of them have length of zero. As an example, if I run Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg" -OutFile T1546.010.reg on the local Windows system, that pulls the right length.

The only way it seems I can pull the file remotely using the remote sessions method is using:

Invoke-Command -Session $sess -ScriptBlock {Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg" -OutFile C:\Users\atomic\AppData\Local\Temp\AtomicRedTeam\T1546.010\src\T1546.010.reg}

Figured I would ask.

Thank You

clr2of8 commented 3 years ago

The default outfile for that test is "PathToAtomicsFolder\T1546.010\src\T1546.010.reg", and PathToAtomicsFolder is substituted with %temp% when executing on a remote machine. Can you check %temp%\T1546.010\src\T1546.010.reg for that file on the remote?

aldo1901 commented 3 years ago

Yep sorry. That is where I was saying the files get downloaded to with 0 KB. I'm executing these tests with systems side by side and that is how I noticed.

clr2of8 commented 3 years ago

OK thank you. I can have a look end of next week and see what's up.

aldo1901 commented 3 years ago

Awesome Thank You.

davehull-rc commented 3 years ago

I thought I'd try tackling this bug. Heh. I can repro it, kind of. I get the reg files written successfully, or I did initially. The dll writes to C:\Tools\ fail for me, I don't even get 0 length files there. What's frustrating me currently is when I run

Invoke-AtomicTest T1546.010 -Session $session -ShowDetails -GetPrereqs -Verbose

I'm no longer even getting the writes to $Env:temp.

I'm wondering if pwsh is doing some kind of caching. I'm going to keep experimenting.

davehull-rc commented 3 years ago

Digging on this a bit more. Here's what I found in my PowerShell/Operational log:

Error Message = The request was aborted: Could not create SSL/TLS secure channel.
Fully Qualified Error ID = WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Context:
        Severity = Warning
        Host Name = ConsoleHost
        Host Version = 5.1.17134.858
        Host ID = f617290e-2229-4127-abda-de0d2c3b81d2
        Host Application = C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe & {New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010x86.dll" -OutFile C:\Tools\T1546.010x86.dll}
        Engine Version = 5.1.17134.858
        Runspace ID = 235d085d-59da-4409-9051-d893b98983c8
        Pipeline ID = 1
        Command Name = Invoke-WebRequest
        Command Type = Cmdlet
        Script Name = 
        Command Path = 
        Sequence Number = 30
        User = WIN10\davehull
        Connected User = 
        Shell ID = Microsoft.PowerShell

User Data:

This preceded it in the logs, and this command was successful; this may be useful:

Creating Scriptblock text (1 of 1):
{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory (split-path C:\WINDOWS\TEMP\AtomicRedTeam\T1546.010\src\T1546.010.reg) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg" -OutFile "C:\WINDOWS\TEMP\AtomicRedTeam\T1546.010\src\T1546.010.reg"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010-cleanup.reg" -OutFile "C:\WINDOWS\TEMP\AtomicRedTeam\T1546.010\src\T1546.010-cleanup.reg"}

ScriptBlock ID: c64d4ec5-8b09-4866-8d40-23dd32cb26c1
Path: 

I'll look at the code and see where this is being called, `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12`; perhaps there's a fix related to that line of code.

blueteam0ps commented 3 years ago

@davehull-rc - Can we please update the https://github.com/redcanaryco/invoke-atomicredteam/wiki/Import-the-Module documentation and get users to add the following to the PowerShell Profile? This will fix the recurring issue with the IEX and Invoke-WebRequest segments of the code.

clr2of8 commented 3 years ago

Could you try these registry settings and see if it resolves your issue? Since you are running the commands on a remote machine through a PS Session, I think you would have to make these changes on the remote machine. As described here. This assumes you are having the issue because you are using .NET 4.0.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
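The two fixes discussed in this thread (the session-scoped `SecurityProtocol` assignment davehull-rc found in the operational log, and the machine-wide `SchUseStrongCrypto` registry values above) can be checked and applied from the Linux client through the same PSSession. The following is an added example written for this page; it is not code from the invoke-atomicredteam project or from any participant. It assumes `$sess` is an already-open PSSession to the Windows target and that the target runs Windows PowerShell 5.1 on .NET Framework 4.x, as in the log excerpt; the URL and the `%temp%\AtomicRedTeam\...` destination are the ones from the thread.

```powershell
# Added example (not from the invoke-atomicredteam project): diagnose and fix the
# "Could not create SSL/TLS secure channel" failure seen when Invoke-WebRequest
# runs inside a remote PSSession on Windows PowerShell 5.1 / .NET Framework 4.x.
# Assumption: $sess is an open PSSession to the Windows target.

$Url     = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg'
$RelPath = 'AtomicRedTeam\T1546.010\src\T1546.010.reg'   # resolved under %temp% on the remote

# 1. Inspect what the remote .NET runtime will offer. On a stock .NET 4.0 runtime
#    this reports "Ssl3, Tls" (no Tls12), which GitHub's TLS endpoint rejects.
Invoke-Command -Session $sess -ScriptBlock {
    [PSCustomObject]@{
        PSVersion        = $PSVersionTable.PSVersion.ToString()
        SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol.ToString()
    }
}

# 2. Session-scoped fix: enable TLS 1.2 inside the same scriptblock that downloads.
#    ServicePointManager state lives in the remote runspace's process, so setting it
#    on the client side does nothing for the remote request.
$result = Invoke-Command -Session $sess -ArgumentList $Url, $RelPath -ScriptBlock {
    param($Url, $RelPath)
    [Net.ServicePointManager]::SecurityProtocol =
        [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

    $Dest = Join-Path $env:TEMP $RelPath                   # remote %temp%, as in the thread
    New-Item -ItemType Directory -Path (Split-Path $Dest) -Force | Out-Null
    try {
        Invoke-WebRequest -Uri $Url -OutFile $Dest -UseBasicParsing -ErrorAction Stop
    } catch {
        # Surface the real error instead of leaving a zero-length file behind.
        Remove-Item -Path $Dest -ErrorAction SilentlyContinue
        throw
    }
    Get-Item -Path $Dest | Select-Object FullName, Length
}
$result
if ($result.Length -eq 0) { throw "Download produced a zero-length file: $($result.FullName)" }

# 3. Machine-wide fix: the SchUseStrongCrypto values from the comment above, applied
#    on the remote host. Needs an elevated session; new processes pick it up, so an
#    existing PSSession must be re-created before it benefits.
Invoke-Command -Session $sess -ScriptBlock {
    $keys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($key in $keys) {
        if (Test-Path -Path $key) {
            New-ItemProperty -Path $key -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
    # Read back to confirm the value landed.
    Get-ItemProperty -Path $keys[0] -Name SchUseStrongCrypto | Select-Object SchUseStrongCrypto
}
```

Step 1 is the useful diagnostic: if `Tls12` is already in the reported set, the zero-length files have some other cause and the TLS fixes in this thread will not help. Step 2 is what the atomic tests' own `SecurityProtocol` line does per scriptblock; step 3 makes it the default for every .NET 4.x process on the host, which is the right choice for a lab box that will run many atomics.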

clr2of8 commented 2 years ago

This security protocol line was added to the atomic tests themselves, so we haven't seen this issue in a while, but I like the idea of adding it to the invoke framework too if needed in the future.