redcanaryco / invoke-atomicredteam

Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the [atomics folder](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics) of Red Canary's Atomic Red Team project.
MIT License

Test-Path : A positional parameter cannot be found that accepts argument 'Files\This'. #66

Closed julianwieg closed 3 years ago

julianwieg commented 3 years ago

Hello experts, yes my powershell game is weak. I get the following path errors and I am a bit stumped.

It looks like the whitespace between program files && Some Path Notification Tools causes the issue but I am not sure.

EDITS: sorry was trying to make the code block easy to read


```
PS H:\> Invoke-AtomicTest T1003.001 -CheckPrereqs
PathToAtomicsFolder = C:\Program Files\Some Path Notification Tools\atomics
CheckPrereq's for: T1003.001-1 Windows Credential Editor
Prerequisites met: T1003.001-1 Windows Credential Editor
Test-Path : A positional parameter cannot be found that accepts argument 'Files\Some'.
At line:1 char:8
+ & {if (Test-Path C:\Program Files\Some Path Notification Tools\ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo: InvalidArgument: (:) [Test-Path], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.TestPathCommand
CheckPrereq's for: T1003.001-2 Dump LSASS.exe Memory using ProcDump
Prerequisites met: T1003.001-2 Dump LSASS.exe Memory using ProcDump
Test-Path : A positional parameter cannot be found that accepts argument  ETC same error
```

clr2of8 commented 3 years ago

Hi Julian, it does look like the execution framework doesn't handle spaces in the path at that location. I'll try to get that corrected in the next day or so. Thx for reporting.

julianwieg commented 3 years ago

fyi when running a test the path issue is also present

```
Done executing test: T1003.001-1 Windows Credential Editor
'C:\Program' is not recognized as an internal or external command, operable program or batch file.
PS H:\>
```

clr2of8 commented 3 years ago

It looks like this is a problem with the individual atomics and not the Invoke-AtomicRedTeam framework itself. We just need some double quotes around the paths in the atomic test yaml files. You could make those edits yourself and submit as a PR (see here) or submit an issue over on the Atomic Red Team repo here. Thanks!
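
One way to find the atomics that need the double quotes mentioned above, as an added example that is not part of the original thread or of Invoke-AtomicRedTeam: a small PowerShell check that flags lines where the `PathToAtomicsFolder` token sits outside double quotes. The function names, the `T0000` folder and the sample command lines are constructed for illustration.

```powershell
# Added example, not project code.
# Simplification: only double quotes are tracked; escaped quotes are not handled.
function Test-TokenQuoted {
    param(
        [Parameter(Mandatory)][string]$Line,
        [string]$Token = 'PathToAtomicsFolder'
    )
    $idx = $Line.IndexOf($Token)
    while ($idx -ge 0) {
        # An even number of double quotes before the token means it is outside quotes,
        # so a folder path containing spaces would be split into several arguments.
        $quotes = [regex]::Matches($Line.Substring(0, $idx), '"').Count
        if ($quotes % 2 -eq 0) { return $false }
        $idx = $Line.IndexOf($Token, $idx + $Token.Length)
    }
    return $true
}

# Scan every YAML file under an atomics folder and list the unquoted uses.
function Find-UnquotedAtomicsPath {
    param([Parameter(Mandatory)][string]$AtomicsFolder)
    Get-ChildItem -LiteralPath $AtomicsFolder -Recurse -Filter '*.yaml' |
        Select-String -Pattern 'PathToAtomicsFolder' -SimpleMatch |
        Where-Object { -not (Test-TokenQuoted -Line $_.Line) } |
        Select-Object Path, LineNumber, Line
}

# Constructed sample lines (hypothetical T0000 test folder and tool.exe).
$sample = @(
    'if (Test-Path PathToAtomicsFolder\T0000\bin\tool.exe) {exit 0} else {exit 1}',
    'if (Test-Path "PathToAtomicsFolder\T0000\bin\tool.exe") {exit 0} else {exit 1}',
    'PathToAtomicsFolder\T0000\bin\tool.exe /?',
    '"PathToAtomicsFolder\T0000\bin\tool.exe" /?'
)
foreach ($line in $sample) {
    [pscustomobject]@{ Quoted = Test-TokenQuoted -Line $line; Line = $line }
}
```

The first and third sample lines reproduce the two failures reported in this issue (the `Test-Path` binding error and `'C:\Program' is not recognized`). Treat each hit from `Find-UnquotedAtomicsPath` as a candidate for review, since a path defined unquoted can still be safe if it is quoted where it is used.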