redcanaryco / invoke-atomicredteam

Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the [atomics folder](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics) of Red Canary's Atomic Red Team project.
MIT License

Invoke-ExecuteCommand: Issue with backslashes being escaped #91

Closed danf42 closed 1 year ago

danf42 commented 2 years ago

The backslash at the end of the find command that contains `-exec` is incorrectly being escaped.

For example, the command for atomic-test T1552.004-3 is `find #{search_path} -name id_rsa -exec cp --parents {} #{output_folder} \;`. After it is escaped the command becomes `find / -name id_rsa -exec cp --parents {} /tmp/art-staging \\;`. An extra backslash is added, causing the following error when executed: `find: missing argument to -exec`.

Found that this escaping scheme is causing issues for other tests as well: T1552.004-4 and T1217.

Updating the command to remove the backslash escaping does resolve the errors with the find commands. From:

```powershell
$finalCommand = $finalCommand -replace "[\\`"]", "`\$&"
```

To:

```powershell
$finalCommand = $finalCommand -replace "[`"]", "`\$&"
```

It looks like that fix was proposed in PR #24 but was later enhanced to the current code submitted in PR #33.

Saw that the escape logic was removed from the command_prompt executor block. Attempted to remove the line from the bash/sh logic block, but it broke atomic-test T1083-4.

clr2of8 commented 1 year ago

Thank you for the PR to fix!