Problem: Remote GetPreq Command Failure #2879

Open
jj-cmyk opened this issue Jul 25, 2024 · 4 comments

jj-cmyk commented Jul 25, 2024

What did you do?

Attempting to remotely run atomic tests, specifically for the -GetPrereqs command, which fails.

Invoke-AtomicTest T1567.002-1 -Session $artws -GetPrereqs -TimeoutSeconds 180
Tried with other atomic tests for the GetPrereqs command

What did you expect to happen?

Expected pre-requisites to be successfully met on target host.

What happened instead?

Please see attachment.
(https://github.com/user-attachments/assets/062cb597-961f-4276-a3be-d43ac71eaccc)

Your Environment

Windows Server 2019
Tried with Elevated prompt
Tried various atomic tests that have pre-requisite

@cyberbuff
Collaborator

Hello @jj-cmyk. I ran this on a Win11Pro machine and this seems to work fine.

Can you provide me the versions of powershell-yaml and invoke-atomicredteam you are using?
You can find those by running the following command:

 Get-Module invoke-atomicredteam, powershell-yaml


robertstrom commented Aug 3, 2024

One thing that I have found with elevated prompts is that they do not seem to inherit the PowerShell profile. If you put something like this into your profile

Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\AtomicRedTeam\atomics"}

# Add this line to ensure that all future PowerShell sessions use TLSv1.2
# In some situations Atomic Red Team launches hidden PowerShell windows that will not use TLSv1.2 unless this command is run for every PowerShell session launched

[Net.ServicePointManager]::SecurityProtocol += [Net.SecurityProtocolType]::Tls12

I have found that if I open an elevated PowerShell prompt those settings do not appear to be imported. I have taken to opening the elevated PowerShell prompt and then running

## That is . (period) space $PROFILE to invoke the execution of the profile

.  $PROFILE

After sourcing the profile I have found that the downloading of prerequisites is much more reliable ... locally. I have yet to run Atomic Red Team against a remote system so I do not know what requirements may exist when doing that.
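
A session check for the settings described in the comment above, added here as an example and not part of the thread or of the Invoke-AtomicRedTeam project: it reports whether the module, the PathToAtomicsFolder default and the TLS 1.2 flag are present in the current session, applies any that are missing, and reads the protocol setting from a remote session. The function names are hypothetical; the paths and the $artws session variable are the ones quoted on this page.

```powershell
# Added example, not from the thread. Paths are the ones quoted in the comment above.
$ArtModule  = 'C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1'
$ArtAtomics = 'C:\AtomicRedTeam\atomics'
$ArtKey     = 'Invoke-AtomicTest:PathToAtomicsFolder'

# Get-ArtSessionState (hypothetical name) reports what this session has loaded.
function Get-ArtSessionState {
    $id    = [Security.Principal.WindowsIdentity]::GetCurrent()
    $admin = [Security.Principal.WindowsBuiltInRole]::Administrator
    $proto = [Net.ServicePointManager]::SecurityProtocol
    [pscustomobject]@{
        User           = $id.Name
        Elevated       = ([Security.Principal.WindowsPrincipal]$id).IsInRole($admin)
        ProfilePath    = "$PROFILE"
        ProfileExists  = [bool]($PROFILE -and (Test-Path -LiteralPath $PROFILE))
        ModuleLoaded   = [bool](Get-Module -Name Invoke-AtomicRedTeam)
        AtomicsDefault = $global:PSDefaultParameterValues[$ArtKey]
        # SystemDefault (0) reports False here even though the OS may still negotiate TLS 1.2.
        Tls12Flag      = $proto.HasFlag([Net.SecurityProtocolType]::Tls12)
        Protocols      = "$proto"
    }
}

# Set-ArtSessionState (hypothetical name) applies whatever is missing; safe to run twice.
function Set-ArtSessionState {
    if (-not (Get-Module -Name Invoke-AtomicRedTeam)) {
        Import-Module $ArtModule -Force
    }
    $global:PSDefaultParameterValues[$ArtKey] = $ArtAtomics
    # -bor leaves the value unchanged when the flag is already set; adding the
    # flag arithmetically a second time would change the numeric value.
    [Net.ServicePointManager]::SecurityProtocol =
        [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
    Get-ArtSessionState
}

Set-ArtSessionState | Format-List

# Remote case: profiles are not run in remoting sessions, so query the session directly.
# $artws is the PSSession variable from the original report; skipped when it is not set.
if ($artws) {
    Invoke-Command -Session $artws -ScriptBlock {
        [pscustomobject]@{
            User      = [Security.Principal.WindowsIdentity]::GetCurrent().Name
            Protocols = [Net.ServicePointManager]::SecurityProtocol.ToString()
        }
    } | Format-List
}
```

Comparing the User and ProfilePath values between a normal and an elevated prompt shows whether both prompts resolve to the same profile file.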


jj-cmyk commented Aug 5, 2024

Hi @cyberbuff please see the below output when running Get-Module invoke-atomicredteam, powershell-yaml

ModuleType Version Name                 ExportedCommands
Script     2.1.0   Invoke-AtomicRedTeam {Get-AtomicTechnique, Get-PreferredIPAddress, Get-Schedule, Invoke-AtomicRunner...}
Script     0.4.7   powershell-yaml      {ConvertFrom-Yaml, ConvertTo-Yaml, cfy, cty}

github-actions bot commented Sep 5, 2024

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions bot added the Stale label Sep 5, 2024