Added T1562.010 Test for PowerShell v2 Downgrade (#2670)

* Added T1562.010 Test for PowerShell v2 Downgrade

* Remove PowerShell Downgrade Attack atomic from T1059.001.yaml
zaicurity
2024-02-01 00:22:30 +01:00
committed by GitHub
parent 45138fdb07
commit dc264a80f4
2 changed files with 20 additions and 19 deletions
-19
@@ -174,25 +174,6 @@ atomic_tests:
Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
name: powershell
- name: PowerShell Downgrade Attack
auto_generated_guid: 9148e7c4-9356-420e-a416-e896e9c0f73e
description: |
This test requires the manual installation of PowerShell V2.
Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
supported_platforms:
- windows
dependencies:
- description: |
PowerShell version 2 must be installed
prereq_command: |
if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1}
get_prereq_command: |
Write-Host Automated installer not implemented yet, please install PowerShell v2 manually
executor:
command: |
powershell.exe -version 2 -Command Write-Host $PSVersion
name: powershell
- name: NTFS Alternate Data Stream Access
auto_generated_guid: 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680
description: |
+20
@@ -79,3 +79,23 @@ atomic_tests:
command: |
echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
name: command_prompt
- name: PowerShell Version 2 Downgrade
description: Executes outdated PowerShell Version 2 which does not support security features like AMSI. By default the atomic will attempt to execute the cmdlet Invoke-Mimikatz whether it exists or not, as this cmdlet will be blocked by AMSI when active.
supported_platforms:
- windows
dependencies:
- description: Check if Version 2 is installed.
prereq_command: |
$v2_installed = PowerShell -version 2 -command '$PSVersionTable.PSVersion.Major'
if (-not $v2_installed) {exit 1} else {exit 0}
get_prereq_command: |
echo "Manually install PowerShell Version 2"
executor:
command: PowerShell -version 2 -command '#{v2_command}'
name: powershell
elevation_required: false
input_arguments:
v2_command:
description: Specify the command to execute with Version 2
type: string
default: Invoke-Mimikatz
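Review bot: The `prereq_command` only checks that the child `PowerShell -version 2` process printed something, not that the engine that answered was actually version 2; if the host lacks v2 and the launcher falls back to the default engine instead of failing (I have not confirmed which it does, the error may just go to stderr and leave the variable empty), the check reports success and the atomic then runs under the current engine, so the test passes for the wrong reason. Comparing the captured value pins the intent, `if ($v2_installed -eq 2) {exit 0} else {exit 1}`, or the removed atomic's in-process check `if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1}` could be reused, which needs no child process at all. The new atomic also carries no `auto_generated_guid` where the removed one in the other file had one; if the repository's tooling does not generate it on merge, one should be added. Finally, the one-line `description:` is far past any line-length limit and would read better as a `>-` folded scalar, and the executor's single-quoted `'#{v2_command}'` breaks on any argument value containing a single quote, which is worth stating in the input argument's description.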