
Cleanup command & Command are not played with the valid executor by the implant

Open SamuelHassine opened this issue 1 year ago • 5 comments

Description

  1. Try to play the Atomic Red team: "Create local account with admin privileges" on a clear endpoint (creating the user "art-test")

=> The cleanup command failed because the prerequisites cleanup is empty:

SUCCESS {"action":"prerequisite cleanup","stdout":"","stderr":"out-file : FileStream was asked to open a device that was not a file. For support for devices like 'com1:' or 'lpt1:', \r\ncall CreateFile, then use the FileStream constructors that take an OS handle as an IntPtr.\r\nAt line:1 char:1\r\n+ net localgroup administrators art-test /delete >nul 2>&1\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : OpenError: (:) [Out-File], NotSupportedException\r\n    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand\r\n \r\nout-file : FileStream was asked to open a device that was not a file. For support for devices like 'com1:' or 'lpt1:', \r\ncall CreateFile, then use the FileStream constructors that take an OS handle as an IntPtr.\r\nAt line:2 char:1\r\n+ net user art-test /delete >nul 2>&1\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : OpenError: (:) [Out-File], NotSupportedException\r\n    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand\r\n \r\n","exit_code":0}
  2. Then, try to re-play the inject:
SUCCESS {"action":"implant execution","stdout":"The command completed successfully.\r\n\r\n","stderr":"The account already exists.\r\n\r\nMore help is available by typing NET HELPMSG 2224.\r\n\r\nSystem error 1378 has occurred.\r\n\r\nThe specified account name is already a member of the group.\r\n\r\n","exit_code":0}

SamuelHassine avatar Oct 17 '24 10:10 SamuelHassine

Hi @SamuelHassine, I executed some injects with cleanup commands and they work. For your particular payload from Atomic Red Team, I executed the cleanup command myself on the Windows platform with PowerShell; I have the same error, but if I remove the end of the line with ">nul 2>&1", it works. If I execute the command in a classic Windows cmd line, it works.

I looked at the code of the implant; it doesn't use/choose the executor of the inject for Windows (cmd, powershell, ...) but always powershell only. @EllynBsc @jborozco it seems to be a feature to take this into account.

damgouj avatar Oct 18 '24 08:10 damgouj
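As an added illustration of the executor choice discussed in this comment (example code, not the project's own implant code), the hypothetical `BuildArgv` below selects the Windows interpreter from the executor declared on the payload instead of always falling back to PowerShell, and `HasCmdOnlyRedirect` flags the cmd.exe-only `>nul` redirection that made PowerShell raise the Out-File error quoted in the issue:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the cleanup line from the issue, written in cmd.exe syntax.
const cleanupCmd = "net localgroup administrators art-test /delete >nul 2>&1"

// cmdOnlyRedirect matches a redirection to the cmd.exe "nul" device. PowerShell
// treats "nul" as a file name and fails to open it (the Out-File error above).
var cmdOnlyRedirect = regexp.MustCompile(`(?i)(^|[\s\d])>\s*nul\b`)

// HasCmdOnlyRedirect reports whether a command line relies on cmd.exe-only
// redirection and would therefore fail under PowerShell.
func HasCmdOnlyRedirect(command string) bool {
	return cmdOnlyRedirect.MatchString(command)
}

// BuildArgv (hypothetical name) builds the process argument vector for the
// executor configured on the payload. It refuses the combination that produced
// the failure in this issue instead of silently running it under PowerShell.
func BuildArgv(executor, command string) ([]string, error) {
	switch strings.ToLower(executor) {
	case "cmd":
		return []string{"cmd.exe", "/c", command}, nil
	case "powershell":
		if HasCmdOnlyRedirect(command) {
			return nil, fmt.Errorf("command uses cmd.exe redirection (>nul) but executor is powershell")
		}
		return []string{"powershell.exe", "-NoProfile", "-NonInteractive", "-Command", command}, nil
	default:
		return nil, fmt.Errorf("unknown executor %q", executor)
	}
}

func main() {
	for _, executor := range []string{"cmd", "powershell"} {
		argv, err := BuildArgv(executor, cleanupCmd)
		fmt.Printf("%-10s argv=%q err=%v\n", executor, argv, err)
	}
}
```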

Hi @damgouj, since the agent doesn't take into account the cmd/powershell configuration of the payload (see screenshot), it is a bug.

Image

jborozco avatar Oct 18 '24 13:10 jborozco

OK, thanks @jborozco. Just to explain, the subject is complex, so it will take some time to resolve it.

damgouj avatar Oct 21 '24 07:10 damgouj

@damgouj Also, for this issue, can we put in place a unit test that would help us verify that cleanup commands are always working?

jborozco avatar Oct 21 '24 16:10 jborozco

@jborozco Sorry, but we can't do a unit test for this issue, because to do this we need the whole platform installed with assets, specific atomic testing, agent, implant, ...

damgouj avatar Oct 22 '24 13:10 damgouj