Added T1562.010 Test for PowerShell v2 Downgrade #2670
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
clr2of8
requested changes
Jan 29, 2024
There was a problem hiding this comment.
Thank you for your contribution. You have selected the best Technique Number to put this, however we do already have a PowerShell Downgrade Attack atomic here. Can you include the removal of the other atomic from T1059.001 in this PR. Keeping your version here in T1562.010?
svc-github-aws-opensource
force-pushed
the
master
branch
from
f2691d5 to
45138fd
Compare
|
Thanks for the feedback! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Details:
Added new test that runs a cmdlet explicitly via PowerShell v2 as is sometimes seen in adversary TTPs[1].
Please note that v2 is no longer installed by default and can be difficult to install manually because Microsoft no longer supports it. To test detections the atomic could still be useful even without v2 installed, as the command line should be logged anyway.
Testing:
Tested on Windows 10 and Server 2019 with and without PowerShell v2 installed.
References:
[1] https://www.leeholmes.com/detecting-and-preventing-powershell-downgrade-attacks/