Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Removing REM from T1112 - causing incorrect execution #2681

Merged
merged 2 commits into from
Feb 8, 2024
Merged

Removing REM from T1112 - causing incorrect execution #2681

merged 2 commits into from
Feb 8, 2024

Conversation

Jake151
Copy link
Contributor

@Jake151 Jake151 commented Feb 5, 2024
edited
Loading

Details:
During an execution run I noticed that atomics were failing due to PowerShell scripts not being enabled on the host system. I traced the issue back to T1112:95b25212-91a7-42ff-9613-124aca6845a8 and specifically the REM command that is used in place of a comment. I don't know the specifics as to why this command stops execution but it results in the subsequent deletion command not being executed.

This screenshot shows execution of the atomic with the REM command in place, note the EnableScripts registry value remains
Screenshot 2024-02-05 at 22 47 18

This screenshot shows execution of the same atomic with the REM command removed, note the removal of the registry value.
Screenshot 2024-02-05 at 22 48 11

Testing:
Tested on W10

Associated Issues:
None

@Jake151 Jake151 changed the title Removing REM from T1112 due to incorrect execution Removing REM from T1112 - causing incorrect execution Feb 5, 2024
clr2of8
clr2of8 approved these changes Feb 8, 2024
View reviewed changes
Copy link
Collaborator

@clr2of8 clr2of8 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! The problem comes about because the execution frameworks combine all the commands into one line and comments don't know when to stop (essentially, everything after a comment becomes a comment)

@clr2of8 clr2of8 merged commit 694d2c0 into redcanaryco:master Feb 8, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@clr2of8 clr2of8 clr2of8 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Jake151 @clr2of8