# Invoke-AtomicRedTeam
## Setup
### Install Atomic Red Team
* Be sure to get permission and the necessary approval before conducting tests. Unauthorized testing is a bad decision
and can potentially be a resume-generating event.
* Set up a test machine that would be similar to the build in your environment. Be sure you have your collection/EDR
solution in place, and that the endpoint is checking in and active. It is best to have AV turned off.
We made installing Atomic Red Team extremely easy.
Once the environment is ready, run PowerShell as an administrator and run the following PowerShell one-liner:
`IEX (New-Object Net.WebClient).DownloadString('http://psInstall.AtomicRedTeam.com'); Install-AtomicRedTeam -verbose`
[Source](install-atomicredteam.ps1)
By default, it will download and install Atomic Red Team to `c:\AtomicRedTeam`.
Running the [Install script](install-atomicredteam.ps1) locally provides three parameters:
- `InstallPath`: where ART is to be installed.

  `Install-AtomicRedTeam -InstallPath c:\tools\`

- `DownloadPath`: where ART is to be downloaded.

  `Install-AtomicRedTeam -DownloadPath c:\tools\`
### Manual
`set-executionpolicy Unrestricted`
[PowerShell-Yaml](https://github.com/cloudbase/powershell-yaml) is required to parse Atomic yaml files:
`Install-Module -Name powershell-yaml`
`import-module .\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam.psm1`
## Getting Started
#### Execute All Tests
Execute all Atomic tests:
``` powershell
Invoke-AtomicTest All
```
This assumes your atomics folder is in the default location of `..\..\atomics`.
#### Execute All Tests - Specific Directory
Specify a path to the atomics folder, for example `C:\AtomicRedTeam\atomics`:
``` powershell
Invoke-AtomicTest All -PathToAtomicsFolder C:\AtomicRedTeam\atomics
```
#### Display Test Details without Executing the Test
Show the attack commands:
``` powershell
Invoke-AtomicTest All -ShowDetails -InformationAction Continue
```
Show the Prereq commands:
``` powershell
Invoke-AtomicTest All -CheckPrereqs -ShowDetails -InformationAction Continue
```
Show the Cleanup commands:
``` powershell
Invoke-AtomicTest All -Cleanup -ShowDetails -InformationAction Continue
```
Using the `ShowDetails` switch causes the test details to be printed to the screen and allows for easy copy and paste execution.
Note: you may need to change the path where the test definitions are found with the `PathToAtomicsFolder` parameter.
#### Execute All Attacks for a Given Technique
``` powershell
Invoke-AtomicTest T1117
```
By default, test execution details are written to `Invoke-AtomicTest-ExecutionLog.csv` in the current directory.
#### Specify an Alternate Path for the Execution Log
``` powershell
Invoke-AtomicTest T1117 -ExecutionLogPath 'C:\Temp\mylog.csv'
```
Use the `-ExecutionLogPath` parameter to write the execution log to a different file. Nothing is logged in the execution log when only running pre-requisite checks with `-CheckPrereqs` or cleanup commands with `-Cleanup`. Use the `-NoExecutionLog` switch to not write execution details to disk at all.
#### Check that Prerequisites for a Given Technique are Met
``` powershell
Invoke-AtomicTest T1117 -CheckPrereqs
```
For the "command_prompt" executor, if any of the `prereq_command` entries return a non-zero exit code, the pre-requisites are not met. Example: `fltmc.exe filters | findstr #{sysmon_driver}`

For the "powershell" executor, the `prereq_command` entries are run as a script block and the script must return 0 if the pre-requisites are met. Example: `if(Test-Path C:\Windows\System32\cmd.exe) { 0 } else { -1 }`
Pre-requisites will also be reported as not met if the test is defined with `elevation_required: true` but the current context is not elevated. You can still execute an attack even if the pre-requisites are not met but execution may fail.
#### Execute Specific Attacks (by Attack Number) for a Given Technique
``` powershell
Invoke-AtomicTest T1117 -TestNumbers 1,2
```
#### Execute Specific Attacks (by Attack Name) for a Given Technique
``` powershell
Invoke-AtomicTest T1117 -TestNames "Regsvr32 remote COM scriptlet execution","Regsvr32 local DLL execution"
```
#### Specify Input Parameters on the Command Line
``` powershell
$myArgs = @{ "file_name" = "c:\Temp\myfile.txt"; "ads_filename" = "C:\Temp\ads-file.txt" }
Invoke-AtomicTest T1158 -TestNames "Create ADS command prompt" -InputArgs $myArgs
```
You can specify a subset of the input parameters via the command line. Any input parameters not explicitly defined will maintain their default values from the test definition yaml.
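The two rules above (command-line input parameters override only the yaml defaults they name, and a "powershell" executor prereq is met when its script block returns 0) are shown end to end in this added example. It is hypothetical code written for this page, not Invoke-AtomicRedTeam's implementation; the `$testDef` hashtable is a constructed stand-in for a parsed test yaml, and the function names are assumptions.

```powershell
# Constructed, simplified test definition mirroring the yaml fields the README names
# (input_arguments with defaults, a "powershell" executor, a prereq_command).
# Hypothetical example code, not Invoke-AtomicRedTeam's own implementation.
$testDef = @{
    input_arguments = @{
        file_name    = @{ default = "C:\Temp\default.txt" }
        ads_filename = @{ default = "C:\Temp\default-ads.txt" }
    }
    executor = @{
        name    = "powershell"
        command = 'Set-Content -Path "#{file_name}:#{ads_filename}" -Value "ads"'
    }
    dependencies = @(
        @{ prereq_command = 'if (Test-Path "#{file_name}") { 0 } else { -1 }' }
    )
}
# Start from every yaml default, then let command-line values override only the keys supplied.
function Merge-InputArgs {
    param([hashtable]$TestDef, [hashtable]$InputArgs = @{})
    $merged = @{}
    foreach ($key in $TestDef.input_arguments.Keys) {
        $merged[$key] = $TestDef.input_arguments[$key].default
    }
    foreach ($key in $InputArgs.Keys) { $merged[$key] = $InputArgs[$key] }
    return $merged
}
# Replace each #{name} placeholder in a command string with its resolved value.
function Expand-Placeholders {
    param([string]$Command, [hashtable]$Values)
    foreach ($key in $Values.Keys) {
        $Command = $Command.Replace("#{$key}", [string]$Values[$key])
    }
    return $Command
}
# "powershell" executor rule from the README: run the prereq as a script block; 0 means met.
function Test-PowerShellPrereq {
    param([string]$PrereqCommand, [hashtable]$Values)
    $block = [scriptblock]::Create((Expand-Placeholders -Command $PrereqCommand -Values $Values))
    return ((& $block) -eq 0)
}
$cliArgs  = @{ file_name = "C:\Temp\myfile.txt" }   # only a subset supplied on the command line
$resolved = Merge-InputArgs -TestDef $testDef -InputArgs $cliArgs   # ads_filename keeps its default
$prereqOk = Test-PowerShellPrereq -PrereqCommand $testDef.dependencies[0].prereq_command -Values $resolved
"Prereqs met: $prereqOk"
# Only display the expanded attack command, as -ShowDetails does; it is not executed here.
Expand-Placeholders -Command $testDef.executor.command -Values $resolved
```

With `C:\Temp\myfile.txt` absent, the prereq block returns -1 and the check reports `False`, which is the same condition that makes `-CheckPrereqs` report the pre-requisites as not met.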
#### Run the Cleanup Commands For the Specified Test
``` powershell
Invoke-AtomicTest T1089 -TestNames " Uninstall Sysmon " -Cleanup
```
## Additional Examples
If you would like output when running tests, use one of the following streams:
#### Informational Stream
``` powershell
Invoke-AtomicTest T1117 -InformationAction Continue
```
#### Verbose Stream
``` powershell
Invoke-AtomicTest T1117 -Verbose
```
#### Debug Stream
``` powershell
Invoke-AtomicTest T1117 -Debug
```
#### Confirm
To run all tests without confirming each one, set the Confirm switch to false:
``` powershell
Invoke-AtomicTest T1117 -Confirm:$false
```
Or you can set your `$ConfirmPreference` to 'Medium':
``` powershell
$ConfirmPreference = 'Medium'
Invoke-AtomicTest T1117
```