# Invoke-AtomicRedTeam
## Setup
### Install Atomic Red Team
* Be sure to get permission and necessary approval before conducting tests. Unauthorized testing is a bad decision and can potentially be a resume-generating event.
* Set up a test machine that would be similar to the build in your environment. Be sure you have your collection/EDR
solution in place, and that the endpoint is checking in and active. It is best to have AV turned off.
We made installing Atomic Red Team extremely easy.
For those running Atomic Red Team on MacOS or Linux, download and install PowerShell Core first:
[Linux](https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-linux?view=powershell-6)
[MacOS](https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-macos?view=powershell-6)
From a PowerShell prompt run the following command:
`IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/execution-frameworks/Invoke-AtomicRedTeam/install-atomicredteam.ps1'); Install-AtomicRedTeam -verbose`
If you get an Import-Module error stating that the module "cannot be loaded because running scripts is disabled on this system", restart PowerShell using `powershell -exec bypass` or bypass the execution policy with one of [these](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/) methods and try again. Method 12 is especially promising.
[Source](install-atomicredteam.ps1)
By default, the installer will download and install Atomic Red Team to `<BASEPATH>\AtomicRedTeam`, where `<BASEPATH>` is `C:` on Windows or `~` on Linux/MacOS.
Running the [Install script](install-atomicredteam.ps1) locally provides three parameters:

InstallPath
- Where ART is to be installed

`Install-AtomicRedTeam -InstallPath c:\tools\`

DownloadPath
- Where ART is to be downloaded

`Install-AtomicRedTeam -DownloadPath c:\tools\`

Force
- Force the new installation, removing any previous installation in -InstallPath. **BE CAREFUL: this will delete the entire install path folder**

`Install-AtomicRedTeam -Force`
### Manual Installation
[PowerShell-Yaml](https://github.com/cloudbase/powershell-yaml) is required to parse Atomic yaml files:
`Install-Module -Name powershell-yaml -Scope CurrentUser`
Clone the Atomic Red Team repository and import the Invoke-AtomicRedTeam module.
`Import-Module .\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam.psm1`
## Getting Started
Before you can use the **_Invoke-AtomicTest_** function, you must first import the module:
```powershell
Import-Module C:\AtomicRedTeam\execution-frameworks\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam.psm1
```
Note: Your path to the **_Invoke-AtomicRedTeam.psm1_** may be different.
#### Execute All Tests
Execute all Atomic tests:
``` powershell
Invoke-AtomicTest All
```
This assumes your atomics folder is in the default location of `<BASEPATH>\AtomicRedTeam\atomics`, where `<BASEPATH>` is `C:` on Windows or `~` on Linux/MacOS.
You can override the default path to the atomics folder using the `$PSDefaultParameterValues` preference variable as shown below.
```powershell
$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\Users\myuser\Documents\code\atomic-red-team\atomics"}
```
Tip: Add this to your PowerShell profile so it is always set to your preferred default value.
#### Execute All Tests - Specific Directory
Specify a path to the atomics folder, for example `C:\AtomicRedTeam\atomics`:
```powershell
Invoke-AtomicTest All -PathToAtomicsFolder C:\AtomicRedTeam\atomics
```
#### Display Test Details without Executing the Test
Show the attack commands:
```powershell
Invoke-AtomicTest All -ShowDetails
```
Show the Prereq commands:
```powershell
Invoke-AtomicTest All -CheckPrereqs -ShowDetails
```
Show the Cleanup commands:
```powershell
Invoke-AtomicTest All -Cleanup -ShowDetails
```
Using the `ShowDetails` switch causes the test details to be printed to the screen and allows for easy copy and paste execution.
Note: you may need to change the path where the test definitions are found with the `PathToAtomicsFolder` parameter.
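As a complement to `-ShowDetails`, the following added example (not Invoke-AtomicRedTeam's own code) builds a table of every test in the atomics folder without executing anything, which is useful for planning which tests to run from an elevated prompt and which apply to the platform at hand. It assumes the powershell-yaml module from the Setup section is installed, the default `atomics\T####\T####.yaml` layout, and these keys in the test yaml: `attack_technique`, `atomic_tests[].name`, `.supported_platforms`, `.executor.name`, `.executor.elevation_required` and `.dependencies`. Test numbers are taken as the 1-based position within `atomic_tests`; the function name is hypothetical.

```powershell
# Added example, not Invoke-AtomicRedTeam's own code: inventory the tests in an atomics
# folder without running anything. Assumes powershell-yaml is installed and the yaml keys
# named in the lead-in (attack_technique, atomic_tests[].name/.supported_platforms/
# .executor.name/.executor.elevation_required/.dependencies).
function Get-AtomicTestInventory {
    param([string]$PathToAtomicsFolder = 'C:\AtomicRedTeam\atomics')
    Import-Module powershell-yaml -ErrorAction Stop

    foreach ($file in Get-ChildItem -Path $PathToAtomicsFolder -Filter 'T*.yaml' -Recurse) {
        $doc = ConvertFrom-Yaml (Get-Content -Path $file.FullName -Raw)
        $number = 0   # -TestNumbers is assumed to be the 1-based position in atomic_tests
        foreach ($test in $doc.atomic_tests) {
            $number++
            [pscustomobject]@{
                Technique  = $doc.attack_technique
                TestNumber = $number
                Name       = $test.name
                Executor   = $test.executor.name
                Elevated   = [bool]$test.executor.elevation_required
                Platforms  = ($test.supported_platforms -join ',')
                HasPrereqs = ($null -ne $test.dependencies)
            }
        }
    }
}

$inventory = Get-AtomicTestInventory -PathToAtomicsFolder 'C:\AtomicRedTeam\atomics'

# Tests that must be started from an elevated prompt (otherwise -CheckPrereqs reports them unmet)
$inventory | Where-Object Elevated | Sort-Object Technique, TestNumber | Format-Table -AutoSize

# How many tests apply to this platform at all (supported_platforms values such as 'windows')
($inventory | Where-Object { $_.Platforms -match 'windows' }).Count
```

The inventory is plain objects, so it can be piped to `Export-Csv` and kept next to the execution log to document which tests were in scope for a detection-validation run.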
#### Execute All Attacks for a Given Technique
```powershell
Invoke-AtomicTest T1117
```
#### Specify an Alternate Path for the Execution Log
``` powershell
Invoke-AtomicTest T1117 -ExecutionLogPath 'C:\Temp\mylog.csv'
```
By default, test execution details are written to `Invoke-AtomicTest-ExecutionLog.csv` in the current directory. Use the `-ExecutionLogPath` parameter to write to a different file. Nothing is logged in the execution log when only running pre-requisite checks with `-CheckPrereqs` or cleanup commands with `-Cleanup`. Use the `-NoExecutionLog` switch to not write execution details to disk.
#### Check that Prerequisites for a Given Technique are met
```powershell
Invoke-AtomicTest T1117 -CheckPrereqs
```
For the "command_prompt", "bash", and "sh" executors, if any of the `prereq_command` entries return a non-zero exit code, the pre-requisites are not met. Example: `fltmc.exe filters | findstr #{sysmon_driver}`

For the "powershell" executor, the `prereq_command` entries are run as a script block and the script must return 0 if the pre-requisites are met. Example: `if(Test-Path C:\Windows\System32\cmd.exe) { 0 } else { -1 }`
Pre-requisites will also be reported as not met if the test is defined with `elevation_required: true` but the current context is not elevated. You can still execute an attack even if the pre-requisites are not met but execution may fail.
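The two conventions above differ in a way that is easy to get wrong when writing a test definition: a command_prompt/bash/sh prerequisite is judged by its process exit code, while a powershell prerequisite is judged by the value the script block returns. The following added example (not Invoke-AtomicRedTeam's own code, and only an approximation of its logic) lets you sanity-check a `prereq_command` on its own, including the `elevation_required` rule. The helper names are hypothetical, and `SysmonDrv` is a constructed stand-in for the `#{sysmon_driver}` input argument.

```powershell
# Added example, not Invoke-AtomicRedTeam's own code: reproduce the prerequisite conventions
# described above so a prereq_command can be checked before it goes into a test definition.

# "powershell" executor convention: the script block must return 0 when the prerequisite
# is met. Only the last value it emits is considered here, so a command that prints other
# output before its 0/-1 is not misjudged.
function Test-PowerShellPrereq {
    param([Parameter(Mandatory)][scriptblock]$PrereqCommand)
    $output = @(& $PrereqCommand)
    return ($output.Count -gt 0 -and $output[-1] -eq 0)
}

# "command_prompt", "bash" and "sh" executor convention: the process exit code decides.
function Test-ExitCodePrereq {
    param(
        [Parameter(Mandatory)][ValidateSet('command_prompt', 'bash', 'sh')][string]$Executor,
        [Parameter(Mandatory)][string]$PrereqCommand
    )
    switch ($Executor) {
        'command_prompt' { cmd.exe /c $PrereqCommand *> $null }
        'bash'           { bash -c $PrereqCommand *> $null }
        'sh'             { sh -c $PrereqCommand *> $null }
    }
    return ($LASTEXITCODE -eq 0)
}

# elevation_required: true additionally needs an elevated context.
function Test-IsElevated {
    if ($PSVersionTable.PSEdition -eq 'Desktop' -or $IsWindows) {
        $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
        return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
    return ((id -u) -eq '0')   # PowerShell Core on Linux/MacOS: root is uid 0
}

function Test-AtomicPrereq {
    param(
        [Parameter(Mandatory)][string]$Executor,
        [Parameter(Mandatory)][string]$PrereqCommand,
        [bool]$ElevationRequired = $false
    )
    if ($ElevationRequired -and -not (Test-IsElevated)) {
        Write-Warning 'elevation_required is set but this session is not elevated'
        return $false
    }
    if ($Executor -eq 'powershell') {
        return Test-PowerShellPrereq -PrereqCommand ([scriptblock]::Create($PrereqCommand))
    }
    return Test-ExitCodePrereq -Executor $Executor -PrereqCommand $PrereqCommand
}

# The two examples from the text above. "SysmonDrv" is a constructed stand-in for the
# #{sysmon_driver} argument; listing filter drivers itself needs an elevated prompt.
Test-AtomicPrereq -Executor powershell -PrereqCommand 'if(Test-Path C:\Windows\System32\cmd.exe) { 0 } else { -1 }'
Test-AtomicPrereq -Executor command_prompt -PrereqCommand 'fltmc.exe filters | findstr SysmonDrv' -ElevationRequired $true
```

A prerequisite that prints a status line and then `0` still passes with this helper because only the last emitted value counts; a prerequisite written for the powershell executor that merely exits with code 0 but returns nothing does not, which is the case the convention in the text is meant to catch.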
#### Execute Specific Attacks (by Attack Number) for a Given Technique
```powershell
Invoke-AtomicTest T1117 -TestNumbers 1,2
```
#### Execute Specific Attacks (by Attack Name) for a Given Technique
```powershell
Invoke-AtomicTest T1117 -TestNames "Regsvr32 remote COM scriptlet execution","Regsvr32 local DLL execution"
```
#### Specify Input Parameters on the Command Line
```powershell
$myArgs = @{ "file_name" = "c:\Temp\myfile.txt"; "ads_filename" = "C:\Temp\ads-file.txt" }
Invoke-AtomicTest T1158 -TestNames "Create ADS command prompt" -InputArgs $myArgs
```
You can specify a subset of the input parameters via the command line. Any input parameters not explicitly defined will maintain their default values from the test definition yaml.
#### Run the Cleanup Commands For the Specified Test
```powershell
Invoke-AtomicTest T1089 -TestNames "Uninstall Sysmon" -Cleanup
```
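The sections above each show one parameter in isolation. The following added example (not Invoke-AtomicRedTeam's own code) strings them together in the order a detection-validation run needs them: review, check prerequisites, execute with a dedicated execution log, clean up, then read the log back alongside the time window so it can be matched against EDR or SIEM telemetry. The module path, log path and the T1158 test with its input arguments are taken from the examples on this page and are placeholders for your own lab; `-Confirm:$false` is the switch described under "Additional Examples".

```powershell
# Added example, not Invoke-AtomicRedTeam's own code: one controlled run of a single test
# using only the parameters documented on this page. Paths and test values are placeholders.
Import-Module 'C:\AtomicRedTeam\execution-frameworks\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam.psm1'

$technique = 'T1158'
$testName  = 'Create ADS command prompt'
$inputArgs = @{ file_name = 'C:\Temp\myfile.txt'; ads_filename = 'C:\Temp\ads-file.txt' }
$logPath   = "C:\Temp\Invoke-AtomicTest-$technique-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"

# Parameters shared by every call below, splatted as @common. InputArgs is passed to the
# cleanup step too, because cleanup commands refer to the same #{...} arguments.
$common = @{ TestNames = $testName; InputArgs = $inputArgs; Confirm = $false }

# 1. Review what would run. Neither -ShowDetails nor -CheckPrereqs writes to the execution log.
Invoke-AtomicTest $technique @common -ShowDetails
Invoke-AtomicTest $technique @common -CheckPrereqs

# 2. Record the time window for later correlation with endpoint telemetry, then execute.
$started = Get-Date
try {
    Invoke-AtomicTest $technique @common -ExecutionLogPath $logPath -InformationAction Continue
}
finally {
    # 3. Clean up even if execution threw.
    Invoke-AtomicTest $technique @common -Cleanup
}
$finished = Get-Date

# 4. Review the execution log alongside the window it covers.
"Test window: $started -> $finished"
if (Test-Path $logPath) { Import-Csv $logPath | Format-List }
```

Keeping one execution log per run (the timestamp in `$logPath`) rather than appending to the default `Invoke-AtomicTest-ExecutionLog.csv` makes it straightforward to say exactly which test produced which alert, or which test produced none.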
## Additional Examples
If you would like output when running tests, use one of the following:
#### Informational Stream
``` powershell
Invoke-AtomicTest T1117 -InformationAction Continue
```
#### Verbose Stream
``` powershell
Invoke-AtomicTest T1117 -Verbose
```
#### Debug Stream
``` powershell
Invoke-AtomicTest T1117 -Debug
```
#### Confirm
To run all tests without confirming each one, set the Confirm switch to false:
```powershell
Invoke-AtomicTest T1117 -Confirm:$false
```
Or you can set your `$ConfirmPreference` to 'Medium'
```powershell
$ConfirmPreference = 'Medium'
Invoke-AtomicTest T1117
```