security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

readme updates/fixes (#557)

Browse Source
This commit is contained in:
Carrie Roberts
2019-09-06 11:28:13 -06:00
committed by Michael Haag
parent 0110ceec98
commit 3b784d023c
1 changed files with 20 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
execution-frameworks/Invoke-AtomicRedTeam/README.md
+20 -3
View File
@@ -66,14 +66,28 @@ Specify a path to atomics folder, example C:\AtomicRedTeam\atomics
Invoke-AtomicTest All -PathToAtomicsFolder C:\AtomicRedTeam\atomics
```
### Display Test Details without Executing the Test
#### Display Test Details without Executing the Test
Show the attack commands:
```powershell
Invoke-AtomicTest All -ShowDetails -InformationAction Continue
```
Show the Prereq commands:
```powershell
Invoke-AtomicTest All -CheckPrereqs -ShowDetails -InformationAction Continue
```
Show the Cleanup commands:
```powershell
Invoke-AtomicTest All -Cleanup -ShowDetails -InformationAction Continue
```
Using the `ShowDetails` switch causes the test details to be printed to the screen and allows for easy copy and paste execution.
Note: you may need to change the path with the `PathToAtomicsFolder` parameter.
Note: you may need to change the path where the test definitions are found with the `PathToAtomicsFolder` parameter.
#### Execute All Attacks for a Given Technique
@@ -98,8 +112,11 @@ Invoke-AtomicTest T1117 -CheckPrereqs
```
For the "command_prompt" executor, if any of the prereq_command's return a non-zero exit code, the pre-requisites are not met. Example: **fltmc.exe filters | findstr #{sysmon_driver}**
For the "powershell" executor, the prereq_command's are run as a script block and the script must return 0 if the pre-requisites are met. Example: **if(Test-Path C:\Windows\System32\cmd.exe) { 0 } else { -1 }**
Pre-requisites will also be reported as not met if the test is defined with `elevation_required: true` but the current context is not elevated. You can still execute an attack even if the pre-requisites are not met but execution may fail.
#### Execute Specific Attacks (by Attack Number) for a Given Technique
```powershell
@@ -118,7 +135,7 @@ $inputParameters = @{ "file_name" = "c:\Temp\myfile.txt"; "ads_filename" = "C:\T
Invoke-AtomicTest T1158 -TestNames "Create ADS command prompt" -InputParameters $inputParameters
```
You can specify a subset of the input parameters via the command line. Any input parameters not explicitly defined will maintain their default values.
You can specify a subset of the input parameters via the command line. Any input parameters not explicitly defined will maintain their default values from the test definition yaml.
#### Run the Cleanup Commands For the Specified Test