atomic-red-team/execution-frameworks/Invoke-AtomicRedTeam
Carrie Roberts 019b63fdb5 Support for CheckPrereqs and Cleanup Commands (#531)
* Support for CheckPrereqs and Cleanup Commands

* for powershell executor, report prereqs are met if no prereq_commands are given

* remove invoke call from end of file, committed accidentally
2019-08-30 09:42:44 -06:00

Invoke-AtomicRedTeam

Setup

Install Atomic Red Team

Get started with our simple Install script:

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://psInstall.AtomicRedTeam.com')"

Source

By default, the script downloads and installs Atomic Red Team to c:\AtomicRedTeam.

Running the install script locally exposes three parameters:

InstallPath

  • Where ART is to be installed

    Install-AtomicRedTeam.ps1 -InstallPath c:\tools\

DownloadPath

  • Where ART is to be downloaded

    Install-AtomicRedTeam.ps1 -DownloadPath c:\tools\

Verbose

  • Verbose output during installation

    Install-AtomicRedTeam.ps1 -verbose

Manual

set-executionpolicy Unrestricted

PowerShell-Yaml is required to parse Atomic yaml files:

Install-Module -Name powershell-yaml

Import-Module .\Invoke-AtomicRedTeam.psm1

Getting Started

Generate Tests

This command generates all Atomic tests (printing the test details to the screen) without executing them, so the commands can be copied and pasted for manual execution. Note: you may need to change the path.

Invoke-AllAtomicTests -GenerateOnly

Execute All Tests

Execute all Atomic tests:

Invoke-AllAtomicTests

Execute All Tests - Specific Directory

Specify a path to the atomics folder, for example C:\AtomicRedTeam\atomics:

Invoke-AllAtomicTests -path C:\AtomicRedTeam\atomics

Execute All Attacks for a Given TTP

Invoke-AtomicTest T1117

Check that Prerequisites for a Given TTP are met

For the "command_prompt" executor, if any of the prereq_commands return a non-zero exit code, the prerequisites are not met. Example:

    fltmc.exe filters | findstr #{sysmon_driver}

For the "powershell" executor, the prereq_commands are run as a script block and the script must return 0 for success. Example:

    if(Test-Path C:\Windows\System32\cmd.exe) { 0 } else { -1 }

Invoke-AtomicTest T1117 -CheckPrereqs
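The two rules above are easy to get wrong when writing a new atomic (a powershell prereq that prints text but never returns 0 will always look unmet; a command_prompt prereq whose last pipeline stage succeeds will always look met). The following is an added example, not code from Invoke-AtomicRedTeam, that emulates the decision each executor makes as the README describes it, so a prereq_command can be checked before it goes into a yaml file. The function names and the sample prerequisites (which rely on the built-in where.exe) are constructed for illustration.

```powershell
# Added example: emulate how each executor type evaluates a prereq_command.
# This mirrors the README's description, not the module's own implementation.

function Test-CommandPromptPrereq {
    # command_prompt executor: the command runs under cmd.exe and any
    # non-zero exit code means the prerequisite is NOT met.
    param([Parameter(Mandatory)][string]$Command)
    & cmd.exe /c $Command *> $null
    return ($LASTEXITCODE -eq 0)
}

function Test-PowerShellPrereq {
    # powershell executor: the command runs as a script block and the value
    # it returns must be 0 for the prerequisite to count as met.
    param([Parameter(Mandatory)][string]$Command)
    $result = & ([scriptblock]::Create($Command))
    $last = $result | Select-Object -Last 1   # only the final output value counts
    return ($null -ne $last -and $last -eq 0)
}

function Test-AtomicPrereq {
    # Dispatch on the executor name used in the atomic yaml ("command_prompt" or "powershell").
    param(
        [Parameter(Mandatory)][ValidateSet('command_prompt', 'powershell')][string]$Executor,
        [Parameter(Mandatory)][string]$Command
    )
    switch ($Executor) {
        'command_prompt' { return Test-CommandPromptPrereq -Command $Command }
        'powershell'     { return Test-PowerShellPrereq -Command $Command }
    }
}

# Constructed sample prerequisites (not from any real atomic):
$samplePrereqs = @(
    @{ Executor = 'command_prompt'; Command = 'where.exe cmd.exe' }                          # met: where.exe exits 0
    @{ Executor = 'command_prompt'; Command = 'where.exe this-tool-does-not-exist.exe' }     # not met: exits 1
    @{ Executor = 'powershell';     Command = 'if(Test-Path C:\Windows\System32\cmd.exe) { 0 } else { -1 }' }  # met
    @{ Executor = 'powershell';     Command = 'Test-Path C:\Windows\System32\cmd.exe' }      # not met: returns $true, never 0
)

foreach ($p in $samplePrereqs) {
    $met = Test-AtomicPrereq -Executor $p.Executor -Command $p.Command
    "{0,-15} {1,-8} {2}" -f $p.Executor, ($(if ($met) { 'met' } else { 'NOT met' })), $p.Command
}
```

The fourth sample is the common mistake: Test-Path alone returns a Boolean, and $true is not 0, so the executor would report the prerequisite as unmet even though the file exists. Wrapping the check in an if/else that emits 0 or -1, as the README's example does, is what makes the powershell prereq usable.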

Execute Specific Attacks (by Attack Number) for a Given TTP

Invoke-AtomicTest T1117 -TestNumbers 1, 2

Execute Specific Attacks (by Attack Name) for a Given TTP

Invoke-AtomicTest T1117 -TestNames "Regsvr32 remote COM scriptlet execution","Regsvr32 local DLL execution"

Run the Cleanup Commands For the Specified Test

Invoke-AtomicTest T1089 -TestNames "Uninstall Sysmon" -Cleanup

Additional Examples

If you would like output while running tests, use one of the following streams:

Informational Stream

Invoke-AtomicTest T1117 -InformationAction Continue

Verbose Stream

Invoke-AtomicTest T1117 -Verbose

Debug Stream

Invoke-AtomicTest T1117 -Debug

WhatIf

If you would like to see what would happen without running the test:

Invoke-AtomicTest T1117 -WhatIf

Confirm

To run all tests without confirming each one, set the Confirm switch to false:

Invoke-AtomicTest T1117 -Confirm:$false

Or you can set your $ConfirmPreference to 'Medium':

$ConfirmPreference = 'Medium'
Invoke-AtomicTest T1117
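The switches on this page fit together as one workflow when a test is used to validate detection coverage: confirm prerequisites, preview with -WhatIf, run with output streams enabled and confirmation suppressed, then clean up, with everything captured in a transcript for the analyst who compares it against the SIEM. The following is an added example, not part of Invoke-AtomicRedTeam; the wrapper function name is hypothetical, it uses only the Invoke-AtomicTest parameters shown on this page, and it assumes the module has already been imported as described under Setup.

```powershell
# Added example: run one TTP end to end for detection validation, recording a transcript.
# Invoke-AtomicDetectionDrill is a hypothetical wrapper, not a cmdlet of the module.
# Assumes: Import-Module .\Invoke-AtomicRedTeam.psm1 has already been run.

function Invoke-AtomicDetectionDrill {
    param(
        [Parameter(Mandatory)][string]$Technique,                      # e.g. T1117
        [int[]]$TestNumbers,                                           # omit to run every test for the TTP
        [string]$TranscriptDir = (Join-Path $env:TEMP 'atomic-drills') # constructed default location
    )

    New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
    $stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
    $transcript = Join-Path $TranscriptDir "$Technique-$stamp.txt"

    # Build the optional -TestNumbers argument once and reuse it for every phase.
    $selection = @{}
    if ($TestNumbers) { $selection['TestNumbers'] = $TestNumbers }

    Start-Transcript -Path $transcript | Out-Null
    try {
        "=== $Technique : start $(Get-Date -Format o) ==="

        # 1. Do not run a test whose prerequisites are missing; the result would be meaningless.
        "--- CheckPrereqs ---"
        Invoke-AtomicTest $Technique @selection -CheckPrereqs -InformationAction Continue

        # 2. Preview exactly which commands would execute.
        "--- WhatIf ---"
        Invoke-AtomicTest $Technique @selection -WhatIf

        # 3. Execute with the informational stream visible and no per-test prompt.
        "--- Execute ---"
        Invoke-AtomicTest $Technique @selection -Confirm:$false -InformationAction Continue

        "=== $Technique : executed $(Get-Date -Format o) (correlate this timestamp in the SIEM) ==="
    }
    finally {
        # 4. Always attempt cleanup, even if execution threw, so the host is left as found.
        "--- Cleanup ---"
        Invoke-AtomicTest $Technique @selection -Cleanup -Confirm:$false
        Stop-Transcript | Out-Null
    }

    return $transcript
}

# Usage: run tests 1 and 2 of T1117 and get back the transcript path for the detection review.
# Invoke-AtomicDetectionDrill -Technique T1117 -TestNumbers 1, 2
```

Keeping the execution timestamp in the transcript is the point of the exercise: the analyst can look for the expected telemetry in the window right after it and treat its absence as a detection gap rather than guessing when the test ran.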