019b63fdb5
* Support for CheckPrereqs and Cleanup Commands
* for powershell executor, report prereqs are met if no prereq_commands are given
* remove invoke call from end of file, committed accidentally
141 lines
3.1 KiB
Markdown
# Invoke-AtomicRedTeam

## Setup

### Install Atomic Red Team

Get started with our simple install script:

`powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://psInstall.AtomicRedTeam.com')"`

[Source](install-atomicredteam.ps1)

Note that this one-liner fetches the installer over plain HTTP and executes it straight away, so anything on the network path could hand you a different script. On anything other than a throwaway lab host, download the script to disk and read it before running it.

By default, it will download and install Atomic Red Team to `c:\AtomicRedTeam`.

Running the [install script](install-atomicredteam.ps1) locally provides three parameters:

- `InstallPath` - where ART is to be installed

  `Install-AtomicRedTeam.ps1 -InstallPath c:\tools\`

- `DownloadPath` - where ART is to be downloaded

  `Install-AtomicRedTeam.ps1 -DownloadPath c:\tools\`

- `Verbose` - verbose output during installation

  `Install-AtomicRedTeam.ps1 -Verbose`

### Manual

Allow locally saved scripts to run:

`set-executionpolicy Unrestricted`

`Unrestricted` changes the policy machine-wide by default and persists after the session ends. On a host you care about, scope it to the current process instead (for example `Set-ExecutionPolicy Bypass -Scope Process`) so nothing is left behind when the window closes.

[PowerShell-Yaml](https://github.com/cloudbase/powershell-yaml) is required to parse Atomic yaml files:

`Install-Module -Name powershell-yaml`

Then import the module from the directory it was installed or cloned to:

`Import-Module .\Invoke-AtomicRedTeam.psm1`

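The setup steps above, carried out in a way that leaves no persistent change on the host, as an added example that is not part of the project's README or its installer. It uses the installer URL and `-InstallPath` parameter shown above; the temp-file location, the `Read-Host` review gate and the assumption that the install tree contains `Invoke-AtomicRedTeam.psm1` somewhere are this example's own.

```powershell
# Added example (not the project's installer): review-first, session-scoped setup
# of Invoke-AtomicRedTeam. Assumptions: the installer URL and -InstallPath
# parameter from the README, and that Invoke-AtomicRedTeam.psm1 ends up
# somewhere under the install root.

$InstallerUrl = 'http://psInstall.AtomicRedTeam.com'
$ArtRoot      = 'C:\AtomicRedTeam'
$Installer    = Join-Path $env:TEMP 'install-atomicredteam.ps1'

# 1. Relax the execution policy for this process only; it reverts when the
#    window closes, unlike a machine-wide Set-ExecutionPolicy Unrestricted.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# 2. Save the installer to disk instead of piping it straight into IEX, and
#    record the hash of the exact bytes you are about to run in your test notes.
Invoke-WebRequest -Uri $InstallerUrl -OutFile $Installer -UseBasicParsing
$hash = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
Write-Host "Installer SHA256: $hash"

# 3. Read the installer before it runs (it fetches content and writes to disk).
#    Abort here if it does anything you did not expect.
Get-Content -Path $Installer
if ((Read-Host 'Run the installer you just reviewed? (yes/no)') -ne 'yes') {
    throw 'Installer not approved; nothing was installed.'
}

# 4. Install to the chosen path, then make sure powershell-yaml is available
#    (it is needed to parse the atomic yaml files). -Scope CurrentUser avoids
#    needing admin rights and keeps the module out of the machine-wide path.
& $Installer -InstallPath $ArtRoot -Verbose
if (-not (Get-Module -ListAvailable -Name powershell-yaml)) {
    Install-Module -Name powershell-yaml -Scope CurrentUser -Force
}

# 5. Locate and import the module, then confirm the commands this README uses exist.
$psm1 = Get-ChildItem -Path $ArtRoot -Recurse -File -Filter 'Invoke-AtomicRedTeam.psm1' |
        Select-Object -First 1
if (-not $psm1) { throw "Invoke-AtomicRedTeam.psm1 not found under $ArtRoot" }
Import-Module $psm1.FullName -Force

Get-Command -Module Invoke-AtomicRedTeam -Name Invoke-AtomicTest, Invoke-AllAtomicTests
```

Because the execution policy is set with `-Scope Process`, a fresh PowerShell window will be back to the host's normal policy; re-run step 1 (and the `Import-Module` line) in each new session.
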
## Getting Started

### Generate Tests

This process generates all Atomic tests (prints test details to screen) and allows for easy copy and paste execution.

Note: you may need to change the path (see the `-path` parameter below).

```powershell
Invoke-AllAtomicTests -GenerateOnly
```

#### Execute All Tests

Execute all Atomic tests. This runs every test under the atomics folder against the local host, so use it only on a system set aside for that purpose:

```powershell
Invoke-AllAtomicTests
```

#### Execute All Tests - Specific Directory

Specify a path to the atomics folder, for example `C:\AtomicRedTeam\atomics`:

```powershell
Invoke-AllAtomicTests -path C:\AtomicRedTeam\atomics
```

#### Execute All Attacks for a Given TTP

```powershell
Invoke-AtomicTest T1117
```

#### Check that Prerequisites for a Given TTP are met

For the "command_prompt" executor, if any of the prereq_commands return a non-zero exit code, the prerequisites are not met. Example: **fltmc.exe filters | findstr #{sysmon_driver}**

For the "powershell" executor, the prereq_commands are run as a script block and the script must return 0 for success. Example: **if(Test-Path C:\Windows\System32\cmd.exe) { 0 } else { -1 }** A powershell test that defines no prereq_commands at all is reported as having its prerequisites met.

```powershell
Invoke-AtomicTest T1117 -CheckPrereqs
```

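The two evaluation rules above, reimplemented as a stand-alone function so the exit-code and return-value semantics can be seen and tried in isolation. This is an added, illustrative example and not the module's own implementation: the function name `Test-PrereqCommands`, its parameters, and the `#{name}` substitution from an `-InputArgs` hashtable (modelled on the yaml's input arguments) are assumptions; the sample commands are the README's two examples, with `SysmonDrv` as a constructed sample value for the placeholder.

```powershell
# Added example (not the module's own code): evaluate prereq_commands the way the
# README describes for the two executor types.
#   command_prompt : each command runs under cmd.exe; a non-zero exit code means unmet
#   powershell     : each command runs as a script block; it must output 0 to be met
# A test with no prereq_commands is reported as met.
function Test-PrereqCommands {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('command_prompt', 'powershell')]
        [string]$Executor,

        [string[]]$PrereqCommands = @(),

        # Values substituted for #{name} placeholders (assumed here to mirror the
        # yaml input arguments; the real module's substitution may differ).
        [hashtable]$InputArgs = @{}
    )

    if ($PrereqCommands.Count -eq 0) {
        Write-Verbose 'No prereq_commands defined; reporting prerequisites as met'
        return $true
    }

    foreach ($raw in $PrereqCommands) {
        # Fill #{placeholder} tokens; unknown tokens are left as-is so they show
        # up in the verbose output rather than silently running as garbage.
        $cmd = $raw
        foreach ($k in $InputArgs.Keys) {
            $cmd = $cmd.Replace("#{$k}", [string]$InputArgs[$k])
        }

        switch ($Executor) {
            'command_prompt' {
                # cmd.exe /c returns the exit code of the last command in the line
                # (for the findstr example: 0 = match found, 1 = no match).
                $null = & cmd.exe /c $cmd
                $met = ($LASTEXITCODE -eq 0)
            }
            'powershell' {
                # The script block must produce exactly one value equal to 0.
                # No output, another value, or an exception all count as unmet.
                try {
                    $out = @(& ([scriptblock]::Create($cmd)))
                    $met = ($out.Count -eq 1 -and "$($out[0])" -eq '0')
                } catch {
                    $met = $false
                }
            }
        }

        $state = if ($met) { 'met' } else { 'NOT met' }
        Write-Verbose "[$Executor] $cmd -> $state"
        if (-not $met) { return $false }   # first failure decides the result
    }
    return $true
}

# Constructed sample inputs: the README's two examples, plus the empty case.
$cmdPrereqs = @('fltmc.exe filters | findstr #{sysmon_driver}')
$psPrereqs  = @('if(Test-Path C:\Windows\System32\cmd.exe) { 0 } else { -1 }')

Test-PrereqCommands -Executor command_prompt -PrereqCommands $cmdPrereqs `
    -InputArgs @{ sysmon_driver = 'SysmonDrv' } -Verbose   # $true only if the driver is loaded
Test-PrereqCommands -Executor powershell -PrereqCommands $psPrereqs -Verbose   # $true on any Windows host
Test-PrereqCommands -Executor powershell -Verbose                               # no prereqs: $true
```

Note that `fltmc.exe filters` needs elevation; run unelevated it exits non-zero, which the function correctly reports as "not met", since the check could not be satisfied from this context.
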
#### Execute Specific Attacks (by Attack Number) for a Given TTP

```powershell
Invoke-AtomicTest T1117 -TestNumbers 1, 2
```

#### Execute Specific Attacks (by Attack Name) for a Given TTP

```powershell
Invoke-AtomicTest T1117 -TestNames "Regsvr32 remote COM scriptlet execution","Regsvr32 local DLL execution"
```

#### Run the Cleanup Commands For the Specified Test

```powershell
Invoke-AtomicTest T1089 -TestNames "Uninstall Sysmon" -Cleanup
```

## Additional Examples

To get output while tests run, use one of the following streams:

#### Informational Stream

```powershell
Invoke-AtomicTest T1117 -InformationAction Continue
```

#### Verbose Stream

```powershell
Invoke-AtomicTest T1117 -Verbose
```

#### Debug Stream

```powershell
Invoke-AtomicTest T1117 -Debug
```

#### WhatIf

To see what would happen without running the test:

```powershell
Invoke-AtomicTest T1117 -WhatIf
```

#### Confirm

To run all tests without confirming each one, set the Confirm switch to false:

```powershell
Invoke-AtomicTest T1117 -Confirm:$false
```

Or you can set your `$ConfirmPreference` to 'Medium':

```powershell
$ConfirmPreference = 'Medium'
Invoke-AtomicTest T1117
```

PowerShell prompts whenever a command's declared ConfirmImpact is at or above `$ConfirmPreference`, so lowering the preference only removes prompts for commands whose impact is below the value you set, and it does so for every command in the session, not just this module. If you still get prompted, `-Confirm:$false` on the call itself is the reliable option.
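The switches in this section combined into one logged run, as an added example that is not part of the module: it checks prerequisites, executes the test, runs its cleanup, and captures every output stream plus start/end timestamps to a transcript so the run can be lined up against endpoint and SIEM telemetry. It assumes the `Invoke-AtomicTest` parameters shown in this README (`-CheckPrereqs`, `-TestNumbers`, `-Cleanup`, `-Confirm`); the wrapper's name, its `-Technique`, `-LogDir` and `-SkipCleanup` parameters and the log location are this example's own.

```powershell
# Added example (not the module's own code): run one atomic test end to end with
# all streams captured to a transcript. Assumes the Invoke-AtomicTest switches
# documented in this README; the wrapper's own parameters are illustrative.
function Invoke-AtomicTestLogged {
    [CmdletBinding(SupportsShouldProcess)]   # gives the wrapper -WhatIf / -Confirm
    param(
        [Parameter(Mandatory)][string]$Technique,       # e.g. 'T1117'
        [int[]]$TestNumbers,                            # omit to run every test for the TTP
        [string]$LogDir = (Join-Path $env:TEMP 'atomic-logs'),
        [switch]$SkipCleanup
    )

    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $log   = Join-Path $LogDir "$Technique-$stamp.log"

    # Arguments shared by all three calls; -Confirm:$false so the inner calls do
    # not prompt (the wrapper's own ShouldProcess handles -WhatIf for the run).
    $common = @{ Confirm = $false }
    if ($TestNumbers) { $common.TestNumbers = $TestNumbers }

    Start-Transcript -Path $log -Append | Out-Null
    try {
        # *>&1 merges verbose, information, debug, warning and error streams into
        # the pipeline; Out-Host puts them on the console, which the transcript records.
        Write-Host "=== $Technique prerequisite check ==="
        Invoke-AtomicTest $Technique @common -CheckPrereqs -InformationAction Continue *>&1 | Out-Host

        if ($PSCmdlet.ShouldProcess("$Technique on $env:COMPUTERNAME", 'Execute atomic test')) {
            # Timestamps in ISO 8601 bracket the window to search in your SIEM.
            Write-Host "=== $Technique execution start $(Get-Date -Format o) ==="
            Invoke-AtomicTest $Technique @common -Verbose -InformationAction Continue *>&1 | Out-Host
            Write-Host "=== $Technique execution end   $(Get-Date -Format o) ==="

            if (-not $SkipCleanup) {
                Write-Host "=== $Technique cleanup ==="
                Invoke-AtomicTest $Technique @common -Cleanup *>&1 | Out-Host
            }
        }
    }
    finally {
        Stop-Transcript | Out-Null
    }
    return $log   # path of the transcript for this run
}

# Usage: dry run first (nothing executes), then the real run with cleanup.
Invoke-AtomicTestLogged -Technique T1117 -TestNumbers 1 -WhatIf
$logPath = Invoke-AtomicTestLogged -Technique T1117 -TestNumbers 1
Get-Content $logPath | Select-String 'execution (start|end)'
```

Keeping the cleanup inside the same `try`/`finally` structure as the execution means a failing test still ends with the transcript closed; if you need the artifacts left in place for forensics, pass `-SkipCleanup` and run the `-Cleanup` call by hand afterwards.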