atomic-red-team/execution-frameworks/Invoke-AtomicRedTeam
Michael Haag 7e34cbe7df ART - Getting Started Made Easy (#459)
* New Guide + Execution Script

Commit of new script and guide!

* Updated ReadMe

Updated Readme with new instructions

* Fixed typos

Typo gone and ready!
2019-02-14 13:13:13 -08:00

Invoke-AtomicRedTeam

Setup

Install Atomic Red Team

Get started with our simple install script:

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://psinstall.AtomicRedTeam.com')"

Source

By default, the install script downloads and installs Atomic Red Team to c:\tools\.

Running the install script locally provides three parameters:

InstallPath

  • Where ART is to be installed

    .\install-AtomicRedTeam.ps1 -InstallPath c:\tools\

DownloadPath

  • Where ART is to be downloaded

    .\install-AtomicRedTeam.ps1 -DownloadPath c:\tools\

Verbose

  • Verbose output during installation

    .\install-AtomicRedTeam.ps1 -Verbose

Manual

set-executionpolicy Unrestricted

PowerShell-Yaml is required to parse Atomic yaml files:

Install-Module -Name powershell-yaml

Import-Module .\Invoke-AtomicRedTeam.psm1

Getting Started

Generate Tests

This process generates all Atomic tests and allows for easy copy and paste execution. Note: you may need to change the path.

Invoke-AllAtomicTests -GenerateOnly

Execute All Tests

Execute all Atomic tests:

Invoke-AllAtomicTests

Execute All Tests - Specific Directory

Specify the path to the atomics folder, for example C:\AtomicRedTeam\atomics:

Invoke-AllAtomicTests -path C:\AtomicRedTeam\atomics

Execute a Single Test

$T1117 = Get-AtomicTechnique -Path ..\..\atomics\T1117\T1117.yaml
Invoke-AtomicTest $T1117

Additional Examples

To get output when running tests, use one of the following streams:

Informational Stream

Invoke-AtomicTest $T1117 -InformationAction Continue

Verbose Stream

Invoke-AtomicTest $T1117 -Verbose

Debug Stream

Invoke-AtomicTest $T1117 -Debug

WhatIf

To see what would happen without running the test:

Invoke-AtomicTest $T1117 -WhatIf

Confirm

To run tests without being prompted to confirm each one, set the Confirm switch to false:

Invoke-AtomicTest $T1117 -Confirm:$false

Or you can set your $ConfirmPreference to 'Medium'

$ConfirmPreference = 'Medium'
Invoke-AtomicTest $T1117
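
The single-test, WhatIf and Confirm options above can be combined into one controlled run. The script below is an added example, not part of the project: it previews each selected technique with -WhatIf, executes only when -Execute is passed, and records a timestamped transcript so that detections can be matched to each test by time. The parameter names, the art-runs log directory and the relative atomics path are assumptions; it is meant to be saved as a script in this directory.

```powershell
# Added example (not project code). Assumed names: $TechniqueIds, $AtomicsPath,
# $LogDir and -Execute are illustrative; only Get-AtomicTechnique and
# Invoke-AtomicTest come from the module described on this page.
param(
    [string[]]$TechniqueIds = @('T1117'),
    [string]$AtomicsPath = '..\..\atomics',
    [string]$LogDir = '.\art-runs',
    [switch]$Execute
)

Import-Module .\Invoke-AtomicRedTeam.psm1 -ErrorAction Stop

# One transcript per run, named by start time, for later correlation with alerts.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ("run-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))
Start-Transcript -Path $log | Out-Null
try {
    foreach ($id in $TechniqueIds) {
        $yaml = Join-Path $AtomicsPath "$id\$id.yaml"
        if (-not (Test-Path -LiteralPath $yaml)) {
            Write-Warning "Skipping ${id}: $yaml not found"
            continue
        }
        $technique = Get-AtomicTechnique -Path $yaml

        # Always show what would run before anything is executed.
        Write-Host ("[{0:o}] {1} preview" -f (Get-Date), $id)
        Invoke-AtomicTest $technique -WhatIf

        if ($Execute) {
            # Confirmation prompts are left enabled; start/end marks bound the test window.
            Write-Host ("[{0:o}] {1} start" -f (Get-Date), $id)
            Invoke-AtomicTest $technique -InformationAction Continue
            Write-Host ("[{0:o}] {1} end" -f (Get-Date), $id)
        }
    }
}
finally {
    Stop-Transcript | Out-Null
}
```

Run it without -Execute first to review the preview output, then again with -Execute on a test system.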