5f49684c43
* Install fixes
  Updated casing. Should be happier
* fix docs-invoke page
  Fixing docs invoke page to match the other readme
127 lines
3.1 KiB
Markdown
---
layout: default
---
# Getting Started - PowerShell Invoke-AtomicRedTeam

1. [Install Atomic Red Team](#install-atomic-red-team)
2. [Generate Tests](#generate-tests)
3. [Execute Tests](#execute-tests)
4. [Other Examples](#other-examples)
## Install Atomic Red Team

* Be sure to get permission and necessary approval before conducting tests. Unauthorized testing is a bad decision and can potentially be a resume-generating event.

* Set up a test machine that would be similar to the build in your environment. Be sure you have your collection/EDR solution in place, and that the endpoint is checking in and active. It is best to have AV turned off.
We made installing Atomic Red Team extremely easy.

Once the environment is ready, run the following PowerShell one-liner as Administrator:

`powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://psinstall.AtomicRedTeam.com')"`

[Source](https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/execution-frameworks/Invoke-AtomicRedTeam/install-AtomicRedTeam.ps1)

By default, it will download and install Atomic Red Team to `c:\tools\`.

Running the [install script](https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/execution-frameworks/Invoke-AtomicRedTeam/install-AtomicRedTeam.ps1) locally provides three parameters:

`InstallPath`
- Where ART is to be installed

`install-AtomicRedTeam.ps1 -InstallPath c:\tools\`

`DownloadPath`
- Where ART is to be downloaded

`install-AtomicRedTeam.ps1 -DownloadPath c:\tools\`

`Verbose`
- Verbose output during installation

`install-AtomicRedTeam.ps1 -Verbose`
### Manual Installation

To manually install Invoke-AtomicRedTeam:

`Set-ExecutionPolicy Unrestricted`

[PowerShell-Yaml](https://github.com/cloudbase/powershell-yaml) is required to parse Atomic yaml files:

`Install-Module -Name powershell-yaml`

`Import-Module .\Invoke-AtomicRedTeam.psm1`
## Generate Tests

This process generates all Atomic tests and allows for easy copy and paste execution.
Note: you may need to change the path.

```powershell
Invoke-AllAtomicTests -GenerateOnly
```

### Execute All Tests

Execute all Atomic tests:

```powershell
Invoke-AllAtomicTests
```

### Execute All Tests - Specific Directory

Specify the path to the atomics folder, for example `C:\AtomicRedTeam\atomics`:

```powershell
Invoke-AllAtomicTests -Path C:\AtomicRedTeam\atomics
```

### Execute a Single Test

```powershell
$T1117 = Get-AtomicTechnique -Path ..\..\atomics\T1117\T1117.yaml
Invoke-AtomicTest $T1117
```
## Other Examples

If you would like output when running tests, use one of the following:

#### Informational Stream

```powershell
Invoke-AtomicTest $T1117 -InformationAction Continue
```

#### Verbose Stream

```powershell
Invoke-AtomicTest $T1117 -Verbose
```

#### Debug Stream

```powershell
Invoke-AtomicTest $T1117 -Debug
```

#### WhatIf

If you would like to see what would happen without running the test:

```powershell
Invoke-AtomicTest $T1117 -WhatIf
```

#### Confirm

To run all tests without confirming each one, run with the Confirm switch set to false:

```powershell
Invoke-AtomicTest $T1117 -Confirm:$false
```

Or you can set your `$ConfirmPreference` to 'Medium':

```powershell
$ConfirmPreference = 'Medium'
Invoke-AtomicTest $T1117
```
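As an added example (not code from the Invoke-AtomicRedTeam project), the script below combines the switches above into one test run that a detection engineer can correlate with EDR telemetry: a `-WhatIf` dry run first, then the real run with the informational stream on screen and a transcript on disk, followed by the UTC start/end window to search in the EDR or SIEM. The atomics path and log directory are assumptions; adjust them to your install.

```powershell
# Added example, not part of the Invoke-AtomicRedTeam project.
# Assumes Invoke-AtomicRedTeam.psm1 is already imported (see Manual Installation).
$AtomicsPath = 'C:\AtomicRedTeam\atomics'   # assumption: adjust to your install
$TechniqueId = 'T1117'                      # the technique used throughout this readme
$LogDir      = 'C:\tools\atomic-logs'       # assumption: where transcripts are kept

# Load the technique definition from its yaml file, as in "Execute a Single Test".
$yaml      = Join-Path $AtomicsPath "$TechniqueId\$TechniqueId.yaml"
$technique = Get-AtomicTechnique -Path $yaml

# 1. Dry run: show what the test would execute without running anything.
Invoke-AtomicTest $technique -WhatIf

# 2. Real run: informational stream on screen, everything captured to a transcript,
#    and no per-test confirmation prompt so the run is unattended.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$transcript = Join-Path $LogDir "$TechniqueId-$stamp.txt"
Start-Transcript -Path $transcript | Out-Null
$start = Get-Date
try {
    Invoke-AtomicTest $technique -InformationAction Continue -Confirm:$false
}
finally {
    # Record the end time even if the test throws, so the window is always complete.
    $end = Get-Date
    Stop-Transcript | Out-Null
}

# 3. Emit the execution window in UTC (most EDR/SIEM backends index in UTC) so the
#    resulting alerts and telemetry can be pulled and checked against expectations.
[pscustomobject]@{
    Technique  = $TechniqueId
    StartUtc   = $start.ToUniversalTime().ToString('o')
    EndUtc     = $end.ToUniversalTime().ToString('o')
    Transcript = $transcript
}
```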