Carrie Roberts 4955e67900 clarify use of Invoke-WebRequestVerifyHash (#823)
* move emond test into correct T#

* only show cleanup with inputs if there are inputs

* clarify use of Invoke-WebRequestVerifyHash

Co-authored-by: Tony M Lambert <ForensicITGuy@users.noreply.github.com>
Co-authored-by: Michael Haag <mike@redcanary.com>
2020-02-05 10:24:39 -07:00

Invoke-AtomicRedTeam

Setup

Install Atomic Red Team

  • Be sure to get permission and necessary approval before conducting tests. Unauthorized testing is a bad decision and can potentially be a resume-generating event.

  • Set up a test machine that would be similar to the build in your environment. Be sure you have your collection/EDR solution in place, and that the endpoint is checking in and active. It is best to have AV turned off.

We made installing Atomic Red Team extremely easy.

If you are running Atomic Red Team on MacOS or Linux, download and install PowerShell Core first (follow the PowerShell Core installation instructions for Linux or MacOS).

From a PowerShell prompt run the following command:

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/execution-frameworks/Invoke-AtomicRedTeam/install-atomicredteam.ps1'); Install-AtomicRedTeam -verbose

If you get an Import-Module error stating that the module "cannot be loaded because running scripts is disabled on this system", restart PowerShell using "powershell -exec bypass", or bypass the execution policy with one of these methods and try again. Method 12 is especially promising.

The installer source is install-atomicredteam.ps1, the script downloaded by the command above.

By default, the installer downloads and installs Atomic Red Team to <BASEPATH>\AtomicRedTeam

Where <BASEPATH> is C: in Windows or ~ in Linux/MacOS

Running the install script locally lets you pass the following parameters:

InstallPath

  • Where ART is to be installed

    Install-AtomicRedTeam -InstallPath c:\tools\

DownloadPath

  • Where ART is to be downloaded

    Install-AtomicRedTeam -DownloadPath c:\tools\

Force

  • Force a new installation, removing any previous installation in -InstallPath. BE CAREFUL: this deletes the entire install path folder

    Install-AtomicRedTeam -Force

RepoOwner

  • Install ART from another repo. The default RepoOwner is "redcanaryco"

    Install-AtomicRedTeam -RepoOwner clr2of8

Branch

  • Install ART from another branch. The default Branch is "master"

    Install-AtomicRedTeam -RepoOwner clr2of8 -Branch start-process-branch

Manual Installation

set-executionpolicy Unrestricted

PowerShell-Yaml is required to parse Atomic yaml files:

Install-Module -Name powershell-yaml -Scope CurrentUser

Clone the Atomic Red Team repository and import the Invoke-AtomicRedTeam module.

import-module .\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam.psm1

Getting Started

Before you can use the Invoke-AtomicTest function, you must first import the module:

Import-Module C:\AtomicRedTeam\execution-frameworks\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam.psm1

Note: Your path to the Invoke-AtomicRedTeam.psm1 may be different.

Display Test Details for the given Technique Number without Executing any Tests

Invoke-AtomicTest T1089 -ShowDetails

Using the ShowDetails switch causes the test details to be printed to the screen and allows for easy copy and paste execution. Note: you may need to change the path where the test definitions are found with the PathToAtomicsFolder parameter.

Display Only Test Names and Numbers

Invoke-AtomicTest All -ShowDetailsBrief

Execute All Attacks for a Given Technique

Invoke-AtomicTest T1117

This assumes your atomics folder is in the default location of <BASEPATH>\AtomicRedTeam\atomics

Where <BASEPATH> is C: in Windows or ~ in Linux/MacOS

You can override the default path to the atomics folder using the $PSDefaultParameterValues preference variable as shown below.

$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\Users\myuser\Documents\code\atomic-red-team\atomics"}

Tip: Add this to your PowerShell profile so it is always set to your preferred default value.

Execute Specific Attacks (by Attack Number) for a Given Technique

Invoke-AtomicTest T1117 -TestNumbers 1, 2

Execute Specific Attacks (by Attack Name) for a Given Technique

Invoke-AtomicTest T1117 -TestNames "Regsvr32 remote COM scriptlet execution","Regsvr32 local DLL execution"

Specify a Process Timeout

Invoke-AtomicTest T1117 -TimeoutSeconds 15

If the attack commands do not exit (return) within the specified -TimeoutSeconds, the process and its children are forcefully terminated. The default value of -TimeoutSeconds is 120. This allows the Invoke-AtomicTest script to move on to the next test.

Execute All Tests

Execute all Atomic tests:

Invoke-AtomicTest All

Execute All Tests from a Specific Directory

Specify the path to the atomics folder, for example C:\AtomicRedTeam\atomics:

Invoke-AtomicTest All -PathToAtomicsFolder C:\AtomicRedTeam\atomics

Specify an Alternate Path for the Execution Log

Invoke-AtomicTest T1117 -ExecutionLogPath 'C:\Temp\mylog.csv'

By default, test execution details are written to Invoke-AtomicTest-ExecutionLog.csv in the current directory. Use the -ExecutionLogPath parameter to write to a different file. Execution is only logged in the execution log when the attack commands are run (not when the -ShowDetails, -CheckPrereqs, -GetPrereqs, or -Cleanup switches are used). Use the -NoExecutionLog switch to avoid writing execution details to disk.

Check that Prerequisites for a given test are met

Invoke-AtomicTest T1117 -TestNumber 1 -CheckPrereqs

For the "command_prompt", "bash", and "sh" executors, if any of the prereq_commands return a non-zero exit code, the pre-requisites are not met. Example: fltmc.exe filters | findstr #{sysmon_driver}

For the "powershell" executor, the prereq_commands are run as a script block and the script must exit 0 if the pre-requisites are met. Example: if(Test-Path C:\Windows\System32\cmd.exe) { exit 0 } else { exit 1 }

Pre-requisites are also reported as not met if the test is defined with elevation_required: true but the current context is not elevated. You can still execute an attack even if the pre-requisites are not met, but execution may fail.
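The following is an added example, not code from the Invoke-AtomicRedTeam module: it applies the exit-code rules above to a constructed test definition (a hashtable in the shape of a parsed atomic yaml) so you can dry-run a prerequisite check, with input-argument defaults merged the same way -InputArgs overrides them. Test-IsElevated and Test-Prereq are hypothetical helper names.

```powershell
# Constructed test definition in the shape of a parsed atomic yaml (powershell executor,
# using the Test-Path prereq_command quoted above with a placeholder input argument).
$test = @{
    elevation_required = $false
    executor           = 'powershell'
    input_arguments    = @{ target_exe = @{ default = 'C:\Windows\System32\cmd.exe' } }
    dependencies       = @(
        @{ prereq_command = 'if (Test-Path #{target_exe}) { exit 0 } else { exit 1 }' }
    )
}

function Test-IsElevated {
    # elevation_required: true is only satisfied in an elevated context.
    if ($env:OS -eq 'Windows_NT') {
        $id = [Security.Principal.WindowsIdentity]::GetCurrent()
        return ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
    return ((id -u) -eq 0)   # Linux / MacOS under PowerShell Core
}

function Test-Prereq {
    param([hashtable]$Test, [hashtable]$InputArgs = @{})
    # Yaml defaults first, then command-line overrides, as -InputArgs does.
    $merged = @{}
    foreach ($k in $Test.input_arguments.Keys) { $merged[$k] = $Test.input_arguments[$k].default }
    foreach ($k in $InputArgs.Keys) { $merged[$k] = $InputArgs[$k] }

    if ($Test.elevation_required -and -not (Test-IsElevated)) { return $false }

    foreach ($dep in $Test.dependencies) {
        # Substitute #{name} placeholders before running the command.
        $cmd = $dep.prereq_command
        foreach ($k in $merged.Keys) { $cmd = $cmd.Replace('#{' + $k + '}', [string]$merged[$k]) }
        switch ($Test.executor) {
            # command_prompt / bash / sh: any non-zero exit code means "not met".
            'command_prompt' { cmd.exe /c $cmd | Out-Null }
            'bash'           { bash -c $cmd | Out-Null }
            'sh'             { sh -c $cmd | Out-Null }
            # powershell: run in a child PowerShell so that "exit N" produces an exit code
            # without ending the current session; the script must exit 0 when met.
            'powershell'     { & (Get-Process -Id $PID).Path -NoProfile -Command $cmd | Out-Null }
        }
        if ($LASTEXITCODE -ne 0) { return $false }
    }
    return $true
}

Test-Prereq -Test $test                                                      # uses the yaml default
Test-Prereq -Test $test -InputArgs @{ target_exe = 'C:\nope\missing.exe' }   # override, reports $false
```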

Get Prerequisites

Invoke-AtomicTest T1117 -TestNumber 1 -GetPrereqs

This will run the "Get Prereq Commands" listed in the Dependencies section for the test.

The execution framework provides a helpful PowerShell function called Invoke-WebRequestVerifyHash, which only downloads and saves a file to disk if the file hash matches the specified value. Call this function by passing in the URL of the file to download, the path where it should be saved, and lastly the expected SHA256 file hash. The function returns $true if the file was saved to disk, $false otherwise.

Important Note: You must add the import of Invoke-WebRequestVerifyHash.ps1 or the entire Invoke-AtomicRedTeam.psm1 to your PowerShell profile to make this function available to the prereq commands.
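As an added illustration of the contract described above (this is not the module's own implementation of Invoke-WebRequestVerifyHash), the function below downloads to a temporary file and only moves it to the destination when the SHA256 matches, so an unverified file never lands at the requested path. Get-VerifiedDownload is a hypothetical name, and the URL and hash in the usage line are placeholders.

```powershell
function Get-VerifiedDownload {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # Download into a scratch file so a mismatching file never touches $Destination.
    $tmp = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName())
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing
        $actual = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
        if ($actual -ieq $ExpectedSha256) {
            Move-Item -Path $tmp -Destination $Destination -Force
            return $true     # saved to disk, as Invoke-WebRequestVerifyHash reports
        }
        Write-Warning "SHA256 mismatch for $Url (expected $ExpectedSha256, got $actual); file discarded"
        return $false
    }
    catch {
        Write-Warning "Download failed for ${Url}: $_"
        return $false
    }
    finally {
        # Remove the scratch file whether the download failed or the hash did not match.
        if (Test-Path $tmp) { Remove-Item -Path $tmp -Force }
    }
}

# Usage with placeholder values (replace the URL and the hash with the real ones):
Get-VerifiedDownload 'https://example.invalid/tool.zip' 'C:\Temp\tool.zip' '<EXPECTED-SHA256-PLACEHOLDER>'
```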

Specify Input Parameters on the Command Line

$myArgs = @{ "file_name" = "c:\Temp\myfile.txt"; "ads_filename" = "C:\Temp\ads-file.txt"  }
Invoke-AtomicTest T1158 -TestNames "Create ADS command prompt" -InputArgs $myArgs

You can specify a subset of the input parameters via the command line. Any input parameters not explicitly defined will maintain their default values from the test definition yaml.

Run the Cleanup Commands For the Specified Test

Invoke-AtomicTest T1089 -TestNames "Uninstall Sysmon" -Cleanup

Additional Examples

Confirm

To run all tests without confirming each one, set the Confirm switch to false:

Invoke-AtomicTest All -Confirm:$false

Or you can set your $ConfirmPreference to 'Medium':

$ConfirmPreference = 'Medium'
Invoke-AtomicTest All