Invoke-AtomicRedTeam
Setup
Install Atomic Red Team
Be sure to get permission and the necessary approval before conducting tests. Unauthorized testing is a bad decision and can potentially be a resume-generating event.
Set up a test machine that would be similar to the build in your environment. Be sure you have your collection/EDR solution in place, and that the endpoint is checking in and active. It is best to have AV turned off.
We made installing Atomic Red Team extremely easy.
For those running Atomic Red Team on macOS or Linux, download and install PowerShell Core first.
Once the environment is ready, run PowerShell as an administrator and run the following PowerShell one-liner:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/execution-frameworks/Invoke-AtomicRedTeam/install-atomicredteam.ps1'); Install-AtomicRedTeam -verbose
By default, it will download and install Atomic Red Team to <BASEPATH>\AtomicRedTeam, where <BASEPATH> is C: on Windows or ~ on Linux/macOS.
Running the install script locally, the Install-AtomicRedTeam function accepts three parameters:
InstallPath - Where ART is to be installed
Install-AtomicRedTeam -InstallPath c:\tools\
DownloadPath - Where ART is to be downloaded
Install-AtomicRedTeam -DownloadPath c:\tools\
Force - Force a new installation, removing any previous installation in -InstallPath. BE CAREFUL: this will delete the entire install path folder.
Install-AtomicRedTeam -Force
Manual
set-executionpolicy Unrestricted
PowerShell-Yaml is required to parse Atomic yaml files:
Install-Module -Name powershell-yaml
import-module .\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam.psm1
Getting Started
Before you can use the Invoke-AtomicTest function, you must first import the module:
Import-Module C:\AtomicRedTeam\execution-frameworks\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam.psm1
Note: Your path to the Invoke-AtomicRedTeam.psm1 may be different.
Execute All Tests
Execute all Atomic tests:
Invoke-AtomicTest All
This assumes your atomics folder is in the default location of <BASEPATH>\AtomicRedTeam\atomics
Where <BASEPATH> is C: in Windows or ~ in Linux/MacOS
You can override the default path to the atomics folder using the $PSDefaultParameterValues preference variable as shown below.
$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\Users\myuser\Documents\code\atomic-red-team\atomics"}
Tip: Add this to your PowerShell profile so it is always set to your preferred default value.
Execute All Tests - Specific Directory
Specify a path to the atomics folder, for example C:\AtomicRedTeam\atomics:
Invoke-AtomicTest All -PathToAtomicsFolder C:\AtomicRedTeam\atomics
Display Test Details without Executing the Test
Show the attack commands:
Invoke-AtomicTest All -ShowDetails
Show the Prereq commands:
Invoke-AtomicTest All -CheckPrereqs -ShowDetails
Show the Cleanup commands:
Invoke-AtomicTest All -Cleanup -ShowDetails
Using the ShowDetails switch causes the test details to be printed to the screen and allows for easy copy and paste execution.
Note: you may need to change the path where the test definitions are found with the PathToAtomicsFolder parameter.
Execute All Attacks for a Given Technique
Invoke-AtomicTest T1117
By default, test execution details are written to Invoke-AtomicTest-ExecutionLog.csv in the current directory.
Specify an Alternate Path for the Execution Log
Invoke-AtomicTest T1117 -ExecutionLogPath 'C:\Temp\mylog.csv'
Use the -ExecutionLogPath parameter to write the execution log to a different file. Nothing is logged in the execution log when only running pre-requisite checks with -CheckPrereqs or cleanup commands with -Cleanup. Use the -NoExecutionLog switch to skip writing execution details to disk altogether.
Check that Prerequisites for a Given Technique are met
Invoke-AtomicTest T1117 -CheckPrereqs
For the "command_prompt", "bash", and "sh" executors, if any of the prereq_command entries returns a non-zero exit code, the pre-requisites are not met. Example: fltmc.exe filters | findstr #{sysmon_driver}
For the "powershell" executor, the prereq_command entries are run as a script block and the script must return 0 if the pre-requisites are met. Example: if(Test-Path C:\Windows\System32\cmd.exe) { 0 } else { -1 }
Pre-requisites will also be reported as not met if the test is defined with elevation_required: true but the current context is not elevated. You can still execute an attack even if the pre-requisites are not met but execution may fail.
Execute Specific Attacks (by Attack Number) for a Given Technique
Invoke-AtomicTest T1117 -TestNumbers 1, 2
Execute Specific Attacks (by Attack Name) for a Given Technique
Invoke-AtomicTest T1117 -TestNames "Regsvr32 remote COM scriptlet execution","Regsvr32 local DLL execution"
Specify Input Parameters on the Command Line
$myArgs = @{ "file_name" = "c:\Temp\myfile.txt"; "ads_filename" = "C:\Temp\ads-file.txt" }
Invoke-AtomicTest T1158 -TestNames "Create ADS command prompt" -InputArgs $myArgs
You can specify a subset of the input parameters via the command line. Any input parameters not explicitly defined will maintain their default values from the test definition yaml.
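As an added illustration of the two behaviours described above (command-line input arguments overriding the yaml defaults, and prereq_command checks being evaluated per executor), here is a small PowerShell example that is not part of the Invoke-AtomicRedTeam module. The test definition is constructed inline to look like a parsed atomic yaml, the placeholder and path values are made up, and the command_prompt branch assumes a Windows host with cmd.exe.

```powershell
# Constructed test definition, shaped like an atomic yaml after parsing (not a real atomic).
$atomic = @{
    name            = 'Constructed ADS example'
    executor        = @{ name = 'command_prompt' }
    input_arguments = @{ file_name    = @{ default = 'c:\Temp\default.txt' }
                         ads_filename = @{ default = 'c:\Temp\default-ads.txt' } }
    dependencies    = @( @{ description = 'Source file must exist'; prereq_command = 'if not exist #{file_name} exit 1' } )
}

# Start from every default in the definition, then apply only the overrides given on the command line.
function Merge-InputArgs {
    param([hashtable] $Definition, [hashtable] $Overrides = @{})
    $resolved = @{}
    foreach ($name in $Definition.input_arguments.Keys) {
        $resolved[$name] = $Definition.input_arguments[$name].default
    }
    foreach ($name in $Overrides.Keys) {
        if (-not $resolved.ContainsKey($name)) { throw "Unknown input argument '$name'" }
        $resolved[$name] = $Overrides[$name]
    }
    return $resolved
}

# Replace each #{name} placeholder in a command string with its resolved value.
function Expand-AtomicArgs {
    param([string] $Text, [hashtable] $Values)
    foreach ($name in $Values.Keys) { $Text = $Text.Replace("#{$name}", [string]$Values[$name]) }
    return $Text
}

# command_prompt/bash/sh: met when the exit code is 0. powershell: the script block must return 0.
function Test-AtomicPrereq {
    param([string] $Executor, [string] $Command)
    switch ($Executor) {
        'command_prompt'        { cmd.exe /c $Command *> $null; return ($LASTEXITCODE -eq 0) }
        { $_ -in 'bash', 'sh' } { & $_ -c $Command *> $null;    return ($LASTEXITCODE -eq 0) }
        'powershell'            { $r = & ([scriptblock]::Create($Command))
                                  return (@($r).Count -eq 1 -and ($r -as [int]) -eq 0) }
        default                 { throw "Executor '$Executor' is not handled in this example" }
    }
}

# Override file_name only; ads_filename keeps its default from the definition.
$inputArgs = Merge-InputArgs -Definition $atomic -Overrides @{ file_name = 'c:\Temp\myfile.txt' }
foreach ($dep in $atomic.dependencies) {
    $cmd = Expand-AtomicArgs -Text $dep.prereq_command -Values $inputArgs
    '{0}: met = {1}' -f $dep.description, (Test-AtomicPrereq -Executor $atomic.executor.name -Command $cmd)
}
```

Create c:\Temp\myfile.txt and re-run to see the prerequisite flip from not met to met while ads_filename stays at its default.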
Run the Cleanup Commands For the Specified Test
Invoke-AtomicTest T1089 -TestNames "Uninstall Sysmon" -Cleanup
Additional Examples
If you would like output while running tests, use one of the following streams:
Informational Stream
Invoke-AtomicTest T1117 -InformationAction Continue
Verbose Stream
Invoke-AtomicTest T1117 -Verbose
Debug Stream
Invoke-AtomicTest T1117 -Debug
Confirm
To run tests without being prompted to confirm each one, set the Confirm switch to false:
Invoke-AtomicTest T1117 -Confirm:$false
Or you can set your $ConfirmPreference to 'Medium':
$ConfirmPreference = 'Medium'
Invoke-AtomicTest T1117