atomic-red-team/docs/invoke-atomic-red-team.md
Michael Haag 5f49684c43 Install fixes (#462)
* Install fixes

Updated casing. Should be happier

* fix docs-invoke page

Fixing docs invoke page to match the other readme
2019-03-26 13:13:05 -07:00


---
layout: default
---

Getting Started - PowerShell Invoke-AtomicRedTeam

  1. Install Atomic Red Team
  2. Generate Tests
  3. Execute Tests
  4. Other Examples

Install Atomic Red Team

  • Be sure to get permission and necessary approval before conducting tests. Unauthorized testing is a bad decision and can potentially be a resume-generating event.

  • Set up a test machine that is similar to the builds in your environment. Be sure you have your collection/EDR solution in place, and that the endpoint is checking in and active. It is best to have AV turned off.

We made installing Atomic Red Team extremely easy.

Once the environment is ready, run the following PowerShell one liner as Administrator:

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://psinstall.AtomicRedTeam.com')"


By default, it will download and install Atomic Red Team to c:\tools\.

Running the install script locally exposes three parameters:

InstallPath

  • Where ART is to be installed

    install-AtomicRedTeam.ps1 -InstallPath c:\tools\

DownloadPath

  • Where ART is to be downloaded

    install-AtomicRedTeam.ps1 -DownloadPath c:\tools\

Verbose

  • Verbose output during installation

    install-AtomicRedTeam.ps1 -Verbose
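The same install run with the script saved to disk first, so it can be read and hashed before it executes, and then started locally with the parameters listed above. This is an added example, not part of the Atomic Red Team docs; it assumes the URL from the one-liner returns the installer as plain text and that the saved file accepts -InstallPath and -Verbose as described.

```powershell
# Added example (not from the Atomic Red Team docs).
# Assumption: http://psinstall.AtomicRedTeam.com returns install-AtomicRedTeam.ps1
# as plain text and the saved script accepts -InstallPath and -Verbose.
$installer = Join-Path $env:TEMP 'install-AtomicRedTeam.ps1'

# Save to a file instead of piping straight into IEX so the script can be reviewed.
Invoke-WebRequest -Uri 'http://psinstall.AtomicRedTeam.com' -OutFile $installer

# Record the hash of what was actually fetched alongside this install run.
Get-FileHash -Path $installer -Algorithm SHA256 | Format-List

# Read the script before running it.
Get-Content -Path $installer

# Install to a non-default location with verbose output.
& $installer -InstallPath 'D:\tools\' -Verbose
```

Keeping the downloaded copy and its hash with your test notes makes it clear afterwards exactly which installer version produced the tooling on the host.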

Manual Installation

To manually install Invoke-AtomicRedTeam:

Set-ExecutionPolicy Unrestricted

PowerShell-Yaml is required to parse Atomic yaml files:

Install-Module -Name powershell-yaml

Import-Module .\Invoke-AtomicRedTeam.psm1
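The three manual steps above wrapped with the checks a practitioner usually wants: the policy change scoped to the current process, the YAML module installed only if missing, and the import verified. This is an added example, not part of the Atomic Red Team docs; it assumes it is run from a clone of the repository with Invoke-AtomicRedTeam.psm1 in the current directory.

```powershell
# Added example (not from the Atomic Red Team docs).
# Assumption: Invoke-AtomicRedTeam.psm1 is in the current directory.

# Relax the execution policy for this process only rather than machine-wide.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

# PowerShell-Yaml is needed to parse the atomic yaml files; install it once.
if (-not (Get-Module -ListAvailable -Name powershell-yaml)) {
    Install-Module -Name powershell-yaml -Scope CurrentUser -Force
}

$modulePath = Join-Path (Get-Location) 'Invoke-AtomicRedTeam.psm1'
if (-not (Test-Path $modulePath)) {
    throw "Invoke-AtomicRedTeam.psm1 not found in $(Get-Location)"
}
Import-Module $modulePath -Force

# Confirm the commands used in the rest of this page are now available.
Get-Command -Name Get-AtomicTechnique, Invoke-AtomicTest, Invoke-AllAtomicTests
```

Using -Scope Process means the relaxed policy disappears when the session ends, so the test host is not left permanently running unsigned scripts.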

Generate Tests

This process generates all Atomic tests and allows for easy copy and paste execution. Note: you may need to change the path.

Invoke-AllAtomicTests -GenerateOnly

Execute All Tests

Execute all Atomic tests:

Invoke-AllAtomicTests

Execute All Tests - Specific Directory

Specify a path to the atomics folder, for example C:\AtomicRedTeam\atomics:

Invoke-AllAtomicTests -Path C:\AtomicRedTeam\atomics

Execute a Single Test

$T1117 = Get-AtomicTechnique -Path ..\..\atomics\T1117\T1117.yaml
Invoke-AtomicTest $T1117

Other Examples

If you would like output when running tests, use one of the following streams:

Informational Stream

Invoke-AtomicTest $T1117 -InformationAction Continue

Verbose Stream

Invoke-AtomicTest $T1117 -Verbose

Debug Stream

Invoke-AtomicTest $T1117 -Debug

WhatIf

If you would like to see what would happen without running the test:

Invoke-AtomicTest $T1117 -WhatIf

Confirm

To run tests without being prompted for confirmation, set the Confirm switch to false:

Invoke-AtomicTest $T1117 -Confirm:$false

Or you can set your $ConfirmPreference to 'Medium':

$ConfirmPreference = 'Medium'
Invoke-AtomicTest $T1117
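The single-test and "Other Examples" commands above combined into one run: load the technique, dry-run it with -WhatIf, then execute it unattended with the informational stream visible while a transcript records the exact time window so the endpoint's EDR/SIEM events can be matched to it. This is an added example, not part of the Atomic Red Team docs; it assumes Invoke-AtomicRedTeam is already imported and the atomics folder is at C:\AtomicRedTeam\atomics.

```powershell
# Added example (not from the Atomic Red Team docs).
# Assumptions: the module is imported and atomics live at C:\AtomicRedTeam\atomics.
$atomics   = 'C:\AtomicRedTeam\atomics'
$technique = 'T1117'
$yaml      = Join-Path $atomics "$technique\$technique.yaml"

$test = Get-AtomicTechnique -Path $yaml

# Dry run: show what the test would execute without running it.
Invoke-AtomicTest $test -WhatIf

# Record the run so detection events can be correlated to a known window.
$log = Join-Path $env:TEMP ("art-{0}-{1:yyyyMMdd-HHmmss}.log" -f $technique, (Get-Date))
Start-Transcript -Path $log
try {
    $start = Get-Date
    # Unattended run (no prompt) with the informational stream shown.
    Invoke-AtomicTest $test -Confirm:$false -InformationAction Continue
    $end = Get-Date
    Write-Output ("{0} ran from {1:o} to {2:o}" -f $technique, $start, $end)
}
finally {
    Stop-Transcript
}
```

The start and end timestamps in the transcript are what you search your EDR console or SIEM for: if the technique produced no alert inside that window, the gap is in coverage, not in the test.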