diff --git a/docs/invoke-atomic-red-team.md b/docs/invoke-atomic-red-team.md deleted file mode 100644 index a4c41d351b..0000000000 --- a/docs/invoke-atomic-red-team.md +++ /dev/null 
@@ -1,126 +0,0 @@ ---- -layout: default ---- - -# Getting Started - PowerShell Invoke-AtomicRedTeam - -1. [Install Atomic Red Team](#install-atomic-red-team) -2. [Generate Tests](#generate-tests) -3. [Execute Tests](#execute-tests) -4. [Other Examples](#Other-Examples) - -## Install Atomic Red Team - -* Be sure to get permission and necessary approval before conducting test's. Unauthorized testing is a bad decision -and can potentially be a resume-generating event. - -* Set up a test machine that would be similar to the build in your environment. Be sure you have your collection/EDR -solution in place, and that the endpoint is checking in and active. It is best to have AV turned off. - -We made installing Atomic Red Team extremely easy. - -Once the environment is ready, run the following PowerShell one liner as Administrator: - -`powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://psinstall.AtomicRedTeam.com')"` - -[Source](https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/execution-frameworks/Invoke-AtomicRedTeam/install-AtomicRedTeam.ps1) - -By default, it will download and install Atomic Red Team to `c:\tools\` - -Running the [install script](https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/execution-frameworks/Invoke-AtomicRedTeam/install-AtomicRedTeam.ps1) locally provides three parameters: - -InstallPath -- Where ART is to be installed - - `install-AtomicRedTeam.ps1 -InstallPath c:\tools\` - -DownloadPath -- Where ART is to be downloaded - - `install-AtomicRedTeam.ps1 -DownloadPath c:\tools\` - -Verbose -- Verbose output during installation - - `install-AtomicRedTeam.ps1 -verbose` - -### Manual Installation - -To manually install Invoke-AtomicRedTeam: - -`set-executionpolicy Unrestricted` - -[PowerShell-Yaml](https://github.com/cloudbase/powershell-yaml) is required to parse Atomic yaml files: - -`Install-Module -Name powershell-yaml` - -`Import-Module .\Invoke-AtomicRedTeam.psm1` - -## Generate Tests - 
-This process generates all Atomic tests and allows for easy copy and paste execution. -Note: you may need to change the path. - - Invoke-AllAtomicTests -GenerateOnly - -### Execute All Tests - -Execute all Atomic tests: - - Invoke-AllAtomicTests - -### Execute All Tests - Specific Directory - -Specify a path to atomics folder, example C:\AtomicRedTeam\atomics - - Invoke-AllAtomicTests -path C:\AtomicRedTeam\atomics - -### Execute a Single test - - $T1117 = Get-AtomicTechnique -Path ..\..\atomics\T1117\T1117.yaml - Invoke-AtomicTest $T1117 - -## Other Examples - -If you would like output when running tests using the following: - -#### Informational Stream - -```powershell -Invoke-AtomicTest $T1117 -InformationAction Continue -``` - -#### Verbose Stream - -```powershell -Invoke-AtomicTest $T1117 -Verbose -``` - -#### Debug Stream - -```powershell -Invoke-AtomicTest $T1117 -Debug -``` - -#### WhatIf - -If you would like to see what would happen without running the test - -```powershell -Invoke-AtomicTest $T1117 -WhatIf -``` - -#### Confirm - -To run all tests without confirming them run using the Confirm switch to false - -```powershell -Invoke-AtomicTest $T1117 -Confirm:$false -``` - -Or you can set your `$ConfirmPreference` to 'Medium' - -```powershell -$ConfirmPreference = 'Medium' -Invoke-AtomicTest $T1117 -``` diff --git a/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam.psd1 b/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam.psd1 index c1bba7f614..93a261f7eb 100644 --- a/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam.psd1 +++ b/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam.psd1 
@@ -69,7 +69,11 @@ # NestedModules = @() # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. - FunctionsToExport = @() + FunctionsToExport = @( + 'Confirm-Dependencies', + 'Invoke-AtomicTest', + 'Write-ExeutionLog' + ) # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. CmdletsToExport = @() diff --git a/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam.psm1 b/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam.psm1 index c45bbdc33b..9ac1bbd175 100644 --- a/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam.psm1 +++ b/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam.psm1 @@ -5,13 +5,11 @@ $Public = @( Get-ChildItem -Path $PSScriptRoot\Public\*.ps1 -Recurse -ErrorActio $Private = @( Get-ChildItem -Path $PSScriptRoot\Private\*.ps1 -Recurse -ErrorAction SilentlyContinue ) #Dot source the files -Foreach ($import in @($Private + $Public)) { +Foreach ($import in @($Public + $Private)) { Try { . $import.fullname } Catch { Write-Error -Message "Failed to import function $($import.fullname): $_" } -} - -Export-ModuleMember -Function $Public.Basename \ No newline at end of file +} \ No newline at end of file diff --git a/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Public/Write-ExecutionLog.ps1 b/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Private/Write-ExecutionLog.ps1 similarity index 100% rename from execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Public/Write-ExecutionLog.ps1 rename to execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Private/Write-ExecutionLog.ps1 
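Review bot: The `'Write-ExeutionLog'` entry in the new `FunctionsToExport` list in Invoke-AtomicRedTeam.psd1 is misspelled and, because this same patch moves Write-ExecutionLog.ps1 from Public/ to Private/, it should not be exported at all; drop it so the manifest reads `FunctionsToExport = @('Confirm-Dependencies', 'Invoke-AtomicTest')`. This matters more than a typo normally would: the psm1 hunk removes `Export-ModuleMember -Function $Public.Basename`, so the manifest is now the only thing that defines the module's exported surface, and a misspelled name is silently ignored at import rather than failing. The `@($Public + $Private)` reorder in the psm1 changes only dot-source order, not visibility; it is harmless as long as no Public/ file calls a Private/ function at load time.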
diff --git a/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Public/Invoke-AllAtomicTests.ps1 b/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Public/Invoke-AllAtomicTests.ps1 deleted file mode 100644 index ab41492260..0000000000 --- a/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Public/Invoke-AllAtomicTests.ps1 +++ /dev/null 
@@ -1,77 +0,0 @@ -<# -.SYNOPSIS - Invokes all Atomic test(s) -.DESCRIPTION - Invokes all Atomic tests(s). Optionally, you can specify if you want to generate all Atomic test(s) only. -.EXAMPLE Invokes Atomic Test - PS/> Invoke-AllAtomicTests - PS/> Invoke-AllAtomicTests -Force -.EXAMPLE Generate All Atomic Tests - PS/> Invoke-AllAtomicTests -GenerateOnly -.PARAMETER Path - Path to atomics folder, example C:\AtomicRedTeam\atomics -.PARAMETER GenerateOnly - Generate tests only do not execute. Writes test commands to STDOUT -.PARAMETER Force - Override safety handler. Normally this will prompt you to confirm all tests. This will override that. -.NOTES - Create Atomic Tests from yaml files described in Atomic Red Team. https://github.com/redcanaryco/atomic-red-team -.LINK - Github repo: https://github.com/redcanaryco/atomic-red-team -#> -function Invoke-AllAtomicTests { - [CmdletBinding(DefaultParameterSetName = 'technique', - SupportsShouldProcess = $true, - PositionalBinding = $false, - ConfirmImpact = 'Medium')] - Param( - [Parameter(Mandatory = $true, - Position = 0, - ValueFromPipelineByPropertyName = $true, - ParameterSetName = 'technique')] - [ValidateNotNullOrEmpty()] - [System.String] - $Path, - - [Parameter(Mandatory = $false, - Position = 1, - ValueFromPipelineByPropertyName = $true, - ParameterSetName = 'technique')] - [switch] - $GenerateOnly, - - [switch] - $Force - ) - $InformationPreference = 'Continue' - - function Invoke-AllTests() - { - - $AllAtomicTests = New-Object System.Collections.ArrayList - $AtomicFilePath = $Path - Get-ChildItem $AtomicFilePath -Recurse -Filter *.yaml -File | ForEach-Object { - $currentTechnique = [System.IO.Path]::GetFileNameWithoutExtension($_.FullName) - $AllAtomicTests.Add($currentTechnique); - } - if($GenerateOnly) - { - $AllAtomicTests.GetEnumerator() | Foreach-Object { Invoke-AtomicTest $_ -GenerateOnly } - - } - else - { - $AllAtomicTests.GetEnumerator() | Foreach-Object { Invoke-AtomicTest $_ } - } - - } - - if ( 
$Force -or $psCmdlet.ShouldContinue( 'Do you wish to execute all tests?', - "Highway to the danger zone, Executing All Atomic Tests!" ) ) - { - Invoke-AllTests - } - - - -} diff --git a/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Public/Invoke-AtomicTest.ps1 b/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Public/Invoke-AtomicTest.ps1 index 7cba0608c1..b79051e629 100644 --- a/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Public/Invoke-AtomicTest.ps1 +++ b/execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Public/Invoke-AtomicTest.ps1 @@ -10,7 +10,7 @@ .EXAMPLE Run the Cleanup Commmand for the given Atomic Test PS/> Invoke-AtomicTest T1117 -Cleanup .EXAMPLE Generate Atomic Test (Output Test Definition Details) - PS/> Invoke-AtomicTest T1117 -GenerateOnly + PS/> Invoke-AtomicTest T1117 -ShowDetails .NOTES Create Atomic Tests from yaml files described in Atomic Red Team. https://github.com/redcanaryco/atomic-red-team .LINK @@ -36,7 +36,7 @@ function Invoke-AtomicTest { ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [switch] - $GenerateOnly, + $ShowDetails, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] 
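Review bot: Renaming the public `-GenerateOnly` switch to `-ShowDetails` in Invoke-AtomicTest.ps1 and deleting `Invoke-AllAtomicTests` outright both break existing callers with no deprecation path. Add `[Alias('GenerateOnly')]` on the `$ShowDetails` parameter so existing scripts keep working, and consider keeping a thin `Invoke-AllAtomicTests` wrapper in Public/ that emits `Write-Warning` and calls `Invoke-AtomicTest All` with the same `-Path`/`-GenerateOnly`/`-Force` arguments for one release. The deleted function's `.PARAMETER Force` and `.PARAMETER Path` help text also needs to move into Invoke-AtomicTest's comment-based help, since that is where those parameters now live.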
@@ -66,164 +66,194 @@ function Invoke-AtomicTest { $Cleanup = $false, [Parameter(Mandatory = $false, - ParameterSetName = 'technique')] + ParameterSetName = 'technique')] [switch] $NoExecutionLog = $false, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [String] - $ExecutionLogPath = "Invoke-AtomicTest-ExecutionLog.csv" + $ExecutionLogPath = "Invoke-AtomicTest-ExecutionLog.csv", + + [Parameter(Mandatory = $false, + ParameterSetName = 'technique')] + [switch] + $Force ) BEGIN { } # Intentionally left blank and can be removed PROCESS { + # $InformationPrefrence = 'Continue' Write-Verbose -Message 'Attempting to run Atomic Techniques' - $AtomicTechniqueHash = Get-AtomicTechnique -Path $PathToAtomicsFolder\$AtomicTechnique\$AtomicTechnique.yaml - $techniqueCount = 0 - foreach ($technique in $AtomicTechniqueHash) { + function Invoke-AtomicTestSingle ($AT) { - $techniqueCount++ - $props = @{ - Activity = "Running $($technique.display_name.ToString()) Technique" - Status = 'Progress:' - PercentComplete = ($techniqueCount / ($AtomicTechniqueHash).Count * 100) - } - Write-Progress @props + $AtomicTechniqueHash = Get-AtomicTechnique -Path $PathToAtomicsFolder\$AT\$AT.yaml + $techniqueCount = 0 + foreach ($technique in $AtomicTechniqueHash) { - Write-Debug -Message "Gathering tests for Technique $technique" - - $testCount = 0 - foreach ($test in $technique.atomic_tests) { - $testCount++ - - if ($null -ne $TestNumbers) { - if (-Not ($TestNumbers -contains $testCount) ) { continue } - } - - if ($null -ne $TestNames) { - if (-Not ($TestNames -contains $test.name) ) { continue } - } + $techniqueCount++ $props = @{ - Activity = 'Running Atomic Tests' + Activity = "Running $($technique.display_name.ToString()) Technique" Status = 'Progress:' - PercentComplete = ($testCount / ($technique.atomic_tests).Count * 100) + PercentComplete = ($techniqueCount / ($AtomicTechniqueHash).Count * 100) } Write-Progress @props - Write-Verbose -Message 'Determining tests for Windows' 
+ Write-Debug -Message "Gathering tests for Technique $technique" - if (-Not $test.supported_platforms.Contains('windows')) { - Write-Verbose -Message 'Unable to run non-Windows tests' - continue - } + $testCount = 0 + foreach ($test in $technique.atomic_tests) { + $testCount++ - Write-Verbose -Message 'Determining manual tests' + if ($null -ne $TestNumbers) { + if (-Not ($TestNumbers -contains $testCount) ) { continue } + } - if ($test.executor.name.Contains('manual')) { - Write-Verbose -Message 'Unable to run manual tests' - continue - } + if ($null -ne $TestNames) { + if (-Not ($TestNames -contains $test.name) ) { continue } + } + + $props = @{ + Activity = 'Running Atomic Tests' + Status = 'Progress:' + PercentComplete = ($testCount / ($technique.atomic_tests).Count * 100) + } + Write-Progress @props + + Write-Verbose -Message 'Determining tests for Windows' + + if (-Not $test.supported_platforms.Contains('windows')) { + Write-Verbose -Message 'Unable to run non-Windows tests' + continue + } + + Write-Verbose -Message 'Determining manual tests' - Write-Information -MessageData ("[********BEGIN TEST*******]`n" + - $technique.display_name.ToString(), $technique.attack_technique.ToString()) -Tags 'Details' + if ($test.executor.name.Contains('manual')) { + Write-Verbose -Message 'Unable to run manual tests' + continue + } + + Write-Information -MessageData ("[********BEGIN TEST*******]`n" + + $technique.display_name.ToString(), $technique.attack_technique.ToString()) -Tags 'Details' - Write-Information -MessageData $test.name.ToString() -Tags 'Details' - Write-Information -MessageData $test.description.ToString() -Tags 'Details' + Write-Information -MessageData $test.name.ToString() -Tags 'Details' + Write-Information -MessageData $test.description.ToString() -Tags 'Details' - Write-Debug -Message 'Gathering final Atomic test command' + Write-Debug -Message 'Gathering final Atomic test command' - $prereqCommand = $test.executor.prereq_command - $command = 
$test.executor.command - $cleanupCommand = $test.executor.cleanup_command + $prereqCommand = $test.executor.prereq_command + $command = $test.executor.command + $cleanupCommand = $test.executor.cleanup_command - if ($test.input_arguments.Count -gt 0) { - Write-Verbose -Message 'Replacing inputArgs with default values' - $inputArgs = [Array]($test.input_arguments.Keys).Split(" ") - $inputDefaults = [Array]($test.input_arguments.Values | ForEach-Object { $_.default }).Split(" ") + if ($test.input_arguments.Count -gt 0) { + Write-Verbose -Message 'Replacing inputArgs with default values' + $inputArgs = [Array]($test.input_arguments.Keys).Split(" ") + $inputDefaults = [Array]($test.input_arguments.Values | ForEach-Object { $_.default.toString() }).Split(" ") - for ($i = 0; $i -lt $inputArgs.Length; $i++) { - $findValue = '#{' + $inputArgs[$i] + '}' - if( $nul -ne $prereqCommand ) { $prereqCommand = $prereqCommand.Replace($findValue, $inputDefaults[$i]) } else { $prereqCommand = "" } - $Command = $command.Replace($findValue, $inputDefaults[$i]) - if( $nul -ne $cleanupCommand ) { $cleanupCommand = $cleanupCommand.Replace($findValue, $inputDefaults[$i]) } else { $cleanupCommand = "" } + for ($i = 0; $i -lt $inputArgs.Length; $i++) { + $findValue = '#{' + $inputArgs[$i] + '}' + if ( $nul -ne $prereqCommand ) { $prereqCommand = $prereqCommand.Replace($findValue, $inputDefaults[$i]) } else { $prereqCommand = "" } + $Command = $command.Replace($findValue, $inputDefaults[$i]) + if ( $nul -ne $cleanupCommand ) { $cleanupCommand = $cleanupCommand.Replace($findValue, $inputDefaults[$i]) } else { $cleanupCommand = "" } + } } - } - if ($CheckPrereqs) { - $finalCommand = $prereqCommand - } - elseif ($Cleanup) { - $finalCommand = $cleanupCommand - } - else { - $finalCommand = $command - } + if ($CheckPrereqs) { + $finalCommand = $prereqCommand + } + elseif ($Cleanup) { + $finalCommand = $cleanupCommand + } + else { + $finalCommand = $command + } - Write-Debug -Message 'Getting 
executor and build command script' + Write-Debug -Message 'Getting executor and build command script' - if ($GenerateOnly) { - Write-Information -MessageData $finalCommand -Tags 'Command' - } - else { - $startTime = get-date - $attackExecuted = $false - Write-Verbose -Message 'Invoking Atomic Tests using defined executor' - $testName = $test.name.ToString() - if ($pscmdlet.ShouldProcess($testName, 'Execute Atomic Test')) { - switch ($test.executor.name) { - "command_prompt" { - Write-Information -MessageData "Command Prompt:`n $finalCommand" -Tags 'AtomicTest' - $finalCommandEscaped = $finalCommand -replace "`"", "```"" - $execCommand = $finalCommandEscaped.Split("`n") | Where-Object { $_ -ne "" } - $exitCodes = New-Object System.Collections.ArrayList - $execCommand | ForEach-Object { - Invoke-Expression "cmd.exe /c `"$_`" " - $exitCodes.Add($LASTEXITCODE) | Out-Null - if($finalCommand -eq $command){ $attackExecuted = $true} - } - $nonZeroExitCodes = $exitCodes | Where-Object { $_ -ne 0 } - if ($CheckPrereqs ) { - if ($nonZeroExitCodes.Count -ne 0) { - Write-Host -ForegroundColor Red "Prerequisites not met: $testName" + if ($ShowDetails) { + Write-Information -MessageData $finalCommand -Tags 'Command' + } + else { + $startTime = get-date + $attackExecuted = $false + Write-Verbose -Message 'Invoking Atomic Tests using defined executor' + $testName = $test.name.ToString() + if ($pscmdlet.ShouldProcess($testName, 'Execute Atomic Test')) { + switch ($test.executor.name) { + "command_prompt" { + Write-Information -MessageData "Command Prompt:`n $finalCommand" -Tags 'AtomicTest' + $finalCommandEscaped = $finalCommand -replace "`"", "```"" + $execCommand = $finalCommandEscaped.Split("`n") | Where-Object { $_ -ne "" } + $exitCodes = New-Object System.Collections.ArrayList + $execCommand | ForEach-Object { + Invoke-Expression "cmd.exe /c `"$_`" " + $exitCodes.Add($LASTEXITCODE) | Out-Null + if ($finalCommand -eq $command) { $attackExecuted = $true } } - else { - Write-Host 
-ForegroundColor Green "Prerequisites met: $testName" + $nonZeroExitCodes = $exitCodes | Where-Object { $_ -ne 0 } + if ($CheckPrereqs ) { + if ($nonZeroExitCodes.Count -ne 0) { + Write-Host -ForegroundColor Red "Prerequisites not met: $AT-$testCount $testName" + } + else { + Write-Host -ForegroundColor Green "Prerequisites met: $AT-$testCount $testName" + } } + if (-not $NoExecutionLog -and $attackExecuted) { Write-ExecutionLog $startTime $AT $testCount $testName $ExecutionLogPath } + continue } - if(-not $NoExecutionLog -and $attackExecuted) { Write-ExecutionLog $startTime $AtomicTechnique $testCount $testName $ExecutionLogPath } - continue - } - "powershell" { - Write-Information -MessageData "PowerShell`n $finalCommand" -Tags 'AtomicTest' - $execCommand = "Invoke-Command -ScriptBlock {$finalCommand}" - $res = Invoke-Expression $execCommand - if($finalCommand -eq $command){ $attackExecuted = $true} - if ($CheckPrereqs ) { - if ([string]::IsNullOrEmpty($finalCommand) -or $res -ne 0) { - Write-Host -ForegroundColor Red "Prerequisites not met: $testName" - } - else { - Write-Host -ForegroundColor Green "Prerequisites met: $testName" + "powershell" { + Write-Information -MessageData "PowerShell`n $finalCommand" -Tags 'AtomicTest' + $execCommand = "Invoke-Command -ScriptBlock {$finalCommand}" + $res = Invoke-Expression $execCommand + if ($finalCommand -eq $command) { $attackExecuted = $true } + if ($CheckPrereqs ) { + if (-not [string]::IsNullOrEmpty($finalCommand) -and $res -ne 0) { + Write-Host -ForegroundColor Red "Prerequisites not met: $AT-$testCount $testName" + } + else { + Write-Host -ForegroundColor Green "Prerequisites met: $AT-$testCount $testName" + } } + if (-not $NoExecutionLog -and $attackExecuted) { Write-ExecutionLog $startTime $AT $testCount $testName $ExecutionLogPath } + continue + } + default { + Write-Warning -Message "Unable to generate or execute the command line properly." 
+ continue } - if(-not $NoExecutionLog -and $attackExecuted) { Write-ExecutionLog $startTime $AtomicTechnique $testCount $testName $ExecutionLogPath } - continue - } - default { - Write-Warning -Message "Unable to generate or execute the command line properly." - continue - } - } # End of executor switch - } # End of if ShouldProcess block - } # End of else statement - } # End of foreach Test in single Atomic Technique - - Write-Information -MessageData "[!!!!!!!!END TEST!!!!!!!]`n`n" -Tags 'Details' - - } # End of foreach Technique in Atomic Tests + } # End of executor switch + } # End of if ShouldProcess block + } # End of else statement + } # End of foreach Test in single Atomic Technique + + Write-Information -MessageData "[!!!!!!!!END TEST!!!!!!!]`n`n" -Tags 'Details' + + } # End of foreach Technique in Atomic Tests + } # End of Invoke-AtomicTestSingle function + + if ($AtomicTechnique -eq "All") { + function Invoke-AllTests() { + $AllAtomicTests = New-Object System.Collections.ArrayList + Get-ChildItem $PathToAtomicsFolder -Recurse -Filter *.yaml -File | ForEach-Object { + $currentTechnique = [System.IO.Path]::GetFileNameWithoutExtension($_.FullName) + if ( $currentTechnique -ne "index" ) { $AllAtomicTests.Add($currentTechnique) | Out-Null } + } + $AllAtomicTests.GetEnumerator() | Foreach-Object { Invoke-AtomicTestSingle $_ } + } + + if ( $Force -or $psCmdlet.ShouldContinue( 'Do you wish to execute all tests?', + "Highway to the danger zone, Executing All Atomic Tests!" ) ) { + Invoke-AllTests + } + } + else { + Invoke-AtomicTestSingle $AtomicTechnique + } + } # End of PROCESS block END { } # Intentionally left blank and can be removed } diff --git a/execution-frameworks/Invoke-AtomicRedTeam/README.md b/execution-frameworks/Invoke-AtomicRedTeam/README.md index 67ccf5e7a6..d16858e31e 100644 --- a/execution-frameworks/Invoke-AtomicRedTeam/README.md +++ b/execution-frameworks/Invoke-AtomicRedTeam/README.md 
@@ -4,7 +4,15 @@ ### Install Atomic Red Team -Get started with our simple Install script: +* Be sure to get permission and necessary approval before conducting test's. Unauthorized testing is a bad decision +and can potentially be a resume-generating event. + +* Set up a test machine that would be similar to the build in your environment. Be sure you have your collection/EDR +solution in place, and that the endpoint is checking in and active. It is best to have AV turned off. + +We made installing Atomic Red Team extremely easy. + +Once the environment is ready, run the following PowerShell one liner as Administrator: `powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://psInstall.AtomicRedTeam.com')"` @@ -43,26 +51,31 @@ Verbose ## Getting Started -### Generate Tests - -This process generates all Atomic tests (prints test details to screen) and allows for easy copy and paste execution. -Note: you may need to change the path. - - Invoke-AllAtomicTests -GenerateOnly - #### Execute All Tests Execute all Atomic tests: - Invoke-AllAtomicTests - +```powershell +Invoke-AtomicTest All +``` #### Execute All Tests - Specific Directory Specify a path to atomics folder, example C:\AtomicRedTeam\atomics - Invoke-AllAtomicTests -path C:\AtomicRedTeam\atomics +```powershell +Invoke-AtomicTest All -PathToAtomicsFolder C:\AtomicRedTeam\atomics +``` -#### Execute All Attacks for a Given TTP +### Display Test Details without Executing the Test + +```powershell +Invoke-AtomicTest All -ShowDetails -InformationAction Continue +``` + +Using the `ShowDetails` switch causes the test details to be printed to the screen and allows for easy copy and paste execution. +Note: you may need to change the path with the `PathToAtomicsFolder` parameter. + +#### Execute All Attacks for a Given Technique ```powershell Invoke-AtomicTest T1117 
@@ -78,22 +91,22 @@ Invoke-AtomicTest T1117 -ExecutionLogPath 'C:\Temp\mylog.csv' By default, test execution details are written to `Invoke-AtomicTest-ExecutionLog.csv` in the current directory. Use the `-ExecutionLogPath` parameter to write to a different file. Nothing is logged in the execution log when only running pre-requisite checks with `-CheckPrereqs` or cleanup commands with `-Cleanup`. Use the `-NoExecutionLog` switch to not write execution details to disk. -#### Check that Prerequistes for a Given TTP are met - -For the "command_prompt" executor, if any of the prereq_command's return a non-zero exit code, the pre-requisites are not met. Example: **fltmc.exe filters | findstr #{sysmon_driver}** -For the "powershell" executor, the prereq_command's are run as a script block and the script must return 0 if the pre-requisites are met. Example: **if(Test-Path C:\Windows\System32\cmd.exe) { 0 } else { -1 }** +#### Check that Prerequistes for a Given Technique are met ```powershell Invoke-AtomicTest T1117 -CheckPrereqs ``` -#### Execute Specific Attacks (by Attack Number) for a Given TTP +For the "command_prompt" executor, if any of the prereq_command's return a non-zero exit code, the pre-requisites are not met. Example: **fltmc.exe filters | findstr #{sysmon_driver}** +For the "powershell" executor, the prereq_command's are run as a script block and the script must return 0 if the pre-requisites are met. Example: **if(Test-Path C:\Windows\System32\cmd.exe) { 0 } else { -1 }** + +#### Execute Specific Attacks (by Attack Number) for a Given Technique ```powershell Invoke-AtomicTest T1117 -TestNumbers 1, 2 ``` -#### Execute Specific Attacks (by Attack Name) for a Given TTP +#### Execute Specific Attacks (by Attack Name) for a Given Technique ```powershell Invoke-AtomicTest T1117 -TestNames "Regsvr32 remote COM scriptlet execution","Regsvr32 local DLL execution" 
@@ -126,14 +139,6 @@ Invoke-AtomicTest T1117 -Verbose Invoke-AtomicTest T1117 -Debug ``` -#### WhatIf - -If you would like to see what would happen without running the test - -```powershell -Invoke-AtomicTest T1117 -WhatIf -``` - #### Confirm To run all tests without confirming them run using the Confirm switch to false diff --git a/execution-frameworks/Invoke-AtomicRedTeam/install-atomicredteam.ps1 b/execution-frameworks/Invoke-AtomicRedTeam/install-atomicredteam.ps1 index 65812014ae..7e050c61d5 100644 --- a/execution-frameworks/Invoke-AtomicRedTeam/install-atomicredteam.ps1 +++ b/execution-frameworks/Invoke-AtomicRedTeam/install-atomicredteam.ps1 @@ -34,48 +34,6 @@ function Install-AtomicRedTeam { Install Atomic Red Team PS> Install-AtomicRedTeam.ps1 - .EXAMPLE - - Execute a single test - $T1117 = Get-AtomicTechnique -Path ..\..\atomics\T1117\T1117.yaml - Invoke-AtomicTest $T1117 - - .EXAMPLE - - Informational Stream - Invoke-AtomicTest $T1117 -InformationAction Continue - - .EXAMPLE - - Verbose Stream - Invoke-AtomicTest $T1117 -Verbose - - .EXAMPLE - - Debug Stream - Invoke-AtomicTest $T1117 -Debug - - .EXAMPLE - - What if - If you would like to see what would happen without running the test - Invoke-AtomicTest $T1117 -WhatIf - - .EXAMPLE - - - To run all tests without confirming them run using the Confirm switch to false - - Invoke-AtomicTest $T1117 -Confirm:$false - Or you can set your $ConfirmPreference to 'Medium' - - $ConfirmPreference = 'Medium' - Invoke-AtomicTest $T1117 - - .EXAMPLE - - Invoke-AllAtomicTests -GenerateOnly - .NOTES Use the '-Verbose' option to print detailed information.
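Review bot: In the `@@ -66,164 +66,194 @@` hunk of Invoke-AtomicTest.ps1, `$_.default.toString()` in the `$inputDefaults` line throws "You cannot call a method on a null-valued expression" for any input argument whose `default` is absent, so a single such atomic aborts the whole `All` run; `[string]$_.default` handles both the null case and the integer case this change is fixing. In the same block `$nul -ne $prereqCommand` (twice) relies on an undefined variable evaluating to `$null`; spell it `$null`, which is also what `Set-StrictMode` would demand. The new `-Force` switch has no `.PARAMETER` entry in the help block and only affects the `All` path, which should be stated. `Invoke-AllTests` collects every `*.yaml` basename under `$PathToAtomicsFolder` except `index`, but `Invoke-AtomicTestSingle` then loads `$PathToAtomicsFolder\$AT\$AT.yaml`, so any yaml whose name does not match its parent folder produces a missing-file error; filter on `$_.Directory.Name -eq $_.BaseName` instead. Finally, `Invoke-AtomicTestSingle` and `Invoke-AllTests` are defined inside `PROCESS`, so they are re-created for every pipeline input; move them to `BEGIN` or into Private/, and delete the commented-out `# $InformationPrefrence = 'Continue'` line.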
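Review bot: The added install guidance in the README `@@ -4,7 +4,15 @@` hunk tells the reader to run `IEX (New-Object Net.WebClient).DownloadString('http://psInstall.AtomicRedTeam.com')` as Administrator, and that URL is plain HTTP: anyone on the network path can substitute the script and get SYSTEM-equivalent execution on the test box. Point the one-liner at an HTTPS URL (the raw.githubusercontent.com source linked further down is already HTTPS) and suggest downloading the script and checking its hash before running it. Also in these lines: "conducting test's" should be "conducting tests", and "It is best to have AV turned off" sits oddly next to "Be sure you have your collection/EDR solution in place"; say why (so tests are not quarantined before they run) or recommend an AV exclusion for the atomics folder rather than disabling AV entirely.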
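Review bot: The README `@@ -43,26 +51,31 @@` hunk documents `Invoke-AtomicTest All` without mentioning that the code path behind it now calls `ShouldContinue('Do you wish to execute all tests?', ...)` and prompts interactively unless `-Force` is passed; add `Invoke-AtomicTest All -Force` as the unattended form. The sentence "Using the `ShowDetails` switch causes the test details to be printed to the screen" should say that `-InformationAction Continue` (as in the example) or `$InformationPreference = 'Continue'` is required, because the details go to the Information stream and are otherwise hidden. The new heading "### Display Test Details without Executing the Test" is one level above the surrounding "####" subsections under "## Getting Started"; make it "####".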
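Review bot: The retouched heading in the README `@@ -78,22 +91,22 @@` hunk keeps the "Prerequistes" misspelling (should be "Prerequisites"), and "prereq_command's" should be "prereq_commands" in both moved sentences. Since the explanation of the powershell executor is being moved anyway, it should also state the behaviour the code now has: a test with no `prereq_command` is reported as "Prerequisites met" (the new check is `-not [string]::IsNullOrEmpty($finalCommand) -and $res -ne 0` for the failure case), which is the opposite of what the previous code did.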
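Review bot: Removing the WhatIf section in the README `@@ -126,14 +139,6 @@` hunk is not justified by the code change: `Invoke-AtomicTest` still declares `SupportsShouldProcess = $true` and still guards execution with `$pscmdlet.ShouldProcess($testName, 'Execute Atomic Test')`, so `Invoke-AtomicTest T1117 -WhatIf` still works and is the safest way to preview a run. Keep the section, and add the one caveat that matters for the new `All` path: `ShouldContinue` does not honour `-WhatIf`, so `Invoke-AtomicTest All -WhatIf` still shows the "Do you wish to execute all tests?" prompt unless `-Force` is also given, and then no test executes.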
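Review bot: Deleting docs/invoke-atomic-red-team.md (a Jekyll page, `layout: default`) removes the site's Getting Started page instead of updating it, so any link to it from the docs site or from issues becomes a 404. Either update the page to the new surface (`Invoke-AtomicTest All`, `-ShowDetails`, `-Force`, `-PathToAtomicsFolder`) in the same way the README was, or leave a stub that points at execution-frameworks/Invoke-AtomicRedTeam/README.md. If the page does go, the same `-WhatIf` and `$ConfirmPreference` guidance it carried should survive in the README for the reason given above.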