killchain-compendium/Miscellaneous/Atomic Read Team.md

Atomic Red Team

https://github.com/redcanaryco/atomic-red-team

Structure

Each technique is described by a YAML file (an "atomic") that maps to a MITRE ATT&CK technique ID and contains one or more tests: the command to run, the executor (powershell, command_prompt, sh, bash, ...), input arguments with defaults, prerequisites with the commands to check and fetch them, and a cleanup command. Because everything needed is in the file, a test can be replayed on demand, most of the time fully automatically, to check whether detection and logging pick it up.
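The layout of such a file, as an added example written for this page rather than a file taken from the atomic-red-team repository. T1082 (System Information Discovery) is a real ATT&CK ID; the test, its argument name output_file and the commands are constructed here to show the schema. The #{name} placeholders are replaced with the input argument values at run time.

```yaml
# Added example of the atomic YAML layout (constructed; not a file from the
# atomic-red-team project). T1082 is a real ATT&CK ID, the test is hypothetical.
attack_technique: T1082
display_name: System Information Discovery
atomic_tests:
- name: Host enumeration via systeminfo (hypothetical test)
  description: |
    Runs systeminfo and writes the result to a file, mimicking basic
    host discovery. Harmless, so it is safe to replay on a test host.
  supported_platforms:
  - windows
  # Input arguments are referenced from commands as #{output_file}
  input_arguments:
    output_file:
      description: File that receives the collected host information
      type: path
      default: $env:TEMP\sysinfo.txt
  # Prerequisites: prereq_command exits 0 when satisfied, otherwise
  # get_prereq_command is run by Invoke-AtomicTest -GetPrereqs
  dependency_executor_name: powershell
  dependencies:
  - description: systeminfo.exe must be resolvable on the PATH
    prereq_command: |
      if (Get-Command systeminfo.exe -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
    get_prereq_command: |
      Write-Host "systeminfo.exe ships with Windows; nothing to fetch"
  executor:
    name: powershell
    elevation_required: false
    command: |
      systeminfo | Out-File -FilePath "#{output_file}"
    # Run by Invoke-AtomicTest -Cleanup to undo the test's side effects
    cleanup_command: |
      Remove-Item -Path "#{output_file}" -ErrorAction Ignore
```

Real atomics in the repository additionally carry an auto_generated_guid per test, which Invoke-AtomicTest can use to address a test via -TestGuids; it is omitted here because it is generated, not hand-written.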

Atomic Red Team for PowerShell

The execution framework is the PowerShell module Invoke-AtomicRedTeam; its main cmdlet is Invoke-AtomicTest, which reads the atomic YAML files and runs, checks or cleans up the tests they contain.

Import the module (the -ExecutionPolicy bypass only affects this PowerShell session; the atomics path is the local clone of the atomics folder and has to be adjusted)

powershell -ExecutionPolicy bypass
Import-Module Invoke-AtomicRedTeam.psd1 -Force
$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\Users\Administrator\Desktop\atomics"}

Invoke-AtomicTest

Use Invoke-AtomicTest with a MITRE ATT&CK technique ID (e.g. T1003, not a tactic) to list the tests of that technique before running anything

Invoke-AtomicTest <MITRE TechniqueID> -ShowDetailsBrief
Invoke-AtomicTest <MITRE TechniqueID> -ShowDetails

Check whether the prerequisites of the tests are met (-CheckPrereqs) and, if not, download or install them (-GetPrereqs)

Invoke-AtomicTest <MITRE TechniqueID> -CheckPrereqs
Invoke-AtomicTest <MITRE TechniqueID> -GetPrereqs

Multiple techniques can be processed in one line by piping their IDs through ForEach-Object

'T<number>', 'T<number>', 'T<number>' | ForEach-Object {echo "Enumerating technique $_"; Invoke-AtomicTest $_ -ShowDetails}

Use -Cleanup to run the cleanup commands of the tests and revert their changes. Use -PromptForInputArgs to be asked interactively for each input argument instead of using the defaults. Without -TestNumbers, -TestNames or -TestGuids, every test of the technique is run.

Argument Customization

Customize input arguments of a test via a hashtable whose keys match the argument names shown by -ShowDetails; the test is selected either with the T<number>-<Testnumber> shorthand or with -TestNumbers

$customArgs=@{"user" = "username"; "password" = "securepassword"}
Invoke-AtomicTest T<number>-<Testnumber> -InputArgs $customArgs
Invoke-AtomicTest T<number> -TestNumbers <Testnumber> -InputArgs $customArgs
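The whole procedure (import, inspect, prerequisites, run with custom arguments, cleanup, and reading the execution log) as one script, added here as an example and not taken from the notes or from the Atomic Red Team project. Assumptions: the module is installed, the atomics folder lives under Desktop\atomics of the current user, T1082 (System Information Discovery) is the technique under test, and the argument name output_file is hypothetical and has to be replaced with whatever -ShowDetails reports for the chosen test.

```powershell
# Added example (not the notes' or the project's own code). Assumes the
# Invoke-AtomicRedTeam module is installed and the atomics folder is a
# local clone under Desktop\atomics. Adjust $atomics for your host.
$atomics = Join-Path $env:USERPROFILE 'Desktop\atomics'
Import-Module Invoke-AtomicRedTeam -Force
$PSDefaultParameterValues = @{ 'Invoke-AtomicTest:PathToAtomicsFolder' = $atomics }

$technique = 'T1082'          # real ATT&CK ID: System Information Discovery
$testNo    = 1                # test number within that technique's YAML
$log       = Join-Path $env:TEMP 'atomic-exec-log.csv'

# 1. Read what the test will do before executing anything.
Invoke-AtomicTest $technique -TestNumbers $testNo -ShowDetails

# 2. Verify prerequisites, then fetch whatever is missing.
Invoke-AtomicTest $technique -TestNumbers $testNo -CheckPrereqs
Invoke-AtomicTest $technique -TestNumbers $testNo -GetPrereqs

# 3. Run the test with a custom input argument. The key name below
#    (output_file) is hypothetical; use the names shown by -ShowDetails.
$customArgs = @{ 'output_file' = (Join-Path $env:TEMP 'sysinfo-test.txt') }
Invoke-AtomicTest $technique -TestNumbers $testNo `
    -InputArgs $customArgs -ExecutionLogPath $log -TimeoutSeconds 120

# 4. Revert the test's side effects with its cleanup command.
Invoke-AtomicTest $technique -TestNumbers $testNo -InputArgs $customArgs -Cleanup

# 5. The execution log records when each test ran; keep it so the
#    events it produced can be correlated with SIEM/EDR telemetry.
if (Test-Path $log) {
    Import-Csv $log | Format-Table -AutoSize
}
```

Running the same test a second time without -Cleanup in between is a common source of false "prerequisite missing" or "already exists" failures, so the run and cleanup steps belong together in any automation.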

AtomicGUI

A local web application, started with Start-AtomicGUI, offers a form for writing new atomic tests (technique ID, executor, commands, input arguments, prerequisites, cleanup) and generates the corresponding YAML, so new tests do not have to be typed by hand.