
redcanaryco / invoke-atomicredteam Goto Github PK


Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the [atomics folder](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics) of Red Canary's Atomic Red Team project.

License: MIT License

PowerShell 99.85% Dockerfile 0.15%

invoke-atomicredteam's People

Contributors

2xxe-sra, 3v0lver, andras32, apbeers, apscott, art-labs, bagelsrgood4me, clr2of8, cnotin, cyberbuff, danf42, derekenjibowden, dmr4of8, dwhite9, forensicitguy, ironmanstittsville, jake151, jil, joaociocca, josehelps, keithmccammon, mbaran5, mdf636162, mgraeber-rc, mhaggis, mroroneequals1, patel-bhavin, retrospected, rickardja, zacbrown


invoke-atomicredteam's Issues

Suggestion: add warning when passing an InputArgs that doesn't exist

Sometimes we make a mistake and pass a non-existent or mistyped argument in -InputArgs. Invoke-AtomicRedTeam doesn't complain in such cases, rendering the error silent...
I suggest adding an explicit error message when trying to use an invalid input arg to prevent such silly mistakes :)
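One way to get that warning today, from the calling side, is to compare the keys of the hashtable you are about to pass with the `input_arguments` the test actually declares. The function below is an added example, not code from the issue or from the Invoke-AtomicRedTeam project; it assumes the module is imported, that `Get-AtomicTechnique -Path` parses a technique YAML, that each entry of `atomic_tests` exposes `input_arguments` as a hashtable keyed by argument name, and that the atomics live under the default `C:\AtomicRedTeam\atomics`.

```powershell
# Added example (not the issue author's code and not Invoke-AtomicRedTeam project code).
# Assumes Invoke-AtomicRedTeam is imported and Get-AtomicTechnique returns objects whose
# atomic_tests entries expose input_arguments as a hashtable keyed by argument name.
function Test-AtomicInputArgs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$AtomicTechnique,   # e.g. "T1003.001"
        [Parameter(Mandatory)][int]$TestNumber,           # 1-based, as used by -TestNumbers
        [Parameter(Mandatory)][hashtable]$InputArgs,      # the hashtable you intend to pass as -InputArgs
        [string]$PathToAtomicsFolder = "C:\AtomicRedTeam\atomics"   # assumed default install path
    )

    $yaml = Join-Path $PathToAtomicsFolder (Join-Path $AtomicTechnique "$AtomicTechnique.yaml")
    if (-not (Test-Path $yaml)) { throw "Technique YAML not found: $yaml" }

    $technique = Get-AtomicTechnique -Path $yaml
    $atomic = $technique.atomic_tests[$TestNumber - 1]
    if (-not $atomic) { throw "$AtomicTechnique has no test number $TestNumber" }

    # Names the test actually declares; a test without input_arguments yields an empty list.
    $declared = @()
    if ($atomic.input_arguments) { $declared = @($atomic.input_arguments.Keys) }

    $unknown = @($InputArgs.Keys | Where-Object { $declared -notcontains $_ })
    foreach ($name in $unknown) {
        # Surface the mistake loudly instead of letting the test's default value be used silently.
        Write-Warning ("InputArg '{0}' is not declared by {1}-{2} ({3}); declared args: {4}" -f `
            $name, $AtomicTechnique, $TestNumber, $atomic.name, ($declared -join ', '))
    }

    # Return the offending names so a caller can abort before invoking the test.
    return $unknown
}

# Usage: refuse to run when an argument name is mistyped (constructed sample values).
# $args = @{ output_fle = 'C:\Temp\sample.dmp' }
# $bad  = Test-AtomicInputArgs -AtomicTechnique T1003.001 -TestNumber 2 -InputArgs $args
# if ($bad.Count -eq 0) { Invoke-AtomicTest T1003.001 -TestNumbers 2 -InputArgs $args }
```

Because the function returns the unknown names rather than throwing, it can be dropped in front of an existing automation loop and used either as a hard stop or just as a logged warning.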

Output into Vectr json - Multiple Use cases

Hi,
Is there a way I can get some help? I would like to output the result of all use case tests into a JSON file in the folder I run from, using ATTiRe logging for VECTR import.

$techniques = gci C:\AtomicRedTeam\atomics* -Recurse -Include T*.yaml | Get-AtomicTechnique

foreach ($technique in $techniques) {
    foreach ($atomic in $technique.atomic_tests) {
        # executor is an object, so compare its name (not the object) to skip manual tests
        if ($atomic.supported_platforms.contains("windows") -and ($atomic.executor.name -ne "manual")) {
            # Get Prereqs for test
            Invoke-AtomicTest $technique.attack_technique -TestGuids $atomic.auto_generated_guid -GetPrereqs
            # Invoke
            Invoke-AtomicTest $technique.attack_technique -TestGuids $atomic.auto_generated_guid
            # Sleep then cleanup
            Start-Sleep 3
            Invoke-AtomicTest $technique.attack_technique -TestGuids $atomic.auto_generated_guid -Cleanup
        }
    }
}

Could you please edit the PowerShell script above to output the result into a JSON file for VECTR import?

Thank you
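The loop below is an added example of how such a run can be wired to the module's ATTiRe logger so that each test leaves a JSON file VECTR can import, plus a small summary file; it is not the issue author's script and not project code. It assumes that the installed Invoke-AtomicTest accepts the -LoggingModule and -ExecutionLogPath parameters, that "Attire-ExecutionLogger" is the name of the module's ATTiRe (JSON) logger, that Get-AtomicTechnique exposes `executor.name` and `auto_generated_guid` on each test, and that the atomics live under C:\AtomicRedTeam\atomics.

```powershell
# Added example (not the issue author's script and not Invoke-AtomicRedTeam project code).
# Assumes Invoke-AtomicRedTeam is imported and that Invoke-AtomicTest accepts
# -LoggingModule / -ExecutionLogPath; "Attire-ExecutionLogger" is assumed to be the ATTiRe JSON logger.
$atomicsFolder = "C:\AtomicRedTeam\atomics"        # assumed install path
$logFolder     = Join-Path $env:TEMP "art-attire"   # constructed output location
New-Item -ItemType Directory -Path $logFolder -Force | Out-Null

$techniques = Get-ChildItem "$atomicsFolder\*" -Recurse -Include T*.yaml | Get-AtomicTechnique

$summary = foreach ($technique in $techniques) {
    $n = 0
    foreach ($atomic in $technique.atomic_tests) {
        $n++   # test number as used by -TestNumbers, counted before any filtering
        # Skip tests that do not target Windows or that need a human to execute steps.
        if (-not ($atomic.supported_platforms -contains "windows")) { continue }
        if ($atomic.executor.name -eq "manual") { continue }

        $id      = $technique.attack_technique
        $guid    = $atomic.auto_generated_guid
        $logFile = Join-Path $logFolder ("{0}-{1}.json" -f $id, $guid)   # one ATTiRe file per test

        try {
            Invoke-AtomicTest $id -TestGuids $guid -GetPrereqs
            Invoke-AtomicTest $id -TestGuids $guid -LoggingModule "Attire-ExecutionLogger" -ExecutionLogPath $logFile
            Start-Sleep 3
            Invoke-AtomicTest $id -TestGuids $guid -Cleanup
            $status = "executed"
        } catch {
            # Keep going; record the failure so the summary shows which test broke.
            $status = "error: $($_.Exception.Message)"
        }

        # One summary record per test; the ATTiRe file holds the per-execution detail.
        [pscustomobject]@{
            technique  = $id
            test       = $n
            guid       = $guid
            name       = $atomic.name
            attire_log = $logFile
            status     = $status
        }
    }
}

$summary | ConvertTo-Json -Depth 3 | Set-Content (Join-Path $logFolder "run-summary.json")
```

Writing one ATTiRe file per test (keyed by technique and GUID) keeps each import self-contained; the summary file is what you would grep first when a scheduled run produces an unexpected gap in detections.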

Enable programmatic check of process execution result

Usecase

Invoke-AtomicTest is used to run a sequence of tests. This sequence is chained to a sequence of API calls to the SIEM supposed to detect these activities. Then, a test report is generated.

In this context, it is important to know where the test failed: because it couldn't run on the target or because the SIEM was blind.

One needs to confirm the successful execution of Atomic Tests.

Current Implementation

Unless called with -Interactive, the standard out and error streams are directed to the files art-out.txt and art-err.txt in the temporary folder. The content of these files is sent to the main output once the process has terminated, and the files are deleted. The Invoke-AtomicTest cmdlet doesn't return the process exit code.

As multiple tests may be run in a single invocation, it isn't easy to provide detailed results for every one of them without adding much complexity to the code.

Suggested Implementation

Add a switch -KeepStdOutStdErrFiles to bypass the Remove-Item instruction. It is then up to the caller to ensure they clean the files at the right moment (which implies restricting invocations to a single test, otherwise the output of every test will contain the previous ones as well). This way, the caller may check the standard out and error streams for traces of errors.

Tools such as mimikatz don't output their errors to stderr, that's why we may need to check both files.

The check could look like this:

if (((Test-Path -Path "${Env:TEMP}/art-err.txt") -and (Select-String "(ERROR|Exception)" "${Env:TEMP}/art-err.txt")) -or 
    ((Test-Path -Path "${Env:TEMP}/art-out.txt") -and (Select-String "(ERROR|Exception)" "${Env:TEMP}/art-out.txt"))) {
          Write-Debug ">>> Error in stream, marking test as failed in Atomic"
          [...]
}

PR on its way.

I would like be able to run multiple ART at once

Right now we can either run one Technique at a time or all the Techniques.
There is no middle ground.

Here's a POC ps1 script that I put together that will loop over all provided Techniques and perform the following:

  • Get Prerequisites
  • Execute all tests for the Technique
  • Pause (so we can evaluate if our security solution detected the tests)
  • Cleanup

#Requires -RunAsAdministrator
# Quick and dirty script to get prerequisites and run ART tests

# Change the path to fit your installation
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

# Change/Add all the tests you want to perform in the line below
# One day I might make this as arguments, but not tonight ;)
$ARTtests = "T1047 T1220 T1098 T1197"
$ARTtests = $ARTtests.split(" ")
foreach ($ARTtest in $ARTtests) {
   Invoke-AtomicTest $ARTtest -GetPrereqs
   Invoke-AtomicTest $ARTtest
   pause   # wait for Enter so the detections can be checked before cleanup
   Invoke-AtomicTest $ARTtest -Cleanup
}

Invoke-WebRequest The request was aborted: Could not create SSL/TLS secure channel. Error while getting prereq remotely

Hello,

I'm currently testing Invoke-AtomicTest remotely but I get this error when I try to get the prereqs on the remote machine:
Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.

I already tried [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 on the machine containing the atomic repo but it's not working.
Am I missing something, or is this normal?

I tried these commands:
Invoke-AtomicTest T1218.010-3 -Session $sess -GetPrereqs

Invoke-AtomicTest T1204.002-10 -Session $sess (don't have prereqs but fetch the lnk file on github).

I can see the command in the event log of the remote machine.


Thanks !

Invoke Atomic RedTeam -GetPreReq Issue

I know the initial recommendation is to use your own repo but for testing purposes I left it as is for simplicity. While testing T1546.010 I found something. I do not know if this is an issue or a me thing. My current setup is running remotely via PSSession from Linux to Windows.

While using Invoke-AtomicTest T1546.010 -Session $sess -GetPrereqs I see that the reg and dll files get downloaded to the remote Windows box, but all of them have length of zero. As an example, if I run Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg" -OutFile T1546.010.reg on the local Windows system, that pulls the right length.

The only way it seems I can pull the file remotely using the remote sessions method is using:

Invoke-Command -Session $sess -ScriptBlock {Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg" -OutFile C:\Users\atomic\AppData\Local\Temp\AtomicRedTeam\T1546.010\src\T1546.010.reg}

Figured I would ask.

Thank You

Invoke-ExecuteCommand: Issue with backslashes being escaped

The backslash at the end of the find command that contains -exec is incorrectly being escaped.

For example, the command for atomic-test T1552.004-3 is find #{search_path} -name id_rsa -exec cp --parents {} #{output_folder} \;. After it is escaped the command becomes find / -name id_rsa -exec cp --parents {} /tmp/art-staging \\;. An extra backslash is added causing the following error when executed find: missing argument to -exec.

Found this escaping scheme is causing issues for other tests, T1552.004-4 and T1217

Updating the command to remove the backslash escaping does resolve the errors with the find commands
From:

$finalCommand = $finalCommand -replace "[\\`"]", "`\$&"

To:

$finalCommand = $finalCommand -replace "[`"]", "`\$&"

It looks like that fix was proposed in PR #24 but later was enhanced to the current code submitted in PR #33

Saw that the escape logic was removed from the command_prompt executor block. Attempted to remove the line from the bash/sh logic block, but it broke atomic-test T1083-4.

Standard input/output from the commands that are run in an atomic test are missing.

I have been writing a powershell script that has a list of commands to run (each one of them being Invoke-AtomicTest with a unique Technique/TestNumber).

Throughout this script I am producing log entries to the user Temp directory. The log entries are things like:

  • Began running tests at 11:48 am on July 16, 2020
  • I have 25 atomic tests to run
  • Test 1/25 has now started
    ...
  • Test 1/25 has finished.

My issue is that I have no output from the commands that the test cases are running (the ellipsis between 'started' and 'finished' above is empty). This is not optimal for me because I wish to run these test cases regularly and then run detection on the generated telemetry. This helps me to have confidence in my detection software as I modify it. If the test case failed then I'd like to know why and fix it.

I'd like to run this powershell script once per day (for example) and then scan the log file to ensure that it all ran as I expect it to. The problem that I have is that atomic test cases can fail silently and there is no log information about what failed and when and why...

What I want is to have a log file that looks like this:

[datetime] Began running test 1/25
[datetime]       Test: T1197 Testnumber 3
BITSADMIN version 3.0
...
Created job {abcdef12-12345678-...}
...
[datetime] Finished running test 1/25
[datetime] Began running test 2/25
...

I am producing all of the lines with the [datetime] in them and expected that when I called Invoke-AtomicTest, it would return the stdout in a variable OR I could pipe the output of the command to my log file (appending to what is already there).

This wasn't working (I'm quite new to Powershell so I figured that I had done something wrong) so I dug into the code. I found that this flow occurs, when I call Invoke-AtomicTest:
Invoke-AtomicTest -> Invoke-ExecuteCommand -> Invoke-Process
At the bottom of that flow, the Invoke-Process, I can see that the standard out and error are lost.

I made some changes that allow me to:
Invoke-AtomicTest T1197 -TestNumbers 3 -LogFileName "C:\Users\john\AppData\Local\Temp\2020-07-16-214534.txt"

I've modified the call flow so that it:

  • passes that filename all the way down to the Invoke-Process where
  • it will capture the stdout and stderr to files (ART-stdout.txt and ART-stderr.txt)
  • when the process is finished, it will Get-Content those files and append them to the log file name that has been passed down.

It works pretty well. As I was working on that this week I was thinking that I may not be the only person who would like to have complete logs after I run a test.

I will try to do a pull and submit my code for your review. I'm sure that there is a better way to do this (by somehow flowing the stdout/stderr back up to the caller) but I'm not skilled enough to pull that off.

I think that the below is a useful use case to support. The output would be a log file with my progress messages as well as the stdout/stderr from the commands being run in the Atomic test.

"run_tests.ps1"

# Log file path (hypothetical; the original sketch left $ALOGFILENAME undefined)
$ALOGFILENAME = Join-Path $env:TEMP "art-run.log"

# Array of script blocks, one per test to run (hyphens are not allowed in plain variable names)
$ListOfTests = @()
$ListOfTests += { Invoke-AtomicTest T1197 -TestNumbers 3 }
# ... more tests ...

Add-Content $ALOGFILENAME -Value "Starting my tests"
foreach ($COMMAND in $ListOfTests) {
    Invoke-Command -ScriptBlock $COMMAND | Out-File $ALOGFILENAME -Append
}

No AWS Tests after Invoking AtomicRedTeam

It came to my attention that AtomicRedTeam has a few tests for AWS as listed on this page - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Indexes/Indexes-CSV/iaas-index.csv.

However, when I invoke atomicredteam and get the details of the tests, I cannot find any AWS tests in there. For example, with "Invoke-AtomicTest T1562.008 -ShowDetailsBrief" I can only see Azure and Microsoft 365. But when I go into the atomics directory, I can see the YAML file for the AWS CloudTrail test and upon opening it I can see the AWS test commands and much more.

Idea: Multi Logs

Suggestion: Enable to have multi logging options - ex. WindowsEvent and Attire Logger

Test-Path : A positional parameter cannot be found that accepts argument 'Files\This'.

Hello experts,
Yes, my PowerShell game is weak. I get the following path errors and I am a bit stumped.

It looks like the whitespace in "Program Files" and "Some Path Notification Tools" causes the issue, but I am not sure.

EDITS: sorry was trying to make the code block easy to read

PS H:\> Invoke-AtomicTest T1003.001 -CheckPrereqs
PathToAtomicsFolder = C:\Program Files\Some Path Notification Tools\atomics
CheckPrereq's for: T1003.001-1 Windows Credential Editor
Prerequisites met: T1003.001-1 Windows Credential Editor
Test-Path : A positional parameter cannot be found that accepts argument 'Files\Some'.
At line:1 char:8
+ & {if (Test-Path C:\Program Files\Some Path Notification Tools\ ...
+        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Test-Path], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.TestPathCommand
CheckPrereq's for: T1003.001-2 Dump LSASS.exe Memory using ProcDump
Prerequisites met: T1003.001-2 Dump LSASS.exe Memory using ProcDump
Test-Path : A positional parameter cannot be found that accepts argument ... (same error repeats)

Get-AtomicTechnique : The term 'ConvertFrom-Yaml' is not recognized as the name of a cmdlet, function, script file, or operable program.

Get-AtomicTechnique : The term 'ConvertFrom-Yaml' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\invoke-atomicredteam-master\invoke-atomicredteam-master\Public\Invoke-AtomicTest.ps1:133 char:71
+ ... aml) { $AtomicTechniqueHash = Get-AtomicTechnique -Path $pathToYaml }
+                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-AtomicTechnique

Remedied by installing unofficial PowerShell-yaml from Install-Module -Name powershell-yaml -RequiredVersion 0.3.1 which then installs dependency NuGet

Did I miss a step in the instructions where this yaml handling should have been taken care of?

Install failed : Cannot convert null to type "System.DateTime".

Hi,

I tried to install Invoke Atomic Red Team using this command :

IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); Install-AtomicRedTeam

But i got this error :

Install-AtomicRedTeam : Installation of AtomicRedTeam Failed.
At line:2 char:1
+ Install-AtomicRedTeam -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-AtomicRedTeam

Cannot convert null to type "System.DateTime".

Idea: Allow Atomics to be run Solely by test GUID

Invoke-AtomicTest should be able to run solely based on the test GUIDs. GUID generation should be globally unique and thus have no collisions across techniques.

  1. As MITRE updates the ATT&CK matrix, sub-techniques change IDs.
    a. There have been multiple instances of techniques changing IDs in the matrix, e.g. Port Monitors changed from T1013 to T1547.010.
    b. Using GUIDs to run tests will allow atomics to be re-organized to match the changing matrix without breaking automations.

  2. Having to use techniques to call tests also forces detections (with automated unit testing through ART) to be mapped both to the proper (new) ATT&CK technique ID and to the one where ART has it mapped (not always the same).

"Cannot convert null to type System.DateTime" when installing Invoke-AtomicRedTeam

I run into an error: "Cannot convert null to type System.DateTime"

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1')

Install-AtomicRedTeam -Force
Installation of AtomicRedTeam Failed.
Cannot convert null to type "System.DateTime".

Install-AtomicRedTeam -InstallPath "C:\Windows\Temp" -Force
Installation of AtomicRedTeam Failed.
Cannot convert null to type "System.DateTime".

Windows install uses incorrect install path for Invoke-AtomicRedTeam

The web page says the atomics will be stored in (usually) C:\AtomicRedTeam\atomics and they are.

When I ran the command to install AtomicRedTeam, the Invoke-atomicredteam.ps1 file was placed at C:\Users\fauxmal\Documents\WindowsPowerShell\Modules\Invoke-AtomicRedTeam\1.0.0.0.

After moving the Invoke-AtomicRedTeam folder to C:\AtomicRedTeam, running the command to import the module during a new powershell session fails, because the command is stored in a subfolder named 1.0.0.0.

Let me know if you require more information.

I installed using Windows Terminal.

Dependencies download - T1003-007 (Dump individual process memory with Python (Local))

Hello,

I am using Invoke-Atomic to perform tests on remote Linux machines. Most of the tests I am interested in leverage local resources, but some require external scripts or binaries.

I have noticed that while most of the tests can download external requirements if missing (e.g. Capture Passwords with MimiPenguin), T1003-007 (Dump individual process memory with Python (Local)) requires a dump_heap.py Python script that is neither copied from the attacking machine nor downloaded from a GitHub repo.

As such, I need to manually identify similar tests where dependencies are not automatically downloaded and manually upload them to my target machines.

Am I doing something wrong or is this the intended behavior?

pwsh error executing remote invoke-atomictest from linux to windows

When I try to run a powershell test from Debian to Windows, I get the following error

Usage: pwsh[.exe]
(...)
The argument "&" is not recognized as the name of a script file...

It works well when I run a "command_prompt" test.

It seems that pwsh is expecting a file name instead of a command line. I tried "-c" before the PowerShell command but it does not work.

Invoke-AtomicRedTeam installer should default to importing the module manifest.

install-atomicredteam.ps1 defaults to importing the module by its .psm1 file. Modules that specify a module manifest (.PSD1) should be imported instead. For example, the invoke-atomicredteam module manifest handles some dependencies while also invoking the .psm1.

What needs to be done:

  1. Change the reference of .psm1 to .psd1 in install-atomicredteam.ps1.
  2. Update the Import the Module documentation to reflect importing by the .psd1.

T1485 -- unbounded dd overwrite fills disk

atomics/T1485/T1485.yaml

dd of=#{file_to_overwrite} if=#{overwrite_source}

has neither timeout nor size limit, and will fill the disk (T1499) vs just wiping the file

$session variable in Invoke-AtomicTest.ps1 is not initialized?

Please forgive my noobness.

I was working on the subject file and noticed that there is a Parameter that can be passed into the function called $Session.

That variable is used 2 times in the file.

I see a variable called $session that is used 8 times in the function but is never initialized.

I think that the passed-in parameter called $Session is intended to be used throughout the function but it has been misspelled as $session in 8 places.

This is, of course, a very easy fix but the testing is beyond my available time.

I'm very new to Powershell so I might be missing something. Perhaps someone can confirm my finding? I would appreciate knowing that I'm not crazy. At least about this 8-D

The PowerShell framework should be updated to escape double quotes before it wraps the command.

There is a problem running https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.yaml on MacOS Catalina. The file is not dropped in /tmp and the output looks incorrect.

Testing the bash command in isolation yields the correct result, so it appears to be caused by the wrapping framework.

Invoke-AtomicTest T1059 -TestNumbers 1
PathToAtomicsFolder = /Users/Chuck/AtomicRedTeam/atomics
Executing test: T1059-1 Command-Line Interface
curl: try 'curl --help' or 'curl --manual' for more information

The curl line (which suggests that options aren't passed correctly) disappears, with the following output, when it returns to the prompt:

PS /Users/Chuck/github/atomic-red-team> Invoke-AtomicTest T1059 -TestNumbers 1
PathToAtomicsFolder = /Users/Chuck/AtomicRedTeam/atomics
Executing test: T1059-1 Command-Line Interface
Done executing test: T1059-1 Command-Line Interface
PS /Users/Chuck/github/atomic-red-team>

-ShowDetails(Brief) no output : Verbose mode : Unable to run non-macos tests. Why ?

Hi,

Using macOS with PowerShell installed:

pwsh -v
PowerShell 7.3.3

Followed Wiki to install framework without downloading and with all atomics techniques

PS /Users/toto> IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -Force
PS /Users/toto> echo $profile
/Users/toto/.config/powershell/Microsoft.PowerShell_profile.ps1
PS /Users/toto> cat $profile
Import-Module "/Users/toto/AtomicRedTeam/invoke-atomicredteam/Invoke-AtomicRedTeam.psm1" -Force
$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="/Users/toto/AtomicRedTeam/atomics"}

Everything seems to be fine and I can invoke help for Invoke-AtomicTest successfully.
Unfortunately, when asking for ShowDetails or ShowDetailsBrief, I get an empty output:

PS /Users/toto> Invoke-AtomicTest T1036 -ShowDetailsBrief
PathToAtomicsFolder = /Users/toto/AtomicRedTeam/atomics

PS /Users/toto>
PS /Users/toto> Invoke-AtomicTest T1036 -ShowDetails
PathToAtomicsFolder = /Users/toto/AtomicRedTeam/atomics

PS /Users/toto>

With verbose mode, my understanding is that it does not want to run because the test is not targeting macOS.
But I just want to see the details, not run it:

PS /Users/toto> Invoke-AtomicTest T1036 -ShowDetailsBrief -v
VERBOSE: Attempting to run Atomic Techniques
PathToAtomicsFolder = /Users/toto/AtomicRedTeam/atomics

VERBOSE: Removing the imported "Write-ExecutionLog" function.
VERBOSE: Removing the imported "Stop-ExecutionLog" function.
VERBOSE: Removing the imported "Start-ExecutionLog" function.
VERBOSE: Loading module from path '/Users/toto/AtomicRedTeam/invoke-atomicredteam/Public/Default-ExecutionLogger.psm1'.
VERBOSE: Exporting function 'Start-ExecutionLog'.
VERBOSE: Exporting function 'Write-ExecutionLog'.
VERBOSE: Exporting function 'Stop-ExecutionLog'.
VERBOSE: Importing function 'Start-ExecutionLog'.
VERBOSE: Importing function 'Stop-ExecutionLog'.
VERBOSE: Importing function 'Write-ExecutionLog'.
VERBOSE: Using Logger: Default-ExecutionLogger
VERBOSE: All logging commands found
VERBOSE: Determining tests for target platform
VERBOSE: Unable to run non-macos tests
VERBOSE: Determining tests for target platform
VERBOSE: Unable to run non-macos tests
PS /Users/toto>

Thanks in advance for your help

ValidExecutorTypes vs ValidDependencyExecutorTypes

In https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Get-AtomicTechnique.ps1#L108-L109, two arrays are defined showing the valid executor types. The dependency executor types are limited to just "powershell", meaning the execution framework will throw an error for something like "dependency_executor_name: command_prompt". However, https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Get-AtomicTechnique.ps1#L294-L295 returns a list of all valid executor types when the condition is not met. For example, if you set dependency_executor_name to "command_prompt", the tool will check if it is "powershell" and then tell you it must be one of "command_prompt", "sh", "bash", "powershell", "manual". The specification (https://github.com/redcanaryco/atomic-red-team/blob/d127147734978cddaeb4afe793938733b992b53e/atomic_red_team/spec.yaml#L77) doesn't really give much info on this field other than saying that it will default to the type used by the attacks (leading me to believe there shouldn't be any additional restrictions on executor type).

Based on this, what are the expected inputs and behaviors?

Atomic-GUI Error

Everything else works perfectly. When I run Start-AtomicGUI I receive the following error. I have tried specifying a different port but I continue to receive this error and am unable to access the GUI. I've also tried re-installing the UniversalDashboard module with no luck.

Start-Process: /home/vagrant/AtomicRedTeam/invoke-atomicredteam/Public/Start-AtomicGUI.ps1:263
Line |
263 | start-process http://localhost:$port
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| This command cannot be run due to the error: No such file or directory.

Use of relative paths for atomics folder

I was attempting to use this execution framework to test some automation and kept running into an issue where the system was saying the path was not found for an included bat file. It turns out that the -PathToAtomicsFolder argument does not support relative paths. Once I switched to absolute paths, it worked.

As a test, I added the following line to Public/Invoke-AtomicTest.ps1 at the start of the process block:

$PathToAtomicsFolder = (Resolve-Path $PathToAtomicsFolder).Path

and I was able to use relative paths for the atomics folder.

Do you foresee any issues with this approach?

Idea: Add parameter to output test GUID before running command

Use-cases

As a user, I want to output the current test GUID before running the test so that it will be easier to identify which test ran in logging mechanisms.

Another idea is to also set this to an environment variable as well.

Proposal

Add an optional Boolean command line parameter named

-AddGUIDPrefix

which would then prefix the command with something like

echo "{TEST GUID}" && {run test normally}

References

https://atomicredteam.slack.com/archives/CTXD5274M/p1689173909822249

How to query the output?

How can we search amongst the output, for example querying all the techniques or tests which contain the word "SMB"?
Is there a way to do it directly without saving the output to a file?
I want to find all the tests that are related to "SMB", for example.
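Rather than grepping the text that -ShowDetails prints, the parsed objects that Get-AtomicTechnique returns can be searched directly. The function below is an added example, not code from the question or from the project; it assumes the module is imported, that technique objects expose `attack_technique`, `display_name` and `atomic_tests`, that each test exposes `name`, `description`, `auto_generated_guid`, `supported_platforms` and an `executor` with `name` and either `command` or (for manual tests) `steps`, and that the atomics live under `C:\AtomicRedTeam\atomics`. It goes a little beyond the question by also letting you restrict the hits to a platform.

```powershell
# Added example (not the question author's code and not Invoke-AtomicRedTeam project code).
# Assumes Invoke-AtomicRedTeam is imported and Get-AtomicTechnique returns objects shaped like the YAML
# (attack_technique, display_name, atomic_tests[].name/description/executor...).
function Find-AtomicTest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Pattern,                     # regex, case-insensitive (-match)
        [string]$PathToAtomicsFolder = "C:\AtomicRedTeam\atomics",  # assumed install path
        [string[]]$Platform                                         # optional filter, e.g. "windows"
    )

    $techniques = Get-ChildItem "$PathToAtomicsFolder\*" -Recurse -Include T*.yaml | Get-AtomicTechnique

    foreach ($technique in $techniques) {
        $n = 0
        foreach ($atomic in $technique.atomic_tests) {
            $n++   # test number as used by -TestNumbers, counted before any filtering
            if ($Platform -and -not ($atomic.supported_platforms | Where-Object { $Platform -contains $_ })) { continue }

            # Fields worth searching; manual tests carry steps instead of a command.
            $fields = [ordered]@{
                technique   = $technique.attack_technique
                display     = $technique.display_name
                name        = $atomic.name
                description = $atomic.description
                command     = if ($atomic.executor.name -eq "manual") { $atomic.executor.steps } else { $atomic.executor.command }
            }
            $hits = @($fields.Keys | Where-Object { "$($fields[$_])" -match $Pattern })
            if ($hits.Count -eq 0) { continue }

            # One object per matching test, with the -TestNumbers value ready to copy into Invoke-AtomicTest.
            [pscustomobject]@{
                technique  = $technique.attack_technique
                test       = $n
                guid       = $atomic.auto_generated_guid
                name       = $atomic.name
                platforms  = ($atomic.supported_platforms -join ',')
                matched_in = ($hits -join ',')
            }
        }
    }
}

# Usage: list every test mentioning SMB, then narrow to Windows-only tests.
# Find-AtomicTest -Pattern 'SMB' | Format-Table -AutoSize
# Find-AtomicTest -Pattern 'SMB' -Platform windows | Select-Object technique, test, name
```

Because the output is objects rather than text, the result pipes straight into Where-Object, Export-Csv or a `-TestNumbers` argument, which is what makes this usable from an automation script.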

Suggestion: invoke cmd.exe/powershell.exe and run commands interactively instead of passing them on command line

When Invoke-AtomicRedTeam needs to execute a command with cmd.exe or powershell.exe, their binaries are called and the commands are passed on the command line, for example:

cmd.exe /C net user "domain admins"...
powershell.exe -c iex(new-object net.webclient).downloadstring('...

From a detection standpoint, some security solutions might detect it because they see a suspicious command on the command line of the cmd.exe/powershell.exe process, whereas I consider that an artifact of how the test is launched rather than what we want to detect. For example, it would not be the same if those commands were run in an interactive cmd/powershell console!

Here for example we want to detect user "domain admins" in the command line of net1.exe and the iex(new-object... PowerShell command itself.

Therefore, I suggest changing the way commands are passed to cmd.exe/powershell.exe. I don't have a very specific solution in mind, but I think something that would open these as consoles without any command line, then injecting commands for execution once open. Obviously we could inject keystrokes but that might trigger some products and that would be an undesired artifact too.
What do you think? Maybe you have an idea?

"Cannot convert null to type System.DateTime" when installing

Hello,

I'm trying to install Invoke-AtomicRedTeam as follows:

>  IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1')

> Install-AtomicRedTeam -Force
Installation of AtomicRedTeam Failed.
Cannot convert null to type "System.DateTime".

> Install-AtomicRedTeam -InstallPath "C:\Windows\Temp" -Force
Installation of AtomicRedTeam Failed.
Cannot convert null to type "System.DateTime".

As you can see, the installation seems to be failing for some reason. Some details:

  • AV is disabled
  • I tried performing the installation both with a normal user and local administrator account
  • I'm running Windows 10.0.18363.719

Thank you!

[Question] Custom yaml with Invoke-Atomic

Looking through documentation, I may have missed something, but is it possible to run custom yaml with Invoke-Atomic, given that it fits the standard yaml format for ART? Thanks in advance!

Installation failed: DestinationPath

Hello,
I tried different solutions on Windows 2022. If you can help:

Install-AtomicRedTeam
Installation of AtomicRedTeam Failed.
Impossible de trouver un paramètre correspondant au nom « DestinationPath ».

Install-AtomicsFolder
Installation of the AtomicsFolder Failed.
Impossible de trouver un paramètre correspondant au nom « DestinationPath ».

thanks
Best regards

Redundant line in Invoke-AtomicTest.ps1

Hey,

I was reading the source code and I came across these lines:

$res = Invoke-ExecuteCommand $final_command_prereq $executor $TimeoutSeconds $session -Interactive:$true
if ($res -eq 0) {
    Write-KeyValue "Prereq already met: " $description
}
else {
    $res = Invoke-ExecuteCommand $final_command_get_prereq $executor $TimeoutSeconds $session -Interactive:$Interactive
    $res = Invoke-ExecuteCommand $final_command_prereq $executor $TimeoutSeconds $session -Interactive:$true
    if ($res -eq 0) {

I think line 270 is not needed because it is a duplicate of line 263.

Provide process id and process exit code to loggers

This is a feature request.

Would it be possible to pass Invoke-Process $Process.Id and $Process.ExitCode to loggers via Write-ExecutionLog?
The process id is especially helpful when correlating with EDR timelines to validate detections.

Thanks in advance!
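Invoke-Process and Write-ExecutionLog are the module's names as quoted in the request above. The function below is an added, standalone example (not code from the project or from the issue author) of what a test-runner logger needs to record so that a run can be joined against an EDR or Sysmon timeline: the child process id, its start and end time, the exact command line and the exit code. The CSV path and the command in the usage line are constructed placeholders.

```powershell
# Added example, not Invoke-AtomicRedTeam code: start a child process, capture the
# identifiers a detection engineer correlates on, and append them to a CSV log.
function Invoke-LoggedProcess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string[]] $ArgumentList = @(),
        [Parameter(Mandatory)] [string] $LogPath,
        [string] $TestName = 'unnamed'
    )

    $psi = [System.Diagnostics.ProcessStartInfo]::new()
    $psi.FileName               = $FilePath
    $psi.Arguments              = ($ArgumentList -join ' ')
    $psi.UseShellExecute        = $false
    $psi.RedirectStandardOutput = $true
    $psi.RedirectStandardError  = $true

    # Timestamps are taken in the runner, in UTC, so they line up with EDR event times.
    $started  = [DateTime]::UtcNow
    $proc     = [System.Diagnostics.Process]::Start($psi)
    $childPid = $proc.Id            # read immediately; this is the value EDR telemetry keys on

    # Drain stderr asynchronously while reading stdout, so neither pipe fills up and blocks the child.
    $stderrTask = $proc.StandardError.ReadToEndAsync()
    $stdout     = $proc.StandardOutput.ReadToEnd()
    $stderr     = $stderrTask.GetAwaiter().GetResult()
    $proc.WaitForExit()
    $ended = [DateTime]::UtcNow

    $record = [pscustomobject]@{
        StartTimeUtc = $started.ToString('o')
        EndTimeUtc   = $ended.ToString('o')
        Hostname     = [Environment]::MachineName
        User         = [Environment]::UserName
        TestName     = $TestName
        CommandLine  = ("$FilePath $($psi.Arguments)").Trim()
        ProcessId    = $childPid
        ExitCode     = $proc.ExitCode   # non-zero lets a pipeline flag failed tests, not just missed detections
        StdOut       = $stdout.Trim()
        StdErr       = $stderr.Trim()
    }
    $proc.Dispose()

    # Append one row per execution; Export-Csv creates the file and header on first use.
    $record | Export-Csv -Path $LogPath -Append -NoTypeInformation
    return $record
}

# Usage (constructed, benign command; the log path is a placeholder):
# Invoke-LoggedProcess -FilePath 'cmd.exe' -ArgumentList '/c', 'echo hello' `
#     -LogPath "$env:TEMP\atomic-proc-log.csv" -TestName 'example'
```

The process id is only unique while the process lives, so the start and end timestamps are recorded alongside it; a correlation query should match on hostname, process id and a time window rather than on the id alone.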

Add support for TLS 1.2 in PowerShell when getting prereq

I added it in #30 for when Invoke-WebRequestVerifyHash is used; however, many tests simply use Invoke-WebRequest from PowerShell to download their prereq files.
GitHub now requires TLS 1.2 on github.com, which prevents downloads, for example:

PS C:\windows\system32> Invoke-AtomicTest T1003 -TestNumbers 7 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1003-7 Dump LSASS.exe Memory using direct system calls and API unhooking
Attempting to satisfy prereq: Dumpert executable must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1003\bin\Outflank-Dumpert.exe)
Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
At line:2 char:1
+ Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Failed to meet prereq: Dumpert executable must exist on disk at specified location (C:\AtomicRedTeam\atomics\T1003\bin\Outflank-Dumpert.exe)

I tried adding the following in the .psm1 file but it doesn't look like to be sufficient:

[Net.ServicePointManager]::SecurityProtocol = ([Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12)

Which is normal, considering that a child powershell.exe seems to be launched, so it is a different context!
I don't know the code very well, so I don't know where it would be best to inject it to ensure it applies to most of the code :)

A short-term solution could be using raw.githubusercontent.com links (which still accept TLS 1.0 and 1.1) instead of https://github.com//Dumpert/raw... but let's do better ;)

Consider adding a way to programmatically retrieve if PreReqs are met

We use the Atomic Red Team & Invoke-AtomicRedTeam projects within our CI pipeline in BLUESPAWN. This gives us at least some automated insight into the current coverage of BLUESPAWN and visibility into any possible regressions in detection logic.

Recently, we started having some of the tests fail and exit because the prerequisites were not met, ultimately failing the builds. For example, we run the following PowerShell command within our main test script which selectively runs ART tests for techniques we support.

Invoke-AtomicTest T1053.005 -ExecutionLogPath 'd:\a\BLUESPAWN\BLUESPAWN\AtomicTestsResults.csv'

Given this failure, I began investigating more into how Invoke-AtomicRedTeam handles checking pre-reqs. Based on my review of the code/testing, there does not seem to be an automated way to check if pre-reqs are met programmatically (?). Given that this project is meant to automate the running of these tests, I was wondering if you might consider adding a way to get this status.

I see a few possible ways this could be supported. First, prereqs could automatically be checked when a test is run by default. If the prereqs were not satisfied, the test would just be skipped (and/or an error printed). This would enable folks to keep using a command line (like the one above) having confidence that any prereq issues would be ignored or alerted on properly.

Alternatively, you could also add a function to return a boolean if prereqs are supported. That way developers could write something like the following code block:

If ((Test-AtomicTestPrereqsMet T1053.005) -eq $true) {
    Invoke-AtomicTest T1053.005 -ExecutionLogPath 'd:\a\BLUESPAWN\BLUESPAWN\AtomicTestsResults.csv'
} Else { ... }

Finally, a hybrid of the two options could be added, such as an additional parameter called something like "-SkipIfPrereqsNotMet".
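One way to get the boolean the request above asks for without changing the module, as an added example (not the project's code and not the issue author's): wrap the module's existing -CheckPrereqs and -GetPrereqs switches, capture what they print, and turn that into a skip-or-run decision for a CI script. It assumes Invoke-AtomicRedTeam is already imported and that the check reports each prerequisite as a "Prereq already met:" line (that string appears in the module source quoted earlier on this page) or a "Prereq not met:" line (assumed); the technique and log path in the usage are the ones from the request.

```powershell
# Added example, not Invoke-AtomicRedTeam code: a boolean prereq check built on the
# module's own -CheckPrereqs / -GetPrereqs switches, plus a run-or-skip wrapper for CI.
function Test-AtomicTestPrereqsMet {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)] [string] $AtomicTechnique,
        [string[]] $TestNumbers,
        [switch] $GetPrereqs   # try to satisfy missing prereqs before deciding
    )
    $splat = @{ AtomicTechnique = $AtomicTechnique }
    if ($TestNumbers) { $splat['TestNumbers'] = $TestNumbers }

    if ($GetPrereqs) {
        # Same order the module uses internally: attempt to get the prereqs, then re-check.
        Invoke-AtomicTest @splat -GetPrereqs *>&1 | Out-Null
    }

    # The module writes its status with Write-Host; "*>&1" merges every stream so the
    # text can be inspected instead of only scrolling past on a build agent.
    $report = Invoke-AtomicTest @splat -CheckPrereqs *>&1 | Out-String

    # Assumption: one "Prereq not met: <description>" line per missing prerequisite.
    return -not ($report -match 'Prereq not met')
}

# CI wrapper: skip with a warning instead of failing the build when prereqs are missing.
function Invoke-AtomicTestIfReady {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)] [string] $AtomicTechnique,
        [Parameter(Mandatory)] [string] $ExecutionLogPath
    )
    if (Test-AtomicTestPrereqsMet $AtomicTechnique -GetPrereqs) {
        Invoke-AtomicTest $AtomicTechnique -ExecutionLogPath $ExecutionLogPath
        return $true
    }
    Write-Warning "Skipping $AtomicTechnique because its prerequisites are not met"
    return $false
}

# Usage, mirroring the pipeline command from the request:
# Invoke-AtomicTestIfReady T1053.005 -ExecutionLogPath 'd:\a\BLUESPAWN\BLUESPAWN\AtomicTestsResults.csv'
```

Because the decision is made from printed text, the wrapper is only as stable as the module's output strings; a pipeline that relies on it should pin the Invoke-AtomicRedTeam version it runs against and treat a skipped test as a visible result, not a silent pass, so a prereq that quietly stops being satisfiable does not hide a detection regression.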

T1193

I'm using Invoke-Atomic as the attack simulation tool in a research paper on Sysmon.

Yesterday, I went to execute the test for T1193. The phishingattachment.xlsm downloaded via PowerShell as expected, but google.com never opened up.

When I opened phishingattachment.xlsm manually, Excel said there was an error between the file format and the file type/extension.

Idea: Get-AtomicStatistics function to pull stats on atomics directory

We get a lot of questions about what Atomic Red Team has/doesn't have in terms of coverage, and often the answer is found by scraping the atomic YAML and hacking together a number. For example, how many atomic tests are applicable to macOS? What percentage of tests are applicable to Linux, etc.

What common questions do you have of the atomics directory in atomic-red-team? What output might you like to see from a Get-AtomicStatistics function? Add your feedback to this issue. Thank you!
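To give the discussion above something concrete, here is an added example (not code from the project or from the issue author) of the kind of function being proposed: it walks every T*/T*.yaml under the atomics folder, counts tests per entry in each test's supported_platforms list, and answers the two questions from the issue (how many tests target a platform, and what share of all tests that is). It assumes the powershell-yaml module is available for ConvertFrom-Yaml, which Invoke-AtomicRedTeam already depends on, and defaults to the C:\AtomicRedTeam\atomics path shown elsewhere on this page.

```powershell
# Added example, not Invoke-AtomicRedTeam code: per-platform coverage statistics
# computed from the atomics folder. Requires the powershell-yaml module (ConvertFrom-Yaml).
function Get-AtomicStatistics {
    [CmdletBinding()]
    param(
        [string] $PathToAtomicsFolder = 'C:\AtomicRedTeam\atomics'
    )

    # Only the technique definition files (T1003/T1003.yaml, T1003.001/T1003.001.yaml, ...);
    # anything else named T*.yaml under src/ or bin/ is ignored.
    $yamlFiles = Get-ChildItem -Path $PathToAtomicsFolder -Recurse -Filter 'T*.yaml' |
        Where-Object { $_.Directory.Name -eq $_.BaseName }

    $perPlatform = @{}
    $techniques  = 0
    $totalTests  = 0

    foreach ($file in $yamlFiles) {
        $doc = ConvertFrom-Yaml (Get-Content -Raw -Path $file.FullName)
        if (-not $doc.atomic_tests) { continue }
        $techniques++
        foreach ($test in $doc.atomic_tests) {
            $totalTests++
            # A test that lists several platforms is counted once under each of them,
            # so the per-platform figures can add up to more than the total.
            foreach ($platform in @($test.supported_platforms)) {
                $perPlatform[$platform] = 1 + [int]$perPlatform[$platform]
            }
        }
    }

    $rows = foreach ($p in ($perPlatform.Keys | Sort-Object)) {
        [pscustomobject]@{
            Platform     = $p
            Tests        = $perPlatform[$p]
            PercentOfAll = [math]::Round(100 * $perPlatform[$p] / [math]::Max($totalTests, 1), 1)
        }
    }

    [pscustomobject]@{
        Techniques = $techniques
        Tests      = $totalTests
        ByPlatform = $rows
    }
}

# Usage:
# $stats = Get-AtomicStatistics
# $stats.ByPlatform | Format-Table
```

Other questions from the issue thread can be answered from the same parsed documents by swapping the inner loop: grouping on each test's executor name, or counting tests that declare elevation_required, are one-line changes to the aggregation.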

Problem: centos installation atomic red team error

What did you do?

[root@localhost ~]# pwsh
PowerShell 7.3.4
PS /root> IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
PS /root> Install-AtomicRedTeam -getAtomics -Force
Installation of AtomicRedTeam Failed.
The SSL connection could not be established, see inner exception.

PS /root> Install-AtomicRedTeam -getAtomics -Force
Installation of AtomicRedTeam Failed.
Connection timed out (github.com:443)

PS /root> Install-AtomicRedTeam -getAtomics -Force
Add-Type:
Line |
166 | Add-Type -TypeDefinition $Source -Language CSharp
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| (14,5): error SYSLIB0014: “WebClient.WebClient()”已过时:“WebRequest, HttpWebRequest, ServicePoint, and WebClient are obsolete. Use HttpClient instead.”
public ExtendedWebClient() {
^
Installation of AtomicRedTeam Failed.
Cannot add type. Compilation errors occurred.

What did you expect to happen?

Successfully installed AtomicRedTeam and can execute test cases

What happened instead?

centos installation atomic red team error

PS /root> Install-AtomicRedTeam -getAtomics -Force
Add-Type:
Line |
166 | Add-Type -TypeDefinition $Source -Language CSharp
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| (14,5): error SYSLIB0014: “WebClient.WebClient()”已过时:“WebRequest, HttpWebRequest, ServicePoint, and WebClient are obsolete. Use HttpClient instead.”
public ExtendedWebClient() {
^
Installation of AtomicRedTeam Failed.
Cannot add type. Compilation errors occurred.

Your Environment

  • CentOS Linux release 7.5.1804 (Core)
  • PowerShell 7.3.4

Wiki Command Typo

Under Execution Logging page, Redirect Output From Test Execution to a File section: Invoke-AtomicTest tT1027 -TestNumbers 2 *>&1 | Tee-Object atomic-out.txt -Append should be changed to Invoke-AtomicTest T1027 -TestNumbers 2 *>&1 | Tee-Object atomic-out.txt -Append removing the extra t.

Error - "Could not create SSL\TLS secure Tunnel"

Hi, after a week of using invoke-atomic perfectly fine with no issues, I encountered an unexpected error today,
"Could not create SSL\TLS secure Tunnel". I found some workarounds such as adding the following line in PowerShell:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
It seemed to work when I re-downloaded Invoke Atomics from GitHub, but after installing and attempting to execute the test it still gave me an error.
I could attempt to add the line also in the executed script, but I don't know which file will include all tests.

Please help
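The TLS 1.2 prereq issue earlier on this page, the CentOS installer failure (Add-Type rejecting the WebClient-based ExtendedWebClient with SYSLIB0014) and this "Could not create SSL/TLS secure channel" report all come down to how a prerequisite file is fetched. As an added example (not code from the project or from any of the issue authors), the function below downloads with System.Net.Http.HttpClient, which exists on both Windows PowerShell 5.1 and PowerShell 7 and is not the obsolete WebClient; on the .NET Framework edition it adds TLS 1.2 to the allowed protocols instead of replacing them; and it refuses to write the file unless its SHA256 matches the expected value, the check a prereq download should carry regardless of transport. The URL and hash in the usage line are placeholders.

```powershell
# Added example, not Invoke-AtomicRedTeam code: fetch a prerequisite over TLS 1.2 with
# HttpClient and only keep it if the SHA256 digest matches.
function Get-VerifiedPrereq {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $OutFile,
        # Expected SHA256 hex digest; in practice it comes from the atomic's prereq definition.
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    if ($PSVersionTable.PSEdition -eq 'Desktop') {
        # Windows PowerShell 5.1 / .NET Framework: the default SecurityProtocol set may omit
        # TLS 1.2, which is what produces "Could not create SSL/TLS secure channel" against
        # github.com. OR the flag in rather than assigning it, so nothing already enabled is lost.
        [Net.ServicePointManager]::SecurityProtocol =
            [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
        Add-Type -AssemblyName System.Net.Http
    }
    # PowerShell 7 / .NET: the OS defaults already negotiate TLS 1.2, no change needed.

    $client = [System.Net.Http.HttpClient]::new()
    try {
        $response = $client.GetAsync($Uri).GetAwaiter().GetResult()
        [void]$response.EnsureSuccessStatusCode()
        $bytes = $response.Content.ReadAsByteArrayAsync().GetAwaiter().GetResult()
    }
    finally {
        $client.Dispose()
    }

    # Verify before touching disk: a wrong or tampered binary is never written out.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $actual = [System.BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '').ToLowerInvariant()
    }
    finally {
        $sha.Dispose()
    }
    if ($actual -ne $ExpectedSha256.ToLowerInvariant()) {
        throw "Hash mismatch for $Uri : expected $ExpectedSha256, got $actual; file not written."
    }

    $dir = Split-Path -Parent $OutFile
    if ($dir -and -not (Test-Path -Path $dir)) { [void](New-Item -ItemType Directory -Path $dir) }
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)
    return $OutFile
}

# Usage (placeholder URL and digest, not values from the page):
# Get-VerifiedPrereq -Uri 'https://example.invalid/tool.exe' `
#     -OutFile "$env:TEMP\tool.exe" -ExpectedSha256 '<sha256 from the atomic yaml>'
```

The caveat raised in the TLS issue still applies: Invoke-AtomicTest runs each test's commands in a child powershell.exe, so a SecurityProtocol value set in the parent session does not reach them. The setting has to be part of the command the child executes, which is why the function above sets it itself rather than relying on the caller's session.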

Problem: Invoke-AtomicTest [test] -ShowDetailsBrief only returning the Path info

Newly installed today per the instructions for Mac that are pertinent. Installed the Execution Framework and then the Atomics folder and all are present and installed fine. Also added the automatic import to my pwsh profile.
When I run "Invoke-AtomicTest T1003 -ShowDetailsBrief" I only get back this "PathToAtomicsFolder = /Users/user/AtomicRedTeam/atomics" ...which is the correct path but I should be getting the test details etc.

If I run just "Invoke-AtomicTest" I do get the expected prompt however?

Running on a Mac PB Mojave 10.14.6 with PowerShell Core 7.0.3 (pwsh) installed and working.

Screens attached. Thank you.

