# Invoke-AtomicRedTeam
Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the atomics folder of Red Canary's Atomic Red Team project. The "atomics folder" contains a folder for each Technique defined in the MITRE ATT&CK™ Framework.

### Installation

This execution framework (Invoke-AtomicRedTeam) works cross-platform on Windows, Linux and macOS. On Linux and macOS you must first install PowerShell Core.

In [1]:
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -Force

Installation of Invoke-AtomicRedTeam is complete. You can now use the Invoke-AtomicTest function
See Wiki at https://github.com/redcanaryco/invoke-atomicredteam/wiki for complete details


If the installation fails on Windows, it is because the PowerShell execution policy prevents the script from running. To work around this, run the following commands and install the framework again. The first command relaxes the execution policy for the current user only; the second disables Microsoft Defender real-time monitoring and requires an elevated PowerShell prompt, so turn real-time monitoring back on once testing is finished.

In [None]:
Set-ExecutionPolicy Bypass -Scope CurrentUser
Set-MpPreference -DisableRealtimeMonitoring $true

### Import the Module 

To make the `Invoke-AtomicTest` function available in your current PowerShell session you must import the module. This is done automatically in the PowerShell window where you installed the execution framework, but if you start a new PowerShell window you will need to re-import the module, which can be done as follows.

In [2]:
$PathToART = $( if ($IsLinux -or $IsMacOS) { $Env:HOME + "/AtomicRedTeam" } else { $env:HOMEDRIVE + "\AtomicRedTeam" })
Import-Module "$PathToART\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
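The two lines above resolve the install location by operating system and import the manifest. The helper below is an added example, not code from the Invoke-AtomicRedTeam project: it resolves the same default path, verifies that the module manifest and the atomics folder are actually present before importing (a missing atomics folder is the usual reason a later `Invoke-AtomicTest` call finds no tests), and returns a small summary object that can be logged. The function name `Import-AtomicRedTeamModule` and its `-InstallPath` parameter are assumptions made for this example.

```powershell
# Added example, not part of the Invoke-AtomicRedTeam project. Resolve the default
# install location the way the import step above does, check that the manifest and
# atomics folder exist, import the module and confirm Invoke-AtomicTest is loaded.
function Import-AtomicRedTeamModule {
    [CmdletBinding()]
    param(
        # Optional override for a non-default install location (assumed parameter name)
        [string]$InstallPath
    )

    if (-not $InstallPath) {
        # $IsLinux / $IsMacOS are undefined (falsy) on Windows PowerShell 5.1,
        # so the Windows branch is taken there, exactly as in the page's own code.
        $InstallPath = if ($IsLinux -or $IsMacOS) { Join-Path $Env:HOME 'AtomicRedTeam' }
                       else { Join-Path $env:HOMEDRIVE 'AtomicRedTeam' }
    }

    $manifest = Join-Path $InstallPath 'invoke-atomicredteam/Invoke-AtomicRedTeam.psd1'
    $atomics  = Join-Path $InstallPath 'atomics'

    if (-not (Test-Path -LiteralPath $manifest)) {
        throw "Module manifest not found at '$manifest'. Run Install-AtomicRedTeam first."
    }

    $atomicsPresent = Test-Path -LiteralPath $atomics -PathType Container
    if (-not $atomicsPresent) {
        Write-Warning "Atomics folder '$atomics' is missing; re-run Install-AtomicRedTeam -getAtomics."
    }

    Import-Module $manifest -Force -ErrorAction Stop

    $cmd = Get-Command Invoke-AtomicTest -ErrorAction SilentlyContinue
    if (-not $cmd) { throw 'Import succeeded but Invoke-AtomicTest is not available.' }

    # Count technique folders (T1003, T1547.007, ...) so an empty checkout is obvious.
    $techniqueCount = if ($atomicsPresent) {
        (Get-ChildItem -LiteralPath $atomics -Directory -Filter 'T*').Count
    } else { 0 }

    [pscustomobject]@{
        ModuleVersion    = $cmd.Module.Version
        ManifestPath     = $manifest
        AtomicsFolder    = $atomics
        AtomicsPresent   = $atomicsPresent
        TechniqueFolders = $techniqueCount
    }
}

# Usage: import and print what was loaded.
Import-AtomicRedTeamModule | Format-List
```

Because the function throws when the manifest is missing and warns when the atomics folder is missing, it fails early in a scheduled job instead of producing an empty test listing later.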

## List Atomic Tests

Now that the execution framework is installed and the module is imported you are ready to start using it. A good starting point is to list the Technique numbers and test names available for execution.

### Show Details Brief

Use the `-ShowDetailsBrief` switch to list the tests available for a given technique number.

In [3]:
Invoke-AtomicTest T1547.007 -ShowDetailsBrief

PathToAtomicsFolder = /Users/0x6c/AtomicRedTeam/atomics

T1547.007-2 Re-Opened Applications


If you would like to show details for all techniques, you can use "All" as the technique number.

In [4]:
Invoke-AtomicTest All -ShowDetailsBrief

PathToAtomicsFolder = /Users/0x6c/AtomicRedTeam/atomics

T1560.001-5 Data Compressed - nix - zip
T1560.001-6 Data Compressed - nix - gzip Single File
T1560.001-7 Data Compressed - nix - tar Folder or File
T1560.001-8 Data Encrypted with zip and gpg symmetric
T1548.001-1 Make and modify binary from C source
T1548.001-2 Set a SetUID flag on file
T1548.001-3 Set a SetGID flag on file
T1496-1 macOS/Linux - Simulate CPU Load with Yes
T1053.003-1 Cron - Replace crontab with referenced file
T1053.003-2 Cron - Add script to cron folder
T1053.004-1 Event Monitor Daemon Persistence
T1030-1 Data Transfer Size Limits
T1562.001-5 Disable Carbon Black Response
T1562.001-6 Disable LittleSnitch
T1562.001-7 Disable OpenDNS Umbrella
T1562.001-8 Stop and unload Crowdstrike Falcon on macOS
T1056.002-1 AppleScript - Prompt User for Password
T1564.001-1 Create a hidden file in a hidden directory
T15

### Show Details (verbose) 

Use the `-ShowDetails` switch to show test details, including attack commands, input parameters, and prerequisites for a given technique number.

In [5]:
Invoke-AtomicTest T1547.007 -ShowDetails

PathToAtomicsFolder = /Users/0x6c/AtomicRedTeam/atomics

[********BEGIN TEST*******]
Technique: Boot or Logon Autostart Execution: Re-opened Applications T1547.007
Atomic Test Name: Re-Opened Applications
Atomic Test Number: 2
Atomic Test GUID: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb
Description: Mac Defaults
[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)

Attack Commands:
Executor: sh
ElevationRequired: True
Command:
sudo defaults write com.apple.loginwindow LoginHook #{script}
Command (with inputs):
sudo defaults write com.apple.loginwindow LoginHook /path/to/script
[!!!!!!!!END TEST!!!!!!!]
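The `-ShowDetailsBrief` and `-ShowDetails` listings above are printed as coloured text, which is fine for reading but awkward for tracking which techniques a detection team has actually exercised. The function below is an added example, not part of the Invoke-AtomicRedTeam project, and serves both listing sections: it runs the brief listing (for one technique or `All`), strips any ANSI colour codes, and parses each `T1547.007-2 Re-Opened Applications` style entry into an object with technique id, test number and test name, so the inventory can be grouped, exported to CSV and annotated with detection coverage. Assumptions: the module is already imported, and the listing is written to the host or information stream rather than the pipeline, so all streams are redirected with `*>&1` before capture. The function name `Get-AtomicTestInventory` is an assumption for this example.

```powershell
# Added example, not part of the Invoke-AtomicRedTeam project. Convert the text that
# -ShowDetailsBrief prints into objects for coverage tracking.
function Get-AtomicTestInventory {
    [CmdletBinding()]
    param(
        # Technique id such as T1547.007, or 'All' as shown on the page
        [string]$Technique = 'All'
    )

    # Assumption: the listing goes to the host/information stream, so merge every
    # stream into the pipeline; Out-String -Stream yields one string per line.
    $lines = Invoke-AtomicTest $Technique -ShowDetailsBrief *>&1 | Out-String -Stream

    # Colour codes survive when the output is captured from a terminal.
    $ansi  = [regex]'\x1b\[[0-9;]*m'
    # Entries look like "T1547.007-2 Re-Opened Applications" or "T1030-1 Data Transfer Size Limits".
    $entry = [regex]'^(?<technique>T\d{4}(?:\.\d{3})?)-(?<number>\d+)\s+(?<name>.+)$'

    foreach ($raw in $lines) {
        $line = $ansi.Replace($raw, '').Trim()
        $m = $entry.Match($line)
        if ($m.Success) {
            [pscustomobject]@{
                Technique  = $m.Groups['technique'].Value
                TestNumber = [int]$m.Groups['number'].Value
                TestName   = $m.Groups['name'].Value
            }
        }
    }
}

# Usage: tests per technique, plus a CSV the detection team can annotate with
# which tests produced an alert and which did not.
$inventory = Get-AtomicTestInventory -Technique All
$inventory | Group-Object Technique | Sort-Object Count -Descending |
    Select-Object @{ n = 'Technique'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
$inventory | Export-Csv -Path (Join-Path $PWD 'atomic-test-inventory.csv') -NoTypeInformation
```

Lines that are not test entries, such as the `PathToAtomicsFolder = ...` header, do not match the pattern and are dropped, so the output contains only test records.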


