Atomic Red Team
Description¶
Module orchestrates Atomic Red Team using the Invoke-Atomic Powershell module.
It also gives you the option to select or install Powershell on the target system.
NOTE: OSX is unsupported.
Prerequisites¶
Powershell on the target system and a valid/working Metasploit session on the target system.
If the target system is Windows, make sure to update the Virus & threat protections settings.
Input parameters¶
technique¶
ID of the Atomic technique (possibly with test IDs defined using short form).
| Name | Type | Required | Default value | Example value |
|---|---|---|---|---|
technique |
string | ✓ | T1222.002 T1222.002-1,2 |
test_guids¶
Test GUIDs to run.
| Name | Type | Required | Default value | Example value |
|---|---|---|---|---|
test_guids |
array[string] | ✗ | ["34...-690adf36a135", "fc...-381f5c35aff3"] |
parameters¶
Input arguments for the test(s).
| Name | Type | Required | Default value | Example value |
|---|---|---|---|---|
parameters |
object | ✗ | {"numeric_mode": "700"} |
command¶
Custom Atomic command.
| Name | Type | Required | Default value | Example value |
|---|---|---|---|---|
command |
string | ✓ | Invoke-AtomicTest T1222.001 -InputArgs @{"a"="b"} |
session_id¶
Metasploit session ID to use.
| Name | Type | Required | Default value | Example value |
|---|---|---|---|---|
session_id |
integer | ✓ | 1 |
powershell¶
Powershell related options.
| Name | Type | Required | Default value | Example value |
|---|---|---|---|---|
powershell |
object | ✗ | {} |
{"install": true} |
Only one of the two following properties can be set.
executable¶
Path to Powershell executable.
| Name | Type | Required | Default value | Example value |
|---|---|---|---|---|
executable |
string | ✗ | powershell.exe |
install¶
Whether to auto install Powershell.
| Name | Type | Required | Default value | Example value |
|---|---|---|---|---|
install |
boolean | ✗ | false |
true |
Examples¶
Execute technique and all of its tests (including Powershell installation)¶
Input:
my-step:
module: atomic_red_team
arguments:
session_id: 1
technique: T1222.002
powershell:
install: true
Output:
{
"result": "ok",
"output": "PathToAtomicsFolder = /home/test/AtomicRedTeam/atomics\n\nExecuting test: T1222.002-1 chmod - Change file or folder mode (numeric mode)\nchmod: cannot access '/tmp/AtomicRedTeam/atomics/T1222.002': No such file or directory\nExit code: 1\nDone executing test: T1222.002-1 chmod - Change file or folder mode (numeric mode)\n",
"serialized_output": {}
}
Execute specific test with custom parameters¶
Input:
my-step:
module: atomic_red_team
arguments:
session_id: 1
technique: T1222.002
test_guids:
- 34ca1464-de9d-40c6-8c77-690adf36a135
parameters:
numeric_mode: 700
file_or_folder: /tmp/file
Output:
{
"result": "ok",
"output": "PathToAtomicsFolder = /home/test/AtomicRedTeam/atomics\n\nExecuting test: T1222.002-1 chmod - Change file or folder mode (numeric mode)\nchmod: cannot access '/tmp/AtomicRedTeam/atomics/T1222.002': No such file or directory\nExit code: 1\nDone executing test: T1222.002-1 chmod - Change file or folder mode (numeric mode)\n",
"serialized_output": {}
}
Run custom Atomic command¶
Input:
my-step:
module: atomic_red_team
arguments:
session_id: 1
command: Invoke-AtomicTest T1222.001
Output:
{
"result": "ok",
"output": "PathToAtomicsFolder = /home/test/AtomicRedTeam/atomics\n\nExecuting test: T1222.002-1 chmod - Change file or folder mode (numeric mode)\nchmod: cannot access '/tmp/AtomicRedTeam/atomics/T1222.002': No such file or directory\nExit code: 1\nDone executing test: T1222.002-1 chmod - Change file or folder mode (numeric mode)\n",
"serialized_output": {}
}
Troubleshooting¶
So far so good.
Output serialization¶
Not available at the moment.