Execute an atomic test locally - Adam-Mashinchi/invoke-atomicredteam GitHub Wiki

Running tests on a local machine.

• Contents
• Set execution path
• Execute atomic tests by technique number
• Execute tests by identifier
• Execute tests by location
• Execute tests interactively
• Specify custom input arguments
• Change output location
• Run tests without confirmation
• Up next

Invoke-Atomic assumes that your atomics folder is in its default location: <install path>\AtomicRedTeam\atomics. You can override the default path using the PSDefaultParameterValues variable:

$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="<custom path>\atomic-red-team\atomics"}

💡 Tip: Add this line to your PowerShell profile to set your custom path as the default.

You can execute all tests associated with a given technique number:

Invoke-AtomicTest <technique number>

To set a process timeout, use the -TimeoutSeconds flag. The default value is 120.

Invoke-AtomicTest <technique number> -TimeoutSeconds <seconds>

👉 Note: We don't recommend it, but you can execute every atomic test in the atomics directory by running Invoke-AtomicTest All.

To execute a test by its atomic test number, use the -TestNumbers flag. Separate each argument with a comma.

Invoke-AtomicTest <technique number> -TestNumbers <number,number,...>

You can also execute tests by name. Use the -TestNames flag.

Invoke-AtomicTest <technique number> -TestNames <"name","name",...>

When scripting, we recommend using the -TestGuids flag to execute tests by GUID. This is because GUIDs never change, while test numbers and names can change.

Invoke-AtomicTest <technique number> -TestGuids <GUID,GUID,...>

You can specify a custom path to your atomics directory:

Invoke-AtomicTest <technique number> -PathToAtomicsFolder <custom path>\atomics

Some tests require user input to run. To execute these tests, specify the -Interactive flag:

Invoke-AtomicTest <technique number> -Interactive

If you run an interactive test without the -Interactive flag, you'll have to wait for the test to time out before you try again.

Use the -PromptForInputArgs flag to set your own values for the inputs used by an atomic test:

Invoke-AtomicTest <technique number> -PromptForInputArgs

You can specify all or some of the inputs via PowerShell. For example:

$myArgs = @{ "file_name" = "c:\Temp\myfile.txt"; "ads_filename" = "C:\Temp\ads-file.txt"  }
Invoke-AtomicTest T1158 -TestNames "Create ADS command prompt" -InputArgs $myArgs

Any inputs not explicitly defined maintain their default values.

By default, Invoke-Atomic writes its execution details to Invoke-AtomicTest-ExecutionLog.csv in your temporary directory. To write output to a different file, use the -ExecutionLogPath flag:

Invoke-AtomicTest <technique number> -ExecutionLogPath "<custom path>"

💡 Tip: Use the -NoExecutionLog flag to stop Invoke-Atomic from writing its output to disk.

To execute tests without manually confirming them, set the -Confirm flag to $false:

Invoke-AtomicTest <technique number> -Confirm:$false

You can also set the $ConfirmPreference variable to 'Medium':

$ConfirmPreference = 'Medium'

• Cleanup after execution