Helper functions - Adam-Mashinchi/invoke-atomicredteam GitHub Wiki
Invoke-Atomic includes a few useful helper functions.
The following functions are available to help you create new atomic tests:

- `New-AtomicTechnique` Specifies a new Atomic Red Team technique. This function produces output intended to be piped directly to `ConvertTo-Yaml`.
- `New-AtomicTest` Specifies the name of a new atomic technique.
- `New-AtomicTestDependency` Adds a dependency to an atomic test.
- `New-AtomicTestInputArgument` Adds an input parameter to an atomic test.
Detailed documentation including usage examples is available by calling `Get-Help`.
The function `Invoke-WebRequestVerifyHash` downloads a file if the file hash matches a specified value.

```powershell
Invoke-WebRequestVerifyHash <url> <output file> <hash>
```

The function returns `$true` if successful and `$false` if not. For a usage example, see the Windows credential editor test.

We recommend using this function to validate files from sources other than GitHub.
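As an added illustration (not the Invoke-AtomicRedTeam project's own code), here is a stand-alone PowerShell function with the same argument shape as `Invoke-WebRequestVerifyHash`, showing what a hash-gated download has to do: fetch to a temporary path, compare the digest, and only then move the file into place. The hash algorithm (SHA-256 by default), the function name and the URL/digest in the usage line are assumptions and constructed placeholders.

```powershell
# Added example, not the Invoke-AtomicRedTeam helper itself.
# Assumptions: hex digest, SHA-256 unless another algorithm is named.
function Get-VerifiedFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][string]$ExpectedHash,
        [ValidateSet('SHA256','SHA1','MD5')][string]$Algorithm = 'SHA256'
    )

    # Download to a temp file first so an unverified download never lands at $OutFile.
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop

        # Get-FileHash returns an upper-case hex digest; -ne compares case-insensitively.
        $actual = (Get-FileHash -Path $tmp -Algorithm $Algorithm).Hash
        if ($actual -ne $ExpectedHash.Trim()) {
            Write-Warning "Hash mismatch for $Url (expected $ExpectedHash, got $actual); discarding download."
            return $false
        }

        # Verified: create the destination directory if needed and move the file into place.
        $dir = Split-Path -Parent $OutFile
        if ($dir -and -not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
        Move-Item -Path $tmp -Destination $OutFile -Force
        return $true
    }
    catch {
        Write-Warning "Download of $Url failed: $($_.Exception.Message)"
        return $false
    }
    finally {
        # Remove the temp file on mismatch or error (after a successful move it no longer exists).
        if (Test-Path $tmp) { Remove-Item $tmp -Force -ErrorAction SilentlyContinue }
    }
}

# Usage with constructed placeholder values (replace with the real URL and published digest):
# $ok = Get-VerifiedFile -Url 'https://example.invalid/tool.zip' -OutFile "$env:TEMP\tool.zip" -ExpectedHash '<EXPECTED_SHA256_HEX>'
```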
The function `Invoke-MalDoc` allows you to quickly develop malicious document atomic tests. Instead of creating a new XLSM or DOCM file for each VBA macro, this function allows you to specify all macro functionality from the test itself, no file dependencies required.

```powershell
Invoke-MalDoc <macro code> <office version> <office product>
```

The arguments of `Invoke-MalDoc` are as follows:

- `<macro code>` String of PowerShell-escaped VBA subroutine code. For example:

  ```powershell
  " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n"
  ```

  We recommend using the CyberChef macro-to-string converter to produce the correct input.
- `<office version>` String containing the Microsoft Office version number. To find this value, run `Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office`.
- `<office product>` String containing the name of the associated Microsoft Office product. Currently supports `"Excel"` and `"Word"`.