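<#
.SYNOPSIS
    Runs Atomic Red Team (ART) tests one at a time and captures the Windows
    event-log artefacts each test produces, for detection-engineering research.

.DESCRIPTION
    For every Windows-capable, non-manual atomic test whose running count
    (across all techniques) lies between StartTest and EndTest, the script:
      1. fetches and then verifies the test's prerequisites,
      2. clears the Security and Sysmon/Operational logs,
      3. runs the test, waits one second and exports both logs to
         <TestRoot>\Tests\<technique>\<test number>\,
      4. runs the test's cleanup,
      5. writes a status.json describing the outcome.
    Sysmon is switched to ResearchConfig for the duration of the run and put
    back to DefaultConfig when the run ends, including when it aborts.

    Written for an isolated lab host: the tests execute real adversary
    techniques, and the Security log is cleared before every test (the clear
    itself is audited and appears in the fresh log as event 1102).

.PARAMETER TestRoot
    Folder under which the per-test output directories are created.

.PARAMETER StartTest
    Running test count at which execution begins; lets a long run be resumed.

.PARAMETER EndTest
    Running test count after which execution stops.

.PARAMETER DefaultConfig
    Sysmon configuration restored when the run finishes.

.PARAMETER ResearchConfig
    Sysmon configuration applied while the tests run.

.PARAMETER AvoidShutdowns
    When $True, T1529 (shutdown/reboot) tests are skipped so the run survives.
#>
param(
    [Parameter()]
    [string]
    $TestRoot = "Z:\ArtTests",
    [Parameter()]
    [int]
    $StartTest = 0,
    [Parameter()]
    [int]
    $EndTest = 2000,
    [Parameter()]
    [string]
    $DefaultConfig = "C:\Configs\standard_config.xml",
    [Parameter()]
    [string]
    $ResearchConfig = "C:\Configs\research_config.xml",
    [Parameter()]
    [boolean]
    $AvoidShutdowns = $True
)

Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
Import-Module "C:\Scripts\Export-WinEvents\Export-WinEvents.psm1"

$TestDirectory = "$($TestRoot)\Tests"
$Date = Get-Date -Format "yyyy_MM_dd"
# Logs captured for every test: cleared before the test runs, exported afterwards.
$Channels = @('Security', 'Microsoft-Windows-Sysmon/Operational')

if (!(Test-Path $TestDirectory)) {
    New-Item $TestDirectory -ItemType Directory -Force | Out-Null
}

$techniques = Get-ChildItem C:\AtomicRedTeam\atomics\* -Recurse -Include T*.yaml | Get-AtomicTechnique

# Running count of Windows-capable tests seen so far; StartTest/EndTest are
# compared against this, not against per-technique numbers.
$TotalTestCount = 0

try {
    # Set the research config. A rejected config would otherwise leave every
    # test captured under whatever Sysmon config was already loaded, so abort
    # on a non-zero exit code (NOTE(review): Sysmon64 is expected to exit
    # non-zero when the config cannot be applied - confirm on the lab build).
    Sysmon64.exe -c $ResearchConfig | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) {
        throw "Sysmon64.exe failed to apply research config '$ResearchConfig' (exit code $LASTEXITCODE)"
    }

    foreach ($technique in $techniques) {
        if ($TotalTestCount -gt $EndTest) {
            break
        }
        $TechniqueID = ($technique.attack_technique -join ',')

        # 1-based test number within the technique, matching ART's own
        # numbering (so non-Windows and manual tests are counted too). It is
        # incremented at the top of the inner loop so that the continue/break
        # paths below cannot desynchronise it; previously the increment sat
        # after the inner loop and every test of a technique was written to
        # the "\1" folder.
        $Count = 0
        foreach ($atomic in $technique.atomic_tests) {
            $Count += 1

            # NOTE(review): executor is compared as a whole value; if
            # Get-AtomicTechnique returns it as a dictionary with a "name"
            # key, this never equals "manual" - confirm against the module.
            if (-not ($atomic.supported_platforms.contains("windows") -and ($atomic.executor -ne "manual"))) {
                continue
            }

            $TotalTestCount += 1
            if ($TotalTestCount -lt $StartTest) {
                continue
            } elseif ($TotalTestCount -gt $EndTest) {
                break
            }

            $TestStatus = "Failed"
            # Reset all three response holders: -InformationVariable only
            # assigns when its command actually runs, so a skipped test would
            # otherwise report the previous test's prereq output in status.json.
            $PrereqResponse = "NA"
            $CheckResponse = "NA"
            $TestResponse = "NA"
            $Failure = "NA"
            $TestFolder = "$TestDirectory\$TechniqueID\$Count"
            if (!(Test-Path $TestFolder)) {
                New-Item -Path $TestFolder -Force -ItemType Directory | Out-Null
            }

            # Skip tests that would tamper with the sensor doing the capture,
            # and (optionally) those that shut the host down.
            if ($atomic.name | Select-String -Quiet "Sysmon") {
                $Failure = "Skipped - uses Sysmon"
            } elseif ($AvoidShutdowns -And ($TechniqueID | Select-String -Quiet "T1529")) {
                $Failure = "Skipped - avoiding shutdowns"
            } elseif ($TechniqueID -like "*T1562.001*" -and $Count -eq 30) {
                $Failure = "Skipped - this test breaks Sysmon"
            } else {
                # Get Prereqs for test
                Invoke-AtomicTest $technique.attack_technique -TestGuids $atomic.auto_generated_guid -GetPrereqs -InformationVariable PrereqResponse
                if ($PrereqResponse | Select-String -Quiet "Failed to meet prereq") {
                    $Failure = "Failed to meet Prereq"
                } elseif ($PrereqResponse | Select-String -Quiet "Elevation required but not provided") {
                    $Failure = "Possible Elevation Error"
                } else {
                    Invoke-AtomicTest $technique.attack_technique -TestGuids $atomic.auto_generated_guid -CheckPrereqs -InformationVariable CheckResponse
                    # TODO: check that prereq was successfully acquired
                    if ($CheckResponse | Select-String -Quiet "Prerequisites not met") {
                        $Failure = "Error - Failed CheckPrereq after Successful GetPrereq"
                    } else {
                        # Clear both logs so the export below holds only this
                        # test's events (-StartDate/-EndDate filtering on the
                        # export did not work, hence the clear).
                        $Channels | Clear-WinEvents
                        # Invoke
                        Invoke-AtomicTest $technique.attack_technique -TestGuids $atomic.auto_generated_guid -InformationVariable TestResponse
                        # Give the providers a moment to flush, then export
                        Start-Sleep 1
                        $Channels | Export-WinEvents -OutputFolder $TestFolder
                        # Clean
                        Invoke-AtomicTest $technique.attack_technique -TestGuids $atomic.auto_generated_guid -Cleanup
                        $TestStatus = "Successful"
                    }
                }
            }

            # Dump test metadata next to the exported logs
            $StatusObj = [PSCustomObject]@{
                Status = $TestStatus
                Technique = $TechniqueID
                TestNumber = $Count
                PrereqResponse = $PrereqResponse.MessageData.Message | Out-String
                CheckResponse = $CheckResponse.MessageData.Message | Out-String
                TestResponse = $TestResponse.MessageData.Message | Out-String
                Date = $Date
                Time = Get-Date -Format "HH_mm_ss"
                GUID = $atomic.auto_generated_guid
                Failure = $Failure
            }
            $StatusObj | ConvertTo-Json | Out-File "$($TestFolder)\status.json"
        }
    }
} finally {
    # Always put the production Sysmon config back, even when a test threw
    # or the run was stopped part-way; previously an exception anywhere in
    # the loop left the host running the research config.
    Sysmon64.exe -c $DefaultConfig | ForEach-Object { "$_" }
}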