redcanaryco / invoke-atomicredteam

Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the [atomics folder](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics) of Red Canary's Atomic Red Team project.
MIT License

-ShowDetails(Brief) no output : Verbose mode : Unable to run non-macos tests. Why ? #118

Closed kripskroll closed 1 year ago

kripskroll commented 1 year ago

Hi,

Using macOS with PowerShell installed

> pwsh -v
> PowerShell 7.3.3

Followed the Wiki to install the framework without downloading, and with all atomic techniques

PS /Users/toto> IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -Force
PS /Users/toto> echo $profile
/Users/toto/.config/powershell/Microsoft.PowerShell_profile.ps1
PS /Users/toto> cat $profile
Import-Module "/Users/toto/AtomicRedTeam/invoke-atomicredteam/Invoke-AtomicRedTeam.psm1" -Force
$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="/Users/toto/AtomicRedTeam/atomics"}

Everything seems to be fine and I can invoke help Invoke-AtomicTest successfully. Unfortunately, when asking for -ShowDetails or -ShowDetailsBrief, I get an empty output

PS /Users/toto> Invoke-AtomicTest T1036 -ShowDetailsBrief
PathToAtomicsFolder = /Users/toto/AtomicRedTeam/atomics

PS /Users/toto>
PS /Users/toto> Invoke-AtomicTest T1036 -ShowDetails
PathToAtomicsFolder = /Users/toto/AtomicRedTeam/atomics

PS /Users/toto>

With verbose mode, my understanding is that it does not want to run because the test is not targeting macOS. But I just want to see the details, not run it

PS /Users/toto> Invoke-AtomicTest T1036 -ShowDetailsBrief -v
VERBOSE: Attempting to run Atomic Techniques
PathToAtomicsFolder = /Users/toto/AtomicRedTeam/atomics

VERBOSE: Removing the imported "Write-ExecutionLog" function.
VERBOSE: Removing the imported "Stop-ExecutionLog" function.
VERBOSE: Removing the imported "Start-ExecutionLog" function.
VERBOSE: Loading module from path '/Users/toto/AtomicRedTeam/invoke-atomicredteam/Public/Default-ExecutionLogger.psm1'.
VERBOSE: Exporting function 'Start-ExecutionLog'.
VERBOSE: Exporting function 'Write-ExecutionLog'.
VERBOSE: Exporting function 'Stop-ExecutionLog'.
VERBOSE: Importing function 'Start-ExecutionLog'.
VERBOSE: Importing function 'Stop-ExecutionLog'.
VERBOSE: Importing function 'Write-ExecutionLog'.
VERBOSE: Using Logger: Default-ExecutionLogger
VERBOSE: All logging commands found
VERBOSE: Determining tests for target platform
VERBOSE: Unable to run non-macos tests
VERBOSE: Determining tests for target platform
VERBOSE: Unable to run non-macos tests
PS /Users/toto>

Thanks in advance for your help

clr2of8 commented 1 year ago

New -anyOS flag added to meet this need as described here. thx!
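As an added example (not code from this issue or from the Invoke-AtomicRedTeam module itself), the platform gate behind the "Unable to run non-macos tests" message, reproduced as a small function with an -AnyOS switch that mirrors the new flag. The $sample structure is constructed by hand to resemble a parsed atomic YAML file, and both function names are hypothetical.

```powershell
# Added example, not part of the issue or the module: reproduce the platform
# gate seen in the verbose output, plus the -AnyOS bypass.

function Get-CurrentAtomicPlatform {
    # $IsWindows / $IsLinux / $IsMacOS are automatic variables in PowerShell 6+
    if ($IsWindows) { return 'windows' }
    if ($IsLinux)   { return 'linux' }
    if ($IsMacOS)   { return 'macos' }
    return 'windows'   # Windows PowerShell 5.1 defines none of the three
}

function Get-AtomicTestsForPlatform {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable] $Atomic,
        [string] $Platform = (Get-CurrentAtomicPlatform),
        [switch] $AnyOS
    )
    $testNumber = 0
    foreach ($test in $Atomic.atomic_tests) {
        $testNumber++   # test numbers are 1-based, as with -TestNumbers
        if ($AnyOS -or ($test.supported_platforms -contains $Platform)) {
            [pscustomobject]@{
                Technique  = $Atomic.attack_technique
                TestNumber = $testNumber
                Name       = $test.name
                Platforms  = ($test.supported_platforms -join ', ')
            }
        }
        else {
            Write-Verbose "Skipping test $testNumber ('$($test.name)'): not a $Platform test"
        }
    }
}

# Constructed sample: a technique whose tests target only Windows
$sample = @{
    attack_technique = 'T1036'
    atomic_tests     = @(
        @{ name = 'Constructed test A'; supported_platforms = @('windows') },
        @{ name = 'Constructed test B'; supported_platforms = @('windows') }
    )
}

# On macOS without the bypass: no objects, only verbose "Skipping" lines
Get-AtomicTestsForPlatform -Atomic $sample -Platform 'macos' -Verbose
# With the bypass: both tests are listed regardless of platform
Get-AtomicTestsForPlatform -Atomic $sample -Platform 'macos' -AnyOS
```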