Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the [atomics folder](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics) of Red Canary's Atomic Red Team project.
Idea: Allow Atomics to be run Solely by test GUID #167
Invoke-AtomicTest should be able to run solely based on the test_guids. GUID generation should be globally unique and thus have no collisions across techniques.
As MITRE updates the ATT&CK matrix, sub-techniques change IDs.
a. There have been multiple instances of techniques changing IDs in the matrix, e.g., Port Monitors changed from T1013 to T1547.010.
b. Using GUIDs to run tests will allow atomics to be re-organized to match the changing matrix without breaking automations.
Having to use techniques to call a test also forces detections (with auto unit testing through ART) to be mapped to the proper (new) ATT&CK technique ID and to the one where ART has it mapped (not always the same).
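An added example, not from the issue author or the Invoke-AtomicRedTeam project, of the GUID-first lookup the issue asks for: it builds a GUID index from the atomics folder at run time and then calls the existing Invoke-AtomicTest by technique and test number, so automation only ever holds the GUID and survives a technique being renumbered. It assumes the layout atomics\<Technique>\<Technique>.yaml with one auto_generated_guid per test; the function names Get-AtomicTestIndex and Invoke-AtomicTestByGuid are hypothetical.

```powershell
# Added example (not project code). Builds a map of auto_generated_guid -> technique/test number
# by scanning the atomics folder, so a caller can run a test without knowing its technique ID.
function Get-AtomicTestIndex {
    param([Parameter(Mandatory)][string]$AtomicsPath)
    $index = @{}
    foreach ($yaml in Get-ChildItem -Path $AtomicsPath -Filter '*.yaml' -Recurse) {
        # Only the per-technique file (atomics\T1547.010\T1547.010.yaml); this skips the
        # generated Indexes\ files, which repeat the same GUIDs and would look like collisions.
        if ($yaml.BaseName -ne $yaml.Directory.Name) { continue }
        $technique = $null
        $testNumber = 0   # 1-based position of the test inside atomic_tests, as -TestNumbers expects
        foreach ($line in Get-Content -Path $yaml.FullName) {
            if ($line -match '^attack_technique:\s*(\S+)') { $technique = $Matches[1]; continue }
            # Every test carries exactly one auto_generated_guid, so its order in the file is the test number.
            if ($line -match '^\s*auto_generated_guid:\s*([0-9a-fA-F-]{36})') {
                $testNumber++
                $guid = $Matches[1].ToLower()
                if ($index.ContainsKey($guid)) {
                    # GUIDs are meant to be globally unique; a duplicate means a copy/paste error in the YAML.
                    Write-Warning "GUID $guid appears in both $($index[$guid].File) and $($yaml.FullName)"
                }
                $index[$guid] = [pscustomobject]@{
                    Technique = $technique; TestNumber = $testNumber; File = $yaml.FullName
                }
            }
        }
    }
    return $index
}

# Runs one or more tests by GUID. The technique ID is resolved at run time, so reorganising
# the atomics folder after an ATT&CK renumbering does not break the caller.
function Invoke-AtomicTestByGuid {
    param(
        [Parameter(Mandatory)][string[]]$TestGuids,
        [string]$AtomicsPath = 'C:\AtomicRedTeam\atomics',
        [switch]$CheckPrereqs
    )
    $index = Get-AtomicTestIndex -AtomicsPath $AtomicsPath
    foreach ($guid in $TestGuids) {
        $entry = $index[$guid.ToLower()]
        if (-not $entry) { Write-Error "No atomic test with GUID $guid under $AtomicsPath"; continue }
        Invoke-AtomicTest $entry.Technique -TestNumbers $entry.TestNumber `
            -PathToAtomicsFolder $AtomicsPath -CheckPrereqs:$CheckPrereqs
    }
}
```

Passing `-CheckPrereqs` through first is the safe way to confirm the lookup landed on the intended test before anything executes.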