redcanaryco / invoke-atomicredteam

Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the [atomics folder](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics) of Red Canary's Atomic Red Team project.
MIT License

Problem: When invoking all tests, on tactic T1529 Windows shuts down, other tests are not executed because of that #195

Open ghost6-2 opened 3 months ago

ghost6-2 commented 3 months ago

What did you do?

I used the script from your GitHub page to invoke all tests:

```powershell
$techniques = gci C:\AtomicRedTeam\atomics* -Recurse -Include T*.yaml | Get-AtomicTechnique

foreach ($technique in $techniques) {
    foreach ($atomic in $technique.atomic_tests) {
        if ($atomic.supported_platforms.contains("windows") -and ($atomic.executor -ne "manual")) {
            # Get Prereqs for test
            Invoke-AtomicTest $technique.attack_technique -TestGuids $atomic.auto_generated_guid -GetPrereqs
            # Invoke
            Invoke-AtomicTest $technique.attack_technique -TestGuids $atomic.auto_generated_guid -ExecutionLogPath 'C:\Users\user1\log.csv'
            # Sleep then cleanup
            Start-Sleep 3
            Invoke-AtomicTest $technique.attack_technique -TestGuids $atomic.auto_generated_guid -Cleanup
        }
    }
}
```

What did you expect to happen?

Other tests after T1529 are not executed, which they should be.

What happened instead?

When the test comes to T1529, which is System Shutdown/Reboot, the machine shuts down and all other tests that are behind T1529 are cancelled.

Your Environment

- OS Name: Microsoft Windows Server 2022 Standard
- OS Version: 10.0.20348 N/A Build 20348
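
One way to keep a full run going past T1529, as an added example (not part of the issue and not the project's own code): run the host-stopping techniques last and keep a checkpoint of attempted test GUIDs so a restarted run continues where it left off. The checkpoint file path and the `$deferred` list are assumptions; the cmdlets, parameters and filter are the ones used in the script above.

```powershell
# Added example. Assumes Invoke-AtomicRedTeam is imported and the atomics
# folder is at the path used in the issue.
$logPath    = 'C:\Users\user1\log.csv'          # execution log path from the issue
$checkpoint = 'C:\Users\user1\atomic-done.txt'  # hypothetical checkpoint file
$deferred   = @('T1529')                        # techniques that power off or reboot the host

# GUIDs already attempted in an earlier run (empty on the first run)
$done = @()
if (Test-Path $checkpoint) { $done = @(Get-Content $checkpoint) }

$techniques = gci C:\AtomicRedTeam\atomics* -Recurse -Include T*.yaml | Get-AtomicTechnique

# Build the work list with the same filter as the issue's script, minus attempted tests
$queue = foreach ($technique in $techniques) {
    foreach ($atomic in $technique.atomic_tests) {
        if ($atomic.supported_platforms.contains("windows") -and
            ($atomic.executor -ne "manual") -and
            ($done -notcontains $atomic.auto_generated_guid)) {
            [pscustomobject]@{
                Id       = $technique.attack_technique
                Guid     = $atomic.auto_generated_guid
                Deferred = ($deferred -contains $technique.attack_technique)
            }
        }
    }
}

# Tests that do not take the host down run first; deferred techniques run last
$ordered = @($queue | Where-Object { -not $_.Deferred }) + @($queue | Where-Object { $_.Deferred })

foreach ($item in $ordered) {
    # Record the GUID before executing, so a test that shuts the machine down
    # is not repeated when the script is started again after boot
    Add-Content -Path $checkpoint -Value $item.Guid
    Invoke-AtomicTest $item.Id -TestGuids $item.Guid -GetPrereqs
    Invoke-AtomicTest $item.Id -TestGuids $item.Guid -ExecutionLogPath $logPath
    Start-Sleep 3
    Invoke-AtomicTest $item.Id -TestGuids $item.Guid -Cleanup
}
```

Start the script again after each shutdown or reboot until the queue is empty. The `-Cleanup` step for a test that powered the host off will not have run, so run it by hand for that GUID if the test has one.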