Closed darpan-shri closed 1 year ago
Hello @darpan-shri, I see how this is very confusing. The invoke-atomicredteam module will disregard any atomic tests for which there is no compatible executor (`command_prompt` or `powershell` for Windows). So if you run `-showDetailsBrief` from Windows you won't see those aws atomics listed because their executors are set to `sh` or `bin`, making them apply to linux/mac only. If you ran the same command from a linux/mac you would see the tests listed. You could use the following code to list a few details of all aws tests regardless of executor.
```powershell
$path = "C:\AtomicRedTeam\atomics\*" # Set this to point to your atomics folder
# Parse every technique YAML file (T*.yaml) into technique objects
$techniques = Get-ChildItem $path -Recurse -Include T*.yaml | Get-AtomicTechnique
foreach ($technique in $techniques) {
    foreach ($atomic in $technique.atomic_tests) {
        # Keep only tests that list iaas:aws as a supported platform
        if ($atomic.supported_platforms.contains("iaas:aws")) {
            Write-Host -Fore Cyan $atomic.Name
            Write-Host -Fore Green $atomic.auto_generated_guid
            Write-Host -Fore Green "$($atomic.executor)`n"
        }
    }
}
```
It came to my attention that AtomicRedTeam has a few tests for AWS as listed on this page - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Indexes/Indexes-CSV/iaas-index.csv.
However, when I invoke atomicredteam and get the details of the tests, I cannot find any AWS tests in there. For example, with "Invoke-Atomictest T1562.008 -ShowDetailsBrief", I can only see Azure and Microsoft 365. But when I go into the atomics directory, I can see the YAML file for the AWS CloudTrail test and upon opening I can see the AWS test commands and much more.