# Installing Invoke AtomicRedTeam
This execution framework (Invoke-AtomicRedTeam) works cross-platform on Windows, Linux and MacOS. However, to use it on Linux and Mac you must install PowerShell Core. See Installing PowerShell Core on Linux and Installing PowerShell Core on MacOS for details.
An alternative to installing Atomic Red Team on your device is to use it inside of a Docker container or the Windows Sandbox where it is already pre-installed.
- Docker container with Atomic Red Team Installed
- Windows Sandbox with Atomic Red Team Installed
Minimum supported PowerShell version is 5.0
The Invoke-AtomicRedTeam execution framework is available for install from the PowerShell Gallery and can be installed with one simple command executed from a PowerShell prompt:

```powershell
Install-Module -Name invoke-atomicredteam,powershell-yaml -Scope CurrentUser
```

Note: If you get an error relating to a missing PSRepository, use `Register-PSRepository -Default` to register the needed repository.
To install the execution framework without downloading it from the PowerShell Gallery as shown above, you can continue with the following instructions:

```powershell
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam
```

If you get an `Import-Module` error stating that the module "cannot be loaded because running scripts is disabled on this system", restart PowerShell using `powershell -exec bypass` or bypass execution policy with one of these methods and try again. Method 12 is especially promising.
If you use the `Install-Module` method, the module will be located in your default PowerShell modules folder and you won't need to manually import the module each time you start a new PowerShell window. Otherwise, if you install using `Install-AtomicRedTeam`, the installer will download and install the execution framework to `<BASEPATH>\AtomicRedTeam`, where `<BASEPATH>` is `C:` on Windows or `~` on Linux/MacOS.
Installing the execution framework (Invoke-AtomicRedTeam) does not download the repository of atomic test definitions by default (aka the Atomics Folder). This is because the atomics folder contains many files likely to trigger AV alerts on the endpoint. You may choose to white-list the install directory (`<BASEPATH>\AtomicRedTeam` by default) so that files are not quarantined or removed. Or you may choose to copy a version of the atomics folder over to the system that contains only the tests you intend to run.
If you get an error of "Could not create SSL/TLS secure channel.", run the following PowerShell command before you run the install commands.

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
```
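The PowerShell Gallery install and the three troubleshooting notes above (missing PSRepository, disabled script execution, TLS channel failure) fit together as one bootstrap. The following is an added example, not code from the Invoke-AtomicRedTeam project; the function name `Install-InvokeAtomicFromGallery` and its ordering of checks are the editor's own, and it assumes an Internet-connected Windows host running Windows PowerShell 5.0 or later.

```powershell
# Added example (not part of the project): install invoke-atomicredteam from the
# PowerShell Gallery, applying the fixes this page describes before they are needed.
function Install-InvokeAtomicFromGallery {
    [CmdletBinding()]
    param(
        # Same two modules the page installs with one Install-Module call.
        [string[]]$Modules = @('invoke-atomicredteam', 'powershell-yaml')
    )

    # Minimum supported PowerShell version is 5.0.
    if ($PSVersionTable.PSVersion.Major -lt 5) {
        throw "PowerShell 5.0 or later is required; found $($PSVersionTable.PSVersion)."
    }

    # Avoid "Could not create SSL/TLS secure channel." on hosts whose .NET default
    # is older than TLS 1.2. This only affects the current session.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # A "missing PSRepository" error means PSGallery was never registered here.
    if (-not (Get-PSRepository -Name 'PSGallery' -ErrorAction SilentlyContinue)) {
        Register-PSRepository -Default
    }

    # CurrentUser scope needs no administrator rights; -Force skips the
    # "untrusted repository" prompt so the function can run unattended.
    Install-Module -Name $Modules -Scope CurrentUser -Force

    # Import-Module of a script module fails under a Restricted execution policy
    # ("running scripts is disabled on this system"). Report it and stop rather
    # than silently changing machine-wide policy.
    $policy = Get-ExecutionPolicy
    if ($policy -eq 'Restricted') {
        Write-Warning "Execution policy is '$policy'. Start a new shell with 'powershell -exec bypass' (or relax the policy for CurrentUser) before importing the module."
        return
    }

    # Verify the install actually exposes the framework's entry point.
    Import-Module invoke-atomicredteam -Force
    if (-not (Get-Command Invoke-AtomicTest -ErrorAction SilentlyContinue)) {
        throw "invoke-atomicredteam installed but Invoke-AtomicTest was not found."
    }
    Get-Module invoke-atomicredteam | Select-Object Name, Version, ModuleBase
}

Install-InvokeAtomicFromGallery
```

The function returns the module's name, version and on-disk location so the result of the install can be recorded; because it uses `Install-Module`, the module lives in the user's modules folder and is auto-loaded in later sessions, as the page notes.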
The Atomics Folder contains the test definitions; the commands that the execution framework will execute. If you would like to install the atomics folder at the same time that you install the execution framework, you can do this by adding the `-getAtomics` switch during the install of the execution framework.

```powershell
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics
```
If the execution framework or the atomics folder is already found on disk, you must use the `-Force` parameter during install as follows to erase and replace these folders.

```powershell
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -Force
```
If you prefer to download the atomics folder with only the test definition yaml files and none of the payloads from the `/src` or `/bin` directories, use the `-noPayloads` flag as follows. You can use the `-getPrereq` flag with `Invoke-AtomicTest` to download the payloads for the atomics you choose to run.

```powershell
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -Force -noPayloads
```
If you would like to install the atomics folder as a separate step or at a later time, you can do it with the `Install-AtomicsFolder` function as follows.

```powershell
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicsfolder.ps1' -UseBasicParsing);
Install-AtomicsFolder
```
If you prefer to download the atomics folder with only the test definition yaml files and none of the payloads from the `/src` or `/bin` directories, use the `-noPayloads` flag as follows. You can use the `-getPrereq` flag with `Invoke-AtomicTest` to download the payloads for the atomics you choose to run.

```powershell
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicsfolder.ps1' -UseBasicParsing);
Install-AtomicsFolder -noPayloads -Force
```
Both the `Install-AtomicRedTeam` and the `Install-AtomicsFolder` functions have the following optional parameters:

- `InstallPath` - Where to install (default: C:\AtomicRedTeam on Windows or ~\AtomicRedteam on MacOS and Linux)

```powershell
Install-AtomicRedTeam -InstallPath "c:\tools"
Install-AtomicsFolder -InstallPath "c:\tools"
```

- `Force` - Remove the previous installation before installing

```powershell
Install-AtomicRedTeam -Force
Install-AtomicsFolder -Force
```

- `RepoOwner` - Install from another GitHub repo. Default RepoOwner is "redcanaryco"

```powershell
Install-AtomicRedTeam -RepoOwner "clr2of8"
Install-AtomicsFolder -RepoOwner "clr2of8"
```

- `Branch` - Install from another branch. Default Branch is "master"

```powershell
Install-AtomicRedTeam -RepoOwner "clr2of8" -Branch "start-process-branch"
Install-AtomicsFolder -RepoOwner "clr2of8" -Branch "start-process-branch"
```
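To show the optional parameters, the `-noPayloads` switch and the TLS fix working together, here is an added example that is not part of the project's documentation. The function name `Install-AtomicToPath` is the editor's own. It assumes Windows, and it assumes two things about the installer's on-disk layout that this page does not state: that the atomics land under `<InstallPath>\atomics`, and that the module manifest lands at `<InstallPath>\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1`.

```powershell
# Added example (not the project's own code): install the framework and a
# YAML-only atomics folder into a custom path, pinned to a chosen repo owner and
# branch, then check on disk that no payload files from src/ or bin/ arrived.
function Install-AtomicToPath {
    [CmdletBinding()]
    param(
        [string]$InstallPath = 'C:\tools',       # -InstallPath from the page
        [string]$RepoOwner   = 'redcanaryco',    # default owner per the page
        [string]$Branch      = 'master'          # default branch per the page
    )

    # Same TLS fix the page gives for "Could not create SSL/TLS secure channel."
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Load the installer exactly as the page does.
    IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)

    # -Force replaces an existing install; -getAtomics fetches the test
    # definitions; -noPayloads leaves out everything under src/ and bin/.
    Install-AtomicRedTeam -InstallPath $InstallPath -RepoOwner $RepoOwner -Branch $Branch `
        -getAtomics -noPayloads -Force

    # Assumed layout (not stated on this page): manifest under
    # <InstallPath>\invoke-atomicredteam, atomics under <InstallPath>\atomics.
    $manifest = Join-Path $InstallPath 'invoke-atomicredteam\Invoke-AtomicRedTeam.psd1'
    $atomics  = Join-Path $InstallPath 'atomics'
    if (-not (Test-Path $manifest)) { throw "Module manifest not found at $manifest" }
    if (-not (Test-Path $atomics))  { throw "Atomics folder not found at $atomics" }

    # Without Install-Module, the module must be imported by path each session.
    Import-Module $manifest -Force

    # Count test definitions versus any files sitting directly in a src/ or bin/
    # directory; the latter should be 0 when -noPayloads took effect.
    $yamlCount = (Get-ChildItem $atomics -Recurse -File -Filter '*.yaml' | Measure-Object).Count
    $payloadCount = (Get-ChildItem $atomics -Recurse -File |
        Where-Object { $_.Directory.Name -in @('src', 'bin') } |
        Measure-Object).Count

    [pscustomobject]@{
        InstallPath   = $InstallPath
        RepoOwner     = $RepoOwner
        Branch        = $Branch
        TestYamlFiles = $yamlCount
        PayloadFiles  = $payloadCount   # expected 0 with -noPayloads
    }
}

Install-AtomicToPath -InstallPath 'C:\tools'
```

Pinning `-RepoOwner` and `-Branch` explicitly, and recording them in the returned object, gives you a written record of exactly which fork and branch of the test definitions ended up on the endpoint; `PayloadFiles` is the check that the AV-sensitive content the page warns about was in fact left out, to be fetched later per test with `Invoke-AtomicTest -GetPrereqs` only for the tests you choose to run.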
Questions? Get connected to the community on the Atomic Red Team Slack channel.