Small wrapper to use Invoke-AtomicRedTeam in Purple Team Engagements.

We had a situation where we wanted to have multiple MITRE attack detections tested to ensure that detections were working correctly. There was also a need for having different toolsets in the environment tested that detections were being written and implemented in.

Thus this tool was written to give red teamers and blue teamers a way to test a certain set of MITRE techniques against a device.

At this time only local tests are implemented with more development to come for handling remote sessions at a later date.

Ensure powershell is on the device:

Linux https://docs.microsoft.com/en-us/powershell/scripting/install/install-ubuntu?view=powershell-7.2

MacOS brew install powershell

Install Invoke-AtomicRedTeam via powershell:

https://github.com/redcanaryco/invoke-atomicredteam

Install Python requirements... $ pip3 install -r requirements.txt

Setup Environment Variable

$ cp .env.example .env

INVOKE-ATOMIC="<PATH to psd1 here>"

$ python3 main.py -h
usage: main.py [-h] [-l LIST] [-cp] [-o OUTPUT] [-e EXECUTABLE]

Purple Team Wrapper using Atomic Red Team (Invoke-AtomicTest)

optional arguments:
 -h, --help            show this help message and exit
 -l LIST, --list LIST  List of tests to be tested
 -cp, --custom-parameters
                       Enable custom parameters
 -o OUTPUT, --output OUTPUT
                       stdin to file output
 -e EXECUTABLE, --executable EXECUTABLE
                       powershell executable (default: pwsh

example-list.txt

T1040
T1003

Run Tests with default arguments:

$ python3 main -l example-list.txt -o example

Run Tests with custom parameters:

$ python3 main -l example-list.txt -o example -cp

All output will be saved in the ./output directory that will be created on first run of the tool.

EX: ./output/example_T1040_2022-05-18093142.txt