API tools faq
paste
jessemoore

InstallART-NWACC

jessemoore
Oct 8th, 2021 (edited)
137
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.03 KB | None | 0 0
raw download clone embed print report
  1. # 10-08-2021 Jesse Moore dfir-jesseee
  2. # For NWACC 2021
  3. #
  4. # This makes sure you can run scripts on machine
  5. Set-ExecutionPolicy Bypass -Force -ErrorAction Ignore
  6.  
  7. # CurrentUser Bypass
  8. # Set-ExecutionPolicy -Scope CurrentUser Bypass -Force -ErrorAction Ignore
  9.  
  10. #This should disable Defender but doesn't really work well within this script
  11. # Set-MpPreference -DisableRealtimeMonitoring $true -Force -ErrorAction Ignore
  12.  
  13. #Instead of the above I use this to exlude where the Atomics will be with Defender
  14. Add-MpPreference -ExclusionPath C:\AtomicRedTeam\
  15.  
  16. # This installs yaml that is needed for Atomic Red Team atomics to work
  17. Install-Module powershell-yaml -Force -ErrorAction Ignore
  18.  
  19. Write-Host "INSTALL EXECUTION FRAMEWORK ONLY" -fore green
  20. IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
  21. Install-AtomicRedTeam -Force -ErrorAction Ignore
  22.  
  23. Write-Host "Install Execution Framework and Atomics Folder" -fore green
  24. IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
  25. Install-AtomicRedTeam -getAtomics -Force -ErrorAction Ignore
  26.  
  27. # Write-Host "Setup session $PROFILE to persist PSD" -fore green
  28. Write-Host "Import-Module Invoke-AtomicRedTeam.PSD1" -fore green
  29.  
  30. # Ensure module is in session profile to use execution framework
  31. $string = 'Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force; $PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\AtomicRedTeam\atomics\"}'
  32. $string | Out-File -FilePath "C:\Users\Administrator\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1" -Append
  33.  
  34. # Thsi set the cmd prompt to this location
  35. set-location C:\AtomicRedTeam\atomics
  36.  
  37.  
  38. # T1070.001-1 Clear Logs
  39. # This wil run locally
  40. Invoke-AtomicTest T1070.001 -Testnumber 1-ShowDetailsBrief
  41.  
  42. # This is for remotely accessing machine which is identified in $sess variable
  43. # Invoke-AtomicTest T1070.001 -Session $sess -ShowDetailsBrief
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!