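---
# Runs one Atomic Red Team technique on the targeted Windows hosts and ships the
# per-test execution log (results.csv) to a Splunk HEC endpoint, tagging every
# event with the caller's request id.
#
# Required vars (extra-vars / inventory): technique_id, request_id,
# splunk_hec_url, splunk_hec_token.
# Optional: technique_test_numbers - forwarded as "-TestNumbers N" unless it is
# unset or "0".
- hosts: all
  gather_facts: false
  vars:
    # Optional "-TestNumbers N" argument, or "" when technique_test_numbers is
    # unset or "0". Defined once here instead of being repeated in every
    # Invoke-AtomicTest call; Ansible templates it lazily at use time.
    test_numbers_arg: '{{ ("-TestNumbers " + (technique_test_numbers|string)) if (technique_test_numbers is defined) and (technique_test_numbers|string != "0") else "" }}'
  tasks:
    - name: Run test
      # The HEC token is handed to the script through the process environment
      # rather than templated into the script text, so it is not part of the
      # `cmd` field of the registered result (which verbose runs and the debug
      # task below would otherwise print).
      environment:
        SPLUNK_HEC_TOKEN: "{{ splunk_hec_token }}"
      win_shell: |
        # Compile a ServerCertificateValidationCallback type whose Ignore()
        # registers a callback that accepts every server certificate. It is
        # compiled here but only armed further down, right before the HEC post.
        if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type)
        {
        $certCallback = @"
        using System;
        using System.Net;
        using System.Net.Security;
        using System.Security.Cryptography.X509Certificates;
        public class ServerCertificateValidationCallback
        {
            public static void Ignore()
            {
                if(ServicePointManager.ServerCertificateValidationCallback ==null)
                {
                    ServicePointManager.ServerCertificateValidationCallback +=
                        delegate
                        (
                            Object obj,
                            X509Certificate certificate,
                            X509Chain chain,
                            SslPolicyErrors errors
                        )
                        {
                            return true;
                        };
                }
            }
        }
        "@
        Add-Type $certCallback
        }
        # Force TLS 1.2 for all outbound HTTPS in this session.
        [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;
        $sourcetype = "_json"
        $source = "splunk:redteam"
        $requestid = "{{ request_id }}"
        $url = "{{ splunk_hec_url }}/services/collector/event"
        # Token comes from the task's `environment:` block, not from the script text.
        $header = @{Authorization = "Splunk $env:SPLUNK_HEC_TOKEN"}
        write-output "RequestID={{ request_id }} Running test: {{ technique_id }} {{ test_numbers_arg }}" | Out-file -FilePath "$env:Temp\technique_output.txt"
        # NOTE(review): downloads and executes the installer from the unpinned
        # master branch. Certificate validation is still enabled at this point,
        # so the download is at least TLS-authenticated; pinning to a release or
        # commit would make the run reproducible and auditable.
        IEX (IWR 'https://raw.githubusercontent.com/clr2of8/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
        Install-AtomicRedTeam -RepoOwner "clr2of8" -getAtomics -Force
        # Only now disable certificate validation, for the HEC post below
        # (Splunk deployments commonly use a self-signed cert). This used to run
        # before the installer download, which left that remote code fetch
        # unauthenticated as well.
        [ServerCertificateValidationCallback]::Ignore()
        # T1053.005 (scheduled task example)
        # Start from a clean execution log so only this run's rows are shipped.
        Remove-Item c:\results.csv -Recurse -Force -ErrorAction SilentlyContinue
        Invoke-AtomicTest {{ technique_id }} {{ test_numbers_arg }} -ExecutionLogPath c:\results.csv
        # One HEC event per execution-log row, each tagged with the request id.
        Import-Csv 'c:\results.csv' | % {
            $_ | add-member -NotePropertyName "RequestID" -NotePropertyValue $requestid
            $event = @{
                source = $source
                sourcetype = $sourcetype
                event = $_
            } | ConvertTo-Json -Compress
            $result = Invoke-RestMethod -Method Post -Uri $url -Headers $header -Body $event
        }
        # Presumably gives the technique's side effects time to be observed
        # before they are reverted - confirm against the detection pipeline.
        Start-Sleep -Seconds 30
        Invoke-AtomicTest {{ technique_id }} {{ test_numbers_arg }} -cleanup
        # Remove the framework and atomics again so the host is left as found.
        Remove-Item c:\AtomicRedTeam -Recurse -Force -ErrorAction SilentlyContinue
      register: script_result
    - name: Result
      # Print only the script's exit status and output, not the whole result
      # (which also carries the rendered script as `cmd`).
      debug:
        msg:
          - "rc={{ script_result.rc | default('') }}"
          - "{{ script_result.stdout_lines | default([]) }}"
          - "{{ script_result.stderr_lines | default([]) }}"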