Execution logging

Built-in logging options

By default, test execution details are written to Invoke-AtomicTest-ExecutionLog.csv in the tmp directory ($env:TEMP, %tmp%, or \tmp). Use the -ExecutionLogPath parameter to write to a different file. Execution is logged only when the attack commands are actually run, not when the -ShowDetails, -CheckPrereqs, -GetPrereqs, or -Cleanup switches are used. Use the -NoExecutionLog switch to prevent execution details from being written to disk.

Specify an alternate path\filename for writing the execution log

Invoke-AtomicTest T1218.010 -ExecutionLogPath 'C:\Temp\mylog.csv'

The execution log records test name and number, execution time, user, and hostname. It does not include the output seen on the screen when you run the test. The following PowerShell command provides a convenient view of the execution log.

Import-Csv $env:TEMP\Invoke-AtomicTest-ExecutionLog.csv | Out-GridView

Execution Log Example

| Execution Time (UTC) | Execution Time (Local) | Technique | Test Number | Test Name | Hostname | IP Address | Username | GUID | ProcessId | ExitCode |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2023-06-16T14:09:24Z | 2023-06-16T08:09:24Z | T1016 | 1 | System Network Configuration Discovery on Windows | art-vm2 | 192.168.8.165 | testdomain\art | 970ab6a1-0157-4f3f-9a73-ec4166754b23 | 12584 | 0 |
| 2023-06-16T14:09:25Z | 2023-06-16T08:09:25Z | T1016 | 2 | List Windows Firewall Rules | art-vm2 | 192.168.8.165 | testdomain\art | 038263cb-00f4-4b0a-98ae-0696c67e1752 | 11796 | 0 |
| 2023-06-16T14:10:09Z | 2023-06-16T08:10:09Z | T1016 | 5 | Adfind - Enumerate Active Directory Subnet Objects | art-vm2 | 192.168.8.165 | testdomain\art | 9bb45dd7-c466-4f93-83a1-be30e56033ee | 12908 | -1 |
| 2023-06-16T14:10:10Z | 2023-06-16T08:10:10Z | T1016 | 6 | Qakbot Recon | art-vm2 | 192.168.8.165 | testdomain\art | 121de5c6-5818-4868-b8a7-8fd07c455c1b | 2160 | 0 |
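
Because the log records when, where and under which account each test ran, it can be turned into time windows for checking whether your telemetry saw the activity. The following is an added example, not part of the Invoke-Atomic documentation; the function name Get-AtomicHuntWindow is hypothetical, and it assumes the CSV header names match the column titles shown above.

```powershell
# Constructed sample: two rows copied from the execution log example on this page.
# Assumption: the CSV header names match the column titles shown in that example.
$sampleCsv = @'
"Execution Time (UTC)","Execution Time (Local)","Technique","Test Number","Test Name","Hostname","IP Address","Username","GUID","ProcessId","ExitCode"
"2023-06-16T14:09:24Z","2023-06-16T08:09:24Z","T1016","1","System Network Configuration Discovery on Windows","art-vm2","192.168.8.165","testdomain\art","970ab6a1-0157-4f3f-9a73-ec4166754b23","12584","0"
"2023-06-16T14:10:09Z","2023-06-16T08:10:09Z","T1016","5","Adfind - Enumerate Active Directory Subnet Objects","art-vm2","192.168.8.165","testdomain\art","9bb45dd7-c466-4f93-83a1-be30e56033ee","12908","-1"
'@

# Hypothetical helper: turns each log row into a UTC search window for a SIEM query.
function Get-AtomicHuntWindow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Row,
        # The log holds one timestamp per test, so bracket it on both sides.
        [int] $WindowSeconds = 120
    )
    process {
        # Parse the UTC column explicitly so the result does not depend on the local time zone.
        $logged = [DateTimeOffset]::Parse(
            $Row.'Execution Time (UTC)',
            [Globalization.CultureInfo]::InvariantCulture,
            [Globalization.DateTimeStyles]::AssumeUniversal)
        $exit = [int]$Row.ExitCode
        [pscustomobject]@{
            Test        = '{0}-{1}' -f $Row.Technique, $Row.'Test Number'
            TestName    = $Row.'Test Name'
            Hostname    = $Row.Hostname
            Username    = $Row.Username
            ProcessId   = [int]$Row.ProcessId
            ExitCode    = $exit
            # Assumption of this example: a non-zero exit code means the test did not
            # complete cleanly, so missing telemetry is not yet proof of a detection gap.
            RanCleanly  = ($exit -eq 0)
            WindowStart = $logged.AddSeconds(-$WindowSeconds).UtcDateTime.ToString('o')
            WindowEnd   = $logged.AddSeconds($WindowSeconds).UtcDateTime.ToString('o')
        }
    }
}

$windows = $sampleCsv | ConvertFrom-Csv | Get-AtomicHuntWindow
$windows | Format-Table Test, Hostname, ProcessId, ExitCode, RanCleanly, WindowStart, WindowEnd -AutoSize

# Against a real log:
# Import-Csv $env:TEMP\Invoke-AtomicTest-ExecutionLog.csv | Get-AtomicHuntWindow
```

Rows where RanCleanly is false are worth re-running or checking with the output capture described below before concluding that a detection is missing.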

Redirect output from test execution to a file

The Attire Logger is the only logging mechanism that produces a log containing the full command input and output details. If you want to capture the command output while using one of the other loggers, you can use a command like the following.

Invoke-AtomicTest T1027 -TestNumbers 2 *>&1 | Tee-Object atomic-out.txt -Append

The command above logs all three output streams, everything you see on the screen, to a file called atomic-out.txt. The -Append flag appends the data to the file instead of overwriting it.

If you would like to write the errors out to a separate file so they are easier to spot, you can use the following command.

Invoke-AtomicTest T1027 -TestNumbers 2 2>>atomic-error.txt | Tee-Object atomic-out.txt -Append