Built-in logging options
By default, test execution details are written to `Invoke-AtomicTest-ExecutionLog.csv` in the tmp directory (`$env:TEMP`, `%tmp%`, or `\tmp`). Use the `-ExecutionLogPath` parameter to write to a different file. Execution is only logged when the attack commands are run (not when the `-ShowDetails`, `-CheckPrereqs`, `-GetPrereqs`, or `-Cleanup` switches are used). Use the `-NoExecutionLog` switch to not write execution details to disk.
Specify an alternate path\filename for writing the execution log:

```powershell
Invoke-AtomicTest T1218.010 -ExecutionLogPath 'C:\Temp\mylog.csv'
```
The execution log records test name and number, execution time, user, and hostname. It does not include the output seen on the screen when you run the test. The following PowerShell command provides a convenient view of the execution log:

```powershell
Import-Csv $env:TEMP\Invoke-AtomicTest-ExecutionLog.csv | Out-GridView
```
Execution Log Example
Execution Time (UTC) | Execution Time (Local) | Technique | Test Number | Test Name | Hostname | IP Address | Username | GUID | ProcessId | ExitCode |
---|---|---|---|---|---|---|---|---|---|---|
2023-06-16T14:09:24Z | 2023-06-16T08:09:24Z | T1016 | 1 | System Network Configuration Discovery on Windows | art-vm2 | 192.168.8.165 | testdomain\art | 970ab6a1-0157-4f3f-9a73-ec4166754b23 | 12584 | 0 |
2023-06-16T14:09:25Z | 2023-06-16T08:09:25Z | T1016 | 2 | List Windows Firewall Rules | art-vm2 | 192.168.8.165 | testdomain\art | 038263cb-00f4-4b0a-98ae-0696c67e1752 | 11796 | 0 |
2023-06-16T14:10:09Z | 2023-06-16T08:10:09Z | T1016 | 5 | Adfind - Enumerate Active Directory Subnet Objects | art-vm2 | 192.168.8.165 | testdomain\art | 9bb45dd7-c466-4f93-83a1-be30e56033ee | 12908 | -1 |
2023-06-16T14:10:10Z | 2023-06-16T08:10:10Z | T1016 | 6 | Qakbot Recon | art-vm2 | 192.168.8.165 | testdomain\art | 121de5c6-5818-4868-b8a7-8fd07c455c1b | 2160 | 0 |
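As an added example (not code from the Invoke-AtomicRedTeam project), the script below reads the execution log described above, summarises runs and non-zero exit codes per technique, and then checks whether Sysmon recorded any process creation in a short window after each run, which is a quick way to confirm that your telemetry actually captured the test. It assumes the default log path, that Sysmon is installed with its default `Microsoft-Windows-Sysmon/Operational` log, and an arbitrary 30-second window; adjust all three as needed.

```powershell
# Added example (not Invoke-AtomicRedTeam project code).
# Assumptions: default execution log path, Sysmon installed with its default
# Microsoft-Windows-Sysmon/Operational log, and an arbitrary 30-second window.
$LogPath       = Join-Path $env:TEMP 'Invoke-AtomicTest-ExecutionLog.csv'
$WindowSeconds = 30

$entries = @(Import-Csv -Path $LogPath)

# 1. Runs and failures per technique. ExitCode comes out of the CSV as a
#    string, so compare against '0' rather than the integer 0.
$summary = $entries |
    Group-Object -Property Technique |
    ForEach-Object {
        [pscustomobject]@{
            Technique = $_.Name
            Runs      = $_.Count
            Failed    = @($_.Group | Where-Object { $_.ExitCode -ne '0' }).Count
        }
    }
$summary | Format-Table -AutoSize

# 2. For each run, count Sysmon Event ID 1 (process creation) records in the
#    window after the execution time. Zero hits for a test that exited 0 may
#    mean the sensor (or its config) did not see the test.
$telemetry = foreach ($e in $entries) {
    # The UTC column is ISO 8601 with a trailing Z; parse it as an offset and
    # convert to local time, which is what Get-WinEvent's StartTime/EndTime expect.
    $start = [datetimeoffset]::Parse($e.'Execution Time (UTC)',
                 [cultureinfo]::InvariantCulture).LocalDateTime
    $end   = $start.AddSeconds($WindowSeconds)

    $hits = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = $start
        EndTime   = $end
    } -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        Technique   = $e.Technique
        Test        = $e.'Test Number'
        Name        = $e.'Test Name'
        ExitCode    = $e.ExitCode
        ProcCreates = $hits
    }
}
$telemetry | Format-Table -AutoSize
```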
Redirect output from test execution to a file
The Attire Logger is the only logging mechanism that produces a log containing the full command input and output details. If you want to capture the command output while using one of the other loggers you can use a command like the following.
```powershell
Invoke-AtomicTest T1027 -TestNumbers 2 *>&1 | Tee-Object atomic-out.txt -Append
```
The command above will log all three output streams (everything you see on the screen) to a file called `atomic-out.txt`, and the `-Append` flag will cause it to append the data to the file instead of overwriting it.
If you would like to write the errors out to a separate file so they are easier to spot, you can use the following command:

```powershell
Invoke-AtomicTest T1027 -TestNumbers 2 2>>atomic-error.txt | Tee-Object atomic-out.txt -Append
```