
Validating Windows tests with Pester

rc-dbogle edited this page Oct 19, 2022 · 1 revision

AtomicTestHarnesses includes a suite of Pester tests that you can use to determine whether your attack technique simulations execute as expected.

Install Pester

To run the included tests, you need Pester version 5 or later.

You can upgrade or install Pester by running the following command:

Install-Module -Name Pester -MinimumVersion 5.0.0 -Scope CurrentUser

If your machine already has Pester version 3.4.0 installed, add the -SkipPublisherCheck and -Force flags to the command above.

Run tests

To execute Pester tests, navigate to the AtomicTestHarnesses directory and run the following:

Invoke-Pester -Output Detailed -TagFilter <tag>

Be sure to replace <tag> with one of these supported arguments:

  • Module - Tests to ensure module-wide consistency
  • Unit - Unit tests for individual functions
  • Technique - Tests that exercise technique-specific functionality
  • T1055 - Tests for Process Injection
  • T1055.002 - Tests for Process Injection: Portable Executable Injection
  • T1059.001 - Tests for Command and Scripting Interpreter: PowerShell
  • T1127.001 - Tests for Trusted Developer Utilities Proxy Execution: MSBuild
  • T1134.001 - Tests for Access Token Manipulation: Token Impersonation/Theft
  • T1134.002 - Tests for Access Token Manipulation: Create Process with Token
  • T1134.004 - Tests for Access Token Manipulation: Parent PID Spoofing
  • T1218 - Tests for Signed Binary Proxy Execution
  • T1218.001 - Tests for Signed Binary Proxy Execution: Compiled HTML File
  • T1218.005 - Tests for Signed Binary Proxy Execution: Mshta
  • T1218.007 - Tests for Signed Binary Proxy Execution: Msiexec
  • T1543.003 - Tests for Create or Modify System Process: Windows Service
  • T1574.012 - Tests for Hijack Execution Flow: COR_PROFILER

Retrieving test output

You can save the output of a test for later use:

$TestResults = Invoke-Pester -Output Detailed -TagFilter <tag> -PassThru

# These results can be passed to the next stage in your testing pipeline
$TestResults.Passed.StandardOutput
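
One way to hand the saved results to a later pipeline stage, as an added example that is not part of the original wiki or the project's own code. It assumes it is saved as a script and run from the AtomicTestHarnesses directory; the parameter names and the JSON report path are assumptions, and the default tag is taken from the supported list above.

```powershell
#Requires -Modules @{ ModuleName = 'Pester'; ModuleVersion = '5.0.0' }
param(
    [string] $Tag        = 'T1218.005',                 # any tag from the supported list
    [string] $ReportPath = "pester-results-$Tag.json"   # assumed report location
)

$TestResults = Invoke-Pester -Output Detailed -TagFilter $Tag -PassThru

# Tests excluded by the tag filter are reported with Result 'NotRun'; drop them.
$Executed = @($TestResults.Tests | Where-Object { $_.Result -ne 'NotRun' })

# A mistyped tag runs nothing and would otherwise look like a clean run.
if ($Executed.Count -eq 0) {
    Write-Error "No tests matched tag '$Tag'."
    exit 2
}

# One record per executed test, keeping whatever the test wrote to its output.
$Records = foreach ($Test in $Executed) {
    [pscustomobject]@{
        Tag     = $Tag
        Test    = $Test.ExpandedPath
        Result  = $Test.Result
        Seconds = [math]::Round($Test.Duration.TotalSeconds, 2)
        Errors  = @(foreach ($e in $Test.ErrorRecord) { $e.Exception.Message })
        Output  = @($Test.StandardOutput)
    }
}

# -InputObject with @() keeps the report a JSON array even for a single test.
ConvertTo-Json -InputObject @($Records) -Depth 3 |
    Set-Content -Path $ReportPath -Encoding UTF8

# Fail the stage if any simulation did not execute as expected, so later
# stages never consume output from a broken run.
if ($TestResults.FailedCount -gt 0) {
    foreach ($Failed in ($Records | Where-Object { $_.Result -eq 'Failed' })) {
        Write-Warning ("{0}: {1}" -f $Failed.Test, ($Failed.Errors -join '; '))
    }
    exit 1
}

Write-Host ("{0} passed, {1} skipped; report written to {2}" -f
    $TestResults.PassedCount, $TestResults.SkippedCount, $ReportPath)
```

Exit code 2 separates "nothing matched the tag" from exit code 1 for failed tests, so a pipeline can treat a bad tag as a configuration error instead of a failed simulation.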