Validating windows tests with Pester
rc-dbogle edited this page Oct 19, 2022 · 1 revision
AtomicTestHarnesses includes a suite of Pester tests that you can use to determine whether your attack technique simulations execute as expected.
To run the included tests, you need Pester version 5 or later.
You can upgrade or install Pester by running the following command:
```powershell
Install-Module -Name Pester -MinimumVersion 5.0.0 -Scope CurrentUser
```
If your machine has Pester version 3.4.0, you'll need to enable the `-SkipPublisherCheck` and `-Force` flags.
To execute Pester tests, navigate to the AtomicTestHarnesses directory and run the following:
```powershell
Invoke-Pester -Output Detailed -TagFilter <tag>
```
Be sure to replace `<tag>` with one of these supported arguments:
- `Module`: Tests to ensure module-wide consistency
- `Unit`: Unit tests for individual functions
- `Technique`: Tests that exercise technique-specific functionality
- `T1055`: Tests for Process Injection
- `T1055.002`: Tests for Process Injection: Portable Executable Injection
- `T1059.001`: Tests for Command and Scripting Interpreter: PowerShell
- `T1127.001`: Tests for Trusted Developer Utilities Proxy Execution: MSBuild
- `T1134.001`: Tests for Access Token Manipulation: Token Impersonation/Theft
- `T1134.002`: Tests for Access Token Manipulation: Create Process with Token
- `T1134.004`: Tests for Access Token Manipulation: Parent PID Spoofing
- `T1218`: Tests for Signed Binary Proxy Execution
- `T1218.001`: Tests for Signed Binary Proxy Execution: Compiled HTML File
- `T1218.005`: Tests for Signed Binary Proxy Execution: Mshta
- `T1218.007`: Tests for Signed Binary Proxy Execution: Msiexec
- `T1543.003`: Tests for Create or Modify System Process: Windows Service
- `T1574.012`: Tests for Hijack Execution Flow: COR_PROFILER
You can save the output of a test for later use:
```powershell
$TestResults = Invoke-Pester -Output Detailed -TagFilter <tag> -PassThru
# These results can be passed to the next stage in your testing pipeline
$TestResults.Passed.StandardOutput
```
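The following added example (not part of the AtomicTestHarnesses project) shows one way to use the `-PassThru` result object as a gate before detection validation: it records every executed test and stops the stage if a simulation failed or if the tag matched nothing. The function name `Invoke-HarnessValidation` and the report path are assumptions made for illustration.

```powershell
# Added example: Invoke-HarnessValidation and the report path are hypothetical names.
function Invoke-HarnessValidation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $Tag,                                  # one of the supported tags, e.g. T1218.005
        [string] $ReportPath = ".\harness-$Tag.json"    # assumed report location
    )

    # A machine may still have Pester 3.4.0 installed; load version 5 or later explicitly.
    Import-Module Pester -MinimumVersion 5.0.0 -ErrorAction Stop

    # Run from the AtomicTestHarnesses directory, as described above.
    $run = Invoke-Pester -Output Detailed -TagFilter $Tag -PassThru

    # A tag that matches no tests must not be reported as a successful validation.
    $executed = @($run.Passed) + @($run.Failed)
    if ($executed.Count -eq 0) {
        throw "No tests ran for tag '$Tag'. Check the tag name and the working directory."
    }

    # Flatten each executed test into a record that later pipeline stages can consume.
    $records = foreach ($test in $executed) {
        [pscustomobject]@{
            Tag             = $Tag
            Test            = $test.ExpandedPath
            Result          = $test.Result
            DurationSeconds = [math]::Round($test.Duration.TotalSeconds, 2)
            Error           = ($test.ErrorRecord | ForEach-Object { $_.Exception.Message }) -join '; '
        }
    }
    $records | ConvertTo-Json -Depth 3 | Set-Content -Path $ReportPath -Encoding UTF8

    # Fail the stage when any simulation did not behave as expected.
    if ($run.FailedCount -gt 0) {
        $failed = ($run.Failed | ForEach-Object { $_.ExpandedPath }) -join "`n  "
        throw "$($run.FailedCount) test(s) failed for tag '$Tag':`n  $failed"
    }

    $records
}

# Example call: Invoke-HarnessValidation -Tag T1218.005
```

Stopping on a failed or empty run keeps a missing alert from being read as a detection gap when the simulation itself never executed correctly.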