Execution Logging
Invoke-AtomicRedTeam standardizes telemetry capture through modular logging providers. Every test execution is recorded with execution timestamps, executing user context, target hostnames, process IDs, and exit code indicators.
Logging Configuration
Select a logging module globally by setting the $artConfig.LoggingModule property in your configuration file, or per invocation with the -LoggingModule parameter of Invoke-AtomicTest:
Invoke-AtomicTest T1003 -LoggingModule "Default-ExecutionLogger,Attire-ExecutionLogger"
Note: To specify multiple logging engines simultaneously, pass them as a single comma-separated string.
Built-in Logging Modules
1. Default-ExecutionLogger
Records test metadata locally as comma-separated values (CSV), appending one row per executed test to the file at $artConfig.execLogPath. Only metadata is written; command output is not captured in this format.
Schema fields recorded:
- Execution Time (UTC)
- Execution Time (Local)
- Technique
- Test Number
- Test Name
- Hostname
- IP Address
- Username
- GUID
- ProcessId
- ExitCode
2. Attire-ExecutionLogger
Generates structured JSON execution logs conforming to the Attire specification (maintained by Security Risk Advisors). Unlike the CSV logger, this format records each step's command, start and stop times, timeout flag and captured output, which makes it suitable for parsing by reporting utilities, SIEM dashboards and detection-coverage tooling.
Output structure example:
{
  "attire-version": "1.1",
  "execution-data": {
    "execution-source": "Invoke-Atomicredteam",
    "execution-id": "Z3VpZC1zdHJpbmc...",
    "execution-category": {
      "name": "Atomic Red Team",
      "abbreviation": "ART"
    },
    "execution-command": "Invoke-AtomicTest T1003 -TestNumbers 1",
    "target": {
      "user": "SYSTEM",
      "host": "TEST-ENDPOINT",
      "ip": "192.168.12.50",
      "path": "/usr/local/bin:/usr/bin..."
    },
    "time-generated": "2026-07-01T16:36:00.000Z"
  },
  "procedures": [
    {
      "mitre-technique-id": "T1003.001",
      "procedure-name": "Dump LSASS with procdump",
      "procedure-id": {
        "type": "guid",
        "id": "6f26cf94-4d8b-49ea-b97e-131758df634f"
      },
      "procedure-description": "Dump LSASS memory using Sysinternals ProcDump",
      "order": 1,
      "steps": [
        {
          "order": 1,
          "time-start": "2026-07-01T16:36:01.000Z",
          "time-stop": "2026-07-01T16:36:05.000Z",
          "executor": "command_prompt",
          "command": "procdump.exe -ma lsass.exe lsass.dmp",
          "process-id": 4504,
          "exit-code": 0,
          "is-timeout": false,
          "output": [
            {
              "content": "ProcDump v10.0 - Writes process dumps... Dump written to lsass.dmp",
              "level": "STDOUT",
              "type": "console"
            }
          ]
        }
      ]
    }
  ]
}
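The CSV rows and the Attire document above describe the same execution in two shapes. The Python below is an added example (not code from Invoke-AtomicRedTeam or the Atomic Red Team project) that normalises both formats into one per-step record, flags steps that failed or timed out (those cannot be used to validate a detection), and derives the time window in which a SIEM should have seen the resulting telemetry. All sample input is constructed; the timestamp format assumed for the CSV, the second Attire step, and the exit code used for a timed-out step are assumptions and may differ from what the real loggers write.

```python
"""Normalise Invoke-AtomicRedTeam execution logs into one record shape.

Added example, not part of Invoke-AtomicRedTeam. Parses the two local
formats described on this page (Default-ExecutionLogger CSV and
Attire-ExecutionLogger JSON), flags failed or timed-out steps, and derives
the time window in which a detection for that step should have fired.
All sample data is constructed; the CSV timestamp format is assumed.
"""
import csv
import io
import json
from datetime import datetime, timedelta

# Constructed CSV sample; the header matches the Default-ExecutionLogger schema.
SAMPLE_CSV = """\
Execution Time (UTC),Execution Time (Local),Technique,Test Number,Test Name,Hostname,IP Address,Username,GUID,ProcessId,ExitCode
2026-07-01T16:36:01Z,2026-07-01T18:36:01,T1003.001,1,Dump LSASS with procdump,TEST-ENDPOINT,192.168.12.50,SYSTEM,6f26cf94-4d8b-49ea-b97e-131758df634f,4504,0
2026-07-01T16:37:10Z,2026-07-01T18:37:10,T1053.005,2,Constructed failing test,TEST-ENDPOINT,192.168.12.50,SYSTEM,00000000-0000-4000-8000-000000000002,5120,1
"""

# Constructed Attire sample: the procdump step from the page plus a second,
# constructed step that hit the executor timeout (exit code assumed).
SAMPLE_ATTIRE = json.dumps({
    "attire-version": "1.1",
    "execution-data": {
        "execution-source": "Invoke-Atomicredteam",
        "execution-id": "constructed-id",
        "execution-category": {"name": "Atomic Red Team", "abbreviation": "ART"},
        "execution-command": "Invoke-AtomicTest T1003 -TestNumbers 1",
        "target": {"user": "SYSTEM", "host": "TEST-ENDPOINT",
                   "ip": "192.168.12.50", "path": "C:\\Windows\\system32"},
        "time-generated": "2026-07-01T16:36:00.000Z",
    },
    "procedures": [{
        "mitre-technique-id": "T1003.001",
        "procedure-name": "Dump LSASS with procdump",
        "procedure-id": {"type": "guid", "id": "6f26cf94-4d8b-49ea-b97e-131758df634f"},
        "procedure-description": "Dump LSASS memory using Sysinternals ProcDump",
        "order": 1,
        "steps": [
            {"order": 1, "time-start": "2026-07-01T16:36:01.000Z",
             "time-stop": "2026-07-01T16:36:05.000Z", "executor": "command_prompt",
             "command": "procdump.exe -ma lsass.exe lsass.dmp", "process-id": 4504,
             "exit-code": 0, "is-timeout": False,
             "output": [{"content": "Dump written to lsass.dmp",
                         "level": "STDOUT", "type": "console"}]},
            {"order": 2, "time-start": "2026-07-01T16:36:05.000Z",
             "time-stop": "2026-07-01T16:38:05.000Z", "executor": "command_prompt",
             "command": "del lsass.dmp", "process-id": 4610,
             "exit-code": 124, "is-timeout": True, "output": []},
        ],
    }],
})


def parse_utc(stamp):
    """Parse an ISO 8601 UTC timestamp with a 'Z' suffix into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_default_csv(text):
    """Flatten the Default-ExecutionLogger CSV into normalised records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        start = parse_utc(row["Execution Time (UTC)"])
        records.append({
            "technique": row["Technique"], "name": row["Test Name"],
            "guid": row["GUID"], "host": row["Hostname"], "user": row["Username"],
            "pid": int(row["ProcessId"]), "exit_code": int(row["ExitCode"]),
            "timed_out": False,   # the CSV schema carries no timeout flag
            "command": None,      # nor the executed command
            "start": start, "stop": start,  # single timestamp, no end time
        })
    return records


def parse_attire(text):
    """Flatten an Attire document into one normalised record per step."""
    doc = json.loads(text)
    target = doc["execution-data"]["target"]
    records = []
    for proc in doc["procedures"]:
        for step in proc["steps"]:
            records.append({
                "technique": proc["mitre-technique-id"], "name": proc["procedure-name"],
                "guid": proc["procedure-id"]["id"], "host": target["host"],
                "user": target["user"], "pid": step["process-id"],
                "exit_code": step["exit-code"], "timed_out": step["is-timeout"],
                "command": step["command"],
                "start": parse_utc(step["time-start"]),
                "stop": parse_utc(step["time-stop"]),
            })
    return records


def failures(records):
    """Steps that did not run cleanly; a missing alert for these proves nothing."""
    return [r for r in records if r["timed_out"] or r["exit_code"] != 0]


def correlation_window(record, slack=timedelta(seconds=30)):
    """UTC window in which to search the SIEM for telemetry from this step."""
    return record["start"] - slack, record["stop"] + slack


if __name__ == "__main__":
    for rec in parse_default_csv(SAMPLE_CSV) + parse_attire(SAMPLE_ATTIRE):
        lo, hi = correlation_window(rec)
        status = "FAIL" if failures([rec]) else "ok"
        print(f"{status:4} {rec['technique']} pid={rec['pid']} "
              f"{lo:%H:%M:%S}-{hi:%H:%M:%S} {rec['command'] or ''}")
```

The record keys are deliberately the same for both sources so the same correlation query (host, process id, window) works whether the runner wrote CSV or Attire; the CSV path simply carries less information, so the window collapses to a single timestamp plus slack.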
3. Syslog-ExecutionLogger
Serialises the execution metadata block as a single-line (compressed) JSON payload and transmits it over the network to a central syslog collector. Requires the external Posh-SYSLOG module (installed automatically during runner setup when the syslog server fields below are set).
Configure your central log collector targets inside $artConfig:
$artConfig.syslogServer = "logstash.corp.local"
$artConfig.syslogPort = 514
$artConfig.syslogProtocol = "TCPwithTLS" # Supports UDP, TCP, TCPwithTLS
Prefer TCPwithTLS where the collector supports it: UDP and plain TCP carry the test telemetry (hostnames, usernames, commands under test) unencrypted and unauthenticated, and UDP gives no indication when events are dropped.
4. WinEvent-ExecutionLogger
Writes execution log telemetry into the Windows Application and Services event structure under a dedicated channel called Atomic Red Team with EventID 3001:
# Query recorded execution metadata events via PowerShell
Get-WinEvent -LogName "Atomic Red Team" | Where-Object { $_.Id -eq 3001 }
Troubleshooting Logging Modules
- File Write Errors: If local logs are not being written, verify that the user running the shell has write permission to the configured $artConfig.logFolderpath.
- Unsent Syslog Telemetry: When using the Syslog-ExecutionLogger, firewall rules may block the collector port. Test reachability with Test-NetConnection -ComputerName $artConfig.syslogServer -Port $artConfig.syslogPort.
- WinEvent Registration: Creating the "Atomic Red Team" custom log channel requires the PowerShell session to run with administrative privileges on the first execution.
To view scheduling setups, refer to Automated Runner. To see how custom configurations override paths, visit Configuration.