Execution Logging

Invoke-AtomicRedTeam standardizes telemetry capture through modular logging providers. Every test execution is recorded with its execution timestamps, the executing user context, the target hostname, the process ID, and the exit code.

Logging Configuration

Enable logging modules globally with the $artConfig.LoggingModule property in your configuration file, or select them per invocation with the -LoggingModule parameter of Invoke-AtomicTest:

Invoke-AtomicTest T1003 -LoggingModule "Default-ExecutionLogger,Attire-ExecutionLogger"

Note: To specify multiple logging engines simultaneously, pass them as a single comma-separated string.

Built-in Logging Modules

1. Default-ExecutionLogger

Records test metadata locally in standard comma-separated values (CSV) format, appending execution records to the file at $artConfig.execLogPath.

Schema fields recorded:

  • Execution Time (UTC)
  • Execution Time (Local)
  • Technique
  • Test Number
  • Test Name
  • Hostname
  • IP Address
  • Username
  • GUID
  • ProcessId
  • ExitCode

2. Attire-ExecutionLogger

Generates structured JSON execution logs matching the Attire Specification (maintained by Security Risk Advisors). This log style is designed for parsing by reporting utilities, SIEM dashboards, and threat metrics tools.

Output structure example:

{
  "attire-version": "1.1",
  "execution-data": {
    "execution-source": "Invoke-Atomicredteam",
    "execution-id": "Z3VpZC1zdHJpbmc...",
    "execution-category": {
      "name": "Atomic Red Team",
      "abbreviation": "ART"
    },
    "execution-command": "Invoke-AtomicTest T1003 -TestNumbers 1",
    "target": {
      "user": "SYSTEM",
      "host": "TEST-ENDPOINT",
      "ip": "192.168.12.50",
      "path": "/usr/local/bin:/usr/bin..."
    },
    "time-generated": "2026-07-01T16:36:00.000Z"
  },
  "procedures": [
    {
      "mitre-technique-id": "T1003.001",
      "procedure-name": "Dump LSASS with procdump",
      "procedure-id": {
        "type": "guid",
        "id": "6f26cf94-4d8b-49ea-b97e-131758df634f"
      },
      "procedure-description": "Dump LSASS memory using Sysinternals ProcDump",
      "order": 1,
      "steps": [
        {
          "order": 1,
          "time-start": "2026-07-01T16:36:01.000Z",
          "time-stop": "2026-07-01T16:36:05.000Z",
          "executor": "command_prompt",
          "command": "procdump.exe -ma lsass.exe lsass.dmp",
          "process-id": 4504,
          "exit-code": 0,
          "is-timeout": false,
          "output": [
            {
              "content": "ProcDump v10.0 - Writes process dumps... Dump written to lsass.dmp",
              "level": "STDOUT",
              "type": "console"
            }
          ]
        }
      ]
    }
  ]
}
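
Consumers such as SIEM pipelines usually flatten this nested structure into per-step records. The following added example (not Invoke-AtomicRedTeam code) parses a constructed Attire log mirroring the layout above, maps each step onto the field names of the Default-ExecutionLogger CSV schema, and lists the steps that timed out or exited non-zero, which should not be counted as validated detection coverage:

```python
"""Flatten an Attire-ExecutionLogger log into Default-ExecutionLogger-style rows and
flag steps that timed out or failed. Added example, not Invoke-AtomicRedTeam code."""
import json

# Constructed sample mirroring the Attire layout shown on this page.
SAMPLE_ATTIRE_LOG = json.dumps({
    "attire-version": "1.1",
    "execution-data": {
        "execution-source": "Invoke-Atomicredteam",
        "execution-id": "constructed-execution-id",
        "target": {"user": "SYSTEM", "host": "TEST-ENDPOINT", "ip": "192.168.12.50"},
        "time-generated": "2026-07-01T16:36:00.000Z",
    },
    "procedures": [{
        "mitre-technique-id": "T1003.001",
        "procedure-name": "Dump LSASS with procdump",
        "procedure-id": {"type": "guid", "id": "6f26cf94-4d8b-49ea-b97e-131758df634f"},
        "order": 1,
        "steps": [
            {"order": 1, "time-start": "2026-07-01T16:36:01.000Z", "executor": "command_prompt",
             "process-id": 4504, "exit-code": 0, "is-timeout": False},
            {"order": 2, "time-start": "2026-07-01T16:36:06.000Z", "executor": "command_prompt",
             "process-id": 4610, "exit-code": 1, "is-timeout": True},
        ],
    }],
})

def attire_to_rows(attire_json: str) -> list[dict]:
    """One row per executed step, keyed by the Default-ExecutionLogger field names.
    Test Number is not carried in Attire; the procedure GUID identifies the test."""
    log = json.loads(attire_json)
    target = log["execution-data"]["target"]
    rows = []
    for proc in log["procedures"]:
        for step in proc["steps"]:
            rows.append({
                "Execution Time (UTC)": step["time-start"],
                "Technique": proc["mitre-technique-id"], "Test Name": proc["procedure-name"],
                "Hostname": target["host"], "IP Address": target["ip"],
                "Username": target["user"], "GUID": proc["procedure-id"]["id"],
                "ProcessId": step["process-id"], "ExitCode": step["exit-code"],
            })
    return rows

def unreliable_steps(attire_json: str) -> list[tuple[str, int]]:
    """(technique, step order) for steps that timed out or exited non-zero."""
    log = json.loads(attire_json)
    return [(p["mitre-technique-id"], s["order"])
            for p in log["procedures"] for s in p["steps"]
            if s["is-timeout"] or s["exit-code"] != 0]
```

A step flagged by unreliable_steps may never have performed the simulated behaviour, so a matching alert says nothing about coverage until the step is re-run successfully.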

3. Syslog-ExecutionLogger

Converts the execution event metadata block into a compressed JSON payload and sends it over the network to a central Syslog collector. Requires the external module Posh-SYSLOG (installed automatically during runner setup when the server fields are set).

Configure your central log collector targets inside $artConfig:

$artConfig.syslogServer = "logstash.corp.local"
$artConfig.syslogPort = 514
$artConfig.syslogProtocol = "UDP" # Supports UDP, TCP, TCPwithTLS

4. WinEvent-ExecutionLogger

Writes execution telemetry to the Windows event log under Applications and Services Logs, in a dedicated channel named "Atomic Red Team", with Event ID 3001:

# Query recorded execution metadata events via PowerShell
Get-WinEvent -LogName "Atomic Red Team" | Where-Object { $_.Id -eq 3001 }

Troubleshooting Logging Modules

  • File Write Errors: If local logs are not writing, verify that the active user shell has write permissions to the configured $artConfig.logFolder path.
  • Unsent Syslog Telemetry: When using the Syslog-ExecutionLogger, a firewall may block the configured port. Test reachability with Test-NetConnection -ComputerName $artConfig.syslogServer -Port $artConfig.syslogPort.
  • WinEvent Registration: To create the "Atomic Red Team" custom log channel, the executing PowerShell session must run with administrative privileges during the first execution.

To view scheduling setups, refer to Automated Runner. To see how custom configurations override paths, visit Configuration.