Configuration
Invoke-AtomicRedTeam configures global and runtime properties through a default structured configuration object named $artConfig defined in Public/config.ps1.
The $artConfig Object
When the module is imported, $artConfig is loaded into global scope as a custom PowerShell object containing host metadata, directory references, logging preferences, and scheduling defaults.
Default Fields
| Configuration Property | Default Value / Calculation | Description |
|---|---|---|
| basehostname | Derived from hostname minus optional GUID structures | Base name of the testing computer. |
| OS | windows, macos, or linux | Target host operating system. |
| PathToInvokeFolder | C:/AtomicRedTeam/invoke-atomicredteam or $HOME/... | Base directory containing the Invoke-AtomicRedTeam module. |
| PathToPublicAtomicsFolder | C:/AtomicRedTeam/atomics or $HOME/... | Primary folder containing public technique subfolders (T#). |
| PathToPrivateAtomicsFolder | C:/PrivateAtomics/atomics or $HOME/... | Secondary folder for loading custom or closed-source security tests. |
| user | Current domain\user or shell account | Executing identity logged into the session. |
| basePath | $env:USERPROFILE (Win) or $env:HOME (Unix) | Base directory for schedule structures and active logs. |
| scheduleTimeSpan | New-TimeSpan -Days 7 | Time period within which all tests on a schedule should run. |
| kickOffDelay | New-TimeSpan -Minutes 0 | Optional standby period before automated schedules trigger execution. |
| scheduleFileName | "AtomicRunnerSchedule.csv" | Filename used to save scheduled items. |
| LoggingModule | '' | Target logging plugin (e.g., Default-ExecutionLogger, Attire-ExecutionLogger). |
| syslogServer | '' | Server address (IP or hostname) for syslog-enabled log streams. |
| syslogPort | 514 | Target network port for syslog forwarding. |
| syslogProtocol | 'UDP' | Transport network protocol (UDP, TCP, or TCPwithTLS). |
| logFolder | "AtomicRunner-Logs" | Target sub-folder path under basePath where telemetry gets saved. |
| absb | $null | Custom script block for bypassing Windows Antimalware Scan Interface (AMSI) in authorized Windows testing environments. |
| ServiceInstallDir | "${ENV:windir}\System32" | Target installation folder for running the C# AtomicRunnerService wrapper. |
Dynamic Properties
Several paths are dynamically managed properties appended to the $artConfig instance on startup, calculating values based on other configured parameters:
- runnerFolder: Maps to Join-Path $artConfig.basePath "AtomicRunner"
- atomicLogsPath: Maps directly to logFolder path locations.
- scheduleFile: Target schedule CSV location under runnerFolder.
- execLogPath: Path where csv execution data is appended.
- logFile: Diagnostics trace path.
Overriding Settings with privateConfig.ps1
You can override any default parameter value inside $artConfig without modifying core project source files. On startup, the framework checks for a file named privateConfig.ps1 located in the parent directory of Invoke-AtomicRedTeam.
Example privateConfig.ps1
Create a file named privateConfig.ps1 alongside the invoke-atomicredteam directory:
```powershell
# Modify directory destinations or syslog behaviors
$artConfig.PathToPublicAtomicsFolder = "D:\ThreatSimulation\atomics"
$artConfig.LoggingModule = "Syslog-ExecutionLogger"
$artConfig.syslogServer = "192.168.10.25"
$artConfig.syslogPort = 514
$artConfig.syslogProtocol = "UDP"
$artConfig.verbose = $true
```
Custom Script Execution Blocks (AMSI Bypass)
In some Windows environments, local AV/EDR policies may immediately block PowerShell actions via AMSI, disrupting test execution. The $artConfig.absb parameter allows you to define a custom script block that runs before execution cycles. Use this parameter only in isolated research networks where security bypass actions are authorized.
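Because privateConfig.ps1 can change any field, including absb, it helps to review the effective configuration after overrides are applied. The following is an added example, not code from the Invoke-AtomicRedTeam project: Test-ArtConfigOverride is a hypothetical helper, the sample object is constructed, and the rule that a syslog logger needs a non-empty syslogServer is an assumption.

```powershell
# Added example: sanity-check $artConfig after privateConfig.ps1 overrides.
# Test-ArtConfigOverride is a hypothetical helper, not part of Invoke-AtomicRedTeam.
function Test-ArtConfigOverride {
    param([Parameter(Mandatory)] $Config)

    $findings = [System.Collections.Generic.List[string]]::new()

    # syslogProtocol accepts only the three values listed in the defaults table.
    if ($Config.syslogProtocol -notin @('UDP', 'TCP', 'TCPwithTLS')) {
        $findings.Add("syslogProtocol '$($Config.syslogProtocol)' is not UDP, TCP, or TCPwithTLS")
    }

    # The port must be a valid TCP/UDP port number.
    $port = $Config.syslogPort -as [int]
    if ($null -eq $port -or $port -lt 1 -or $port -gt 65535) {
        $findings.Add("syslogPort '$($Config.syslogPort)' is not in 1-65535")
    }

    # Assumption: a syslog logger needs a destination server to be useful.
    if ($Config.LoggingModule -like 'Syslog*' -and [string]::IsNullOrWhiteSpace($Config.syslogServer)) {
        $findings.Add('LoggingModule is a syslog logger but syslogServer is empty')
    }

    # absb holds an AMSI bypass script block; surface it so it is never set unnoticed.
    if ($null -ne $Config.absb) {
        $findings.Add('absb is set: confirm this host is an authorized, isolated test system')
    }

    # A mistyped atomics folder override points the module at a missing directory.
    foreach ($name in 'PathToPublicAtomicsFolder', 'PathToPrivateAtomicsFolder') {
        $path = $Config.$name
        if ($path -and -not (Test-Path -LiteralPath $path -PathType Container)) {
            $findings.Add("$name '$path' does not exist")
        }
    }
    return $findings
}

# Constructed sample standing in for $artConfig so the block runs without the module.
$sample = [pscustomobject]@{
    LoggingModule = 'Syslog-ExecutionLogger'; syslogServer = ''; syslogPort = 70000
    syslogProtocol = 'TLS'; absb = $null
    PathToPublicAtomicsFolder = $null; PathToPrivateAtomicsFolder = $null
}
Test-ArtConfigOverride -Config $sample | ForEach-Object { Write-Warning $_ }
```

With the module imported, pass the live object instead: Test-ArtConfigOverride -Config $artConfig.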
For structured scheduling setup, review Automated Runner. To set up advanced logging endpoints, see Execution Logging.