Configuration

Invoke-AtomicRedTeam configures its global and runtime properties through a single structured configuration object, $artConfig, defined in Public/config.ps1.

The $artConfig Object

When the module is imported, $artConfig is loaded into global scope as a custom PowerShell object containing host metadata, directory references, logging preferences, and scheduling defaults.

Default Fields

| Configuration Property | Default Value / Calculation | Description |
|---|---|---|
| basehostname | Derived from hostname minus optional GUID structures | Base name of the testing computer. |
| OS | windows, macos, or linux | Target host operating system. |
| PathToInvokeFolder | C:/AtomicRedTeam/invoke-atomicredteam or $HOME/... | Base directory containing the Invoke-AtomicRedTeam module. |
| PathToPublicAtomicsFolder | C:/AtomicRedTeam/atomics or $HOME/... | Primary folder containing public technique subfolders (T#). |
| PathToPrivateAtomicsFolder | C:/PrivateAtomics/atomics or $HOME/... | Secondary folder for loading custom or closed-source security tests. |
| user | Current domain\user or shell account | Executing identity logged into the session. |
| basePath | $env:USERPROFILE (Win) or $env:HOME (Unix) | Base directory for schedule structures and active logs. |
| scheduleTimeSpan | New-TimeSpan -Days 7 | Time period within which all tests on a schedule should run. |
| kickOffDelay | New-TimeSpan -Minutes 0 | Optional standby period before automated schedules trigger execution. |
| scheduleFileName | "AtomicRunnerSchedule.csv" | Filename used to save scheduled items. |
| LoggingModule | '' | Target logging plugin (e.g., Default-ExecutionLogger, Attire-ExecutionLogger). |
| syslogServer | '' | Server address (IP or hostname) for syslog-enabled log streams. |
| syslogPort | 514 | Target network port for syslog forwarding. |
| syslogProtocol | 'UDP' | Transport network protocol (UDP, TCP, or TCPwithTLS). |
| logFolder | "AtomicRunner-Logs" | Target sub-folder path under basePath where telemetry gets saved. |
| absb | $null | Custom script block for bypassing Windows Antimalware Scan Interface (AMSI) under authorized Windows testing environments. |
| ServiceInstallDir | "${ENV:windir}\System32" | Target installation folder for running the C# AtomicRunnerService wrapper. |

Dynamic Properties

Several path properties are computed on startup and appended to the $artConfig instance, with values derived from the other configured parameters:

  • runnerFolder: Resolves to Join-Path $artConfig.basePath "AtomicRunner".
  • atomicLogsPath: Log output directory resolved from logFolder.
  • scheduleFile: Location of the schedule CSV, under runnerFolder.
  • execLogPath: Path of the CSV file to which execution records are appended.
  • logFile: Path of the diagnostic trace log.

Overriding Settings with privateConfig.ps1

You can override any default value in $artConfig without modifying the project's source files. On startup, the framework checks for a file named privateConfig.ps1 in the parent directory of the Invoke-AtomicRedTeam module and executes it after the defaults have been loaded.

Example privateConfig.ps1

Create a file named privateConfig.ps1 alongside the invoke-atomicredteam directory:

# Modify directory destinations or syslog behaviors
$artConfig.PathToPublicAtomicsFolder = "D:\ThreatSimulation\atomics"
$artConfig.LoggingModule = "Syslog-ExecutionLogger"
$artConfig.syslogServer = "192.168.10.25"
$artConfig.syslogPort = 514
$artConfig.syslogProtocol = "UDP"
$artConfig.verbose = $true

Custom Script Execution Blocks (AMSI Bypass)

In some Windows environments, local AV/EDR policies may immediately block PowerShell actions via AMSI, disrupting test execution. The $artConfig.absb parameter allows you to define a custom script block that runs before execution cycles. Use this parameter only in isolated research networks where security bypass actions are authorized.
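The following helper, Test-ArtConfig, is an added example and not part of the Invoke-AtomicRedTeam project: run it after Import-Module (once privateConfig.ps1 has been applied) to confirm that the overrides described above produced a usable configuration. It assumes only the property names listed in this page; the checks on derived paths assume runnerFolder and scheduleFile sit under basePath, as stated under Dynamic Properties.

```powershell
# Added configuration sanity check (not project code). Returns a list of
# findings; an empty list means no problems were detected.
function Test-ArtConfig {
    param([Parameter(Mandatory)] $Config)   # pass $artConfig

    $problems = @()

    # Atomics folders must exist, otherwise no technique subfolders can be loaded.
    foreach ($name in 'PathToPublicAtomicsFolder', 'PathToPrivateAtomicsFolder') {
        $p = $Config.$name
        if ($p -and -not (Test-Path -LiteralPath $p)) {
            $problems += "$name points to a missing directory: $p"
        }
    }

    # Syslog settings only matter when a syslog-based logger is selected;
    # when it is, a server must be set and protocol/port must be valid.
    if ($Config.LoggingModule -like '*Syslog*') {
        if ([string]::IsNullOrWhiteSpace($Config.syslogServer)) {
            $problems += 'LoggingModule is syslog-based but syslogServer is empty'
        }
        if ($Config.syslogProtocol -notin 'UDP', 'TCP', 'TCPwithTLS') {
            $problems += "Unsupported syslogProtocol '$($Config.syslogProtocol)'"
        }
        if ([int]$Config.syslogPort -lt 1 -or [int]$Config.syslogPort -gt 65535) {
            $problems += "syslogPort $($Config.syslogPort) is out of range"
        }
        if ($Config.syslogProtocol -eq 'UDP') {
            $problems += 'syslogProtocol is UDP: log stream is unauthenticated and unencrypted; consider TCPwithTLS'
        }
    }

    # absb runs before every execution cycle; surface it so a leftover bypass
    # block is never carried into a scheduled run unnoticed.
    if ($null -ne $Config.absb) {
        $problems += 'absb is set: a custom AMSI bypass script block will run before each test'
    }

    # Derived runner paths are expected to resolve under basePath (assumption
    # based on the Dynamic Properties description on this page).
    foreach ($name in 'runnerFolder', 'scheduleFile') {
        $p = [string]$Config.$name
        if ($p -and -not $p.StartsWith([string]$Config.basePath, [StringComparison]::OrdinalIgnoreCase)) {
            $problems += "$name resolves outside basePath: $p"
        }
    }
    return $problems
}

Test-ArtConfig -Config $artConfig
```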

For structured scheduling setup, review Automated Runner. To set up advanced logging endpoints, see Execution Logging.