Merge branch 'master' of https://github.com/redcanaryco/invoke-atomic…

…redteam into atomic-sudo

Public/Get-PreferredIPAddress.ps1

@@ -3,7 +3,7 @@ function Get-PreferredIPAddress($isWindows) {
         return (Get-NetIPAddress | Where-Object { $_.PrefixOrigin -ne "WellKnown" }).IPAddress
     }
     elseif ($IsMacOS) {
-        return ifconfig -l | xargs -n1 ipconfig getifaddr
+        return /sbin/ifconfig -l | /usr/bin/xargs -n1 /usr/sbin/ipconfig getifaddr
     }
     elseif ($IsLinux) {
         return ip -4 -br addr show | sed -n -e 's/^.*UP\s* //p' | cut -d "/" -f 1

Public/Invoke-AtomicRunner.ps1

@@ -37,6 +37,9 @@ function Invoke-AtomicRunner {
         [ValidateRange(0, [int]::MaxValue)]
         [int] $PauseBetweenAtomics,
 
+        [parameter(Mandatory = $false)]
+        [switch] $scheduledTaskCleanup,
+
         [Parameter(Mandatory = $false, ValueFromRemainingArguments = $true)]
         $OtherArgs
     )
@@ -183,6 +186,7 @@ function Invoke-AtomicRunner {
         $htvars.Remove('OtherArgs') | Out-Null
         $htvars.Remove('Cleanup') | Out-Null
         $htvars.Remove('PauseBetweenAtomics') | Out-Null
+        $htvars.Remove('scheduledTaskCleanup') | Out-Null
 
         $schedule = Get-Schedule $listOfAtomics
         # If the schedule is empty, end process
@@ -223,11 +227,16 @@ function Invoke-AtomicRunner {
             }
 
             if ($null -ne $tr) {
-                # run the atomic test and exit
-                Invoke-AtomicTestFromScheduleRow $tr
-                # Cleanup after running test
-                Write-Host -Fore cyan "Sleeping for $SleepTillCleanup seconds before cleaning up for $($tr.Technique) $($tr.auto_generated_guid) "; Start-Sleep -Seconds $SleepTillCleanup
-                Invoke-AtomicTestFromScheduleRow $tr $true
+                if ($scheduledTaskCleanup) {
+                    # Cleanup after running test
+                    Write-Host -Fore cyan "Sleeping for $SleepTillCleanup seconds before cleaning up for $($tr.Technique) $($tr.auto_generated_guid) "; Start-Sleep -Seconds $SleepTillCleanup
+                    Invoke-AtomicTestFromScheduleRow $tr $true
+                }
+                else {
+                    # run the atomic test and exit
+                    Invoke-AtomicTestFromScheduleRow $tr
+                    Start-Sleep 3; exit
+                }
             }
             else {
                 LogRunnerMsg "Could not find Test: $guid in schedule. Please update schedule to run this test."

Public/Invoke-KickoffAtomicRunner.ps1

@@ -25,19 +25,29 @@ function Invoke-KickoffAtomicRunner {
 
     #Create log files as needed
     $all_log_file = Join-Path $artConfig.atomicLogsPath "all-out-$($artConfig.basehostname).txt"
+    $all_log_file_cleanup = Join-Path $artConfig.atomicLogsPath "all-out-$($artConfig.basehostname)-cleanup.txt"
     New-Item $all_log_file -ItemType file -ErrorAction Ignore
+    New-Item $all_log_file_cleanup -ItemType file -ErrorAction Ignore
     New-Item $artConfig.logFile -ItemType File -ErrorAction Ignore
 
     #Rotate logs based on FileSize and Date max_filesize
     $max_filesize = 200 #in MB
     $max_file_age = 30 #in days
     Rotate-Log $all_log_file $max_filesize $max_file_age
+    Rotate-Log $all_log_file_cleanup $max_filesize $max_file_age
+
     Rotate-Log $artConfig.logFile $max_filesize $max_file_age #no need to repeat this. Can reduce further.
 
     # Optional additional delay before starting
     Start-Sleep $artConfig.kickOffDelay.TotalSeconds
 
-    if ($artConfig.debug) { Invoke-AtomicRunner  *>> $all_log_file } else { Invoke-AtomicRunner }
+    $WorkingDirectory = if ($IsLinux -or $IsMacOS) { "/tmp" } else { $env:TEMP }
+    $FileName = if ($IsLinux -or $IsMacOS) { "pwsh" } else { "powershell.exe" }
+    if ($artConfig.debug) { $Arguments = "-Command Invoke-AtomicRunner *>> $all_log_file" } else { $Arguments = "-Command Invoke-AtomicRunner" }
+    # Invoke the atomic as its own process because we don't want to skip the cleanup and rename process in the event that AV kills the process running the atomic
+    Start-Process -FilePath $FileName -ArgumentList $Arguments -WorkingDirectory $WorkingDirectory
+    # Run the cleanup commmands
+    if ($artConfig.debug) { Invoke-AtomicRunner -scheduledTaskCleanup *>> $all_log_file_cleanup } else { Invoke-AtomicRunner -scheduledTaskCleanup }
 }
 
 function LogRunnerMsg ($message) {