APRIL, 2018
Moti Bani at Microsoft has developed a Powershell script which helps to evaluate security products and monitoring solutions based on their effectiveness to detect advanced persistent threats.
It was created to fulfil the need for a tool that can generate data which represent real-world targeted attacks. The script utilises a set of functions to simulate adversarial behaviour within Windows Enterprise networks, post-compromise. Doing so allows the user to assess their security monitoring tools and practices and evaluate endpoint detection agents.

How invoke-adversary works

The script is broken down into several menu options corresponding to the techniques in Mitre’s enhanced model for cyber adversarial behaviour: The “Adversarial Tactics, Techniques, and Common Knowledge” (ATTA&CK) matrix. This matrix provides the most comprehensive framework for adversarial techniques and tactics which enterprises encounter daily.


Each section in the script has a variety of different functions for realising the corresponding tactic. For example, within the ‘Defense Evasion’ tactic, the functions inside include ‘Disable network interface’, ‘Turn off Windows Firewall’ and ‘Clear Security Log’. These functions do exactly as they describe to simulate an adversary performing these actions. These actions can then be run and tested on a machine or network, to see how they cope with these forms of attacks. This allows the user to analyse the affects of an adversary, post-compromise, and help to determine what measures should be in place to mitigate or defend against them.

Below is an excerpt of Bani’s article found on Microsoft’s TechNet blog, showing how to implement Invoke-Adversary. You can find the full article here: https://blogs.technet.microsoft.com/motiba/2018/04/09/invoke-adversary-simulating-adversary-operations/


Requirements for deploying:
  • PowerShell version 3.0 and above.
  • Windows 7 and above.


Step 1

The simplest way to run the script is to open an elevated PowerShell ISE window and press F5 to run it.

Step 2

The script will start and ask you to read the disclaimer and accept the terms by typing ‘yes’.

Step 3

Now you can select any test case by choosing its number on the menu.

Step 4

Once a selection is made, the corresponding sub-menu is opened. Enter the number of the tactic you wish to test. (Screenshots: Main -> Discovery -> System Owner Discovery)

Step 5

The tactic will be attempted, and post-compromise analysis can begin.

Keep Up To Date

Join our mailing list to receive the latest news and updates from Secrutiny.

We hate spam and promise to keep your email address safe. You can always unsubscribe at any time…