Fix ART payloads using the environment variable set at $PathToAtomicsFolder

[EllynBsc]

Description

The Atomic Red Team set the $PathToAtomicsFolder environment variable to store and retrieve resources needed for executing payloads. However, our application does not include this environment variable by default.

We need to replace this variable when collecting Atomic Red Team payloads. Note that this goes beyond simply ensuring the folder exists, it also involves managing resources that we may not have.

We’ve identified three scenarios:

• Case 1: Commands use resources in $PathToAtomicsFolder that haven’t been pre-downloaded, and the path is not treated as a variable (e.g., "Process Hollowing in Go using CreateProcessW WinAPI"). => ❌
• Case 2: Commands use resources in $PathToAtomicsFolder, but this path can be user-defined (e.g., "TinyTurla backdoor service w64time").=> ✅
• Case 3: Some prerequisites download missing resources directly from GitHub, with additional behaviors:
  • A: Case 3 combined with Case 2 behavior (e.g., "Parent PID Spoofing using PowerShell"). => ✅
  • B: If the path doesn’t exist, all resources are stored in the ExternalPayloads directory that has been created just before. (e.g UltraVNC Execution ) => ✅

⚠ special case to check ;
Parent PID Spoofing using PowerShel
Persistence with Custom AutodialDLL

[MarineLeM]

In Atomic Red Team, $PathToAtomicsFolde refers to a directory that contains many resources that used to execute many payloads.
The problem is in our application we lack these resources...

This is the folder of the resources : https://github.com/redcanaryco/atomic-red-team/tree/25e3c3956c4bd7d7232c7ce24a96fcc079e4c4a0/atomics

cf the installation documentation of atomic red team https://github.com/redcanaryco/invoke-atomicredteam/wiki/Installing-Invoke-AtomicRedTeam