Atomic Red Team

Atomic Red Team

Continuing my research into ATT&CK, I came across a neat looking tool that can help any security team simulate adversaries. "Atomic Red Team allows every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries (all mapped to Mitre's ATT&CK)." So in short, its a package of small, easy to use "attacks." This creates a quick way to test security controls as well as find gaps. Being able to map them back to ATT&CK allows teams to understand what adversaries are up to. As I mentioned in this post, you may want to prioritize controls that line up with the adversaries in your field.

Let's talk about how to utilize Atomic Red Team. To start, I want to make a note that I'll be running these tests against Windows Defender on Windows 10. There are obviously several other controls that would be factored into an enterprise security team. The first step I took was to disable the Real-Time Protection. I took this step simply to allow me to place the entire tool set on to the target machine.

We will want to visit the Github page for the project and get the tests on to our target machine. I chose to simply download the zip file. Unzipping on our desktop and navigating to the "atomics" directory, we can see that they are all nicely organized to the ATT&CK technique. Not all of these will apply to our Windows target, but it is nice to see just how many tests are available.

One really neat way of performing the tests is through an execution framework. I'll be using this as a way to demonstrate the tool. Invoke-AtomicRedTeam is available to us as a PowerShell execution framework.

Open up a PowerShell terminal and navigate to the above directory. I first had to edit PowerShell's execution policy (You can read more about that in this post).

This will allow me to run the scripts. The next step is to run Install-Module -Name powershell-yaml and then Import-Module .\Invoke-AtomicRedTeam.psm1 .

Since we're on a lab machine... we might as well go ahead and run all the things! Simply execute Invoke-AllAtomicTests , set the path and tell it to get started.

This of course is the sloppy and lazy way to do things, so instead we can execute a specific test by taking a few steps:

  • Find a test you want to run. For example, lets run "T1207 DCShadow"
  • Set up a variable to hold the test we want to perform: $T1207 = Get-AtomicTechnique -Path \path\to\atomics\T1207\T1207.yaml.
  • Then run Invoke-AtomicTest $T1207.

Looks like it ran without issue. Of course, we still have Defender disabled. So let's turn it back on.

The moment we turn Defender back on:

Of course, in this case that's a good thing. We are testing the strength of our controls after all. This means Defender "ate" several tests without even having to run them.

Now we will re-run the same tests with Defender on. Again, since its a lab machine we'll run all the tests just to speed up the process. In reality, I really recommend just selecting a single test. Or better yet, set up a lab of your own to test against.

As each test runs, we will see a snippet of info on what test is being performed:

We will also see the errors:

Looks like something worked as the calculator popped up.

Some of the tests even speak to why the test is being run:

Looking in Defender, we can see that a few tests have been flagged:

We can also scroll back through the PowerShell history to see the various errors. Once again, it really works out better when you run specific tests and can view the results of the tests that could be a risk for your environment.

Hopefully the above gives you an idea of how to utilize this tool if you are in a situation where no Red Team is available or if you simply want to quickly test a new control.

Thanks for reading!