Threat Emulation with Atomic Red Team
Modern organizations face cyber threats every day, and attackers show no sign of slowing down: new techniques appear regularly, and several information security reports note a marked rise in APT campaigns against national defense, manufacturing and financial targets. Classic, purely preventive controls are therefore often not enough on their own. Deploying the right platforms and tooling helps organizations defend against such attacks, and one way to find out whether the controls you already have actually detect adversary behaviour is to emulate that behaviour yourself, which is what attack simulation (adversary emulation) tools are for. In this article we are going to learn how to deploy one of them, Red Canary's Atomic Red Team.
But first, what is red teaming?
TechTarget defines red teaming as follows:
“Red teaming is the practice of rigorously challenging plans, policies, systems and assumptions by adopting an adversarial approach. A red team may be a contracted external party or an internal group that uses strategies to encourage an outsider perspective.”
Red teamers usually perform the following steps:
- Recon
- Initial compromise
- Establish persistence
- Escalate privileges
- Internal Recon
- Lateral movement
- Data analysis
- Exfiltrate and complete mission
Atomic Red Team
According to its official GitHub repository:
Atomic Red Team allows every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries (all mapped to Mitre's ATT&CK). Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.
MITRE ATT&CK is a knowledge base maintained by the MITRE Corporation. It catalogues adversary behaviour observed in real-world intrusions against many different organizations and organises it into tactics and techniques, hence the name "Adversarial Tactics, Techniques & Common Knowledge". A tactic is the adversary's goal at a given stage of an intrusion (the "why", for example Persistence); a technique is a concrete way of achieving that goal (the "how", for example creating a scheduled task). Each technique has an identifier of the form TXXXX, and Atomic Red Team names its test folders after these identifiers.
The ATT&CK Enterprise matrix presents the tactics as follows (newer versions of the matrix also add Reconnaissance, Resource Development and Impact):
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Exfiltration
- Command and Control
Let's explore how to install and use Atomic Red Team:
First, download the project (clone it or grab the zip) from here: https://github.com/redcanaryco/atomic-red-team
Disable Windows Defender, or better, add the extracted atomics folder to its exclusion list. The atomic tests execute real adversary techniques, so Defender will otherwise quarantine several of the test payloads before they run. Do this only on an isolated lab machine or VM that you can rebuild, never on a production host, and re-enable Defender when you are done.
Extract the zip file:
The techniques can be found in the "atomics" folder, one sub-folder per ATT&CK technique ID:
Now open PowerShell and start a session whose execution policy allows the unsigned module to be imported:
powershell -ExecutionPolicy bypass
Install a required module:
Install-Module -Name powershell-yaml
Now download Invoke-AtomicRedTeam from: https://github.com/redcanaryco/invoke-atomicredteam
Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the atomics folder of Red Canary's Atomic Red Team project. The "atomics folder" contains a folder for each Technique defined by the MITRE ATT&CK™ Framework. Inside of each of these "T#" folders you'll find a yaml file that defines the attack procedures for each atomic test as well as an easier to read markdown ( md ) version of the same data.
Enter the project folder and then type:
Import-Module ./Invoke-AtomicRedTeam.psm1
Now you can run any test you want by simply running the following commands, replacing TXXXX with the technique ID (the folder name under atomics):
$TXXXX = Get-AtomicTechnique -Path \path\to\atomics\TXXXX\TXXXX.yaml
Invoke-AtomicTest $TXXXX
The technique definitions themselves live in the atomics folder of the first project you downloaded, so the -Path argument above must point into that folder. Each YAML file may define several tests, and not every test supports Windows, so read the markdown version of the technique before running it.
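The whole procedure above, collected into one script, as an added example that is not part of the original article or of the Atomic Red Team project. It assumes the two repositories were extracted to C:\AtomicRedTeam and C:\invoke-atomicredteam, that you are in an elevated PowerShell on an isolated lab VM, and it uses technique T1003 test 1 purely as an illustration (pick your own). The -TestNumbers, -ShowDetails and -Cleanup switches are the ones documented for Invoke-AtomicTest; if your copy of the module is older or newer, check Get-Help Invoke-AtomicTest -Full before relying on them.

```powershell
# Added example (not from the article or the Atomic Red Team project): run one atomic test end to end.
# Assumptions: atomic-red-team extracted to C:\AtomicRedTeam, invoke-atomicredteam extracted to
# C:\invoke-atomicredteam, elevated PowerShell on an isolated lab VM. T1003 / test 1 is only an illustration.
param(
    [string]$AtomicsPath = 'C:\AtomicRedTeam\atomics',
    [string]$ModulePath  = 'C:\invoke-atomicredteam\Invoke-AtomicRedTeam.psm1',
    [string]$Technique   = 'T1003',
    [int]$TestNumber     = 1
)
$ErrorActionPreference = 'Stop'

# 1. Prerequisites: the YAML parser the module depends on, then the module itself.
if (-not (Get-Module -ListAvailable -Name powershell-yaml)) {
    Install-Module -Name powershell-yaml -Scope CurrentUser -Force
}
Import-Module powershell-yaml
Import-Module $ModulePath

# 2. Instead of switching Defender off for the whole machine, exclude only the atomics folder so the
#    test payloads are not quarantined, and remember whether we added it so it can be removed again.
$exclusionAdded = $false
if (-not ((Get-MpPreference).ExclusionPath -contains $AtomicsPath)) {
    Add-MpPreference -ExclusionPath $AtomicsPath
    $exclusionAdded = $true
}

# 3. Inspect the technique definition before running anything. Every atomic test in the YAML declares
#    its supported platforms, whether it needs elevation, and the exact command it will execute.
$yamlPath   = Join-Path $AtomicsPath "$Technique\$Technique.yaml"
$definition = ConvertFrom-Yaml (Get-Content -Raw $yamlPath)
Write-Host ("{0}: {1}" -f $definition.attack_technique, $definition.display_name)
$i = 0
foreach ($test in $definition.atomic_tests) {
    $i++
    $platforms = $test.supported_platforms -join ','
    $elevated  = if ($test.executor.elevation_required) { 'elevated' } else { 'user' }
    Write-Host ("  #{0} [{1}] [{2}] {3}" -f $i, $platforms, $elevated, $test.name)
}
$chosen = $definition.atomic_tests[$TestNumber - 1]
if ($chosen.supported_platforms -notcontains 'windows') {
    throw "Test $TestNumber of $Technique does not support Windows; choose another test."
}
Write-Host "Command that will run:`n$($chosen.executor.command)"

# 4. Run the test through the module, then always run its cleanup so the host returns to its prior
#    state. Timestamps around the run let you look for the matching detections in your SIEM/EDR.
$t     = Get-AtomicTechnique -Path $yamlPath
$start = Get-Date
try {
    Invoke-AtomicTest $t -TestNumbers $TestNumber -ShowDetails   # print what would happen, no execution
    Invoke-AtomicTest $t -TestNumbers $TestNumber                # execute the test
}
finally {
    Invoke-AtomicTest $t -TestNumbers $TestNumber -Cleanup       # run the test's cleanup_command
    if ($exclusionAdded) { Remove-MpPreference -ExclusionPath $AtomicsPath }
}
$end = Get-Date
Write-Host ("Executed {0} test {1} between {2:o} and {3:o}; check your detections for that window." -f `
    $Technique, $TestNumber, $start, $end)
```

The point of steps 3 and 4 is that an emulation run is only useful if you know exactly what was executed and when: the YAML tells you the command, the timestamps bracket the window in which your detection rules should have fired, and the cleanup keeps the lab host reusable for the next test. Newer versions of the module also accept the technique ID directly (Invoke-AtomicTest T1003 -TestNumbers 1) instead of the Get-AtomicTechnique object used in the article.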