Atomic Red Team is a library of tests that any security team can execute to mimic adversarial activity and validate their defences. It allows the security team to test their controls by executing simple “atomic tests” that exercise the same techniques used by adversaries (all mapped to MITRE ATT&CK). This helps organizations identify weaknesses and improve their overall cybersecurity posture.
Why emulate attacks?
To understand the attacks.
To develop detections.
To validate people, process, and technology.
To tune configurations.
Atomic Red Team Repo:
Atomic Red Team’s repository is maintained by Red Canary on GitHub. Under the atomics folder you can find all the atomics, organised by MITRE ATT&CK technique.
The indexes folder also helps in finding atomics by OS, cloud and containers. It is suggested to do the testing in a separate test environment, so you know whether the security tools can detect the attack simulation; as the saying goes, “Prevention is ideal but detection is a must”.
Under each technique we can find both .md and .yaml files. The markdown is much easier to read for understanding the atomics.
Invoke-atomicredteam:
Invoke-AtomicRedTeam is an execution framework that reads the library and executes the atomics according to their specifications. It is a PowerShell module, also maintained by Red Canary, and is also available on GitHub.
How to execute the atomics?
For this demo, we will execute the atomics on Linux.
Clone the atomic red team repository using the command:
Make sure that git is already installed before cloning.
Then proceed with installing Invoke-AtomicRedTeam using the command:
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam
Invoke-AtomicRedTeam is a PowerShell module, so before installing it we must install PowerShell Core (pwsh) on the Linux host.
Once the installation is done, to check that everything went correctly we will execute the command: Invoke-AtomicTest All -ShowDetailsBrief. This command lists all the tests that can be performed on the current OS.
Note: the atomics folder from the atomic-red-team repository must be in the same folder as Invoke-AtomicRedTeam.
For this demo let’s test technique T1222.002, test number 1. Here a file or folder’s permissions are modified using numeric mode with the chmod command.
The test’s markdown also shows, under “Command (with inputs)”, the folder whose permissions it is going to change.
After creating the folder in the mentioned path, manually change the file permissions to read only.
To explain the numeric mode:
First Digit (7): Permissions for the file's owner.
Second Digit (5): Permissions for the group that the file belongs to.
Third Digit (5): Permissions for others (everyone else).
4: Read permission (r)
2: Write permission (w)
1: Execute permission (x)
So 755 means the owner will have rwx permission (4+2+1), while the group and others will have r-x permission (4+1).
To execute the atomic we will use the command
Invoke-AtomicTest T1222.002 -TestNumber 1
After the execution, the read-only mode is revoked.
Similarly, there are multiple atomics that can be used to test the defences. This is just a short demo to get you started with exploring Atomic Red Team. Red Canary also maintains good documentation and a community. Feel free to comment if there are any questions.
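To go with the “develop detections” goal above, here is an added example (not from the original post or from Red Canary’s project) of a check a defender might run over auditd SYSCALL records after executing this atomic: it decodes the numeric mode argument of the chmod family of syscalls, renders it the way ls -l would, and flags risky modes. The syscall numbers assume x86_64, and the log lines are constructed for the example, not real captures.

```python
import re

# x86_64 syscall numbers that change a file mode, with the index of the
# argument (a0..a3) that carries the mode. Assumption: arch=c000003e (x86_64).
MODE_SYSCALLS = {"90": ("chmod", 1), "91": ("fchmod", 1), "268": ("fchmodat", 2)}

# Constructed auditd SYSCALL records (not real captures): the atomic's
# chmod 755 (a2=0x1ed), a benign mkdir for contrast, and a suspicious 4777.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55d0c0a1e2b0 a2=1ed a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=SYSCALL msg=audit(1700000000.456:4243): arch=c000003e syscall=83 success=yes exit=0 a0=55d0c0a1e2b0 a1=1ff a2=0 a3=0 items=1 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 comm="mkdir" exe="/usr/bin/mkdir" key="perm_mod"
type=SYSCALL msg=audit(1700000000.789:4244): arch=c000003e syscall=90 success=yes exit=0 a0=7ffd1234 a1=9ff a2=0 a3=0 items=1 ppid=1 pid=1236 auid=4294967295 uid=0 gid=0 euid=0 comm="python3" exe="/usr/bin/python3" key="perm_mod"
"""

# key=value pairs; values are either double-quoted or a run of non-space characters
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def mode_to_rwx(mode: int) -> str:
    """Render the low 9 permission bits like ls -l (e.g. 0o755 -> rwxr-xr-x)."""
    bits = "rwx"
    return "".join(bits[i % 3] if mode & (1 << (8 - i)) else "-" for i in range(9))


def parse_mode_changes(text: str) -> list:
    """Return one finding per SYSCALL record that sets a file mode."""
    findings = []
    for line in text.splitlines():
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if f.get("type") != "SYSCALL" or f.get("syscall") not in MODE_SYSCALLS:
            continue
        name, idx = MODE_SYSCALLS[f["syscall"]]
        mode = int(f[f"a{idx}"], 16) & 0o7777  # auditd logs syscall args in hex
        findings.append({
            "serial": f["msg"].split(":")[1].rstrip(")"),  # audit event serial
            "syscall": name, "comm": f.get("comm"), "uid": f.get("uid"),
            "mode": f"{mode:04o}", "rwx": mode_to_rwx(mode),
            "world_writable": bool(mode & 0o002),      # others can write
            "setuid_or_setgid": bool(mode & 0o6000),   # privilege-bearing bits
        })
    return findings


if __name__ == "__main__":
    for finding in parse_mode_changes(SAMPLE_AUDIT):
        print(finding)
```

Correlate the serial with the matching PATH record to recover the file name, and expect the atomic’s chmod 755 to show up as a fchmodat or chmod event; if it does not, the audit rule for T1222.002 is not firing.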