We covered conducting security testing and assessment using the Atomic Red Team framework. Atomic Red Team is a library of techniques mapped to the MITRE ATT&CK framework, each shipped with a Markdown file and a YAML configuration file that is used to execute the technique's test in the environment. This was part of the TryHackMe Atomic Red Team room, which is part of the SOC Level 2 track.
What is Atomic Red Team
Atomic Red Team is an open-source project that provides a framework for performing security testing and threat emulation. It consists of tools and techniques that can be used to simulate various types of attacks and security threats, such as malware, phishing attacks, and network compromise. The Atomic Red Team aims to help security professionals assess the effectiveness of their organization’s security controls and incident response processes and identify areas for improvement.
The Atomic Red Team framework is designed to be modular and flexible, allowing security professionals to select the tactics and techniques most relevant to their testing needs. It is intended to be used with other tools and frameworks, such as the MITRE ATT&CK framework, which provides a comprehensive overview of common tactics and techniques threat actors use.
Components of Atomic Red Team
Atomics refer to the different testing techniques based on the MITRE ATT&CK Framework. Each works as a standalone testing mock-up that Security Analysts can use to emulate a specific Technique, such as OS Credential Dumping: LSASS Memory, for a quick example.
Each Atomic typically contains two files, both of which are named by their MITRE ATT&CK Technique ID:
- Markdown File (.md) – Contains all the information about the technique, the supported platform, Executor, GUID, and commands to be executed.
- YAML File (.yaml) – Configuration used by frameworks, such as Invoke-Atomic and Atomic-Operator, to perform the exact emulation of the technique.
The Markdown file is written to be self-explanatory, so let’s dive deep into the configuration files used to emulate commands.
Invoke-AtomicRedTeam
Invoke-AtomicRedTeam is a PowerShell module created by the same author (Red Canary) that allows Security Analysts to run simulations defined by Atomics. To avoid confusion, the primary cmdlet used in this module is Invoke-AtomicTest and not Invoke-AtomicRedTeam.
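As an added illustration (not code from the Atomic Red Team project), the following Python models the Atomic file layout described above and the dry-run and selection behaviour of Invoke-AtomicTest (-ShowDetails, -TestGuids/-TestNumbers, -InputArgs): it fills #{...} input-argument placeholders from their defaults, resolves each test's command and cleanup_command before anything runs, and flags manual executors and tests with no cleanup. The Atomic itself is a constructed sample written as a Python dict mirroring the YAML fields; with a real .yaml file you would load it with a YAML parser first.

```python
import re

# Constructed sample mirroring the field layout of an Atomic YAML file (not a real Atomic):
# attack_technique, atomic_tests[] with auto_generated_guid, input_arguments and an executor.
ATOMIC = {
    "attack_technique": "T1059.003",
    "atomic_tests": [
        {"name": "Echo a string to a file",
         "auto_generated_guid": "11111111-1111-4111-8111-111111111111", "supported_platforms": ["windows"],
         "input_arguments": {"message": {"type": "string", "default": "Hello, from CMD!"},
                             "out": {"type": "path", "default": "%TEMP%\\atomic_echo.txt"}},
         "executor": {"name": "command_prompt", "elevation_required": False,
                      "command": "echo #{message} > #{out}",
                      "cleanup_command": "del #{out} >nul 2>&1"}},
        {"name": "Type a command into an interactive console",
         "auto_generated_guid": "22222222-2222-4222-8222-222222222222", "supported_platforms": ["windows"],
         "executor": {"name": "manual", "steps": "1. Open cmd.exe\n2. Type the command"}},
    ],
}
PLACEHOLDER = re.compile(r"#\{(\w+)\}")

def render(template, input_arguments, overrides=None):
    """Fill #{arg} from defaults; caller overrides win (like -InputArgs). Unknown placeholder raises KeyError."""
    values = {k: v["default"] for k, v in (input_arguments or {}).items()}
    values.update(overrides or {})
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)

def show_details(atomic, test_guids=None, test_numbers=None, overrides=None):
    """Dry run (like -ShowDetails): what each selected test would execute and how it cleans up."""
    out = []
    for n, t in enumerate(atomic["atomic_tests"], start=1):
        if (test_guids and t["auto_generated_guid"] not in test_guids) or (test_numbers and n not in test_numbers):
            continue
        ex, args = t["executor"], t.get("input_arguments")
        out.append({"number": n, "name": t["name"], "executor": ex["name"], "manual": ex["name"] == "manual",
                    "elevation_required": bool(ex.get("elevation_required", False)),
                    "command": render(ex["command"], args, overrides) if "command" in ex else None,
                    "cleanup": render(ex["cleanup_command"], args, overrides) if "cleanup_command" in ex else None})
    return out

def preflight(atomic, platform="windows"):
    """Checks worth making before running: platform support, manual steps, missing cleanup, elevation."""
    warnings = []
    for d, t in zip(show_details(atomic), atomic["atomic_tests"]):
        tag = f"{atomic['attack_technique']}-{d['number']}"
        if platform not in t["supported_platforms"]: warnings.append(f"{tag}: not supported on {platform}")
        if d["manual"]: warnings.append(f"{tag}: manual executor, cannot be automated")
        elif d["cleanup"] is None: warnings.append(f"{tag}: no cleanup_command, revert changes by hand")
        if d["elevation_required"]: warnings.append(f"{tag}: elevation required")
    return warnings
```

Reviewing the resolved command and cleanup output (and the preflight warnings) before running a test is the same habit as always calling Invoke-AtomicTest with -ShowDetails first, as the room's questions repeatedly require.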
Scenario Case Study: Emulating APT37
To apply all items discussed in the previous tasks, let’s do a case study for the emulation of APT37.
APT37, also known as Reaper, is a cyber espionage group that has been active since 2012 and is believed to be operating out of North Korea. The group has been known to target a wide range of organisations, including government agencies, defence contractors, and media companies.
Check out the video below for a detailed explanation.
Room Answers | TryHackMe Atomic Red Team
What type of executor is used for actions that cannot be automated?
manual
What is the field in an Atomic YAML file populated by a unique identifier to isolate a specific Atomic?
auto_generated_guid
What is the field in an Atomic YAML file populated by commands for deleting files used for emulation or reverting modified configurations?
cleanup_command
What is the library that provides technical emulation tests based on TTPs?
Atomic Red Team
How many atomic tests are under Atomic T1110.001 that are supported on Windows hosts?
4
What is the Atomic name of the second test under Atomic T1218.005?
Mshta executes VBScript to execute malicious command
How many prerequisites are not met for Atomic T1003?
4
What is the parameter used to execute the specific Atomic test via GUID?
TestGuids
What is the name of the scheduled task created after executing the 2nd test of Atomic T1053.005?
spawn
What is the registry key modified after executing the 2nd test of Atomic T1547.001?
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
Using the ATT&CK Navigator, how many techniques are attributed to admin@338?
9
Using the mapping provided by the ATT&CK Navigator, what is the Technique ID of the phishing technique used by the threat group?
T1566.001
How many Atomic tests on Atomic T1083 are supported on Windows hosts?
4
What file should exist to satisfy the prerequisite of Atomic Test T1049-4?
Sharpview.exe
What is the echoed string upon executing Atomic Test T1059.003-3?
Hello, from CMD!
What is the hostname of the machine based on Atomic Test T1082-6?
ATOMIC
How many accounts are disabled based on Atomic Test T1087.001-9?
3
How many Sysmon events are generated after executing Atomic Test T1547.001-4?
14
Based on the same events from Q1, what is the file name created by the test?
vbsstartup.vbs
Based on the Registry Value Set event generated after executing Atomic Test T1547.001-13, what is the value of the TargetObject field?
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\atomictest
Excluding the WHOAMI detection, what is the title of the first rule triggered on Aurora EDR after executing Atomic Test T1547.001-7?
PowerShell Writing Startup Shortcuts
Excluding the WHOAMI detection, what is the title of the first rule triggered on Aurora EDR after executing Atomic Test T1547.001-8?
Registry Persistence Mechanisms in Recycle Bin
What parameter should you use to customise the input arguments interactively?
PromptForInputArgs
What parameter should you use in conjunction with InputArgs/PromptForInputArgs to revert the changes made by the test?
Cleanup
What is the default port used by the Atomic GUI?
8487
Using the ATT&CK Navigator, how many techniques are attributed to APT37?
29
Using the mapping provided by the ATT&CK Navigator, what is the phishing technique used by the threat group?
Spearphishing Attachment
How many techniques attributed to APT37 have an existing Atomic file?
21
Based on the results of Q3, which Atomic has no tests supported on Windows?
T1059.006
What is the description of the prerequisite needed for Atomic Test T1055-1?
The 64-bit version of Microsoft Office must be installed
How many Atomic tests have met the prerequisites for Atomic T1082?
15
What are the three event IDs logged based on the execution of Atomic Test 1547.001-3? Provide the IDs in ascending order (e.g. 1,2,3).
1,11,13
What command is executed (with default input value) by Atomic Test T1529-1? Do not run without the ShowDetails parameter.
shutdown /s /t 1
What is the value of the TargetFilename inside the File Creation log (Event ID 11) generated by Atomic Test T1106-1?
C:\Users\Administrator\AppData\Local\Temp\2\T1106.exe
How many events are generated by executing the cleanup actions of Atomic T1105?
28
Video Walkthrough | TryHackMe Intro to Threat Emulation