CYBERSECURITY JOB HUNTING GUIDE

Atomic Red Team

Author: Stefan Waldvogel

Use Atomic Red Team to sharpen your skills

- in preparation-
GitHub:
https://github.com/redcanaryco/atomic-red-team/wiki
https://github.com/redcanaryco/atomic-red-team
Atomic Red Team allows every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries (all mapped to MITRE ATT&CK).

Overview
Atomic Red Team is used to test EDRs and their configuration; the ATT&CK Navigator layer below marks the techniques it covers (in red):
source: https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json

Each cell in the matrix is a technique with its own ID, and the Atomics use the same IDs.

First steps:
Please, if you follow this guide, use a test machine and not your main system.

Installation
Many of these files are, or look, malicious, so you have to switch real-time protection off (Virus & threat protection). Windows turns it back on after a restart, so you have to switch it off again.
Install Atomic on a Windows test machine with PowerShell:
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); Install-AtomicRedTeam -getAtomics
Depending on the Windows 10 version, you might get an error that running scripts is not allowed.
You can check your PowerShell execution policy with:
Get-ExecutionPolicy -List
The command to change the setting is:
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser
The option "Undefined" effectively means "Restricted", and scripts cannot run. Our script runs with "Bypass" or "Unrestricted": with "Bypass" the script runs without asking, with "Unrestricted" you are prompted for permission.
If you change this setting in a production environment, know what you are doing. Tools like Empire (a remote-control tool, a C2 framework) use PowerShell, and changing this setting will hurt your security posture a lot.

Small excursion (optional knowledge): how to log PowerShell
Remember, Windows 10 might not log all PowerShell commands by default; a hacker can then do anything with your system and you have no idea.

Increasing the log size
wevtutil gl "Security"                # Print the current parameters of the Security log provider
wevtutil sl "Security" /ms:100000000  # Set the security log maximum size to 100MB
The standard size is about 20MB and might be a bit small.

Enable Module Logging
-> These are PowerShell commands. Copy the full block and run it.
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging -Name EnableModuleLogging -PropertyType DWORD -Value 1
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames -Name '*' -PropertyType String -Value '*'

--> generates Windows events with Event ID 4103

Enable Script Block Logging
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Name EnableScriptBlockLogging -PropertyType DWORD -Value 1

--> generates Windows events with Event ID 4104

Enable Transcription
New-Item HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name EnableTranscripting -PropertyType DWORD -Value 1
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name EnableInvocationHeader -PropertyType DWORD -Value 1
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name OutputDirectory -PropertyType String -Value C:\PSHTranscripts
New-Item 'C:\PSHTranscripts' -ItemType "directory"

The logs are under "Applications and Services Logs" and "Security".
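As an added check (example code, not from the original guide), the following PowerShell script reads back the three policy keys configured above, reports whether each is enabled, confirms the transcript directory exists, and counts the 4103/4104 events that have arrived in the PowerShell operational log. It assumes the same registry paths as above and an elevated session.

```powershell
# Added example (not part of the original guide): verify the PowerShell logging
# policies set above and confirm that 4103/4104 events are actually being written.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyState {
    param([string]$Key, [string]$Name)
    # A missing key or value means the policy is not configured, which Windows treats as off.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item)   { return 'not configured' }
    if ($item.$Name -eq 1) { return 'enabled' }
    return 'disabled'
}

$checks = @(
    @{ Name = 'EnableModuleLogging';      Key = "$base\ModuleLogging" }
    @{ Name = 'EnableScriptBlockLogging'; Key = "$base\ScriptBlockLogging" }
    @{ Name = 'EnableTranscripting';      Key = "$base\Transcription" }
)
foreach ($c in $checks) {
    '{0,-26} {1}' -f $c.Name, (Get-PolicyState -Key $c.Key -Name $c.Name)
}

# Transcription only helps if the output directory exists and is being written to.
$dir = (Get-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -ErrorAction SilentlyContinue).OutputDirectory
if ($dir -and (Test-Path $dir)) {
    'Transcripts in {0}: {1} file(s)' -f $dir, (Get-ChildItem $dir -Recurse -File | Measure-Object).Count
} else {
    'Transcript directory missing or not set: {0}' -f $dir
}

# Module logging writes 4103 and script block logging writes 4104 to this operational log.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4103, 4104
    StartTime = $since
} -ErrorAction SilentlyContinue

$events | Group-Object Id | ForEach-Object {
    'Event ID {0}: {1} event(s) since {2}' -f $_.Name, $_.Count, $since
}

# Print the newest script blocks so you can see what is being captured.
# For 4104 events, Properties[2] holds the script block text.
$events | Where-Object Id -eq 4104 | Select-Object -First 5 | ForEach-Object {
    $text = ($_.Properties[2].Value -replace '\s+', ' ')
    if ($text.Length -gt 120) { $text = $text.Substring(0, 120) + '...' }
    '{0}  {1}' -f $_.TimeCreated, $text
}
```

If the first three lines do not all say "enabled", the registry commands above did not take effect; if they do but no 4104 events appear, open a new PowerShell window and run a command before re-checking, because the policy applies to sessions started after it was set.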
----Excursion done---


Install the YAML module:
Install-Module -Name powershell-yaml

Import the module:
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

Check that Atomic is installed:
Invoke-AtomicTest T1003 -ShowDetailsBrief
The next step is to check the prerequisites with:
Invoke-AtomicTest T1003 -TestName 1 -CheckPrereqs

In this case, this prerequisite is not installed. PowerShell is odd here: if you get nothing back, everything is okay; here we see a line with text, so something is missing. We can use the command:
Invoke-AtomicTest T1003 -TestName 1 -GetPrereqs
to get it.
Now we can run this test with:
Invoke-AtomicTest T1003 -TestName 1
Without an EDR/SIEM, the test was successful: we did not see an alarm. The attacker ran this technique and was not caught.

Two possible EDRs are LimaCharlie and Velociraptor; click the links to install the tools:
EDR Lima Charlie
EDR Velociraptor
What kind of tests can we run?
Each platform is different, for Windows, we can use these tests:
github.com/redcanaryco/atomic-red-team/blob/master/atomics/Indexes/Indexes-Markdown/windows-index.md

The list is constantly growing. Now we can run some Atomics to see whether we can spot the attack.

For this part we have to think a bit deeper about the blue side. What is needed for an EDR to work successfully?
The answer is: each EDR is different. Some EDRs watch logs, others watch processes, and others have a different approach. For the next tests, I use LimaCharlie together with Atomic Red Team. If you want to follow along, install a free LimaCharlie agent.

It is important to know that an EDR is very powerful and can detect much more than just Atomics. On my system, LimaCharlie (LC) was already installed, and I changed the log file size.
This could be malicious activity, because if the logs are very small, an attacker could hide his activity. LC detected this activity.
How can we use this information for Atomic Red Team?
Atomic Red Team is built on MITRE ATT&CK, and each technique has a number. Changing the log size is a technique to delete log entries and therefore it has a number:
source: https://attack.mitre.org/techniques/T1070/001/

The matching Atomic looks like this (github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md):
It looks exactly the same. We have three Atomics and we can use two of them; Word is not installed, so the one using VBA will not work.
The commands are:
Invoke-AtomicTest T1070.001 -ShowDetailsBrief
Invoke-AtomicTest T1070.001 -CheckPrereqs
As expected, I do not have Word installed, but I can run Test 1 and 2.
The command to run both tests is:
Invoke-AtomicTest T1070.001 -TestNumbers 1,2
What we see:
The Security log has a size of 97K because we changed it before, but all entries are gone. If you run this test in your environment, save the logs before you run the test!
It was possible to delete the logs. Nothing stopped us.

Now we have to do housekeeping and clean our mess up.
Invoke-AtomicTest T1070.001 -Cleanup
If we go back to our EDR, we should see two matching entries.
Our EDR (LimaCharlie) detected both Atomics. In the real world, we would write a Detection and Response rule so that LC sends a message and someone gets informed about this incident.
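The same run as a purple-team loop, as an added example that is not part of the original guide: it exports the Security and System logs before the test (the guide warns that the entries will be gone), runs tests 1 and 2, checks for the events Windows itself writes when a log is cleared, and then runs the cleanup. It assumes Invoke-AtomicRedTeam is imported as shown earlier, an elevated PowerShell on a test VM, and a made-up backup directory.

```powershell
# Added example (not part of the original guide): run the T1070.001 atomics above
# with evidence preservation and a built-in detection check, then clean up.
$technique = 'T1070.001'
$backupDir = 'C:\AtomicBackups'   # constructed path for this example
New-Item -Path $backupDir -ItemType Directory -Force | Out-Null

# 1. Preserve evidence: export the logs the tests will clear. The .evtx files can be
#    opened later in Event Viewer (Action > Open Saved Log).
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($log in 'Security', 'System') {
    wevtutil epl $log (Join-Path $backupDir "$log-$stamp.evtx")
}

# 2. Run the two atomics that work without Word, exactly as in the guide.
$started = (Get-Date).AddSeconds(-1)
Invoke-AtomicTest $technique -TestNumbers 1,2

# 3. Detect without an EDR: clearing the Security log writes Event ID 1102
#    ("The audit log was cleared") into the fresh Security log; clearing any other
#    log writes Event ID 104 ("The ... log file was cleared") into the System log.
#    Both come from the Microsoft-Windows-Eventlog provider, so a SIEM rule on these
#    two IDs catches this technique even when the attacker's own entries are gone.
$hits = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $started } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $started } -ErrorAction SilentlyContinue
)

if ($hits.Count -eq 0) {
    'No 1102/104 events found: either the tests did not run, or log-clearing events are not being recorded.'
} else {
    $hits | ForEach-Object {
        '{0}  {1}  ID {2}  {3}' -f $_.TimeCreated, $_.LogName, $_.Id, ($_.Message -split "`n")[0]
    }
}

# 4. Housekeeping, as in the guide.
Invoke-AtomicTest $technique -Cleanup
```

Compare the 1102/104 hits with what LimaCharlie reports for the same run: the Windows events are the minimum signal a SIEM should alert on, while the EDR additionally sees the process (wevtutil or PowerShell) that cleared the log.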

The main goal of Atomic Red Team
We can use Atomic Red Team in a very structured way and test all useful Atomics and do it over and over. Each time, we can improve our infrastructure and it could look like this:
source: https://atomicredteam.io/testing

Reason:
In a complex infrastructure it is not possible to improve everything in a short amount of time.

Mitigation
In our case, it was very easy to delete our logs. MITRE suggests three different ways to mitigate the problem:
We can move the logs to a different location, change the permissions, or forward all logs instantly to a different place, like a write-only drive.

Conclusion

Atomic Red Team is a great way to test EDRs and a great way to improve your security.
I encourage you to do more tests. Play with your EDR and try to improve your security. This is called hardening.
Have fun.
© 2021. This work is licensed under a CC BY-SA 4.0 license.