Atomic Red Team
Author: Stefan Waldvogel
Use Atomic Red Team to sharpen your skills
- in preparation-
Github:
https://github.com/redcanaryco/atomic-red-team/wiki
https://github.com/redcanaryco/atomic-red-team
Atomic Red Team allows every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries (all mapped to MITRE ATT&CK).
Overview
Atomic Red Team is used to test EDR and their configuration and cover the following techniques (in red):
Github:
https://github.com/redcanaryco/atomic-red-team/wiki
https://github.com/redcanaryco/atomic-red-team
Atomic Red Team allows every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries (all mapped to MITRE ATT&CK).
Overview
Atomic Red Team is used to test EDR and their configuration and cover the following techniques (in red):
source: https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
Each field has a specific number and Atomics have the same number.
First steps:
Please, if you follow this guide, use a test machine and not your main system.
Installation
A lot of these files are/ or look malicious, and therefore you have to switch real-time protection off (Virus&threat protection). After a restart, you have to switch of it again.
Each field has a specific number and Atomics have the same number.
First steps:
Please, if you follow this guide, use a test machine and not your main system.
Installation
A lot of these files are/ or look malicious, and therefore you have to switch real-time protection off (Virus&threat protection). After a restart, you have to switch of it again.
|
|
Install Atomic on a Windows test machine with Powershell:
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); Install-AtomicRedTeam -getAtomics
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); Install-AtomicRedTeam -getAtomics
Depending on the Windows 10 version you might get an error with running scripts is not allowed.
You can check your PowerShell Excecution policy with
Get-ExecutionPolicy -List
Get-ExecutionPolicy -List
The command to change the setting is:
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser
The option undefined is in fact "Restricted" and scripts cannot run. Our script runs with "Bypass" or "Unrestricted". If you pick "Bypass", the script runs without asking, "Unrestricted" is with a prompted permission.
In you change this setting in a productive environment, know what you are doing. Tools like Empire (a remote control tool, C2) use Powershell and changing this setting will hurt your security posture a lot.
Small excursion (optional knowledge) how to log Powershell
Remember, Windows 10 might not log all PowerShell commands, a hacker can do anything with your system and you do not have an idea.
Increasing the log size
wevtutil gl "Security" # Print the current parameters of the Security log provider
wevtutil sl "Security" /ms:100000000 # Set the security log maximum size to 100MB
The standard size is about 20MB and might be a bit small.
Enable Module Logging
-> These are PowerShell commands. Copy the full block and run it.
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging -Name EnableModuleLogging -PropertyType DWORD -Value 1
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames -Name '*' -PropertyType String -Value '*'
--> generates Windows EventIDs with the code 4103
Enable Script Block Logging
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Name ScriptBlockLogging -PropertyType DWORD -Value 1
--> generates Windows EventIDs with the code 4104
Enable Transcription
New-Item HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name EnableTranscripting -PropertyType DWORD -Value 1
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name EnableInvocationHeader -PropertyType DWORD -Value 1
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name OutputDirectory -PropertyType String -Value C:\PSHTranscripts
New-Item 'C:\PSHTranscripts' -ItemType "directory"
The logs are under "Applications and Services Logs" and "Security"
In you change this setting in a productive environment, know what you are doing. Tools like Empire (a remote control tool, C2) use Powershell and changing this setting will hurt your security posture a lot.
Small excursion (optional knowledge) how to log Powershell
Remember, Windows 10 might not log all PowerShell commands, a hacker can do anything with your system and you do not have an idea.
Increasing the log size
wevtutil gl "Security" # Print the current parameters of the Security log provider
wevtutil sl "Security" /ms:100000000 # Set the security log maximum size to 100MB
The standard size is about 20MB and might be a bit small.
Enable Module Logging
-> These are PowerShell commands. Copy the full block and run it.
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging -Name EnableModuleLogging -PropertyType DWORD -Value 1
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames -Name '*' -PropertyType String -Value '*'
--> generates Windows EventIDs with the code 4103
Enable Script Block Logging
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Name ScriptBlockLogging -PropertyType DWORD -Value 1
--> generates Windows EventIDs with the code 4104
Enable Transcription
New-Item HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name EnableTranscripting -PropertyType DWORD -Value 1
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name EnableInvocationHeader -PropertyType DWORD -Value 1
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name OutputDirectory -PropertyType String -Value C:\PSHTranscripts
New-Item 'C:\PSHTranscripts' -ItemType "directory"
The logs are under "Applications and Services Logs" and "Security"
----Excursion done---
Install the yaml modules
Install-Module -Name powershell-yaml
Install the yaml modules
Install-Module -Name powershell-yaml
Import the modules
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
Check if Atomic is installed:
Invoke-AtomicTest T1003 -ShowDetailsBrief
Invoke-AtomicTest T1003 -ShowDetailsBrief
The next step is to check the prerequisites with:
Invoke-AtomicTest T1003 -TestName 1 -CheckPrereqs
Invoke-AtomicTest T1003 -TestName 1 -CheckPrereqs
In this case, this prerequisite is not installed. PowerShell is weird, if you do not get anything back, everything is okay, here we see a line with text therefore this is not okay. We can use the command:
Invoke-AtomicTest T1003 -TestName 1 -GetPrereqs
to get it.
Invoke-AtomicTest T1003 -TestName 1 -GetPrereqs
to get it.
Now, we can run this test with::
Invoke-AtomicTest T1003 -TestName 1
Invoke-AtomicTest T1003 -TestName 1
Without an EDR/SIEM, the test was successful, we couldn't see an alarm. The attacker run this technique and he/she was not caught.
Two possible EDR's are Lima Charlie and Velociraptor, click the links to install the tools
Two possible EDR's are Lima Charlie and Velociraptor, click the links to install the tools
What of tests can we run?
Each platform is different, for Windows, we can use these tests:
github.com/redcanaryco/atomic-red-team/blob/master/atomics/Indexes/Indexes-Markdown/windows-index.md
The list is constantly growing.Now we can run some Atomics to see if we can see the attack.
For this part we have to think a deeper about the blue side. What is needed for an EDR to work successfully?
The answer is, each EDR is different. Some EDR watch logs other watch processes and others have a different approach. For the next tests, I use LimaCharlie and work together with Atomic Red Team. If you want to follow install a free LimaCharlie agent.
It is important to know, an EDR is very powerful and can detect much more then just Atomics. On my system, LimaCharlie (LC) was already installed and I changed the log file size.
This could be a malicious activity, because if the logs are very small, an attacker could hide his activity. LC detected this activity.
Each platform is different, for Windows, we can use these tests:
github.com/redcanaryco/atomic-red-team/blob/master/atomics/Indexes/Indexes-Markdown/windows-index.md
The list is constantly growing.Now we can run some Atomics to see if we can see the attack.
For this part we have to think a deeper about the blue side. What is needed for an EDR to work successfully?
The answer is, each EDR is different. Some EDR watch logs other watch processes and others have a different approach. For the next tests, I use LimaCharlie and work together with Atomic Red Team. If you want to follow install a free LimaCharlie agent.
It is important to know, an EDR is very powerful and can detect much more then just Atomics. On my system, LimaCharlie (LC) was already installed and I changed the log file size.
This could be a malicious activity, because if the logs are very small, an attacker could hide his activity. LC detected this activity.
How can we use this information for Atomic Red Team?
Atomic Red Team foundation is MITRE and each technique has a number. Changing the log size is a technique to delete log entries and therefore it has a number.
Atomic Red Team foundation is MITRE and each technique has a number. Changing the log size is a technique to delete log entries and therefore it has a number.
source: https://attack.mitre.org/techniques/T1070/001/
The matching Atomic look like this (github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md):
The matching Atomic look like this (github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md):
It looks exactly the same and we have three Atomics and we can use two of them. Word is not installed, something with VBA will not work.
The commands are:
Invoke-AtomicTest T1070.001 -ShowDetailsBrief
Invoke-AtomicTest T1070.001 -CheckPrereqs
The commands are:
Invoke-AtomicTest T1070.001 -ShowDetailsBrief
Invoke-AtomicTest T1070.001 -CheckPrereqs
As expected, I do not have Word installed, but I can run Test 1 and 2.
The command to run both tests is:
Invoke-AtomicTest T1070.001 -TestNumbers 1,2
The command to run both tests is:
Invoke-AtomicTest T1070.001 -TestNumbers 1,2
We can we see:
The Security log has a size of 97K because we changed it before, but all entries are gone. If you run this test in your environment, save the logs before you run the test!
It was possible to delete the logs. Nothing stopped us.
Now we have to do housekeeping and clean our mess up.
Invoke-AtomicTest T1070.001 -Cleanup
The Security log has a size of 97K because we changed it before, but all entries are gone. If you run this test in your environment, save the logs before you run the test!
It was possible to delete the logs. Nothing stopped us.
Now we have to do housekeeping and clean our mess up.
Invoke-AtomicTest T1070.001 -Cleanup
If we go back to our EDR, we should see two matching entries.
Our EDR (LimaCharlie) detected both Atomics. In the real world, we would write a Detection and Response rule -> LC could write a message, and someone gets informed about this incident.
The main goal of Atomic Red Team
We can use Atomic Red Team in a very structured way and test all useful Atomics and do it over and over. Each time, we can improve our infrastructure and it could look like this:
The main goal of Atomic Red Team
We can use Atomic Red Team in a very structured way and test all useful Atomics and do it over and over. Each time, we can improve our infrastructure and it could look like this:
source:https://atomicredteam.io/testing
Reason:
In a complex infrastructure it is not possible to improve everything in a short amount of time.
Mitigation
In our case, it was very easy to delete our logs. MITRE suggests three different ways to mitigate the problem:
Reason:
In a complex infrastructure it is not possible to improve everything in a short amount of time.
Mitigation
In our case, it was very easy to delete our logs. MITRE suggests three different ways to mitigate the problem:
We can move the logs to a different location, we change the permissions or we move all logs instantly to a different place, like a write-only drive
Conclusion
Atomic Red Team is a great way to test EDR's and a great way to improve your security.
I encourage you to do more tests. Play with your EDR and try to improve your security. This is called hardening.
Have fun.
Conclusion
Atomic Red Team is a great way to test EDR's and a great way to improve your security.
I encourage you to do more tests. Play with your EDR and try to improve your security. This is called hardening.
Have fun.
© 2021. This work is licensed under a CC BY-SA 4.0 license