CYBERSECURITY JOB HUNTING GUIDE
LimaCharlie vs Atomic Red Team
Author: Stefan Waldvogel
Gaining hands-on experience with the evaluation of an EDR
--all things in this area are under construction--
This area is all about LimaCharlie vs. Atomic Red Team.
What is LimaCharlie?
LimaCharlie is a professional, cloud-based EDR. It offers two free companies, and each of them has two free agents.
What is Atomic Red Team?
Atomic Red Team is an open-source framework for red team engagements. Its tests are mapped to MITRE ATT&CK techniques, and it offers a wide variety of them.
Why?
Usually, it is hard to get hands-on experience with a professional EDR. If you have hands-on experience with, e.g., VMware's Carbon Black (a different cloud-based EDR), your value on the job market is high. With this test, I will gain a wide variety of skills:
- learn how to set up a working lab environment with Active Directory
- activate logging on the client and the server
- learn how to use an EDR
- learn how to use Atomic Red Team
- better understanding of what happens if I execute an Atomic -> very useful for understanding real attacks
- I will not install a SIEM like Splunk or ELK, but I will see the impact (artifacts) in the log files, so I can use any SIEM with the help of Sigma rules. I keep it simple; I can add Security Onion later.
Should you do this or something similar in your home lab?
It depends on your goal. If you are targeting a SOC Analyst position, setting up a lab, installing EDR agents, activating all the logging, finding all the bugs (logging, setup, configuration), using tools to see the attack, and so on is definitely not something you do in a SOC Level 1 position.
In a real company, these tasks are split across several roles:
- Security Architects (they design the structure and take care of the configuration)
- Security Engineers (they see the problems, try to understand the bigger picture and stop the attack)
- a red team member or pen tester who runs the Atomics
- many more people on the blue side
- the sysadmins (they take care of the servers and clients)
- the network admins
During this test, we are a bit all of them.
-> In small companies you might work in a multi-hat role, but as a beginner this is not where you start.
Can you follow the steps?
Yes, but I will not show how to get an IP address or similarly basic things. I show things like installing and configuring a Domain Controller, joining machines to a domain, and changing logging settings, but you should already have basic knowledge. I do not show each step, but if you understand the logic, you are fine.
Structure
© 2021. This work is licensed under a CC BY-SA 4.0 license