Atomic Red Team

Atomic Red Team is a library of tests mapped to the MITRE ATT&CK framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments.

ALWAYS read and understand commands from the atomic tests before executing them. They may leave your system in an undesirable state.

For full adversary emulation plans, use those from MITRE Engenuity’s Center for Threat Informed Defense (CTID). See the Adversary Emulation Library (GitHub).

Before Starting

Each technique directory contains the following: a YAML test file, a human-readable test file (.md), an optional src directory for source file dependencies, and an optional bin directory for binary dependencies.

  • Set up a test machine that mimics the build of your environment. Make sure your security solution is active.
  • Take a snapshot of your virtual machine (if applicable) before running the tests.

T1140 is a good test to start with. It has few dependencies and is not disruptive to the system.

Option 1: Execute tests manually

*** NO INSTALLATION REQUIRED ***

You can execute atomic tests directly from the command line. Test files are located in the atomics directory.

  • Choose a test to execute: All | Linux | Windows | MacOS
  • Open the test definition file, e.g. T1040.md
  • Install dependencies: run the commands from the Get Prereq Commands subheading.
  • Copy and paste the commands from the Attack Commands subheading.

Option 2: Execute tests with Invoke-AtomicRedTeam

Automatically run atomic tests using an execution framework like Invoke-AtomicRedTeam – a PowerShell module to execute tests as defined in the atomics folder of Red Canary’s Atomic Red Team project.

Prerequisites

On macOS or Linux, you must install PowerShell Core first.

Install on Kali Linux

By default, installing Invoke-AtomicRedTeam does not download the repository of atomic test definitions, which is often flagged by AV.
Add -getAtomics to the install command to download it as well.

pwsh
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -InstallPath "~/" -Force

Default installation path is ~/AtomicRedTeam. For more details, see Installing Invoke AtomicRedTeam.

Execute tests

pwsh

Import Module

Import-Module "~/AtomicRedTeam/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1" -Force

Set path to atomics (default path: ~/AtomicRedTeam/atomics)

$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="~/AtomicRedTeam/atomics"}

Show test details

Invoke-AtomicTest T1140 -ShowDetailsBrief
Invoke-AtomicTest T1140 -ShowDetails

Check test prerequisites (locally)

Invoke-AtomicTest T1140 -TestNumbers 3 -CheckPrereqs
Invoke-AtomicTest T1140 -TestName "Base64 decoding with Python" -CheckPrereqs
Invoke-AtomicTest T1140 -CheckPrereqs

Execute tests locally

Documentation

Test 3 and 5 from T1140

Invoke-AtomicTest T1140 -TestNumbers 3,5
Invoke-AtomicTest T1140 -TestNames "Base64 decoding with Python","Base64 decoding with shell utilities"

All tests for technique T1140

Invoke-AtomicTest T1140

Execute tests remotely

Execute Atomic Tests (Remote)

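# $sess must already hold a PowerShell remoting session to the target machine,
# created with New-PSSession (for example over SSH with -HostName and -UserName).
# Install any required prerequisites on the remote machine before test execution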
Invoke-AtomicTest T1140 -TestNumbers 3 -Session $sess -GetPrereqs
# Run atomic test T1140-3 on a remote machine
Invoke-AtomicTest T1140 -TestNumbers 3 -Session $sess

Test Detection

Note what information, if any, is collected by your security solution.

Cleanup

Run the commands in the Cleanup Commands subheading, or revert your virtual machine to its previous state (the snapshot taken before the test).
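
The Option 2 steps above tied together, as an added example (not code from the Atomic Red Team project): it prints a test's commands for review, asks for confirmation, runs the test, cleans up, and records the UTC time window to search for in your security solution. The function name Invoke-AtomicWithWindow, the CSV path and its columns are assumptions; -Cleanup is the Invoke-AtomicTest switch that runs a test's cleanup commands.

```powershell
# Added example. Assumes the module is imported and PathToAtomicsFolder is set as shown above.
function Invoke-AtomicWithWindow {    # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Technique,
        [Parameter(Mandatory)][int[]]$TestNumbers,
        [string]$NotesPath = "./atomic-detection-notes.csv"    # assumed output location
    )

    # Print the full commands first so they can be read before anything runs.
    Invoke-AtomicTest $Technique -TestNumbers $TestNumbers -ShowDetails
    $answer = Read-Host "Run $Technique test(s) $($TestNumbers -join ',')? (y/N)"
    if ($answer -ne 'y') { return }

    # Install whatever the selected tests need.
    Invoke-AtomicTest $Technique -TestNumbers $TestNumbers -GetPrereqs

    $start = (Get-Date).ToUniversalTime()
    try {
        Invoke-AtomicTest $Technique -TestNumbers $TestNumbers
    }
    finally {
        $end = (Get-Date).ToUniversalTime()
        # Run the test's cleanup commands even if execution failed part-way.
        Invoke-AtomicTest $Technique -TestNumbers $TestNumbers -Cleanup
    }

    # One row per run: the window to query, plus columns to fill in by hand.
    $record = [pscustomobject]@{
        Technique   = $Technique
        TestNumbers = $TestNumbers -join ','
        Host        = [Environment]::MachineName
        StartUtc    = $start.ToString('o')
        EndUtc      = $end.ToString('o')
        Detected    = ''    # fill in after checking alerts and telemetry
        Notes       = ''
    }
    $record | Export-Csv -Path $NotesPath -Append -NoTypeInformation
    $record
}

Invoke-AtomicWithWindow -Technique T1140 -TestNumbers 3
```

Search your security solution for events on the recorded host between StartUtc and EndUtc, then fill in the Detected and Notes columns.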