Atomic Red Team is a library of tests mapped to the MITRE ATT&CK framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments.
- Official Documentation (GitHub)
- Atomics (Atomic Red Team)
ALWAYS read and understand commands from the atomic tests before executing them. They may leave your system in an undesirable state.
Use MITRE Engenuity’s Center for Threat Informed Defense (CTID) plans. See Adversary Emulation Library (GitHub).
Before Starting
Each technique directory contains the following: a YAML test file, a human-readable test file (.md), an optional src directory for source file dependencies, and an optional bin directory for binary dependencies.
- Set up a test machine that mimics the build of your environment. Make sure your security solution is active.
- Take a snapshot of your virtual machine (if applicable) before running the tests.
T1140 is a good test to start. It has few dependencies and is not disruptive to the system.
Option 1: Execute tests manually
*** NO INSTALLATION REQUIRED ***
You can execute atomic tests directly from the command line. Test files are located in the atomics directory.
- Choose a test to execute: All | Linux | Windows | MacOS
- Open the test definition file, e.g. T1040.md
- Install dependencies: run the commands from the Get Prereq Commands subheading.
- Copy/Paste commands from the Attack Commands subheading.
Option 2: Execute tests with Invoke-AtomicRedTeam
Automatically run atomic tests using an execution framework like Invoke-AtomicRedTeam – a PowerShell module to execute tests as defined in the atomics folder of Red Canary’s Atomic Red Team project.
Prerequisites
If using on MacOS or Linux you must install PowerShell Core first.
Install on Kali Linux
By default, installing Invoke-AtomicRedTeam does not download the repository of atomic test definitions, because those files are often flagged by AV. Add "-getAtomics" to download them as well.
pwsh
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -InstallPath "~/" -Force
Default installation path is ~/AtomicRedTeam. For more details, see Installing Invoke AtomicRedTeam.
Execute tests
pwsh
# Import the module (forward slashes work on Windows, Linux and MacOS)
Import-Module "~/AtomicRedTeam/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1" -Force
# Set path to atomics (default path: ~/AtomicRedTeam/atomics)
$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="~/AtomicRedTeam/atomics"}
# Show test details
Invoke-AtomicTest T1140 -ShowDetailsBrief
Invoke-AtomicTest T1140 -ShowDetails
# Check test prerequisites (locally)
Invoke-AtomicTest T1140 -TestNumbers 3 -CheckPrereqs
Invoke-AtomicTest T1140 -TestNames "Base64 decoding with Python" -CheckPrereqs
Invoke-AtomicTest T1140 -CheckPrereqs
# Execute tests locally
# Tests 3 and 5 from T1140
Invoke-AtomicTest T1140 -TestNumbers 3,5
Invoke-AtomicTest T1140 -TestNames "Base64 decoding with Python","Base64 decoding with shell utilities"
# All tests for technique T1140
Invoke-AtomicTest T1140
Execute tests remotely
# $sess is an existing PowerShell remoting session (PSSession) to the target machine
# Install any required prerequisites on the remote machine before test execution
Invoke-AtomicTest T1140 -TestNumbers 3 -Session $sess -GetPrereqs
# Run atomic test T1140-3 on a remote machine
Invoke-AtomicTest T1140 -TestNumbers 3 -Session $sess
Test Detection
Note what information, if any, is collected by your security solution.
Cleanup
Run the commands in the Cleanup Commands subheading OR revert your virtual machine to the previous state (before test).
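The following is an added example, not code from the Atomic Red Team or Invoke-AtomicRedTeam projects. It ties the Test Detection and Cleanup steps together: one atomic test is run with Invoke-AtomicTest, the test's own cleanup commands are run via the -Cleanup switch, and the host telemetry produced during the test window is collected so it can be compared with what the security solution reported. It assumes Invoke-AtomicRedTeam is already imported as shown above, and that the Windows event logs it queries (Sysmon, Security 4688, PowerShell 4104) or, on Linux, the systemd journal are present; missing logs are skipped. The function names Invoke-AtomicTestWithTelemetry and Get-TestWindowTelemetry are this example's own.

```powershell
# Added example, not part of Atomic Red Team or Invoke-AtomicRedTeam.
# Runs one atomic test, cleans up, and collects the telemetry produced
# while the test ran so it can be checked against the security solution.
function Invoke-AtomicTestWithTelemetry {
    param(
        [Parameter(Mandatory)][string]$Technique,   # e.g. "T1140"
        [Parameter(Mandatory)][int]$TestNumber,     # e.g. 3
        [switch]$SkipCleanup                        # keep artifacts for manual inspection
    )

    # Confirm prerequisites first so the captured window only contains the
    # attack commands, not failed dependency installs.
    Invoke-AtomicTest $Technique -TestNumbers $TestNumber -CheckPrereqs

    $start = (Get-Date).AddSeconds(-2)   # small margin for timestamp skew between logs
    Invoke-AtomicTest $Technique -TestNumbers $TestNumber
    $end = (Get-Date).AddSeconds(2)

    if (-not $SkipCleanup) {
        # Runs the test's own cleanup commands (the Cleanup Commands subheading)
        Invoke-AtomicTest $Technique -TestNumbers $TestNumber -Cleanup
    }

    Get-TestWindowTelemetry -Start $start -End $end
}

function Get-TestWindowTelemetry {
    param([datetime]$Start, [datetime]$End)

    # $IsWindows exists in pwsh; the OS check covers Windows PowerShell 5.1 too
    if ($IsWindows -or $env:OS -eq 'Windows_NT') {
        # Sysmon only exists if installed, and Security 4688 only appears when
        # process creation auditing is enabled; missing logs are skipped.
        $filters = @(
            @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; StartTime = $Start; EndTime = $End },
            @{ LogName = 'Security'; Id = 4688; StartTime = $Start; EndTime = $End },
            @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Start; EndTime = $End }
        )
        foreach ($f in $filters) {
            $events = @(Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue)
            Write-Host ("[{0}] {1} event(s) in test window" -f $f.LogName, $events.Count)
            # Per-ID counts make it obvious which telemetry the test generated
            $events | Group-Object Id | ForEach-Object {
                Write-Host ("    EventID {0}: {1}" -f $_.Name, $_.Count)
            }
            # Emit the events themselves so they can be exported or searched
            $events | Select-Object TimeCreated, Id, LogName,
                @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
        }
    }
    else {
        # Linux: read the systemd journal for the window. Sysmon for Linux logs
        # there via syslog; auditd keeps its own file under /var/log/audit and
        # would need ausearch with the same time window (macOS is not handled).
        $fmt   = 'yyyy-MM-dd HH:mm:ss'
        $since = $Start.ToString($fmt)
        $until = $End.ToString($fmt)
        journalctl --since $since --until $until --no-pager 2>$null
    }
}

# Usage: run T1140 test 3 locally, then export the captured telemetry
# Invoke-AtomicTestWithTelemetry -Technique T1140 -TestNumber 3 |
#     Export-Csv ./T1140-3-telemetry.csv -NoTypeInformation
```

Cleanup runs after the end timestamp is taken, so the cleanup commands do not pollute the captured window. If the security solution reported nothing while the host logs in the window show the process creation or script block events, the gap is in detection content rather than in telemetry collection.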