Atomic Red Team

Atomic Red Team is a library of tests mapped to the MITRE ATT&CK framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments.

ALWAYS read and understand commands from the atomic tests before executing them. They may leave your system in an undesirable state.

For complete adversary emulation plans (rather than single atomic tests), use MITRE Engenuity’s Center for Threat Informed Defense (CTID) plans. See the Adversary Emulation Library (GitHub).

Before Starting

Each technique directory contains the following: a YAML test file, a human-readable test file (.md), an optional src directory for source file dependencies, and an optional bin directory for binary dependencies.

  • Set up a test machine that mimics the build of your environment. Make sure your security solution is active.
  • Take a snapshot of your virtual machine (if applicable) before running the tests.

T1140 is a good technique to start with: it has few dependencies and is not disruptive to the system.

Installation

By default, installing Invoke-AtomicRedTeam does not download the repository of atomic test definitions (the atomics folder), because its contents are often flagged by AV.
Add “-getAtomics” to download them as part of the installation.

Kali Linux

On macOS or Linux, install PowerShell Core (pwsh) first.

mkdir ~/AtomicRedTeam
pwsh
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -InstallPath "~/AtomicRedTeam" -Force

Windows

Add an exclusion in your antivirus software for folder “C:\Users\Public\AtomicRedTeam”.

pwsh -exec bypass

# Create installation folder
New-Item -Path "C:\Users\Public" -Name "AtomicRedTeam" -ItemType Directory

# IMPORTANT!!!
# ADD AN EXCLUSION FOR THIS FOLDER IN YOUR ANTIVIRUS SOFTWARE:
# C:\Users\Public\AtomicRedTeam

Install-Module -Name powershell-yaml -Scope AllUsers

IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);

Install-AtomicRedTeam -getAtomics -InstallPath "C:\Users\Public\AtomicRedTeam" -Force

Docker image

You can use the Docker container. See Docker.

docker run -it redcanary/invoke-atomicredteam:latest

Testing Manually

*** NO INSTALLATION REQUIRED ***

You can execute atomic tests directly from the command line. Test files are located in the atomics directory.

  • Choose a test to execute from the index: All | Linux | Windows | macOS
  • Open the test definition file, e.g. T1040.md
  • Install dependencies: run the commands from the Get Prereq Commands subheading.
  • Copy/paste the commands from the Attack Commands subheading.
  • Do the cleanup steps.
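Reading a test before running it is the point of the steps above, and the same information can be pulled directly from the technique's YAML file. The script below is an added example, not code from the Atomic Red Team project: it assumes the powershell-yaml module is installed, that the atomics folder is at ~/AtomicRedTeam/atomics (or the path you pass), and that the file follows the Atomic Red Team test schema (atomic_tests, input_arguments, dependencies, executor). It substitutes each input argument's default value into the #{name} placeholders, so the prerequisite, attack and cleanup commands are shown as they would run.

```powershell
# Added example, not part of the Atomic Red Team project.
# Lists every test in a technique's YAML definition with its prerequisite, attack and
# cleanup commands, so they can be reviewed before any of them is executed.
# Assumes: the powershell-yaml module is installed, and the YAML follows the
# Atomic Red Team test schema (atomic_tests / input_arguments / dependencies / executor).
function Get-AtomicTestSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Technique,
        [string]$AtomicsPath = "$HOME/AtomicRedTeam/atomics"   # assumed install location
    )
    Import-Module powershell-yaml -ErrorAction Stop

    $yamlFile = Join-Path $AtomicsPath (Join-Path $Technique "$Technique.yaml")
    $definition = Get-Content -Path $yamlFile -Raw | ConvertFrom-Yaml

    # Replace #{argument} placeholders with each input argument's default value,
    # which is what happens when no -InputArgs override is supplied.
    function Expand-AtomicCommand($Command, $InputArguments) {
        if (-not $Command) { return $null }
        foreach ($name in @($InputArguments.Keys)) {
            $Command = $Command.Replace("#{$name}", [string]$InputArguments[$name].default)
        }
        return $Command
    }

    $number = 0
    foreach ($test in $definition.atomic_tests) {
        $number++                                   # same numbering as -TestNumbers
        $inputs = if ($test.input_arguments) { $test.input_arguments } else { @{} }

        $prereqs = foreach ($dep in @($test.dependencies)) {
            if ($dep) {
                [pscustomobject]@{
                    Check   = Expand-AtomicCommand $dep.prereq_command $inputs
                    Install = Expand-AtomicCommand $dep.get_prereq_command $inputs
                }
            }
        }

        [pscustomobject]@{
            Technique         = $definition.attack_technique
            TestNumber        = $number
            Name              = $test.name
            Platforms         = ($test.supported_platforms -join ', ')
            Executor          = $test.executor.name
            ElevationRequired = [bool]$test.executor.elevation_required
            Prerequisites     = $prereqs
            AttackCommand     = Expand-AtomicCommand $test.executor.command $inputs
            CleanupCommand    = Expand-AtomicCommand $test.executor.cleanup_command $inputs
        }
    }
}

# Usage: show tests 3 and 5 of T1140 with their commands expanded
Get-AtomicTestSummary -Technique T1140 |
    Where-Object TestNumber -in 3, 5 |
    Format-List Technique, TestNumber, Name, Platforms, ElevationRequired, AttackCommand, CleanupCommand
```

The function returns objects rather than text, so the same output can be filtered by platform or elevation requirement, or exported to CSV to document which commands were approved for a test run.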

Testing with Invoke-AtomicRedTeam

Automatically run atomic tests using an execution framework like Invoke-AtomicRedTeam – a PowerShell module to execute tests as defined in the atomics folder of Red Canary’s Atomic Red Team project.

Import module – Kali Linux

pwsh

Import-Module "~/AtomicRedTeam/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1" -Force

# Set path to atomics (default path: ~/AtomicRedTeam/atomics)
$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="~/AtomicRedTeam/atomics"}

Import module – Windows

powershell

Import-Module "C:\Users\Public\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

# Set path to atomics
$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\Users\Public\AtomicRedTeam\atomics"}

Create PowerShell sessions (remote tests only)

$sessUser = New-PSSession -HostName MYCOMPUTERNAME -UserName "myuser"
$sessAdmin = New-PSSession -HostName MYCOMPUTERNAME -UserName "Administrator"

Show test details

# Locally
Invoke-AtomicTest T1140 -ShowDetailsBrief
Invoke-AtomicTest T1140 -ShowDetails

# Remotely
Invoke-AtomicTest T1140 -ShowDetailsBrief -Session $sessUser
Invoke-AtomicTest T1140 -ShowDetails -Session $sessUser

Check test prerequisites

# Locally
Invoke-AtomicTest T1140 -CheckPrereqs
Invoke-AtomicTest T1140 -TestNumbers 3 -CheckPrereqs
Invoke-AtomicTest T1140 -TestNames "Base64 decoding with Python" -CheckPrereqs

# Remotely
Invoke-AtomicTest T1140 -CheckPrereqs -Session $sessUser
Invoke-AtomicTest T1140 -TestNumbers 3 -CheckPrereqs -Session $sessUser
Invoke-AtomicTest T1140 -TestNames "Base64 decoding with Python" -CheckPrereqs -Session $sessUser

Install prerequisites

# Locally
Invoke-AtomicTest T1140 -TestNumbers 3 -GetPrereqs

# Remotely, install prerequisites on the remote machine
Invoke-AtomicTest T1140 -TestNumbers 3 -GetPrereqs -Session $sessUser

Execute tests

Tests 3 and 5 from T1140

# Locally
Invoke-AtomicTest T1140 -TestNumbers 3,5
Invoke-AtomicTest T1140 -TestNames "Base64 decoding with Python","Base64 decoding with shell utilities"

# Remotely
Invoke-AtomicTest T1140 -TestNumbers 3,5 -Session $sessUser

All tests for technique T1140

# Locally
Invoke-AtomicTest T1140

# Remotely
Invoke-AtomicTest T1140 -Session $sessUser

Cleanup

Run the commands in the Cleanup Commands subheading OR revert your virtual machine to the previous state (before test).

# Remotely
Invoke-Command -ScriptBlock { CLEANUP-COMMANDS } -Session $sessUser
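The sections above (check prerequisites, install prerequisites, execute, clean up) are one procedure, and for detection testing the useful extra piece is the time window of each test, so that EDR or SIEM alerts can be matched to the test that should have produced them. The function below is an added example, not part of the Invoke-AtomicRedTeam module. It assumes the module is imported and PathToAtomicsFolder is set as shown above; the -Cleanup and -ExecutionLogPath parameters are the module's own, while the function name and the window-log file name are constructed for this example.

```powershell
# Added example, not part of the Invoke-AtomicRedTeam module.
# Runs the full lifecycle for selected tests of one technique (install prerequisites,
# check them, execute, clean up) and records the execution window of each test so
# that alerts from the EDR/SIEM can be matched to the test that should have caused them.
# Assumes Invoke-AtomicRedTeam is imported and PathToAtomicsFolder is set as above.
function Invoke-AtomicDetectionRun {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Technique,
        [Parameter(Mandatory)][int[]]$TestNumbers,
        [System.Management.Automation.Runspaces.PSSession]$Session,              # remote runs only
        [string]$WindowLog    = "$HOME/atomic-windows.csv",                      # constructed file name
        [string]$ExecutionLog = "$HOME/Invoke-AtomicTest-ExecutionLog.csv"       # module's own CSV log
    )

    $remote = @{}
    if ($Session) { $remote.Session = $Session }
    $target = if ($Session) { $Session.ComputerName } else { [System.Net.Dns]::GetHostName() }

    foreach ($n in $TestNumbers) {
        # 1. Prerequisites: install them, then re-check (the check prints its result).
        Invoke-AtomicTest $Technique -TestNumbers $n -GetPrereqs @remote
        Invoke-AtomicTest $Technique -TestNumbers $n -CheckPrereqs @remote

        # 2. Execute and time the window; the execution log keeps the test GUID and name.
        $started = [DateTime]::UtcNow
        Invoke-AtomicTest $Technique -TestNumbers $n -ExecutionLogPath $ExecutionLog @remote
        $finished = [DateTime]::UtcNow

        # 3. Run the test's cleanup commands right away so the machine is not left modified.
        Invoke-AtomicTest $Technique -TestNumbers $n -Cleanup @remote

        $window = [pscustomobject]@{
            Target     = $target
            Technique  = $Technique
            TestNumber = $n
            StartUtc   = $started.ToString('o')
            EndUtc     = $finished.ToString('o')
        }
        $window | Export-Csv -Path $WindowLog -Append -NoTypeInformation
        $window
    }
}

# Usage (local): tests 3 and 5 of T1140
Invoke-AtomicDetectionRun -Technique T1140 -TestNumbers 3, 5

# Usage (remote): the same tests through the session created above
# Invoke-AtomicDetectionRun -Technique T1140 -TestNumbers 3, 5 -Session $sessUser
```

Timestamps are written in UTC so they line up with log sources that are not in the local time zone; when checking detections, query the EDR or SIEM for the Target host between StartUtc and EndUtc of each row.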

Setup for Remote Execution

Setup remote computer (Windows)

Upgrade PowerShell to v7

PowerShell Remoting over SSH requires PowerShell version 6 or higher. Installation for v7 will be in “C:\Program Files\PowerShell\7”.

Log in as an administrator; winget will not find the package for standard users. Open cmd.exe as Administrator.

powershell $PSVersionTable
winget search Microsoft.PowerShell
winget install --id Microsoft.PowerShell --source winget

Enable PowerShell Remoting & WinRM

Open cmd.exe as Administrator.

powershell
Enable-PSRemoting -SkipNetworkProfileCheck -Force
Set-Service WinRM -StartMode Automatic
Restart-Service -Force WinRM
Get-Service -Name "*WinRM*" | select status
# Enable Negotiate (NTLM/Kerberos) authentication; it should be enabled by default
winrm get winrm/config/service/Auth
winrm set winrm/config/service/Auth @{Negotiate="true"}

Setup PowerShell Remoting over SSH

Open cmd.exe as Administrator.

powershell
Get-Service sshd

# If not installed
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Set-Service -Name sshd -StartupType Automatic
Start-Service sshd
Get-Service sshd

Uncomment “PasswordAuthentication yes” in the configuration file to enable password authentication.

notepad C:\ProgramData\ssh\sshd_config
PasswordAuthentication yes

Add this line to create the SSH subsystem that hosts a PowerShell process on the remote computer.

There is a bug with spaces in the path; use “PROGRA~1” instead of “Program Files”.

Subsystem powershell C:/PROGRA~1/PowerShell/7/pwsh.exe -sshs -nologo

Save the changes and restart the sshd service.

Restart-Service sshd
Get-Service sshd

Setup Firewall rules

By default, firewall rules should be OK for WinRM and SSH services. Continue setup and configure firewall later only if blocked.

Open cmd.exe as Administrator.

netsh advfirewall show currentprofile

If profile says “BlockInbound”, enable inbound rules for WinRM and SSH.

powershell
Get-NetFirewallRule -Name "OpenSSH*"
Get-NetFirewallRule -Name "WINRM*"
New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -RemoteAddress x.x.x.x
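The SSH remoting setup and the firewall step above are easy to get subtly wrong (a commented-out subsystem line, a path with spaces, a rule that exists but is disabled), so a check that verifies each piece is worth having. The function below is an added example, not part of the page's procedure or of the OpenSSH or PowerShell projects: run it in an elevated PowerShell on the remote Windows computer after the steps above. It assumes the default sshd_config location and the firewall rule name used above; the sshd_config directives it reads are standard OpenSSH.

```powershell
# Added example, not part of the page's procedure or of the OpenSSH/PowerShell projects.
# Verifies the Windows side of PowerShell remoting over SSH as configured above:
# pwsh 7 present, sshd running and automatic, an active "Subsystem powershell" line that
# points at an existing pwsh.exe without spaces in its path and keeps -sshs, password
# authentication not disabled, and an enabled inbound rule plus a listener on TCP 22.
function Test-PwshSshRemotingSetup {
    [CmdletBinding()]
    param(
        [string]$SshdConfig = 'C:\ProgramData\ssh\sshd_config',   # default Windows OpenSSH location
        [string]$FirewallRuleName = 'OpenSSH-Server-In-TCP'       # rule name used above
    )
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
    }

    # PowerShell 7 install that the subsystem line should reference
    $pwsh = 'C:\Program Files\PowerShell\7\pwsh.exe'
    Add-Check 'pwsh 7 installed' (Test-Path $pwsh) $pwsh

    # sshd service state
    $svc = Get-Service -Name sshd -ErrorAction SilentlyContinue
    Add-Check 'sshd running'   ($svc -and $svc.Status -eq 'Running') "$($svc.Status)"
    Add-Check 'sshd automatic' ($svc -and $svc.StartType -eq 'Automatic') "$($svc.StartType)"

    # sshd_config: only active (uncommented) lines count
    $lines = @()
    if (Test-Path $SshdConfig) { $lines = Get-Content -Path $SshdConfig }
    $active = $lines | Where-Object { $_ -notmatch '^\s*#' }

    $subsystem = $active | Where-Object { $_ -match '^\s*Subsystem\s+powershell\s' } | Select-Object -First 1
    $subOk = $false; $subDetail = 'no active "Subsystem powershell" line'
    if ($subsystem -and $subsystem -match '^\s*Subsystem\s+powershell\s+(\S+)\s*(.*)$') {
        $exe = $Matches[1]; $rest = $Matches[2]
        # A path with spaces is split here: the first token is not a file, so the check fails.
        $subOk = (Test-Path $exe) -and ($rest -match '(^|\s)-sshs(\s|$)')
        $subDetail = if ($subOk) { $subsystem.Trim() } else { "path '$exe' not found or -sshs missing (spaces in path?)" }
    }
    Add-Check 'powershell subsystem' $subOk $subDetail

    $pwdAuth = $active | Where-Object { $_ -match '^\s*PasswordAuthentication\s+\S+' } | Select-Object -Last 1
    $pwdOk = $true; $pwdDetail = 'not set explicitly (OpenSSH default is yes)'
    if ($pwdAuth -and $pwdAuth -match '^\s*PasswordAuthentication\s+(\S+)') {
        $pwdOk = $Matches[1] -eq 'yes'
        $pwdDetail = $pwdAuth.Trim()
    }
    Add-Check 'password authentication' $pwdOk $pwdDetail

    # Firewall rule enabled, and sshd actually bound to port 22
    $rule = Get-NetFirewallRule -Name $FirewallRuleName -ErrorAction SilentlyContinue
    Add-Check 'inbound firewall rule' ($rule -and $rule.Enabled -eq 'True') $FirewallRuleName
    $listener = Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue
    Add-Check 'sshd listening on 22' ([bool]$listener) (($listener.LocalAddress | Select-Object -Unique) -join ', ')

    return $results
}

# Usage (elevated PowerShell on the remote computer)
Test-PwshSshRemotingSetup | Format-Table -AutoSize
```

A failed "powershell subsystem" row with a detail mentioning a path that stops at "C:/Program" is the spaces-in-path problem described above; a passing table with a failing connection from Kali usually points at the firewall profile or at the username format (no "WORKGROUP" prefix).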

Setup Attacker (Kali Linux)

Install Atomic Red Team on Kali Linux. See installation steps above.

Setup WSMan

sudo pwsh
Install-Module -Name PSWSMan
Install-WSMan
exit

Test Connection

Do NOT put “WORKGROUP” in the username.

pwsh
Invoke-Command -HostName MYCOMPUTERNAME -UserName "myuser" -ScriptBlock { $PSVersionTable }
pwsh
$sess = New-PSSession -HostName MYCOMPUTERNAME -UserName "myuser"

Troubleshooting

If the OpenSSH service does not start on Windows: change the permissions of the folder “C:\ProgramData\ssh\logs”. Remove everyone except SYSTEM and the Administrators group. The service should start after that.

evil-winrm -i x.x.x.x -u WORKGROUP\\myuser # Escape backslash
ssh domain\username@servername
ssh myuser@servername # Do not put "WORKGROUP"
ssh myuser@x.x.x.x    # Do not put "WORKGROUP"

AtomicTestHarnesses

PowerShell module (Windows) and Python package (macOS and Linux) that simulate and validate attack technique execution.

Installation

Install latest version from GitHub. Some tests are missing from the PSGallery version.

List installations of AtomicTestHarnesses (PSGallery)

Get-Module -Name AtomicTestHarnesses -ListAvailable

Windows

Add an exclusion in your antivirus software for folder “C:\Users\Public\AtomicTestHarnesses”.

  • Using a web browser, download AtomicTestHarnesses (GitHub).
  • Open the ZIP file and copy content of AtomicTestHarnesses-master folder into C:\Users\Public\AtomicTestHarnesses.
  • The downloaded files carry the mark of the web and will be blocked as untrusted. Unblock them:
pwsh -exec bypass
Get-ChildItem -Path C:\Users\Public\AtomicTestHarnesses -Recurse | Unblock-File

Usage

Import the module

pwsh -exec bypass
Import-Module C:\Users\Public\AtomicTestHarnesses\AtomicTestHarnesses.psd1

List of available functions

Get-Command -Module AtomicTestHarnesses

Help

Get-Help -Name <function name> -Full

Test example

Add “-Verbose” to troubleshoot.

Invoke-ATHCompiledHelp -InfoTechStorageHandler its -HHFilePath $env:windir\hh.exe -CHMFilePath C:\Users\Public\AtomicRedTeam\atomics\T1218.001\src\T1218.001.chm

Remote tests

Create PowerShell sessions

$sessUser = New-PSSession -HostName MYCOMPUTERNAME -UserName "myuser"
$sessAdmin = New-PSSession -HostName MYCOMPUTERNAME -UserName "Administrator"

Tests

Invoke-Command -ScriptBlock { Import-Module C:\Users\Public\AtomicTestHarnesses\AtomicTestHarnesses.psd1 } -Session $sessUser

Invoke-Command -ScriptBlock { Get-Command -Module AtomicTestHarnesses } -Session $sessUser