October 22, 2021
Atomic Red Team Part 2: Using Atomic Red Team for Adversary Attack Emulation
In a previous blog post, we discussed using adversary emulation inside your environment to validate and improve your cyber defenses. We will walk through how to use an open-source tool to emulate attack techniques in your environment. Our open-source tool of choice is Atomic Red Team by Red Canary. Individual tests, referred to as atomics, can be manually executed directly on a system or through the PowerShell framework, Invoke-Atomic.
Atomic Red Team allows you to test over 200 different attack techniques. This tool is mapped to the MITRE ATT&CK framework, making it easy to pivot from threat profiles to emulation.
Before testing, note that it is not recommended to use Atomic Red Team on a production system as it may cause damage. Using a test system with production security controls and configurations will yield the best results.
Selecting and Manually Running Atomics
Since Atomic Red Team is mapped to the MITRE ATT&CK framework, you can emulate adversary behavior from each of the 14 enterprise tactics listed in the framework.
To emulate adversary behavior without installation, simply navigate to the Atomics directory of the Atomic Red Team GitHub repository and select a listed technique. Every technique in the “atomics” directory is labeled with an ID that corresponds to MITRE ATT&CK. These folders all have a markdown file that contains descriptions of the technique, the atomics available, and the associated commands.
You can execute the attack technique by running the listed Attack Commands on a supported Operating System with the specified account permissions. Running the atomic will either result in a successful execution or show an error indicating that security controls have prevented the technique from succeeding.
Automating and Installing Atomics
Atomic Red Team can also run via its execution framework, Invoke-Atomic, which is compatible with all operating systems that support PowerShell. The execution framework can be installed standalone or with a copy of the “atomics” folder.
Installing the Invoke-Atomic framework and atomic tests makes it easier to execute multiple atomics in quick succession.
This command will install Invoke-Atomic and download all Atomic tests to your test device:
“IEX (IWR 'https://raw.githubusercontent....' -UseBasicParsing); Install-AtomicRedTeam -getAtomics“
For more installation information, refer to the wiki on the Invoke Atomic Red Team GitHub page.
For this example, we have selected atomics mapped to the techniques outlined in the Datto Threat Management team’s threat profile on the LockBit ransomware group.
(Image shows the Execution stage ATT&CK IDs from Datto’s LockBit threat profile)
Reading through the markdown file for Scheduled Task/Job: Scheduled Task (T1053.005), it lists six atomics. For this post, we will be using test number 2.
First, you will want to launch PowerShell to execute the Invoke-Atomic module using the following command. It is important to note that all atomics will be referenced using the MITRE ATT&CK ID associated with the various tactics and techniques.
Invoke-AtomicTest T1053.005 -ShowDetailsBrief
Using the `-ShowDetailsBrief` flag will list out the individual tests inside this atomic. As mentioned above, we will be using test 2, which can be accessed by removing `-ShowDetailsBrief` and adding `-TestNumbers` and `-ShowDetails`
Invoke-AtomicTest T1053.005 -TestNumbers 2 -ShowDetails
Using the `-ShowDetails` flag will display information about the atomic test you are about to execute. Here, you can verify the description to understand the test and verify supported operating systems and prerequisites. Once ready, simply remove the flag `-ShowDetails` and execute the command.
Invoke-AtomicTest T1053.005 -TestNumbers 2
That simple command has emulated one technique that an adversary might run inside your environment. Depending on the outcome, you may want to reset and retest this technique. Resetting can easily be done by adding the `-cleanup` flag to the above command, which will revert the previous activity to allow for retesting.
Invoke-AtomicTest T1053.005 -TestNumbers 2 -cleanup
Once the clean-up is completed for your Atomics, you have successfully emulated an attack on your device and reset it to be ready for future attack emulations.
Hopefully, this walk-through has helped you see how easy it is to use attack technique emulation to validate your security controls and detection tools. Using attack technique emulation is an essential tool for making you and your customers more cyber resilient.