Performing Mitre Based Attack Simulations using Atomic Red Team

Testing your security tools can be a challenge.

Some effective ways to do this include:

  • Red Team – hire the pros who know how to do it.
  • Attack simulations – use tools that can safely simulate specific actions of an attacker and thus trigger your security tools to generate alerts.

Here’s a getting started guide to “Atomic Red Team”, a free tool from Red Canary which does an amazing job at generating simulated attacks that map directly to Mitre ATT&CK techniques.

This topic will focus on Windows based attack simulations along with Microsoft’s Defender for Endpoint EDR; however, the same approach applies to any EDR you may use.

If you’d like a proper background on using Atomic Red Team, see this presentation from Red Canary – the creators of this tool. Note there are links in this presentation to a lot of other related docs, so the information available is excellent.

WARNING: This tool will attempt to make changes to your local system, so please only use it on a lab workstation. None of the changes are harmful, but they may weaken the workstation’s security posture (e.g. disable logging or EDR).

Steps to install and use AtomicRedTeam on a Windows workstation/server running Microsoft Defender for Endpoint:

(Tip: You may need the Sysinternals Suite from Microsoft for some of your tests.)

  • In your Windows configuration, stop Defender from enforcing during the installation.
  • Run this command from an administrator PowerShell window. It will install the AtomicRedTeam framework:
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
  • Configure Defender with an exclusion for the folder c:\AtomicRedTeam
  • Install the AtomicRedTeam ‘atomic’ files (the per-technique test definitions):
Install-AtomicRedTeam -getAtomics

That’s it! Try it out: run these commands from your PowerShell window:

Invoke-AtomicTest T1003.002 – Attempt to dump SAM secrets
Invoke-AtomicTest T1548.002 – Bypass UAC
Invoke-AtomicTest T1562.001 – Attempt to disable security features
Invoke-AtomicTest T1218.011 – Attempt to disable Windows Defender Tamper 

Tip: after running each of the above commands, re-run them with the -Cleanup option to undo the changes the test made (e.g. Invoke-AtomicTest T1003.002 -Cleanup)
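As an added example (not from the original post, and not code from Red Canary or the Atomic Red Team project), the following PowerShell runbook strings the steps above together for a lab workstation: it makes sure the Defender exclusion exists, installs the framework only if the Invoke-AtomicTest command is not already available, and then runs each of the four techniques listed above with prerequisite fetching, an execution log and a cleanup pass, recording the start and finish time of each so the entries can be matched against the Defender for Endpoint alert timeline. The install path C:\AtomicRedTeam, the log file location, the module manifest path and the 300 second per-test timeout are assumptions of this example, not values from the post.

```powershell
# Added example: lab runbook for the Atomic Red Team steps in this post.
# Not code from the post or from the Atomic Red Team project.
# Assumed values (not from the post): install path, log path, manifest path, timeout.

#Requires -RunAsAdministrator

$InstallPath = 'C:\AtomicRedTeam'                               # assumed (default install location)
$LogPath     = Join-Path $InstallPath 'exec-log.csv'             # assumed log file location
$Manifest    = Join-Path $InstallPath 'invoke-atomicredteam\Invoke-AtomicRedTeam.psd1'  # assumed module path
$Techniques  = @('T1003.002', 'T1548.002', 'T1562.001', 'T1218.011')  # the techniques listed in the post

# Step 1 of the post (pausing Defender enforcement during install) is a manual
# step in the Windows Security settings and is deliberately not automated here.

# Step 3: Defender exclusion for the framework folder, added only if it is missing.
$exclusions = (Get-MpPreference).ExclusionPath
if ($exclusions -notcontains $InstallPath) {
    Add-MpPreference -ExclusionPath $InstallPath
}

# Steps 2 and 4: install the framework and the atomics if the command is not
# available. In a fresh PowerShell window the module usually only needs to be
# imported again, which is what the "re-install" tip in the post is about.
if (-not (Get-Command Invoke-AtomicTest -ErrorAction SilentlyContinue)) {
    if (Test-Path $Manifest) {
        Import-Module $Manifest -Force      # already on disk; just load it
    } else {
        IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
        Install-AtomicRedTeam -InstallPath $InstallPath -getAtomics
    }
}

# Run each technique: show what will run, fetch prerequisites, execute with a
# log, then clean up. The time window is kept so alerts can be correlated.
$windows = foreach ($t in $Techniques) {
    Write-Host "=== $t ==="
    Invoke-AtomicTest $t -ShowDetailsBrief                        # list the tests in this technique
    Invoke-AtomicTest $t -GetPrereqs                              # download/prepare anything the tests need
    $started = Get-Date
    Invoke-AtomicTest $t -ExecutionLogPath $LogPath -TimeoutSeconds 300
    Invoke-AtomicTest $t -Cleanup                                 # undo the changes the tests made
    [pscustomobject]@{ Technique = $t; Started = $started; Finished = Get-Date }
}

# Summary: one row per technique; compare these windows with the alerts
# raised in the Defender for Endpoint portal for this device.
$windows | Format-Table -AutoSize
```

Run it from an administrator PowerShell window on the lab machine only. The execution log (one row per atomic test, written by Invoke-AtomicTest) plus the Started/Finished table give you the evidence you need to check, technique by technique, whether your EDR raised an alert and how long it took.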

Tip: after you close your PowerShell window, you may need to run the install commands above again in the new window before Invoke-AtomicTest is available.

Tip: if you’re installing on Linux, it is recommended to install PowerShell first; you can then run the same commands as above. However, Linux supports a more limited set of tests, so run this command to see what’s available:

Invoke-AtomicTest All -ShowDetailsBrief

AtomicRedTeam Installation Reference:

Tip: Another way to easily test your security tools is by setting up ‘Active Defenses’, also referred to in part as ‘Deception’ techniques. Read my blog here.

Acknowledgements: Red Canary
