Performing Mitre Based Attack Simulations using Atomic Red Team

Testing your security tools can be a challenge.

Some effective ways to do this include:

  • Red Team – hire the pros who know how to do it.
  • Attack simulations – use tools that can safely simulate specific actions of an attacker and thus trigger your security tools to generate alerts.

Here’s a getting-started guide to “Atomic Red Team”, a free tool from Red Canary that does an amazing job of generating simulated attacks which map directly to Mitre ATT&CK techniques.

This topic will focus on Windows-based attack simulations together with Microsoft’s Defender for Endpoint EDR; however, the same approach applies to any EDR you may use.

If you’d like a proper background on using Atomic Red Team, see this presentation from Red Canary – the creators of this tool. Note there are links in this presentation to a lot of other related docs, so the information available is excellent.

WARNING: This tool will attempt to make changes to your local system, so please only use it on a lab workstation. None of the changes are harmful, but they may weaken the workstation’s security posture (e.g. by disabling logging or the EDR).

Steps to install and use AtomicRedTeam on a Windows workstation/server running Microsoft Defender for Endpoint:

(Tip: You may need the Sysinternals Suite from Microsoft for some of your tests.)

  • In your Windows configuration, stop Defender from enforcing during the installation.
  • Run this command from an administrator PowerShell window. It will install the AtomicRedTeam framework:
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
  • Configure Defender with an exception for the folder c:\AtomicRedTeam
  • Install the AtomicRedTeam ‘atomic’ files:
Install-AtomicRedTeam -getAtomics

That’s it! Try it out: run these commands from your PowerShell window:

Invoke-AtomicTest T1003.002 – Attempt to dump SAM secrets
Invoke-AtomicTest T1548.002 – Bypass UAC
Invoke-AtomicTest T1562.001 – Attempt to disable security features
Invoke-AtomicTest T1218.011 – Attempt to disable Windows Defender Tamper 

Tip: after running each of the above commands, re-run them with the -Cleanup option (e.g. Invoke-AtomicTest T1003.002 -Cleanup).
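As an added example (not code from this post or from Red Canary), here is the run-then-cleanup loop above wrapped in a script that records the time window of each test, so you can check whether Defender for Endpoint raised an alert inside that window. It assumes the module and atomics are installed as described; the -CheckPrereqs switch is a real Invoke-AtomicTest parameter that the post does not show, and the output path and settle time are constructed values.

```powershell
# Added example, not part of the original post or the Atomic Red Team project.
# Runs each technique once, waits for the EDR to react, cleans up, and writes a
# CSV of time windows to compare against the Defender for Endpoint alert timeline.
# Assumes Invoke-AtomicRedTeam and the atomics folder are installed (see steps above).

$Techniques    = @('T1003.002', 'T1548.002', 'T1562.001', 'T1218.011')  # the four tests from the post
$ResultsPath   = Join-Path $env:TEMP 'atomic-alert-windows.csv'         # constructed output path
$SettleSeconds = 60   # constructed value: time given to the EDR to raise an alert before cleanup

$records = foreach ($t in $Techniques) {
    Write-Host "=== $t : checking prerequisites ==="
    Invoke-AtomicTest $t -CheckPrereqs      # real switch; reports any missing prerequisites

    $start = Get-Date
    Write-Host "=== $t : executing at $($start.ToString('o')) ==="
    Invoke-AtomicTest $t

    Start-Sleep -Seconds $SettleSeconds
    $end = Get-Date

    Write-Host "=== $t : cleaning up ==="
    Invoke-AtomicTest $t -Cleanup           # same cleanup step the post recommends

    # One row per technique; AlertSeen is filled in by hand after checking the EDR portal.
    [pscustomobject]@{
        Technique = $t
        Host      = $env:COMPUTERNAME
        StartUtc  = $start.ToUniversalTime().ToString('o')
        EndUtc    = $end.ToUniversalTime().ToString('o')
        AlertSeen = ''
    }
}

$records | Export-Csv -Path $ResultsPath -NoTypeInformation
$records | Format-Table -AutoSize
Write-Host "Time windows written to $ResultsPath; compare them against the EDR alert timeline."
```

Running the techniques one at a time with a pause between them is deliberate: if several tests fire within seconds of each other it becomes hard to tell which one an alert belongs to, and a test that produced no alert is exactly the finding you are looking for.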

Tip: after you close your PowerShell window, you may need to re-install AtomicRedTeam with the commands above.

Tip: if you’re installing on Linux, it is recommended to install PowerShell first; then you can run the same commands as above. However, Linux supports a more limited set of tests, so run this command to see what’s available:

Invoke-AtomicTest All -ShowDetailsBrief

AtomicRedTeam Installation Reference:

Tip: Another way to easily test your security tools is by setting up ‘Active Defenses’, also referred to in part as ‘Deception’ techniques. Read my blog here.

Acknowledgements: Red Canary

Creating a Cyber Deception Toolkit

With the passing of ‘Cyber Deception Day’ (appropriately held on April 1) there’s been some resurgence of interest in cyber deception tools and techniques (also known as ‘active detection’).

My approach: 

  • Know your enemy: Research Mitre ATT&CK to identify techniques used by your adversaries. 
  • Deceive your enemy: Use Mitre D3FEND to learn techniques to defend against your adversaries using deception techniques. 
  • Detect your enemy: Apply defensive tools/methods to detect and respond to the deception triggers you’ve laid out (endpoint detection, OS and cloud event logging, SIEM, SOAR).

Here are some ideas for ways to add ‘deceptions’ to your network without having to jump into a pro solution (I’m not against $$, but I suggest that as a next step).

Note: most of these suggestions imply a “landmine” approach – i.e. don’t worry about clever deceptions, start with just triggering alarms on things people shouldn’t be touching. 

If you want to get to the ‘high interaction level’ of deception, you’ll probably need a professional product.

The toolkit list for cyber deception: 

  • fake documents 
  • user accounts – Microsoft suggests honey token accounts
  • Azure resources 
  • port listeners – could be a honeypot since this is the ‘landmine’ approach
  • random VMs with EDR 
  • random web server with a known vulnerability (that can be contained) 
  • standalone domain server 
  • keystore – Microsoft suggests honey token keys 
  • robots.txt – embed ‘breadcrumbs’ in common places where hackers will visit.
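The ‘Detect your enemy’ step above and the honey token account item in this list meet in the Security log: a decoy account should never be used, so any logon or Kerberos ticket request naming it is a ‘landmine’ going off. As an added example (not code from this post or from Microsoft), here is a PowerShell check that pulls those events from the local Security log and lists them. The decoy account names and the lookback window are constructed values; the event IDs 4624 (logon), 4625 (failed logon) and 4768 (Kerberos TGT request) are standard Windows Security event IDs.

```powershell
# Added example, not part of the original post. Surfaces any use of honey token
# accounts in the Windows Security log. Run in an elevated PowerShell session on
# the host (or domain controller) that holds the log.

$HoneyAccounts = @('svc_backup_admin', 'finance_share')   # constructed decoy names; use your own
$LookbackHours = 24                                        # constructed lookback window

$since  = (Get-Date).AddHours(-$LookbackHours)
$filter = @{ LogName = 'Security'; Id = 4624, 4625, 4768; StartTime = $since }

# One regex that matches any decoy name as a whole "Account Name:" value in the event text.
$names   = ($HoneyAccounts | ForEach-Object { [regex]::Escape($_) }) -join '|'
$pattern = "Account Name:\s+($names)(?=\s|$)"

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    ForEach-Object {
        $acct = [regex]::Match($_.Message, $pattern).Groups[1].Value
        # 4624/4625 carry "Source Network Address:", 4768 carries "Client Address:".
        $src = [regex]::Match($_.Message, 'Source Network Address:\s+(\S+)')
        if (-not $src.Success) { $src = [regex]::Match($_.Message, 'Client Address:\s+(\S+)') }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            Account     = $acct
            Host        = $_.MachineName
            SourceAddr  = if ($src.Success) { $src.Groups[1].Value } else { '' }
        }
    }

if ($hits) {
    Write-Warning "Honey token account activity found ($($hits.Count) event(s)) - treat as an incident."
    $hits | Sort-Object TimeCreated | Format-Table -AutoSize
} else {
    Write-Host "No honey token account activity in the last $LookbackHours hour(s)."
}
```

In a real deployment you would not poll like this by hand; the same event IDs and account names become a scheduled query or alert rule in your SIEM, which is the ‘Detect your enemy’ step. The value of the honey token is that the rule has essentially no false positives: nothing legitimate should ever touch the account.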

When you’re done with the homegrown stuff, and you’re ready to justify the need for a full-coverage and lower maintenance solution, here are some of the top product vendors for deception tools: 

https://cybertrap.com/en/deception-technology/

https://www.avesnetsec.com

https://illusive.com/

https://fidelissecurity.com/platforms/fidelis-deception/ 

https://www.attivonetworks.com/