This webcast was originally published on April 21st, 2022.
In this video, Carrie Roberts delves into the intricacies of the Atomic Red Team project. She explains how to use the library of scripted cyber attacks to enhance security testing and training, demonstrating practical applications and configurations. Throughout, Carrie also highlights the community-driven nature of the project and encourages participation to contribute new tests and improve existing ones.
Highlights
- Atomic Red Team is a library of scripted cyber attacks, useful for emulating attacks and validating security measures in an environment.
- The webinar covers practical applications of Atomic Red Team and how to use execution frameworks to automate the testing of scripted attacks.
- Emulating attacks helps organizations validate their security posture and prepare better against actual cyber threats.
Transcript
Jason Blanchard
All right, everybody, welcome to today’s Black Hills Information Security webcast. We have a special guest with us, my cat. My cat’s the special guest. We have Carrie Roberts with us. If you have any questions, please ask them at any time.
But if you have questions about when the labs will be available, when can I actually do the labs, when can we do the labs, am I available to do the labs, if it has anything to do with the labs, please wait until Carrie tells you about them, because if we don’t go over the instructions first, then we can’t get to the labs.
And if you’re wondering about that noise, it’s my cat in the background. So I’m going to go on mute now. Carrie, it’s all yours, and if you need anything, I’ll be here for you.
Carrie Roberts
Well, thank you. I’m excited to go over Atomic Red Team. We have lots of stuff to cover. Yes, the labs: you’ll be able to RDP into a lab environment, which makes it really easy for you to complete the labs, and I review all those instructions at the end of this webcast. You’ll be able to use your lab time, your 2 hours of lab time, anytime within the next 24 hours.
So if you’re busy now, you can do that tonight or tomorrow morning, so that’s pretty flexible for you. Just a little introduction: I told you a little bit about how I started as a mechanical engineer, but I eventually ended up as a web app developer, which was super fun.
And in 2010, when we were about to release my web app, the one I was the primary developer on, we had a pen test or security test done on it, and it failed miserably because it had SQL injection and cross-site scripting everywhere, is what the report said.
And in 2010, I’d never even heard these words before. I’d never heard of SQL injection or cross-site scripting, and clearly didn’t know what it was or even how to fix it at that time.
So after being discouraged to find out that my application was no good in its current state because of security reasons, I pouted about that for a while and then ultimately decided to embrace the idea of learning about information security.
After some great training from the SANS Technology Institute, I was privileged to join Black Hills for my first pen testing job and did that for three years. And then I moved on to be able to do full-time red teaming for Walmart and did that for a few years.
And now I’m learning the other side at Walmart on the blue team. So that’s my history. I’m also a maintainer of the Atomic Red Team project. So if you have done anything with it, you’ve probably seen me in there approving pull requests or making comments, disseminating information, writing wikis.
So I really like the Atomic Red Team project, which is what we get to talk about today. You’ll hear me say this multiple times during the webcast: Atomic Red Team is a library of scripted cyber attacks.
So basically, it’ll say, if you want to run this kind of attack, run these three commands, or if you want to run it in a different way, maybe PowerShell versus command prompt, use these three commands.
And that’s what Atomic Red Team is: it’s that library. So you can use that library in a variety of ways. You could copy and paste the commands into your computer and try it, and that’s one way you could do it.
Or you could use a tool to say, I want to run this one, this one, this one, this one, and it’ll do it for you. There are many commercial tools and free, open source, freely available tools that can do that.
So the library is very valuable. It was started back in 2017, originally as an open source project by the folks at Red Canary. They’re a managed detection and response company out of Colorado, and they’re awesome because they support this project.
They started this project. They have a community that they sponsor over in Slack where we can all talk about attack emulation things.
So we appreciate Red Canary for their support, but it’s actually an open source community project. So you can contribute, and everyone can benefit from this project.
Today this webcast is really a subset of a larger 16-hour class that I teach. So you can see here that the webcast covers Atomic Red Team, the basic topics of Atomic Red Team.
If you’re interested in the bigger class, we’ll also go in depth on MITRE ATT&CK and ATT&CK Navigator, VECTR, Prelude and Caldera, which are execution frameworks: tools that know how to read the Atomic Red Team library and follow the instructions in the library to execute and emulate attacks for you.
Today we have 1 hour of lecture and then you get 2 hours of lab time. Actually, I gave you three this time, just because I was feeling nice and because the pre-show banter was so fun.
I guess that’s why I did that. So actually you’ll have up to 3 hours that you can use anytime within the next 24 hours. You’ll access that through an RDP connection to a computer in the cloud.
So it’s a very safe environment, because it’s not your own and you can blow it up and you don’t have to worry about any repercussions of that. We’re also on Discord, which is maybe an easier way to keep the discussion organized than Zoom.
But we’ll also try on Zoom. And we’ve got links to the slides here and also posted in the channels. So real quick, let’s talk about some benefits of emulating attacks.
So maybe imagine that your boss comes up to you and says, hey, we’ve heard that this certain threat group is targeting our organization, and we know that they do this technique and this technique and this technique.
If that’s tried against us, how will we do? Will we block it? Will we defend against it? Will we alert? If we alert, would our analysts know what to do with it?
Would it end up being resolved? Well, that’s a hard question to answer if you’ve never tried that yourself. So if you’ve never actually emulated that attack in your environment, then you’re really just operating on hope: hope that the products you pay a lot of money for are doing their things, and that everything else in your environment that could go wrong, from capturing events to sending those to your central logging, all the way up through your alerts and your people, is all working right.
So if you want to confidently answer a question like that, you really need to emulate these attacks yourself in a safe way, where you confirm that definitely, if that attack is tried, this is what’s going to happen in our environment.
And we can also use these emulated attacks to compare security products. So like inside that black circle, we’ve got this huge space of attack techniques.
So maybe you emulate a bunch of attacks and you find that product A detects or blocks this stuff versus product B. And maybe you find out product C is just giving you overlap where A and B already covered.
So you can definitively decide that maybe you don’t need product C anymore. So those are examples of the value of attack emulation.
Before we jump into the library of scripted cyber attacks, we really need to have a really quick intro to MITRE ATT&CK, because this is a common framework and language for talking about the whole attack emulation space, what’s known to be used by adversaries in the wild.
So real adversaries against real companies, and what tactics and techniques they’re using. The MITRE organization has published this framework, or it’s really like a spreadsheet, a grid, across the top.
They break everything down into a few categories, which are the tactics. So attackers have some general overall goals. They try to get access initially to your network or your computer, and maybe they do that through phishing or whatever.
And once they have access, they want to execute code so that they can continue to try to gain their goals, which is maybe stealing credit cards or the secret sauce recipe or whatever.
They typically take steps. They use the tactic of persistence so that if the computer that they’ve gotten access to ends up going off the network, getting restarted and started back up, which is likely to happen, then they don’t have to start back over; they want to maintain that access that they have.
So they’ll do things like create some scheduled tasks that run and give them access again every time the computer restarts. So that’s another tactic. So you can see you have all these tactics across the top that define the categories that our attackers are using, and then going down from a tactic.
So we’re looking at the tactic of credential access. So in blue, each of these cells in the spreadsheet is a technique. So you’ve got the tactic of credential access.
And some of the techniques that are used to accomplish that tactic are: the attackers can brute force credentials. They can look in password stores on your computer, like Chrome saving passwords.
They can extract those and hold onto those. They could do the technique of input capture, which is installing a keylogger so that everything you type on your computer, including passwords, gets sent to them.
And that’s how they can end up getting extra credentials once they’ve gotten access to your system and can execute code. So those are tactics.
If you actually go to the MITRE website, you can click on each of these and you can find out a lot of great information about them. You have examples of groups that use these techniques and ideas for how you can make this not a problem in your environment, maybe disable something, and it’s a lot of really valuable information.
But one thing that it doesn’t have is really detailed procedures like, okay, attackers might brute force my password or do a password spray attack.
Well, as a defender, I want to make sure that we’re prepared against that. So I want to try that. Well, within MITRE, you’re not going to find those detailed procedures that go along with these tactics and techniques.
So there might be ten different ways to do a password spray that you want to make sure that you defend against. But the MITRE ATT&CK framework isn’t going to tell you those ten ways in a detailed enough way that you could actually emulate it.
And that’s where MITRE ATT&CK comes in. I mean, sorry, that’s where Atomic Red Team comes in. They’re filling in the procedures for these TTPs: MITRE’s is the tactics and techniques, Atomic Red Team is the procedures for actually emulating the attacks.
So it’s important to note that for each of these techniques within MITRE ATT&CK, MITRE assigns a technique number, or I’ll call them a T number because they all start with T. So technique numbers are of this form: T and then four digits.
Sometimes they have .001 or .002. Those are sub-techniques, so you have the major technique and sometimes they break it down into sub-techniques. So here’s an example. Technique number T1003.001.
And everything in Atomic Red Team ties back to this technique number. So you can always see, for every procedure, which technique it falls under in the MITRE ATT&CK framework.
So that’s important to know and remember. So let’s look at this library. So now we’re looking at some information from the Atomic Red Team project.
It’s a procedure that falls under technique T1548.002. And it’s called disable UAC, user access control, using reg.exe.
So user access control is that thing when you try to install something or right click and say run as administrator, you get the little pop-up that says, do you want to allow such and such to make changes to your computer?
Yes or no. And so attackers often like to disable this because they want their code to run without waiting for a user to click yes, or worrying that the user will click no and find out that they’re hacked.
So this is one technique that they use. There are many ways to get around the UAC control. One of those ways is just to turn off the feature.
And so if we want to check if we’re prepared for attackers to do funny business with our UAC, then we might want to run this. Here’s test number eight, disabling UAC using reg.
So an attacker might run this command, reg.exe add, a registry key that says to disable. So setting this key to zero disables UAC, and then to revert that we could set it back to one here in the cleanup command.
So this library, besides just providing you procedures for how to emulate the attack, gives you some helpful stuff for how to kind of clean up after you emulate that. So if we wanted to just use this library in its most fundamental way, we could literally highlight this line from the Atomic Red Team project, and it says we should run it on the command prompt with elevated privileges.
So we could go start up a command prompt as an admin and we could paste in this command. And now we’ve just emulated an adversary turning UAC off, and we could go see what happens.
Does that get blocked? Does an alert show up in system A, B or C? When that alert shows up, what do our analysts do with it? Does it end up getting escalated to the incident response team for resolution?
So you can validate everything by emulating this, and then afterwards you could clean up, basically setting that back to its default and safer value there.
So that’s example one of a procedure from Atomic Red Team. And in Atomic Red Team we call each procedure an atomic test. So this is atomic test number eight.
And you can imagine that there’s at least one through seven before that, of different ways that attackers get around user access control.
You’ll also hear it referred to as an atomic. So in short, instead of saying atomic test, we’ll call these atomics. So this is atomic number one under the category technique T1003, which is credential access, sub-technique number two.
And this is dumping credential information from three registry hives, again using reg. So if you wanted to emulate that, you could run these three commands, and afterwards you could run the cleanup commands to get rid of that credential information that you’ve just saved out to the temp directory, just so you don’t leave that stuff laying around.
But again, you could validate that you have detections or preventions in place and that all parts in your system are working. Let’s look at a little different category. So now we’re over in technique T1078, which we could read about on MITRE ATT&CK.
But it refers to using valid accounts. So in this example, this atomic test is enabling the guest user account. So the guest user always exists by default on Windows, but it’s disabled.
So an attacker who may be trying to avoid getting an alert for creating a new account might just enable the guest account, to avoid being detected for making a new account.
And then, in order for them to get onto the system and do their hacking, they may turn on remote desktop access as that guest user.
So here’s an atomic test that says if you run these commands, that’ll enable the guest account and allow you to RDP with that. So definitely something you want to keep an eye on in your environment.
If you don’t expect people to be turning the guest account on, then it’s a great idea to alert if something like that happens, as an unexpected action that could be an attacker.
So when we look at this one, we see actually there’s this table of inputs. So here we have an input called guest_user and an input called guest_password, and they have a default value.
So the guest user name by default is guest, and the default password is password123. And we see the same guest user referred to here.
So actually what this is telling us in the library is, anytime you see this hashtag, squiggly bracket and then input name, that really should be replaced by the default values you see here.
So if we’re going to run this, we need to replace #{guest_user} with guest anywhere we see that, or here #{guest_password} with that. So we could choose to use the defaults, or we could change them.
Maybe in our environment we don’t want to have a guest user enabled with password123 during our testing. So we may change that. So we can see that copying and pasting this atomic test into the command line is a little bit more of a pain, because we maybe have to copy it out into WordPad.
We have to substitute in our values for the guest user. And so this is where the idea of an execution framework comes in. As these atomic tests get more involved, they have maybe some prerequisites we have to install.
They have cleanup commands, they have input arguments that can vary. Then it’s advantageous to not copy and paste these out, but actually use an execution framework that says, please run this one, this one, this one.
And it can do things like substitute those input arguments in for you. So we just want to be sure and keep this straight in our minds that Atomic Red Team itself is a library.
Scripted attacks. It really is just words, text commands. It doesn’t do anything by itself. Like, if you downloaded this Atomic Red Team project, it would just sit there with a bunch of files that say, to emulate this, do this; to emulate this, do this, do this.
But it doesn’t actually do anything in and of itself. If you want to emulate the attack, you either have to copy and paste those commands out, or use an execution framework that can read that library of scripted attacks and execute them according to the instructions in the library.
So if the library says run it as PowerShell admin, it does that. It says run it as command prompt. If it says input these arguments with default values, it does all that for you.
So execution frameworks make emulating the attacks very automatable and very easy. So remember, the real value in Atomic Red Team is this library.
It’s not so much the execution framework. There are a bunch of different execution frameworks, and they each have their pros and cons, and it really doesn’t matter so much which execution framework you use.
But the value is here in the library itself. So today we’re going to be playing with an execution framework called Invoke-AtomicRedTeam. It’s a PowerShell execution framework, but it works cross-platform on Windows, Linux and macOS,
if you install PowerShell Core on Linux and macOS. There are also Atomic Red Team tests that target Windows, Mac, Linux, as well as cloud, several cloud providers.
So it is very multifunction, cross-platform. But as we go through this, don’t get caught up in the fact that we’re using this PowerShell execution framework, because it could easily be a different framework, like MITRE Caldera or Prelude Operator, or a commercial product like SCYTHE. All can read this Atomic Red Team library of scripted attacks. Again, where the real value is, is not so much the execution framework.
So just remember that this is one of many execution frameworks. You’re not tied to this one. And kind of focus where the real value is, on the scripted cyber attacks and the knowledge that’s in there.
Okay, we’re going to skip out of the presentation here and do a live kind of demo. What I’m presenting from here is actually one of the lab environments.
This is what it’s going to look like when you RDP to your lab VM that you’ll be assigned at the end of class. So what it is, is just a Windows VM. It’s a very vanilla Windows install.
The only thing I’ve done to it is install a few apps like Chrome and Notepad and then put some shortcuts on the desktop. So you could actually go through these labs on your own Windows VM,
because there’s really nothing special about this, other than it’s just super convenient for you to be able to RDP into a VM and use it without any fears of setting off alerts at your network or breaking something, if you don’t understand what you’re doing.
So it’s just a safe environment for us to test in here. So within this lab environment that you’ll be logging into, you have a shortcut to Google Chrome, and that’s the best browser to use for this because that’s where I put the bookmarks.
So you’ll have these same bookmarks. So you have this Labs bookmark, which I have here. So these are the labs for today that you’ll be doing. It’s got a link to the slides, it’s got a link to the seven labs you’ll do, from installing Atomic Red Team all the way through setting your custom input args and cleaning up after your tests.
And so you have that there; you can click on each of these labs. We can open this first one. These lab documents are very verbose, and they walk you through all the problems you’re likely to see in your own environment.
It talks about the execution framework and different ways you can execute, and then it has you install Atomic Red Team. So these are great resources. You can also download each of these labs so that you maintain long-term access to these documents for later reference.
Let’s see, where was I going with this? We’re going to talk about Atomic Red Team. Okay? So with these shortcuts you also have this ART, which is short for Atomic Red Team. Under ART we can click on...
Actually, I’ll do this in another tab. Under ART we’ll click on Atomic Red Team GitHub. So Atomic Red Team is, let me zoom in a little here.
Atomic Red Team is a project hosted in GitHub. GitHub is a great place to put code-like projects. And since these have a lot of command line commands, it’s a great place to put this project where a community can work on it together, so that if you submit something and I submit something, we don’t overwrite each other’s changes.
So that’s the beauty of having it in GitHub. You can see there are over 237 contributors, so it really is a community-developed project. When you come in here, you’re on the Red Canary Co
GitHub company page. But then we’re here in Atomic Red Team, the library of scripted cyber attacks. So when you first come here, you’re going to see what you see here, and a little README down here.
But it’s a little overwhelming, because you’re like, what in the world is all this stuff? There’s a lot of stuff there, and I can’t really make sense of it. Well, it’s really not as bad as it looks, because number one, you’re going to want to go over to this wiki, and this wiki tells you lots of great information about how to get started.
Frequently asked questions, even points you over to the execution framework if you want to use that. So a lot of good information there. So remember there’s this wiki here, but if we go back to the main project, you see all these files that are in the project, but a lot of this is just supporting automation that you don’t have to concern yourself with.
So really the only thing you care about in this list of things is this atomics folder. This is where the library lives; you can ignore everything else. So you come into this project, you click the atomics folder, and with the exception of this Indexes folder, everything is named after a MITRE technique number.
So if you’re wanting to emulate things that MITRE defines as technique T1003, which is credential dumping, sub-technique number one, you could look in here for what procedures are in the Atomic Red Team library that you could emulate for that technique.
So you can see, as we scroll down, there are a lot of atomic tests for MITRE ATT&CK technique numbers.
And actually one thing that we don’t have time to go over in the webcast, but I will show you real quick, is under MITRE ATT&CK we can load up an interactive MITRE ATT&CK matrix called the Navigator.
And on that we can display every technique that has at least one atomic test. So here we have the entire tactics and techniques space.
And what you see in red means that there’s an atomic test, at least one atomic test, for that technique. So out of this entire MITRE ATT&CK space, you can see Atomic Red Team has a lot of procedures, for the majority of the techniques that MITRE documents.
So that’s pretty cool. There are some indexes here: if you wanted to have all the lists, all the atomic tests, in a CSV file or a Markdown file or in a JSON file that you can import to the Navigator, you would look in the Indexes, but for the most part it’s all these technique numbers.
So let’s look at technique T1016. So in here, T1016, every one of these technique number folders that comes from MITRE ATT&CK has at least two files, so it’s always going to have a YAML file and a Markdown file, and then it’ll optionally have a source and a bin directory, for supporting files.
Like maybe there’s a script that the atomic runs, like doit.bat, and that would be found in the source directory. So you may or may not have supporting files for a particular technique number, but you’ll at least have this YAML file and the Markdown.
So the official source for where atomic tests are defined in this library is this YAML file. But YAML is a very machine-readable language; it’s no fun to look at as a human.
So here we have a YAML; you can kind of get an idea. It says this is the technique number, these are the atomic tests, here’s the first one. Test number one is System Network Configuration Discovery on Windows, and if we scroll down, test number two is System Network Configuration Discovery,
let me zoom in, TrickBot Style. So that does some other things. Here’s the command you run, but again this isn’t fun for a human to read. So in this project there’s some automation that builds a much more readable version of the same information for you that’s easier to look through and understand.
Although the official source of all tests is this YAML file, and the execution frameworks will read this YAML file, you don’t need to read it because there’s always this easier-to-read version here in the Markdown file.
So let’s do the Markdown. So in this Markdown file we see that T1016 is System Network Configuration Discovery; that’s the name of the technique as assigned by MITRE.
And we actually have copied in, from the MITRE ATT&CK website, the description, and so it says adversaries may look for details as they orient themselves in the network.
And then we have a list of the atomic tests. So we can see right off the bat there are eight procedures written for this technique, and we don’t have to scroll through that hard-to-read YAML, and we can jump to any of these.
So if we look at the first atomic test, we recognize this from the slides we went over at the beginning. We’ve got atomic test number one, it’s meant for Windows, and to emulate this attack you should run these commands in a command prompt.
So like I said, we could copy these commands out, we could open a command prompt and we could run them, and then we’ve emulated that attack. This is a very basic, simple example.
So then we also have test number two. It lists Windows Firewall rules, another reconnaissance activity that attackers do when they’re doing discovery.
So we have all these examples. So that’s the library you’re looking at.
It says run these commands from this location with these privileges and you will have emulated the attack in different ways: way one, way two, way three, way four, so you can test your coverage.
What if an attacker tries this? What if they try it in a little different way? Would I catch it then? So that’s really awesome. So instead of copying and pasting these commands out, because we know they get more complicated over time, we’re going to look at an execution framework that can read that library for us and execute it.
So I’m going to back up one level and go back to the Red Canary company, and instead of clicking on the library of scripted cyber attacks, Atomic Red Team, I’m going to click on Invoke-AtomicRedTeam.
That’s the execution framework that knows how to read that library. And again, lots of stuff here that doesn’t really make sense at a glance, but there’s an excellent wiki here.
So also on Invoke-AtomicRedTeam, we can go to the wiki. On the wiki there’s a little introduction, but over on the right there’s an outline of pretty much everything you want to know about executing atomic tests using this execution framework.
So it talks about how you install and import the module, how you can list the tests, how you can check whether you meet the prerequisites for running that test and, if you don’t, how to get them, how to execute tests locally, like on the machine where you installed Atomic Red Team, or even remotely against another machine where you haven’t installed Atomic Red Team, how to specify your input arguments if you don’t want to use the defaults, where the logging goes, and even a GUI for making your own atomic tests.
So definitely check out that wiki. You’ll notice that actually these first several items correlate directly to the labs. So we’ve got installation, importing the module, listing the tests.
So really these are just lab walkthroughs of what you find in that wiki. Over here, I’ve already installed Atomic Red Team and imported the module so that I can use it.
But don’t worry, that’s your first two labs, installing and importing the module, so you’ll know how to do that. But in the interest of time, I’ve already done that. So this is how we use Invoke-AtomicRedTeam.
You say Invoke-AtomicTest. So we give that, and then we just specify a technique number, so maybe T1016. And then for starters we could add this flag that says -ShowDetailsBrief, which basically just says, tell me the names of the tests in this technique number.
So here we have test number one, System Network Configuration Discovery on Windows. That’s the one we looked at that ran those recon commands. Then, List Windows Firewall Rules.
So if we come over here, let’s go back to our browser and put this over here, we’ll go back into our Atomic Red Team project, our library of scripted attacks, and we’ll look at atomics/T1016.
So you can see atomic test number one matches this: System Network Configuration Discovery on Windows. Atomic test number two, Windows Firewall Rules. We got that, but look, test number three is missing.
But it’s here; we have it over here in the Markdown file. Let’s click on test number three. If we look at test number three, we see that the commands for this test are actually intended for macOS or Linux.
So the execution framework knows that we’re currently on Windows, so it’s not showing us tests that don’t apply to our current operating system. So that’s why sometimes you see some numbers missing here, because they’re intended for a different OS.
But if we were using the same Invoke-AtomicTest execution framework on Linux and we asked it to show the details brief, it would show us test number three and everything else that works on macOS or Linux.
Okay, so that shows us the brief details, but if we take off the brief... Whoops. That showed us all. Actually, before we do that, I want to just look at test number one.
Test number, and we can do like 1,4,5 like that. But for now I just want to look at test number one. Instead of showing the brief details, I’m going to take off the word brief and say show me the details, which is the full details.
So here we’re basically looking at a kind of command line version of this markdown file. So we’ve got the name of the test here, we’ve got the guid which is a unique id for this test which comes in handy when you’re automating execution is to refer to these things by their unique id.
But that’s the only thing that’s for, and it says we should run it on the command prompt. It says here, here’s the commands right here.
And we have the same commands here. So basically it’s like a command line version of this markdown information. But then what we can do afterwards, we can say okay, don’t show me the details, actually run it.
So here we take off the show details and now it just ran these five commands and spit out all the output to the screen. So now we have emulated this procedure under this attack technique, T1016.
And so as easy as that, not much easier than copy and pasting this ourselves, but it’s definitely scriptable. And as we are about to show in some other examples, when these tests get more complicated with input arguments and prerequisites, dependencies, cleanup commands, the execution framework is a lifesaver.
So for the next example we’re going to look at that disable UAC test. So actually one thing I want to show before I do that is you can invoke all the atomic tests with the all keyword, although I don’t recommend you execute them all at once like that because you’ll kind of blow up your system with all the crazy interactions that happen with that many, 800 tests, running at once.
And also you can’t even make sense of your telemetry after that because so much went on. So it really doesn’t benefit you to run them all at once. But one nice thing you can do with the all keyword is if you wanted to just show all the names of the tests that apply to your current OS, you could show the brief details.
And here we have scrolling by every test that applies to Windows. So you can see as it scrolls by that there are a lot of atomic tests in this library of scripted attacks and I forget, but there’s probably about six hundred.
But I’m going to cancel this so we don’t have to wait for all of that to go through. Let’s look at a different atomic test.
And this is T1548.002 from our slides. I’ll show the brief details just to remind me what test I wanted. Test number eight, disable UAC using reg.exe.
So now I want to fine tune into test number eight. If I don’t specify a test number, it’s going to run all of these tests. So if I just erase this and push enter, it would emulate all of these tests.
But I want to limit it here for this example to just test number eight. And I’m going to show the full details with show details. So I haven’t actually executed yet. I’m just reading about it.
So in here I can see it’s going to run this and set this reg key to zero. And if I do the cleanup it’s going to set that.
So before I run that, I’m going to copy this command out to list the current registry key setting and that’s not pasting in.
So I’m going to ask it to tell me what this key is currently set to so we can confirm that it works.
So if I run this right now it doesn’t work, what am I doing?
Jason Blanchard
Oh.
Carrie Roberts
Okay, so this is a key, EnableLUA is the key that we’re about to change. It’s currently set to one, that’s the default on Windows. So an attacker may try to set this to zero to disable it.
So now we know we’ve confirmed that our key is one. Let’s go ahead and run this test. So we can run it by instead of asking it to show the details, actually run it.
And actually we have to be admin to run this if we read the details closer. But instead of reading the details closer, we could add in this check prerequisites to see if we have everything we need to successfully emulate this technique.
We run that and in red we see the prerequisites for this test aren’t met. Elevation is required but not provided. So if we really want to run this test, we’re going to have to start PowerShell as an admin, which is what the library says, you would have to have admin privileges to run this test.
And then we could run this same test over there. Let’s make sure we’re set over here. And it says, no red message.
It says we’re checking the prerequisites for this test and they are met. So we’re good to go. So we can go ahead and take off the check prereqs and run this test.
And it says operation completed successfully, but you have to restart the computer for it to take effect, which we’re not going to do for the demo today. But we can check this registry key. Let’s go back and read this registry key again.
We see that now it’s zero where it was one before. So we’ve emulated the attack. Well, we’ve actually done the attack. We’ve disabled UAC on this computer, which will take effect after restarting.
So that’s cool. Now at this point we could go check what happened? Did an alert go off or we could develop our alert to detect this because we have something to look for.
Now at the end we would want to run the cleanup command so we can just type on cleanup and then that’s going to reset this registry key.
So we read it again and it goes back to one. Now, we’ve emulated the test, we’ve set it back so that our system’s in a better state and so that we could run it again if we wanted to run it again, and we could see that event generated, that’s changing that registry key from one to zero.
So that’s a cool example. So let’s go on to another example that’s a little more complex. Let’s look at invoke T1548.002.
Test number eight. Let’s show the details of this one. Okay.
T1548.002, I think the test numbers changed. Let me show the details. Brief.
Oh, I’m typing in the wrong number. Sorry.
Invoke-AtomicTest T1485. Okay, this has two tests.
Overwriting a file with Sysinternals sdelete. So there’s a tool to securely delete files. So normally when you delete files, they don’t actually go away from the disk, they just get marked like okay to overwrite.
So if an attacker may desire to actually overwrite that file by putting stuff over the top of it, so that forensics investigator can’t go get the contents of that file after it’s been deleted.
So there’s a tool that Microsoft provides called sdelete. It doesn’t come on Windows by default, but it’s definitely a tactic that attackers use to cover their tracks.
So let’s look at test number one, see what it’s going to do. So we’ll show the details. So test number one, it has some dependencies here. It says the secure delete tool from Sysinternals must exist on the disk.
And here’s how to check it. If it is and if it’s not there, here’s how you can get it. You can download it from Microsoft, unzip it, and put it where it needs to go. So that would be a pain to run by hand, but this is all built into the automation of the library and defined with the library.
And so here we see how the test, the attack commands for emulating this test, actually show up in the library.
And it says if the file to delete, this is an input argument. So if we’re looking at the markdown, you’d see that little input table? And there’d be some default values for the name of the file to delete and then the location of where your s delete executable is on your computer.
That’s the commands, the attack commands, but there’s also command with input. So we have all these red input arguments replaced with their default values. So if we were to look at that table, we’d see the default value for file to delete.
Here is this environment temp, T1485. So we see that substituted in everywhere where that is. And then sdelete executable, the default location it is going to look for that is in the temp sdelete folder, sdelete.exe.
And I actually don’t have that sdelete tool on my computer. So if I tried to run this test right now I would get some errors. So let’s try to run this test.
It says sdelete is not recognized as the name of a function we can call because it doesn’t exist on this computer. So if I was planning ahead, I would actually check my prerequisites before, for this test.
And I check my prerequisites and it says prerequisites not met because the secure delete tool must exist at the specified location and it doesn’t. And then it says try installing the prereqs with the get prereqs switch.
So all of this is automated into the execution framework so we don’t have to copy and paste from the library. Now we can say instead of check prereqs we could get prereqs.
So now it says attempting to satisfy the prereqs. So it’s downloading that zip file, unzipping it, putting the executable in the temp directory where it expects it.
So now if we run this test, it’s going to work. So it says securely deleted a file, this temp T1485.
And so the test worked, we’ve emulated that attack. We got our prerequisites. It was all easy to do with this execution framework. There’s also options for specifying, maybe our sdelete tool is in a different location.
And then in the temp directory we could specify that instead of using the defaults you have a lab for how to do that, how to specify custom input arguments. But I’m not going to cover that live in the interest of time because there’s a few more things I want to cover from the slide presentation.
So you can imagine that maybe you emulate a bunch of attacks and then you want to compare what you emulated with the actions that took place, what got blocked, what got detected, what the analysts did with it, what the people did with it, what the processes did with it.
So you want to have this log of everything you emulated and when you emulated it. So by default Invoke-AtomicRedTeam execution comes with it.
Execution log, it’s CSV format, it’s very basic. It has the local and UTC execution times, what technique was run, the name of the test, what user and host it was run on, and the GUID that ran.
But it doesn’t have anything about the output of the test like what got displayed on screen or whether it’s, we might want to say worked or not.
Did the attack work actually that the execution frameworks, none of them right now have any notion of or any full notion of whether the attack worked or not because that’s defined differently by a lot of people.
And it’s also very hard to do, very hard to automate. So no, you’re not going to get something like yes, the attack worked or no it didn’t. That’s left up to you by looking at your telemetry, looking at your defense to see what happened and did it work?
So sorry, no easy button there. But you can log in a more verbose format, in a JSON format. And that JSON format includes all the commands that were run and all the outputs.
So everything you saw flash on the screen would be in this JSON log. There’s a wiki here about how to do this added logging. And the nice thing about this JSON log, besides having a lot more information, is that it can be imported into the VECTR purple team reporting tool.
So if you want to start keeping track of the campaigns you ran, what you emulated, maybe this quarter versus next quarter, and how your defenses did against it, and track that over time.
You may be interested in using VECTR, also a free tool. And you can import everything you emulated into VECTR easily with that format. Really cool.
So talking about how, how would I, how might I actually do all these emulations in my environment? So one suggestion is to use here in this top example we have a computer that’s a golden image.
So the G stands for golden image. So it’s like something representative of your environment. It’s something you may give to a new employee when they come in. It has the same security stack, it has the same applications, the same configuration.
So it’s your golden image, representative of something in your environment. So for that you may install Atomic Red Team on that computer and then use Invoke-AtomicRedTeam or another execution framework to actually run different tests.
And then the key part of this is that you could take all the telemetry that’s recorded on your golden image and you could send it out to your production, logging system or detection where your detections run off.
And then you could, even though you’re on a test system here, you’re really testing your production capabilities to detect and also respond. So this is a nice safe way to get started with doing this.
Most of the execution, actually all of the execution frameworks, including Invoke-AtomicRedTeam that you play with today in the labs, have the capability to actually execute an atomic test against a remote machine.
And Invoke-AtomicRedTeam does that using a PowerShell remoting connection. So here, this blue arrow is a standard PowerShell remoting connection.
So if you’re able to PowerShell remote to another box from the box where you have Atomic Red Team installed, then you could execute tests even against a real user system.
If you get to the point of being comfortable with that, with certain atomics that you trust, you could execute against real life systems to test the entire live environment on a real user system or a golden image.
And the benefit of this second way is it’s much lighter touch to your test system. So installing Atomic Red Team, it downloads a whole folder full of simulated malware.
So it’s really going to set off alerts like crazy, hopefully, in your environment for just putting this on a system like your golden image. So if you can do that on some maybe non-monitored device where you install Atomic Red Team, and then only on your golden image you only execute like those five commands for what you’re emulating.
And you don’t have to have a whole folder full of malware on there. You don’t need to install an execution framework. It’s very light touch for your golden image. And I also recommend that you test two different ways.
One with your blocking controls turned off and then you can also do that again with it turned on to see what emulations would be blocked. But as a red teamer, I’ve seen that there’s always a way around blocking controls, maybe an AMSI bypass or something that lets something run that shouldn’t otherwise be able to run.
So it’s definitely you need to run these emulations with blocking controls turned off and still make sure that you can detect it. Say if they managed to execute this because they get around our blocking controls, would we still see that it would happen?
And so this isn’t my quote, but this is a saying you hear a lot in SANS classes: prevention is ideal, but detection is a must. So I definitely agree with that, that you want to turn off those blocking controls and ensure that if this, if these attack commands run these procedures, we’re going to know what happened and we can react to it.
So all of this can be very overwhelming because there’s over 800 atomic tests in the library. It’s really hard to know where to get started.
So I made a little spreadsheet for you called starter atomics, and they’re just a good small manageable list of things that might be good to start with, specific to Windows machines, that typically aren’t blocked by default.
So there are things that are sysadmin type things that should be allowed to run, but maybe only by certain users, and you want to know when they happen. And also they’re pretty straightforward and easy to understand, and so it’s a good place to get started.
So my recommendation is to start playing on a test system with these atomics. Get familiar with some, find some that you trust, you understand everything that it does and you’re willing to try that from a golden image.
And just start slow. When I first started emulating attacks, I kept track of everything on a spreadsheet. So that’s how I started. I’ve since moved on to automation that compares what was run to what was detected and builds a dashboard for me.
But I definitely didn’t start that way on day one. It was very manual. Also, like I said, this is a community project and anyone can contribute.
So to do that you submit a pull request to the GitHub project. Pull request is really a weirdly named feature of GitHub. I don’t think it’s very self explanatory, but basically a pull request is saying, hey, I would like to add this atomic test to this technique number.
Here’s my code, what do you think? And then maintainers will take a look at that and say, yeah, I like that. Or maybe it needs tweaked a little bit and give some feedback. Ultimately that will be merged in and become part of the atomic red team project after it’s approved.
Besides contributing a whole atomic test, you could just maybe even come in and contribute a pull request that says I’m fixing a typo in the test name or something. So any level of contribution. On the Atomic Red Team wiki there’s a whole page on contributing with lots of guidelines.
There’s a video walkthrough of me doing a pull request for the Atomic Red Team project. So very specific pull request example for Atomic Red Team. If you contribute you get this Atomic Red Team shirt, or one like it, free after your first-time contribution. So that’s cool.
And Red Canary puts that on, supplies those t-shirts. So we appreciate that. Let’s see, also going on right now, Antisyphon training.
So kind of a sister company of Black Hills offers these training classes. They’ve got over 30 training classes on many topics. Antisyphon is sponsoring a bounty program to encourage contributions to Atomic Red Team.
Which just means if you contribute a new atomic test between now, it actually started a couple of weeks ago, and May 18, you’ll be entered into a drawing for a $50 gift certificate to the Black Hills store, which includes t-shirts and sweatshirts and some other things.
So right now today there’s only three contributors of atomic tests since the bounty started. So there’s at this point a really good chance you’re going to be a winner of one of these $50 gift certificates.
If you contribute before May 18, and no catches, you just get that gift certificate. If you get John out of the atomic test contributors.
There’s details here at this link, but also there’s two large prizes where you get a free class from Antisyphon training, which is also where I teach my 16-hour version of this class.
But you can pick any class you want. That’s a $545 value that’s going to be awarded to the two best contributions in certain categories. And those categories are listed on this document here.
Those categories are categories where the library is short on tests and we’d like to see more contributed. So you can also go for that.
Okay, now we’re going to talk about accessing the lab environment. So you’re going to go to controlpanel dcatrainingonline. I’m going to post these links in both channels here in a second.
But you go there. You enter in, let’s see, there’s the next page. Yeah, you enter in your email here and click submit. And then it will give you your IP address and your username and password.
And then there’s instructions if you need help with how to RDP either from Windows, Linux or Mac. There’s some detailed instructions there. And to use your lab, you’re just going to start the VM and once you start it your timer starts going for how long you’ve used it.
You can stop it, maybe you use it for an hour and then you stop it and you come back in 5 hours and use it for another hour. Anyways, you have 3 hours within the next 24 hours to use your lab.
So anybody who registered for this webcast up until 3 hours ago will already be in the system. So you enter your email, you’ll get an IP assigned if you emailed within the last 3 hours, or if you register after because you want the lab access.
I’ll be adding those in periodically throughout the day if we get late registrations. Yeah, so once you get to the lab, it’s the same VM that I’m already RDP’d into, one of the lab VMs right now.
You’re going to start Chrome, you’re going to click on the labs, you get linked to all the labs here, you’re going to walk through those labs and you have all the same bookmarks so that, and you’ve also got a link to the lab walkthroughs here.
So you can hang on to that link and you’ll have access to these labs continuously. Or if you want to just be extra sure, you could actually download the word documents for each of these labs and hang on to them.
Let’s see the, oh, I have that slide next. Let’s see. So my 16-hour class from Antisyphon training is coming up in June.
It’s the next one. The next live class after that, live but virtual, online, is October, but over the summer I’ll be releasing the on-demand version of it where you can watch the video recordings and do the labs on your own time.
So you’ll have lots of options for taking that class. So there’s a link there if you’re interested. So that wraps it up for Atomic Red Team. I hope you got it in your mind.
Atomic Red Team, this library of scripted cyber attacks so that you can emulate and validate things in your environment. Invoke-AtomicRedTeam is one of many execution frameworks.
Whether you use that or a different one doesn’t matter, because the value is really in the fact that these attacks are scripted within the Atomic Red Team library.
Also consider joining the Slack workspace. There’s over 4000 people there that talk about ATT&CK emulation and Atomic Red Team. And it’s a supportive community that I enjoy being part of, where you can ask all things ATT&CK emulation related.
And there’s a link on the bottom of the labs document for how to join that Slack workspace. And there’s a link there. That’s all I have for you. I hope you stay connected.
I’ll be monitoring Discord throughout the next 24 hours for the most part to answer questions, and if you have problems accessing your lab, I can help with them.
That’s it.
Jason Blanchard
All right, Carrie. Hey, thanks so much. We are at the 2:00 time, Eastern time. So officially the webcast is over. So what we’re going to do is stick around for a few minutes to just answer any of the quick questions people have as far as getting into labs or anything like that.
Carrie, do you have like ten minutes?
Carrie Roberts
Yes.
Jason Blanchard
Okay, I’m also going to ask you some of the questions too that came in. So one, can you share the competition link?
Carrie Roberts
Yes. Let me post. I’m first going to post all the links, which is how to connect to the labs, the slides, the lab index and the control panel.
So let me put that in here real quick. Oh, shoot. This is pasting weird. I got to paste in notepad first.
Okay.
Jason Blanchard
All right, so links are being posted.
Carrie Roberts
So we got all those labs.
Jason Blanchard
All right, so I’m also going to take the links for the labs and drop them into the webcast slides here in discord. So that way they don’t.
Carrie Roberts
I think you were asking about the link to the bounty.
Jason Blanchard
Yeah, the competition. Competition.
Carrie Roberts
Competition. Where’d it go? There it is.
Jason Blanchard
Also, everyone, thank you so much for joining us today. We’re not leaving just this moment, but if you do need to leave, we understand. Thank you for joining us for a Black Hills Information Security webcast, Carrie, and hopefully you learned something new about Atomic Red Team and it’s something that you want to pursue and look more into because ATT&CK emulation is really good.
I do a lot of tabletop exercises with organizations. I play Backdoors & Breaches with them all. And one of the things that we talk about a lot is can you defend against this? And a lot sounds like.
I don’t know.
Carrie Roberts
Okay, I’m copying the link to that and putting it in Zoom.
And.
Jason Blanchard
And if you do go to the Spearfish General Store right now, everything looks sold out. We just did that because we need to close the store for two weeks so that we can prepare for Wild West Hackin’ Fest, which is happening in San Diego.
The team can’t do both at the same time. They can’t prepare for the conference and mail out things that people buy. So we just removed everything from the store until early May.
Carrie Roberts
That’s good to know because I’m like, shoot, they can only order two things. Yeah, I’ll just forget to mention that.
Okay. And what other questions? I. Sorry, I haven’t been reading questions as I talked.
Jason Blanchard
Can atomic red team be run against remote systems?
Carrie Roberts
Yes, it can do that through PowerShell remoting. And there’s a page on the wiki. Let’s bring it up here. If we go to the ART, Invoke-AtomicRedTeam wiki, there’s a section here on the right.
Execute atomic test remote, and it talks about how to configure your systems. Like if you’re executing from Windows to Windows or from Windows to Linux and Mac and vice versa.
These are what you have to get installed to make that happen. And then it talks about how you do it, which is actually very simple. First you create a PowerShell session with this command.
So you tell it what computer and what user and optionally a password if it’s different than your current password. And then once you have your session variable, which here I’ve called $session, then you just invoke, where is it?
You just invoke an atomic test the same way we did in the labs and in the examples, with the addition of the, so you can say invoke atomic test, give it a technique number, you can say get prereqs, cleanup or show details, whatever, execute.
But you just pass along that session and it ends up going to that remote computer instead of locally.
Jason Blanchard
How do you cancel when a script is running?
Carrie Roberts
Push the power button. No, just kidding. Well, if it’s in the Invoke-AtomicRedTeam execution framework, locally you can just press Ctrl+C in the window.
If it’s remote, I don’t know. It’s a good question.
Jason Blanchard
Okay, this is one of my favorite questions and I’m just going to ask it myself. Can you run all the tests all at once?
Carrie Roberts
Yes, but you probably won’t get much out of it and you might break your system just because with the combination of everything being turned on and turned off and weird, some tests do really weird things.
Like every time a certain Windows library is called, it pops calculator, just as a benign example for the test. So when you get done running all these tests, suddenly your computer is practically unusable because every possible thing is being done and you’re getting, every time you move the mouse, command prompts popping up and calcs popping up, and every time you restart it, well, there’s a test that disables command prompt.
There’s a test that disables PowerShell. There’s a test that disables just about everything. So you’re going to end up with this system where you can’t even start PowerShell to fix something.
You can’t start command prompt. You’ve got calculators popping everywhere. It’s just too much at once. But yeah, you can say invoke atomic test all, and you can do it in this lab if you want.
And then you’re like, the lab VM maybe broke after that.
Jason Blanchard
So you’re saying there’s a chance.
Carrie Roberts
There’s a chance, yes. So what’s the link for Slack? Somebody asked, so if you go to your labs, there’s this section on joining the Slack workspace.
It actually has, this isn’t clicking. It actually talks about more than just the Slack workspace. There’s also, so it talks about the different channels you might be interested in in the Slack workspace and gives you the link to join Slack, which is slack.atomicredteam.io, but it also talks about the, there’s a Caldera Slack workspace that you might be interested in.
And there’s also VECTR and Prelude Operator Discord servers that you can join. So that’s helpful. Any other questions?
Jason Blanchard
Yeah, Oscar just asked about the course. The course length is 16 hours, five minutes, $145. How many? It’s the four days, 4 hours a day, right, Carrie?
Carrie Roberts
Yes.
Jason Blanchard
Yeah, we, when we started doing training, we were like, what can a human being comprehend and retain? And we thought like 4 hours a day, four days a week straight, is the way to do it.
And so like in your class, it’s content and then lab content and lab content and lab, correct?
Carrie Roberts
Yeah, yeah.
Jason Blanchard
And we just think that’s a good way for people to learn. Like, you hear it, you do it, you hear it, you do it, you hear it, you do it. And then you take some time off, and then you come back the next day, and the recordings are always available to people within 24 hours.
So if you are in that one session, you’re going to get a recording for that session before the next session starts. Or if you miss it, you can’t make it, you still get the recording and then you can catch up before the next live session.
All right?
Carrie Roberts
Yeah, so I provide more lab walkthroughs than most people can do within the 16 hours of the course.
So they also, you can in the live class. You also have this option to use these live VMs like you have today, where you can play with everything you have anytime during the four days of class and two days after to use your lab time.
And you get like 30 or 40 hours on each VM, Linux and Windows. But you also have instructions and options for downloading local VMs so that you can run these on your own computer even after the live lab environment goes away.
Jason Blanchard
Yeah, that was always a big thing for us. When the class ends you shouldn’t lose access to all the cool stuff. You lose access to some things but not all effects.
All right, last question for you Carrie, and this one’s got a lot of parts to it, so here we go. What is the best practice regarding AV/EDR running on the system executing the test from?
That’s step one.
Carrie Roberts
What is the best practice? So if I understand the question right, I think the best practice, the way I would start, is I would disable blocking controls. So I definitely collect all the telemetry like this process started, this thing ran, this registry key was created, all of that, and I would first make sure that I can detect that.
And if somebody, maybe besides a system administrator, is running bitsadmin, I want to know. That’s something that wouldn’t be blocked anyways by default.
But I would work on the detections first but then I would also run. Okay, let’s not disable anything. Let’s see how well our blocking controls work because potentially we could add some blocking controls to block additional things.
And if you can block it, that’s great. But if you don’t block it you definitely need to detect it. So that’s like your minimum viable product, is being able to detect.
So work on that first with blocking controls turned off and then come back around and look at what you’re blocking, what you’re not and what you could additionally block.
Jason Blanchard
All right everybody, thank you so much for joining us today. Carrie, do you have any final thoughts? And we’re going to stick around the Discord for the next couple hours. So if you have questions about lab, is this not working or that’s not working or do I get access?
We’re going to anyone that registered in the last 3 hours. We’re going to get that information over to Carrie, so that way, if you want to do labs, you can do so. But, Carrie, any final thoughts before we wrap up for today?
Carrie Roberts
No. I appreciate you joining. Consider contributing to Atomic Red Team because it’s a good resume builder, and it’s a good way to learn.
And it also, everything you contribute helps an entire community. There’s a lot of organizations using this library, so if you contribute a new cool test that emulates something attackers really do, then immediately we all have that test and can emulate that.
So it’s a really cool project, and free t-shirts. So thanks for joining, and I hope you’ve enjoyed them.
Jason Blanchard
All right, everybody, thank you. This has been a Black Hills Information Security webcast. If you ever need a red team, threat hunt, active SOC, or anything like that, where to find us with that. Thank you so much, Carrie, Darrin, all of our guests that joined us, and to all the attendees, thank you for spending your time with us today.