Atomic Red Team



Atomic Red Team is an open source collection of small, highly portable tests mapped to the corresponding techniques in the MITRE ATT&CK framework. These tests can be used to validate detection and response technology and processes.

Get the repo: https://github.com/redcanaryco/atomic-red-team

Browse popular Atomic Red Team resources below to learn more.


Atomic Red Team Videos



Atomic Red Team Regsvr32 Lab

Lab 1 – Regsvr32 to Check Detection and Logging

Lab 2 – Chain Reaction, Using Multiple Commands

Automating Response With Carbon Black Response

Lab 3 – Measure Progress and Impact



This webinar shows defenders how to take endpoint atomic testing to the proving grounds by:

  • Building “chain reactions” by combining multiple MITRE ATT&CK™ techniques and executing them in sequence
  • Customizing sequences based on your specific attack surface and threat risks
  • Using Carbon Black telemetry to create detections
  • Measuring endpoint detection tools and exposing gaps

Atomic Red Team Articles



An Introduction


An introduction to Atomic Red Team Tests with a mapping to the MITRE ATT&CK Framework. We cover the major test phases: execution, evidence collection, and detection. https://redcanary.com/blog/atomic-red-team-testing



How to Test with the Atomic Red Team

Q&A with Casey Smith and Michael Haag comparing Sysmon with EDR products, using the heatmap created by Roberto Rodriguez, answering questions about the Regsvr32 lab, and more. https://redcanary.com/blog/how-to-test-your-defenses-atomic-red-team



The Dragon’s Tail

Focus on post-exploitation behavior by simulating the variety of techniques chained together by a well-known threat actor.

“The Dragon’s Tail” is designed to test for the following MITRE ATT&CK techniques:
1. The script sets up persistence by creating, executing, and removing a scheduled task that runs the Regsvr32.exe payload. (Technique 1053, 1117)
2. The next phase downloads a credential-stealing tool; in this example, Invoke-Mimikatz is used. (Technique 1086, 1003)
3. A technique known as timestomping modifies the time attributes on the downloaded file. (Technique 1099)
4. The file is deleted.

By chaining these activities together, teams can assess their ability to detect and respond to not just one technique, but a known pattern of attack leveraging many techniques in sequence. https://redcanary.com/blog/atomic-red-team-tests-catching-dragon-tail



Testing Detection and Prevention Tools With Atomic Red Team “Chain Reactions”

Learn how to test endpoint solutions by building an Atomic Red Team chain reaction.

Customize sequences based on specific attack surfaces and threat risks to confirm detection and prevention coverage on the MITRE ATT&CK matrix.
https://redcanary.com/blog/testing-endpoint-solutions-atomic-red-team