June 10, 2020 Testing and measurement
Brian Donohue

Test your visibility into the top 10 ATT&CK techniques

We’ve added Atomic Red Team tests to the 2020 Threat Detection Report so that analysts can readily evaluate their ability to observe and detect the most prevalent MITRE ATT&CK® techniques.

At the end of every year, we take a look at all of the data associated with the confirmed threats we detected in our customers’ environments to figure out what threats are occurring most often, why adversaries are leveraging specific techniques, and how security teams can detect those malicious behaviors. The product of this analysis is our annual Threat Detection Report.

Much to the dismay of maybe a dozen people on Twitter, we decided this year that we would no longer create a PDF version of the report. The reasons for this are many, but two stand out in particular:

1. We wanted to create a more dynamic user experience.
2. We wanted to be able to make updates to the report without worrying about version control.

Moving forward, the Threat Detection Report will continue to be recalibrated every year, as we update our prevalence rankings to reflect trends in our detection data. As techniques fall in and out of favor, however, each technique-specific analysis (like this one for T1055: Process Injection) will be preserved as part of a reference library that you can use to understand important threat techniques, what they look like behaviorally, and how you might detect them.

Threat Detection Report 2.1

For our first substantial update, we decided to add a new testing section to each technique-specific page. Along with analysis, definition, and detection sections, each technique page now includes simple instructions on how you can use Atomic Red Team tests to simulate an adversary leveraging that technique in your environment.

What’s Atomic Red Team?

For nearly three years, we’ve maintained an open source detection testing framework called Atomic Red Team. If you think of the MITRE ATT&CK framework as a taxonomy of threats that attempts to describe the many techniques that an adversary might use when attacking an organization, then you can think of Atomic Red Team as a collection of tests for emulating those techniques. It’s a free and agent-less alternative to commercial testing solutions that many security teams use to ensure that their security controls are working as intended or advertised.

There are different ways you can go about running atomics to test your detection coverage. In the testing sections of the Threat Detection Report, we use two:

Testing with Atomic Red Team may seem daunting at first, but it’s really quite simple—and easier than ever with all the recent improvements to Invoke-Atomic, the open source PowerShell module for executing tests. However, even if you don’t use Invoke-Atomic, testing is still as simple as cloning the Atomic Red Team repository and following simple instructions (mostly just copy and pasting command-line scripts) that are included with the tests you want to run. However you use it, the platform is a great resource for checking your visibility, validating assumptions about security controls, and learning about what suspicious or malicious behavior might look like in your endpoint telemetry.

You can find detailed information on how to test against the top 10 most prevalent threats on each of the technique pages in the Threat Detection Report. We’ll run through a quick test for our number one technique, Process Injection, to give you an idea of what you might expect to find in the report.

Testing Process Injection

Before you can test anything, you need to:

  1. Make sure you have permission to run these tests.
  2. Set up a non-production or lab environment in which to run these tests.
  3. Make sure you have PowerShell version 5.0 or later installed.
  4. Download Invoke-Atomic or the entire Atomic Red Team test repository.

Installing the framework

To keep things relatively simple, we’ll operate under the assumption that you want to install both the execution framework (Invoke-Atomic) and the entire atomic folders. You can find detailed instructions on your various installation options on the Invoke-Atomic wiki.

Run the following script in PowerShell and then wait (it may take a few minutes):

IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1');
Install-AtomicRedTeam -getAtomics

This will download Invoke-Atomic and the atomics folder from the Atomic Red Team repository and place it in: c:\atomicredteam\ .

Run the atomic test

Once Invoke-Atomic and the atomics folder are installed, you should be ready to run your first test.

The following video demonstrates how you can run this test using Invoke-Atomic:

 

If you want to use this method, then open PowerShell and run the following:

‘Invoke-AtomicTest T1055 -TestNumbers 1’

If you want to run the test manually, running following in PowerShell will produce the same result:

Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055.dll" -OutFile "$env:TEMP\T1055.dll"

$mypid = (get-process spoolsv).id
mavinject $mypid /INJECTRUNNING $env:TEMP\T1055.dll

This video demonstrates the manual testing method:

Now what?

If you ran the test correctly, then mavinject.exe will have performed process injection into T1055.dll. All of this will have happened pretty inconspicuously, unless you have access to:

  • A tool or data source that monitors processes, which should show you that powershell.exe and mavinject.exe ran
  • A tool or data source that monitors DLLs, which should have observed the load of T1055.dll
  • A tool or data source that monitors APIs, which should have observed the VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread APIs

Conclusion

The Threat Detection Report has always listed the techniques that adversaries are likely to use in your environment, providing intelligence about the malicious behaviors you might want to prioritize, where to look for them, and what they’ll look like when you find them. The atomic tests empower security teams to do two more things:

  1. Validate that your controls offer visibility into the top techniques.
  2. Ensure that the detection and collection guidance from the report worked as intended.

If you need any additional assistance on getting started with Atomic Red Team, then you should consider joining us in the Atomic Red Team Slack channel.

 

Introducing Chain Reactor

 

Testing initial access with “Generate-Macro” in Atomic Red Team

 

Testing the Top MITRE ATT&CK Techniques: PowerShell, Scripting, Regsvr32

 

Are You Using Tabletop Simulations to Improve Your Information Security Program?

Subscribe to our blog