Skip Navigation
Request Demo
Resources Webinars
Atomic Red Team
Casey Smith Michael Haag

How to Test Your Security Controls Using Atomic Red Team


Learn an easy way to start testing your defenses across MITRE ATT&CK.

Watch an in-depth training on Atomic Red Team, a suite of small, highly portable detection tests mapped to MITRE ATT&CK.

Attendees will learn how to:

  • Run a basic atomic test (Regsvr32)
  • Test defenses against a chained attack
  • Measure progress and impact

00:14 Presenter Introduction

00:56 Webinar Agenda

02:49 Lab 1 – Regsrv32

06:17 “This has become a fairly popular ATT&CK technique over the last year.” -Casey

06:22 “Regsrv32 is a default tool inside of Windows so it’s been with Windows since Windows XP all the way through to Windows 10” -Casey

08:47 “/i is simply a parameter to regsrv32 and this is where we actually pass the URL that we want to be executing into the system.” -Casey

14:51 Lab 1 – Questions & Answers

15:03 Question 1: How is regsrv32 different from rundll32?

15:58 “I would again drive you back to the MITRE framework. This framework has good distinctions about different techniques.” – Casey

17:29 Question 2: In any other security event logs, is there anything else within there that would trigger some kind of event that we could potentially correlate with Sysmon?

17:49 “I haven’t seen anything in any other logs at this point.” -Casey

18:15 Question 3: Is there a big difference when trying to detect this Sysmon versus EDR solutions?

19:02 “There are multiple ways to do it with both of these products.” -Mike

19:40 Lab 2 – Chain Reaction

19:45 “Rarely does a technique occur in isolation.” -Casey

21:18  “The next phase of this test would be the attack enumerates a bunch of different things in your environment.” -Casey

22:00 “The second chain the attacker is going to run is a long sequence of discovery commands. The next chain of attack would be line 21 where we can actually schedule attack tasks for example.” -Casey

25:29  “We have regsrv32 chained with a discovery chained with a persistence.” -Casey

25:50 Lab 2 – Questions & Answers

27:00  Question 1: Is the chaining technique effective over the long term? 

27:05  “Depending on scale, probably not… we’re really trying to get people started and batch files are the most simple way to do that.” -Casey

27:32  Question 2: Is there too much data to store across the full stack?

28:03 “Especially with Sysmon, you either collect everything or you filter out a lot of things and collect specific tasks that you’re executing.” -Mike

29:40 Lab 3 – Measuring Progress and Impact

32:49  “If I’m hunting one endpoint at a time, I’m not being completely effective.” -Mike

35:15  “You can pop over to the trends tab, and this is now where you can begin to see over time how you’ve been progressing.” -Mike

37:00 Lab 3 – Questions and Answers

37:05 Question 1: Have we automated the metrics with a SIM to automatically generate metrics?

37:19  “That’s going to depend on all of the different SIM platforms. I don’t know the best way to do that for everyone all at once.” -Mike

38:24  Question 2: Has there been any analytics ran against the MITRE framework?

38:39 “There probably has, but I’m not sure. That is something I will have to follow up with.” -Casey

38:53 Question 3: What are things coming down the pipe on this project?

39:00 “One of the things we have looked at is expanding our ATT&CK chains. Maybe we want to provide some ATT&CK chains that model after a particular actor.” -Casey

39:50  “We would also like to look to the community and provide feedback on things they would like to see or where we could add additional techniques.” -Casey

41:29  Question 4: Any other recommendations other than Carbon Black?

41:40  “This framework is designed to test multiple different products.” -Casey

42:04  Question 5: In terms of testing solutions, how does the heat map allow you to differentiate between the threat blocked, threat detected, and threat information available and gathered for hunting?

42:30  “You will need to build out the other sections of the spreadsheet or just use it as a way to validate.” -Mike

42:53  Question 6: Are we looking at the possibility of some techniques to show the value of disrupting chains so that the deception techniques and disruption logs detection capabilities?

43:05  “As an adversary, if you land in your environment and know your telemetry is being studied, there is certainly value in disrupting and degrading the performance of that telemetry.” -Casey

43:35  Question 7: With certain APTs focusing on certain verticals, are there cases based upon those verticals?

43:47  “We hope you would be able to build these chain reactions that are specific to your industry.” -Casey

Explore the new Atomic Red Team website
Explore the new Atomic Red Team website
Adventures in community management
Adventures in community management
Introducing Atomic Operator: a cross-platform Atomic Red Team execution framework
Introducing Atomic Operator: a cross-platform Atomic Red Team execution framework
Run Atomic Red Team tests with Microsoft Defender for Endpoint
Run Atomic Red Team tests with Microsoft Defender for Endpoint
Back to Top