Post 64 - Third time's the charm
Task 10, Day 4 Atomic Red Team I’m all atomic inside!
There will be gaps in your defenses, but they don’t have to be huge, they can be minimized. Two main reasons for Detection gaps:
- Security is a cat and mouse game. As defenders detect more, attackers find new ways around. Defenders study new techniques and adjust rules/alerts to suit and cycle begins again.
- Line between anomalous and expected behavior is often very thin or non-existent. 99.9% of logins may come from the US until someone goes on EU vacation and logs in. Anomalous behavior, but not malicious, and possibly predictable/expected. Sometimes hard to create rules that don’t make too much noise.
Cyber Attacks and the Kill Chain
All cyber attacks follow fairly standard process refered to as Unified Cyber Kill chain:
Initial Recon > Initial Compromise > Establish Foothold > Escalate Privileges > either Internal Recon or GOTO 80 > Move Laterally > Maintain Presence > Escalate Privileges > Complete Mission (80)
MITRE ATT&CK and Atomic Red Team
Blue team dream to detect and prevent all attacks at step 1, but unpractical. Need to try to detect at each step so any one miss along the chain isn’t disasterous. Real goal is to detect before the last phase of goal execution. MITRE ATT&CK framework is collection of tactics, techniques, and procedures (TTPs) seen to be implemented in the wild. Has navigator tool to investigate TTPs. All information is theoretical. Atomic Red Team library is collection of test cases mapped to MITRE Att&CK framework.
Drop atomics in powershell by using invoke-atomictest. Parameters:
| Parameter | Explanation | Example |
|---|---|---|
| -AtomicTechnique | Defines technique to emulate. Can use complete name or “TXXXX” value. Can be omitted. | invoke-atomictest -atomictechnique T1566.001 |
| -ShowDetails | Shows details of each test in the Atomic. | invoke-atomictest T1566.001 -showdetails |
| -ShowDetailsBrief | Shows the title of each test in the Atomic. | invoke-atomictest T1566.001 -showdetailsbrief |
| -CheckPrereqs | Checks if all necessary components are present for testing. | invoke-atomictest T1566.001 -checkprereqs |
| -TestNames | Sets tests to execute using Atomic Test name. | invoke-atomictest T1566.001 -testnames “Download Macri-Enabled Phishing Attachment” |
| -TestGuids | Sets test to be executed using test id. | invoke-atomictest T1566.001 -testguids 114ccff9-ae6d-4547-9ead-4cd69f687306 |
| -TestNumbers | Sets test to be executed using test number. Limited to the Atomic Technique. | invoke-atomictest T1566.001 -testnumbers 2,3 |
| -Cleanup | Run the cleanup commands configured to revert machine to normal. | invoke-atomictest T1566.001 -testnumbers 2 -cleanup |
Detecting the Atomic
Can use Windows Event Logs/Sysmon to find actions that take place during testing.
Alerting on the Atomic
Detecting the Atomic doesn’t matter if you don’t do anything about it. Can create custom alerting rules once we know what artefacts were created during attack. Look for things that don’t often run from scripts in the background, i.e. Invoke-WebRequest.
The Task
Identify the atomic test that will take advantage of a command and scripting interpreter, conduct the test, extract artefacts, and grab the flag.
Recommended Stuff
Atomic Red Team room.