Atomic Red Team

Atomic Red Team is a library of tests mapped to the MITRE ATT&CK framework that security teams can use to test their environment quickly, portably and reproducibly.

Installation and Setup

| Command | Description |
| --- | --- |
| git clone https://github.com/redcanaryco/atomic-red-team.git | Clone Atomic Red Team repository |
| cd atomic-red-team | Navigate to repository |
| Install-Module -Name invoke-atomicredteam,powershell-yaml -Scope CurrentUser | Install PowerShell modules |
| Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force | Import PowerShell module |
| Invoke-AtomicTest T1003.001 -ShowDetails | Show test details |

Basic Usage

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1003.001 | Execute specific atomic test |
| Invoke-AtomicTest T1003.001 -TestNumbers 1 | Execute specific test number |
| Invoke-AtomicTest T1003.001 -ShowDetails | Show test details without executing |
| Invoke-AtomicTest T1003.001 -CheckPrereqs | Check prerequisites |
| Invoke-AtomicTest T1003.001 -GetPrereqs | Install prerequisites |
| Invoke-AtomicTest T1003.001 -Cleanup | Run cleanup for test |

Test Discovery

| Command | Description |
| --- | --- |
| Get-AtomicTechnique | List all available techniques |
| Get-AtomicTechnique -Path "C:\AtomicRedTeam\atomics" | List techniques from specific path |
| Get-AtomicTechnique \| Where-Object {$_.DisplayName -match "credential"} | Search techniques by keyword |
| Get-AtomicTechnique T1003 | Get details for specific technique |

MITRE ATT&CK Techniques

Initial Access

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1566.001 | Spearphishing Attachment |
| Invoke-AtomicTest T1566.002 | Spearphishing Link |
| Invoke-AtomicTest T1190 | Exploit Public-Facing Application |
| Invoke-AtomicTest T1133 | External Remote Services |
| Invoke-AtomicTest T1200 | Hardware Additions |

Execution

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1059.001 | PowerShell execution |
| Invoke-AtomicTest T1059.003 | Windows Command Shell |
| Invoke-AtomicTest T1059.004 | Unix Shell |
| Invoke-AtomicTest T1059.006 | Python execution |
| Invoke-AtomicTest T1053.005 | Scheduled Task/Job |

Persistence

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1547.001 | Registry Run Keys |
| Invoke-AtomicTest T1053.005 | Scheduled Task |
| Invoke-AtomicTest T1543.003 | Windows Service |
| Invoke-AtomicTest T1136.001 | Local Account creation |
| Invoke-AtomicTest T1098 | Account Manipulation |

Privilege Escalation

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1548.002 | Bypass User Account Control |
| Invoke-AtomicTest T1055 | Process Injection |
| Invoke-AtomicTest T1134 | Access Token Manipulation |
| Invoke-AtomicTest T1068 | Exploitation for Privilege Escalation |

Defense Evasion

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1027 | Obfuscated Files or Information |
| Invoke-AtomicTest T1070.004 | File Deletion |
| Invoke-AtomicTest T1562.001 | Disable or Modify Tools |
| Invoke-AtomicTest T1218.010 | Regsvr32 |
| Invoke-AtomicTest T1036 | Masquerading |

Credential Access

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1003.001 | LSASS Memory dump |
| Invoke-AtomicTest T1003.002 | Security Account Manager |
| Invoke-AtomicTest T1003.003 | NTDS.dit |
| Invoke-AtomicTest T1110.001 | Password Spraying |
| Invoke-AtomicTest T1555.003 | Credentials from Web Browsers |

Discovery

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1087.001 | Local Account Discovery |
| Invoke-AtomicTest T1087.002 | Domain Account Discovery |
| Invoke-AtomicTest T1018 | Remote System Discovery |
| Invoke-AtomicTest T1083 | File and Directory Discovery |
| Invoke-AtomicTest T1057 | Process Discovery |

Lateral Movement

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1021.001 | Remote Desktop Protocol |
| Invoke-AtomicTest T1021.002 | SMB/Windows Admin Shares |
| Invoke-AtomicTest T1021.003 | Distributed Component Object Model |
| Invoke-AtomicTest T1021.006 | Windows Remote Management |
| Invoke-AtomicTest T1550.002 | Pass the Hash |

Collection

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1005 | Data from Local System |
| Invoke-AtomicTest T1039 | Data from Network Shared Drive |
| Invoke-AtomicTest T1113 | Screen Capture |
| Invoke-AtomicTest T1123 | Audio Capture |
| Invoke-AtomicTest T1115 | Clipboard Data |

Command and Control

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1071.001 | Web Protocols |
| Invoke-AtomicTest T1071.004 | DNS |
| Invoke-AtomicTest T1090.003 | Multi-hop Proxy |
| Invoke-AtomicTest T1573.002 | Asymmetric Cryptography |

Exfiltration

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1041 | Exfiltration Over C2 Channel |
| Invoke-AtomicTest T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| Invoke-AtomicTest T1567.002 | Exfiltration to Cloud Storage |

Impact

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1485 | Data Destruction |
| Invoke-AtomicTest T1486 | Data Encrypted for Impact |
| Invoke-AtomicTest T1490 | Inhibit System Recovery |
| Invoke-AtomicTest T1498 | Network Denial of Service |

Advanced Usage

Custom Parameters

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1003.001 -InputArgs @{"output_file"="C:\temp\lsass.dmp"} | Pass custom parameters |
| Invoke-AtomicTest T1087.001 -InputArgs @{"username"="testuser"} | Specify username parameter |

Batch Execution

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1003.001,T1003.002,T1003.003 | Execute multiple tests |
| Get-AtomicTechnique \| ForEach-Object {Invoke-AtomicTest $_.Technique} | Execute all available tests |

Logging and Output

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1003.001 -LoggingModule "Attire-ExecutionLogger" | Enable logging |
| Invoke-AtomicTest T1003.001 -ExecutionLogPath "C:\logs\atomic.log" | Specify log path |
| Invoke-AtomicTest T1003.001 -TimeoutSeconds 60 | Set execution timeout |

Configuration

Config File (config.yaml)

```yaml
# Atomic Red Team Configuration
# Windows paths are single-quoted: in a double-quoted YAML scalar the
# backslashes would be treated as escape sequences.
atomics_folder: 'C:\AtomicRedTeam\atomics'
log_folder: 'C:\AtomicRedTeam\logs'
default_timeout: 120
check_prereqs: true
get_prereqs: false
cleanup: true
```

Environment Variables

| Variable | Description |
| --- | --- |
| $env:ATOMIC_RED_TEAM_PATH | Path to Atomic Red Team directory |
| $env:ATOMIC_LOG_PATH | Path for execution logs |
| $env:ATOMIC_TIMEOUT | Default timeout for tests |

Linux/macOS Usage

Installation

| Command | Description |
| --- | --- |
| git clone https://github.com/redcanaryco/atomic-red-team.git | Clone repository |
| cd atomic-red-team | Navigate to directory |
| chmod +x atomics/*/src/* | Make scripts executable |

Execution

| Command | Description |
| --- | --- |
| bash atomics/T1059.004/src/T1059.004.sh | Execute bash-based test |
| python3 atomics/T1059.006/src/T1059.006.py | Execute Python-based test |
| ./atomics/T1083/src/T1083-1.sh | Execute specific test variant |

SIEM Integration

Splunk Integration

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1003.001 -LoggingModule "Splunk" | Log to Splunk |
| index=atomic_red_team technique=T1003.001 | Search Splunk for test results |

ELK Stack Integration

| Command | Description |
| --- | --- |
| Invoke-AtomicTest T1003.001 -LoggingModule "Elasticsearch" | Log to Elasticsearch |

Custom Test Development

Test Structure

```yaml
attack_technique: T1003.001
display_name: "LSASS Memory"
atomic_tests:
- name: Dump LSASS.exe Memory using ProcDump
  auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
  description: |
    The memory of lsass.exe is often dumped for offline credential theft attacks.
  supported_platforms:
  - windows
  input_arguments:
    output_file:
      description: Path where resulting dump should be placed
      type: Path
      default: C:\Windows\Temp\lsass_dump.dmp
  executor:
    command: |
      procdump.exe -accepteula -ma lsass.exe #{output_file}
    name: command_prompt
```

Custom Test Execution

| Command | Description |
| --- | --- |
| Invoke-AtomicTest -AtomicsFolder "C:\CustomAtomics" T9999.001 | Execute custom test |

Reporting and Analysis

| Command | Description |
| --- | --- |
| Get-AtomicTestResults | Get execution results |
| Export-AtomicTestResults -Format CSV -Path "results.csv" | Export results to CSV |
| Get-AtomicCoverage | Show MITRE ATT&CK coverage |
| Show-AtomicTestMatrix | Display test matrix |

Automation and Scheduling

PowerShell Scheduled Jobs

```powershell
# Register a scheduled PowerShell job that runs the test step daily at 02:00
$trigger = New-JobTrigger -Daily -At "2:00 AM"
Register-ScheduledJob -Name "AtomicRedTeam" -Trigger $trigger -ScriptBlock {
    Import-Module Invoke-AtomicRedTeam
    Invoke-AtomicTest T1003.001 -Cleanup
}
```

Continuous Testing

| Command | Description |
| --- | --- |
| Start-AtomicContinuousTesting -Techniques @("T1003.001","T1087.001") -Interval 3600 | Run tests every hour |

Security Considerations

  • Run tests only in isolated environments
  • Ensure proper cleanup after test execution
  • Monitor for false positives in security tools
  • Document all test executions for compliance
  • Use least privilege
  • Implement proper access controls
  • Take regular backups before testing
  • Coordinate with security operations teams

Best Practices

  • Start with low-impact techniques
  • Run prerequisite checks
  • Use cleanup functions after testing
  • Document results and observations
  • Coordinate with blue team activities
  • Test in non-production environments first
  • Implement proper logging and monitoring
  • Update the test library regularly
  • Validate detection capabilities
  • Create custom tests for specific environments

Troubleshooting

| Command | Description |
| --- | --- |
| Get-Help Invoke-AtomicTest -Full | Get detailed help |
| Test-AtomicTestInputArgs T1003.001 | Validate input arguments |
| Get-AtomicTestPrerequisites T1003.001 | Check prerequisites |
| Repair-AtomicTest T1003.001 | Attempt to fix test issues |

Common Issues

  • Antivirus interference with test execution
  • Missing prerequisites or dependencies
  • Insufficient privileges for test execution
  • Network connectivity problems for external resources
  • Path-related problems across different operating systems