cli-tool
intermediate
utility
# Atomic Red Team
Atomic Red Team is a library of tests mapped to the MITRE ATT&CK framework that security teams can use to exercise their environments quickly, portably, and reproducibly.
## Installation and Setup

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_3 | Clone Atomic Red Team repository |
| INLINE_CODE_4 | Navigate to repository |
| INLINE_CODE_5 | Install PowerShell modules |
| INLINE_CODE_6 | Import PowerShell module |
| INLINE_CODE_7 | Show test details |
## Basic Usage

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_8 | Execute specific atomic test |
| INLINE_CODE_9 | Execute specific test number |
| INLINE_CODE_10 | Show test details without executing |
| INLINE_CODE_11 | Check prerequisites |
| INLINE_CODE_12 | Install prerequisites |
| INLINE_CODE_13 | Run cleanup for test |
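The commands above are normally run one at a time. The following is an added example, not code from the Atomic Red Team project, that wraps them into the full check-prerequisites, execute, cleanup cycle for each test number and returns one record per test. `Invoke-AtomicTest` writes its output to the console rather than returning objects, so the record only states whether each step completed without a terminating error; the executor's exit code is recorded in the CSV written via `-ExecutionLogPath`. It assumes the `Invoke-AtomicRedTeam` module and the atomics folder are installed; the function name `Invoke-AtomicCycle` and the log folder path are constructed for this example.

```powershell
# Added example (not part of Atomic Red Team): check-prereqs -> execute -> cleanup
# for each requested test number, with one execution log per run.
Import-Module Invoke-AtomicRedTeam -ErrorAction Stop

function Invoke-AtomicCycle {
    param(
        [Parameter(Mandatory)][string]$Technique,     # e.g. T1003.001
        [int[]]$TestNumbers = @(1),
        [string]$LogFolder = 'C:\AtomicRedTeam\logs',  # constructed path for this example
        [int]$TimeoutSeconds = 120,
        [switch]$InstallPrereqs                        # run -GetPrereqs before executing
    )
    New-Item -ItemType Directory -Path $LogFolder -Force | Out-Null
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $logPath = Join-Path $LogFolder "$Technique-$stamp.csv"

    foreach ($n in $TestNumbers) {
        $record = [ordered]@{
            Technique    = $Technique
            TestNumber   = $n
            Status       = 'not run'
            ExecutionLog = $logPath
        }
        try {
            # 1. Prerequisite check. -CheckPrereqs only reports to the console;
            #    -GetPrereqs installs whatever the test declares as a dependency.
            Invoke-AtomicTest $Technique -TestNumbers $n -CheckPrereqs -ErrorAction Stop
            if ($InstallPrereqs) {
                Invoke-AtomicTest $Technique -TestNumbers $n -GetPrereqs -ErrorAction Stop
            }

            # 2. Execute with a hard timeout and a per-run execution log. One CSV per
            #    invocation keeps SIEM correlation by timestamp simple.
            $runArgs = @{
                TestNumbers      = $n
                TimeoutSeconds   = $TimeoutSeconds
                ExecutionLogPath = $logPath
                ErrorAction      = 'Stop'
            }
            Invoke-AtomicTest $Technique @runArgs
            $record.Status = 'executed'
        } catch {
            $record.Status = "failed: $($_.Exception.Message)"
        } finally {
            # 3. Always run the test's cleanup commands, also after a failure, so the
            #    artifacts it created (files, registry keys, accounts, services) do not persist.
            Invoke-AtomicTest $Technique -TestNumbers $n -Cleanup -ErrorAction Continue
        }
        [pscustomobject]$record
    }
}

# Usage:
# Invoke-AtomicCycle -Technique T1003.001 -TestNumbers 1 -InstallPrereqs | Format-Table
```

A status of `executed` means the cmdlet returned without a terminating error, not that the technique succeeded; open the execution log and look at the `ExitCode` column for the executor's result. The `finally` block is the important part for a lab host: cleanup runs even when the execution step throws, which is what keeps a failed run from leaving persistence artifacts behind.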
## Test Discovery

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_14 | List all available techniques |
| INLINE_CODE_15 | List techniques from specific path |
| INLINE_CODE_16 | Search techniques by keyword |
| INLINE_CODE_17 | Get details for specific technique |
## MITRE ATT&CK Techniques
### Initial Access

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_18 | Spearphishing Attachment |
| INLINE_CODE_19 | Spearphishing Link |
| INLINE_CODE_20 | Exploit Public-Facing Application |
| INLINE_CODE_21 | External Remote Services |
| INLINE_CODE_22 | Hardware Additions |
### Execution

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_23 | PowerShell execution |
| INLINE_CODE_24 | Windows Command Shell |
| INLINE_CODE_25 | Unix Shell |
| INLINE_CODE_26 | Python execution |
| INLINE_CODE_27 | Scheduled Task/Job |
### Persistence

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_28 | Registry Run Keys |
| INLINE_CODE_29 | Scheduled Task |
| INLINE_CODE_30 | Windows Service |
| INLINE_CODE_31 | Local Account creation |
| INLINE_CODE_32 | Account Manipulation |
### Privilege Escalation

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_33 | Bypass User Account Control |
| INLINE_CODE_34 | Process Injection |
| INLINE_CODE_35 | Access Token Manipulation |
| INLINE_CODE_36 | Exploitation for Privilege Escalation |
### Defense Evasion

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_37 | Obfuscated Files or Information |
| INLINE_CODE_38 | File Deletion |
| INLINE_CODE_39 | Disable or Modify Tools |
| INLINE_CODE_40 | Regsvr32 |
| INLINE_CODE_41 | Masquerading |
### Credential Access

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_42 | LSASS Memory dump |
| INLINE_CODE_43 | Security Account Manager |
| INLINE_CODE_44 | NTDS.dit |
| INLINE_CODE_45 | Password Spraying |
| INLINE_CODE_46 | Credentials from Web Browsers |
### Discovery

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_47 | Local Account Discovery |
| INLINE_CODE_48 | Domain Account Discovery |
| INLINE_CODE_49 | Remote System Discovery |
| INLINE_CODE_50 | File and Directory Discovery |
| INLINE_CODE_51 | Process Discovery |
### Lateral Movement

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_52 | Remote Desktop Protocol |
| INLINE_CODE_53 | SMB/Windows Admin Shares |
| INLINE_CODE_54 | Distributed Component Object Model |
| INLINE_CODE_55 | Windows Remote Management |
| INLINE_CODE_56 | Pass the Hash |
### Collection

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_57 | Data from Local System |
| INLINE_CODE_58 | Data from Network Shared Drive |
| INLINE_CODE_59 | Screen Capture |
| INLINE_CODE_60 | Audio Capture |
| INLINE_CODE_61 | Clipboard Data |
### Command and Control

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_62 | Web Protocols |
| INLINE_CODE_63 | DNS |
| INLINE_CODE_64 | Multi-hop Proxy |
| INLINE_CODE_65 | Asymmetric Cryptography |
### Exfiltration

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_66 | Exfiltration Over C2 Channel |
| INLINE_CODE_67 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| INLINE_CODE_68 | Exfiltration to Cloud Storage |
### Impact

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_69 | Data Destruction |
| INLINE_CODE_70 | Data Encrypted for Impact |
| INLINE_CODE_71 | Inhibit System Recovery |
| INLINE_CODE_72 | Network Denial of Service |
## Advanced Usage
### Custom Parameters

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_73 | Pass custom parameters |
| INLINE_CODE_74 | Specify username parameter |
### Batch Execution

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_75 | Execute multiple tests |
| INLINE_CODE_76 | Execute all available tests |
### Logging and Output

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_77 | Enable logging |
| INLINE_CODE_78 | Specify log path |
| INLINE_CODE_79 | Set execution timeout |
## Configuration

### Config File (config.yaml)

```yaml
# Atomic Red Team Configuration
atomics_folder: "C:\\AtomicRedTeam\\atomics"
log_folder: "C:\\AtomicRedTeam\\logs"
default_timeout: 120
check_prereqs: true
get_prereqs: false
cleanup: true
```
### Environment Variables

| Variable | Description |
| --------- | ------------- |
| INLINE_CODE_80 | Path to Atomic Red Team directory |
| INLINE_CODE_81 | Path for execution logs |
| INLINE_CODE_82 | Default timeout for tests |
## Linux/macOS Usage

### Installation

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_83 | Clone repository |
| INLINE_CODE_84 | Navigate to directory |
| INLINE_CODE_85 | Make scripts executable |
### Execution

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_86 | Execute bash-based test |
| INLINE_CODE_87 | Execute Python-based test |
| INLINE_CODE_88 | Execute specific test variant |
## SIEM Integration

### Splunk Integration

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_89 | Log to Splunk |
| INLINE_CODE_90 | Search Splunk for test results |
### ELK Stack Integration

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_91 | Log to Elasticsearch |
## Custom Test Development

### Test Structure

```yaml
attack_technique: T1003.001
display_name: "LSASS Memory"
atomic_tests:
- name: Dump LSASS.exe Memory using ProcDump
  auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
  description: |
    The memory of lsass.exe is often dumped for offline credential theft attacks.
  supported_platforms:
  - windows
  input_arguments:
    output_file:
      description: Path where resulting dump should be placed
      type: Path
      default: C:\Windows\Temp\lsass_dump.dmp
  executor:
    command: |
      procdump.exe -accepteula -ma lsass.exe #{output_file}
    name: command_prompt
```
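Before a custom test file like the one above goes into a scheduled run, it is worth checking it mechanically: the fields the runner reads must be present, every `#{argument}` placeholder used in a command must be declared under `input_arguments`, and a test without a `cleanup_command` will leave its artifacts on the host. The following validator is an added example and not part of Atomic Red Team; it assumes the `powershell-yaml` module (`ConvertFrom-Yaml`), which the Invoke-AtomicRedTeam installer pulls in as a dependency. The function name `Test-AtomicYaml` is constructed for this example.

```powershell
# Added example (not part of Atomic Red Team): pre-flight validation of a custom
# atomic test YAML file. Requires the powershell-yaml module for ConvertFrom-Yaml.
Import-Module powershell-yaml -ErrorAction Stop

function Test-AtomicYaml {
    param([Parameter(Mandatory)][string]$Path)

    $doc      = ConvertFrom-Yaml (Get-Content -Path $Path -Raw)
    $problems = [System.Collections.Generic.List[string]]::new()

    # Top-level keys every technique file carries.
    foreach ($key in 'attack_technique', 'display_name', 'atomic_tests') {
        if (-not $doc.ContainsKey($key)) { $problems.Add("missing top-level key '$key'") }
    }
    if ($doc.attack_technique -and $doc.attack_technique -notmatch '^T\d{4}(\.\d{3})?$') {
        $problems.Add("attack_technique '$($doc.attack_technique)' is not a Txxxx or Txxxx.yyy id")
    }

    $i = 0
    foreach ($t in @($doc.atomic_tests)) {
        $i++
        $label = "test #$i ($($t.name))"

        foreach ($key in 'name', 'description', 'supported_platforms', 'executor') {
            if (-not $t.ContainsKey($key)) { $problems.Add("$label missing '$key'") }
        }

        # auto_generated_guid is how -TestGuids addresses a test; it must parse as a GUID.
        if ($t.auto_generated_guid) {
            $parsed = [guid]::Empty
            if (-not [guid]::TryParse([string]$t.auto_generated_guid, [ref]$parsed)) {
                $problems.Add("$label auto_generated_guid is not a GUID")
            }
        }

        $ex = $t.executor
        if ($ex) {
            if (-not $ex.name)    { $problems.Add("$label executor has no name") }
            if (-not $ex.command) { $problems.Add("$label executor has no command") }
            if (-not $ex.cleanup_command) {
                $problems.Add("$label has no cleanup_command (its artifacts will persist after the run)")
            }

            # Every #{placeholder} in command/cleanup_command must be a declared input argument,
            # otherwise the runner substitutes nothing and the command runs with a literal #{...}.
            $declared = @()
            if ($t.input_arguments) { $declared = @($t.input_arguments.Keys) }
            $used = [regex]::Matches("$($ex.command) $($ex.cleanup_command)", '#\{([A-Za-z0-9_]+)\}') |
                ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
            foreach ($u in $used) {
                if ($declared -notcontains $u) { $problems.Add("$label uses undeclared argument #{$u}") }
            }
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage:
# Test-AtomicYaml -Path .\T1003.001.yaml | Format-List
```

Run against the T1003.001 structure shown above, the validator reports the missing `cleanup_command`, which is the cue to add one that removes the dump file before the test is scheduled or handed to another team. The placeholder check catches the common copy-and-paste error of renaming an input argument in one place but not the other.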
### Custom Test Execution

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_92 | Execute custom test |
## Reporting and Analysis

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_93 | Get execution results |
| INLINE_CODE_94 | Export results to CSV |
| INLINE_CODE_95 | Show MITRE ATT&CK coverage |
| INLINE_CODE_96 | Display test matrix |
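The execution log CSV that `Invoke-AtomicTest` writes via `-ExecutionLogPath` is the raw material for the coverage and results views listed above. The following is an added example, not code from the Invoke-AtomicRedTeam project, that summarises one or more of those logs per technique and, when pointed at the atomics folder, lists techniques that have atomics on disk but never appear in a log. It assumes the default CSV logger's column names (`Technique`, `Test Number`, `Hostname`, `ExitCode`, `Execution Time (UTC)`); adjust them if a custom `-LoggingModule` is in use. The function name `Get-AtomicCoverage` and the paths in the usage line are constructed for this example.

```powershell
# Added example (not part of Invoke-AtomicRedTeam): per-technique coverage summary
# built from Invoke-AtomicTest execution logs. Column names are assumed to be those
# of the default CSV execution logger.
function Get-AtomicCoverage {
    param(
        [Parameter(Mandatory)][string[]]$LogPath,   # one or more CSV paths, wildcards allowed
        [string]$AtomicsFolder                      # optional: the atomics folder, to list never-run techniques
    )

    $rows = foreach ($p in (Resolve-Path -Path $LogPath)) { Import-Csv -Path $p }

    $tested = $rows | Group-Object -Property Technique | ForEach-Object {
        $runs = $_.Group
        [pscustomobject]@{
            Technique   = $_.Name
            TestsRun    = @($runs | Group-Object -Property 'Test Number').Count
            Executions  = $runs.Count
            # Non-zero exit codes usually mean the technique was blocked or failed; both
            # are worth a look when checking whether a detection fired for the right reason.
            NonZeroExit = @($runs | Where-Object { $_.ExitCode -match '^-?\d+$' -and [int]$_.ExitCode -ne 0 }).Count
            Hosts       = (@($runs.Hostname | Sort-Object -Unique) -join ', ')
            LastRunUtc  = ($runs.'Execution Time (UTC)' | Sort-Object | Select-Object -Last 1)
        }
    }

    $neverRun = @()
    if ($AtomicsFolder) {
        # Each technique with atomics has a folder atomics\<Txxxx or Txxxx.yyy>\.
        # A folder with no log row is a technique the lab has never exercised.
        $onDisk   = Get-ChildItem -Path $AtomicsFolder -Directory |
            Where-Object { $_.Name -match '^T\d{4}(\.\d{3})?$' } |
            Select-Object -ExpandProperty Name
        $neverRun = foreach ($name in $onDisk) {
            if ($tested.Technique -notcontains $name) {
                [pscustomobject]@{
                    Technique = $name; TestsRun = 0; Executions = 0
                    NonZeroExit = 0; Hosts = ''; LastRunUtc = ''
                }
            }
        }
    }

    @($tested) + @($neverRun) | Sort-Object -Property Technique
}

# Usage:
# Get-AtomicCoverage -LogPath 'C:\AtomicRedTeam\logs\*.csv' -AtomicsFolder 'C:\AtomicRedTeam\atomics' |
#     Export-Csv -Path coverage.csv -NoTypeInformation
```

The output is one row per technique, which is the shape a blue team needs to match against the detections that did or did not fire during the same time window; the never-run rows are the coverage gaps to schedule next.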
## Automation and Scheduling

### PowerShell Scheduled Job

```powershell
# Register a daily job (PSScheduledJob module, Windows PowerShell) that executes
# the atomic test and then runs its cleanup commands.
$trigger = New-JobTrigger -Daily -At "2:00 AM"
Register-ScheduledJob -Name "AtomicRedTeam" -Trigger $trigger -ScriptBlock {
    Import-Module Invoke-AtomicRedTeam
    Invoke-AtomicTest T1003.001
    # -Cleanup runs only the test's cleanup commands, so it follows the execution above.
    Invoke-AtomicTest T1003.001 -Cleanup
}
```
### Continuous Testing

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_97 | Run tests every hour |
## Security Considerations

- Run tests only in isolated environments
- Ensure proper cleanup after test execution
- Monitor for false positives in security tools
- Document all test executions for compliance
- Apply least-privilege principles
- Enforce appropriate access controls
- Take regular backups before testing
- Coordinate with the security operations center
## Best Practices

- Start with low-impact techniques
- Always run the prerequisite checks first
- Use the cleanup functions after tests
- Document test results and observations
- Coordinate with blue team activities
- Test in non-production environments first
- Implement proper logging and monitoring
- Update the test library regularly
- Validate detection capabilities
- Create custom tests for specific environments
## Troubleshooting

| Command | Description |
| --------- | ------------- |
| INLINE_CODE_98 | Get detailed help |
| INLINE_CODE_99 | Validate input arguments |
| INLINE_CODE_100 | Check prerequisites |
| INLINE_CODE_101 | Attempt to fix test issues |
### Common Issues

- Antivirus interference with test execution
- Missing prerequisites or dependencies
- Insufficient privileges for test execution
- Network connectivity issues for external resources
- Path-related issues across different operating systems