dwhite9
0f77fd91fb
* Adding T1086 Alternate Data Stream atomic * Added newline T1086 * Syncing changes with updstream and origin. * Added Cleanup to Logon Scripts Atomic T1037 * Added timout to allow time for detection logic to register change. * Fixed issue with upstream sync, Re-added timout to allow time for detection logic. * Fixed cleanup command. Yaml tag not working to allow it to run. * Update T1158 test 11. Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code. * Update T1037.yaml Moved Reg delete command under the cleanup_command tag for consistency. * Update T1037.yaml Moved reg removal command under cleanup_command tag for consistency. * Update T1086.yaml Bug Fix: Updated Base64 encoded command in T1086-12 with correct syntax and environment variables for power shell compatibility (was for cmd.exe only). Original decoded payload referenced %SystemRoot%, whereas PowerShell uses $env:SystemRoot. Also replaced single quotes with double quotes to prevent PowerShell from interpreting it as a literal string. Enhancement: Added Cleanup_commands for T1086-12. Added comments for what the Base64 encoded payload is. * Update T1036.yaml Added Cleanup commands for the windows tests
Atomic Red Team
Atomic Red Team allows every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries (all mapped to Mitre's ATT&CK).
Philosophy
Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are focused, have few dependencies, and are defined in a structured format that be used by automation frameworks.
Three key beliefs made up the Atomic Red Team charter:
-
Teams need to be able to test everything from specific technical controls to outcomes. Our security teams do not want to operate with a “hopes and prayers” attitude toward detection. We need to know what our controls and program can detect, and what it cannot. We don’t have to detect every adversary, but we do believe in knowing our blind spots.
-
We should be able to run a test in less than five minutes. Most security tests and automation tools take a tremendous amount of time to install, configure, and execute. We coined the term "atomic tests" because we felt there was a simple way to decompose tests so most could be run in a few minutes.
The best test is the one you actually run.
-
We need to keep learning how adversaries are operating. Most security teams don’t have the benefit of seeing a wide variety of adversary types and techniques crossing their desk every day. Even we at Red Canary only come across a fraction of the possible techniques being used, which makes the community working together essential to making us all better.
Having trouble?
Join the community on Slack at https://atomicredteam.slack.com
Getting Started
- Getting Started With Atomic Tests
- Peruse the Complete list of Atomic Tests and the ATT&CK Matrix
- Using ATT&CK Navigator? Check out our coverage layer
- Fork and Contribute your own modifications
- Doing more with Atomic Red Team
- Have questions? Join the community on Slack at https://atomicredteam.slack.com
- Need a Slack invitation? Grab one at https://slack.atomicredteam.io/
Code of Conduct
In order to have a more open and welcoming community, Atomic Red Team adheres to a code of conduct.
License
See the LICENSE file.