* Initial transfer of atomics to MITRE subtechniques
* Add GUIDs back in, attack_technique to string (#1019)
* technique to string and add guids back in
* technique to string and add guids back in
* technique to string and add guids back in
* technique to string and add guids back in
* Subtechnique transfer T1220-T1546.005 (#1020)
* Create T1222.001.yaml
* Create T1222.002.yaml
* Create T1505.002.yaml
* Update T1543.003.yaml
* Update AtomicService.cs
* Update T1546.005.yaml
* Delete T1222.yaml
* Update T1482.yaml
* Update T1485.yaml
* Update T1220.yaml
* Update T1489.yaml
* Update T1490.yaml
* Update T1496.yaml
* Update T1505.003.yaml
* Update T1505.yaml
* Update T1518.001.yaml
* Update T1518.yaml
* Update T1529.yaml
* Update T1543.004.yaml
* Update T1546.001.yaml
* Update T1546.002.yaml
* Update T1546.002.yaml
* Update T1546.001.yaml
* Update T1543.004.yaml
* Update T1543.002.yaml
* Update T1543.001.yaml
* Update T1518.001.yaml
* Update T1546.004.yaml
* Update T1546.003.yaml
* Update T1531.yaml
* Update T1222.001.yaml
* Update T1222.002.yaml
* Update T1505.002.yaml
* Update T1505.003.yaml
* Update T1518.001.yaml
* Update T1543.001.yaml
* Update T1546.005.yaml
* Update T1546.004.yaml
* Update T1546.003.yaml
* Update T1546.002.yaml
* Update T1546.001.yaml
* Update T1543.004.yaml
* Update T1543.003.yaml
* Update T1543.002.yaml
* added auto_generated_guid 1220
* added T1222.001 auto_generated_guid
* Update T1222.002.yaml added auto_generated_guid entries
* Update T1482.yaml auto_generated_guid added
* Update T1485.yaml added auto_generated_guids
* Update T1489.yaml added auto_generated_guids
* Update T1490.yaml added auto_generated_guids
* Update T1496.yaml added auto_generated_guid
* Update T1505.002.yaml added auto_generated_guid from old T1505 same atomic
* Update T1505.003.yaml added auto_generated_guid from previous atomic 1100
* Delete T1505.yaml no longer needed, moved to 1505.002
* Update T1518.yaml added auto_generated_guids
* Update T1529.yaml added auto_generated_guids
* Update T1531.yaml added auto_generated_guids
* Update T1543.001.yaml added auto_generated_guid
* Update T1543.002.yaml added auto_generated_guid
* Update T1543.004.yaml added auto_generated_guid
* Update T1546.001.yaml added auto_generated_guid
* Update T1546.002.yaml added auto_generated_guid
* Update T1546.003.yaml
* Update T1546.004.yaml added auto_generated_guid
* Update T1546.005.yaml added auto_generated_guid
* add guids back in
* fix spacing issue
* fix spacing
* fix spacing
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Sub-techniques T1053-T1113 - Updates (#1022)
* Sub-techniques T1053-T1113 - Updates: updated techniques for sub-techniques.
* minor fixes: format fixing
* Added GUIDs - Added GUIDs back - Fixed typo (T1054) - Fixed attack_technique from an array to a string
* Sub-technique updates T1546.008 through T1574.011 (#1024)
* sub technique updates
* sub technique updates
* sub technique updates
* Carrie updates (#1017)
* updated T1110,12,13
* updated T1114
* updated T1114
* updated T1115
* updated T1119
* updated T1123,24
* updated T1127
* updated T1114
* updated T1127
* updated T1132
* T1134.004
* T1134.004
* updated T1135
* updated T1136
* updated T1137
* updated T1140
* remove deprecated T1153
* updated T1176
* updated T1197
* updated T1201
* updated T1202
* updated T1204
* updated T1207
* updated T1216
* updated T1204
* updated T1217
* updated T1218
* updated T1218
* updated T1219
* updated T1218
* attack_technique to string
* Subtechnique transfer (#1025)
* T1003 review
* T1005 manual review changes
* T1027.002 sub-technique review
* T1027.004 sub-technique review
* T1036 sub-technique review
* T1037 sub-technique review
* T1048 sub-technique review
* YAML bugfixes
* Adding auto-generated GUIDs back to tests
* merging with Mike's PR
* Merging with Carrie's PR
* fix spacing
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Subtechnique fix (#1026)
* add atomic_tests: element
* add atomic_tests: element
* more fixes
* more fixes
* more fixes
* sub technique minor fixes 1 (#1027)
* fixes
* fixes
* more fixes
* more fixes
* display name fix (#1028)
* remove some deprecated stuff. reorganize a little (#1031)
* Gendocs fix (#1033)
* gendocs updates for subtechniques
* add folders
* ignore auto generated markdown files
* remove tmp files
* add tmp files
* Generate docs from job=validate_atomics_generate_docs branch=subtechnique_transfer
* navigator layer v3.0
* Generate docs from job=validate_atomics_generate_docs branch=subtechnique_transfer
Co-authored-by: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com>
Co-authored-by: Tsora-Pop <35981510+Tsora-Pop@users.noreply.github.com>
Co-authored-by: Michael Haag <mike@redcanary.com>
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Atomic Red Team
Atomic Red Team allows every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries (all mapped to Mitre's ATT&CK).
Philosophy
Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.
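The structured format is the per-technique YAML file, and the commit message above records the consistency points that bite when those files are edited by hand: attack_technique stored as an array instead of a string, tests without an auto_generated_guid, a missing atomic_tests element. The checker below is an added example, not code from the Atomic Red Team project. It validates a document that has already been parsed into a Python dict (what yaml.safe_load returns), so it runs without any third-party library. The keys attack_technique, display_name, atomic_tests and auto_generated_guid come from this page; the per-test keys name, description, supported_platforms and executor, and the platform names, are assumptions about the project's schema, and the sample documents are constructed placeholders.

```python
"""Structural checks for one Atomic Red Team technique file (added example).

Input is the document as yaml.safe_load would return it. Keys taken from this
page: attack_technique, display_name, atomic_tests, auto_generated_guid. The
per-test keys name, description, supported_platforms and executor, and the
platform names, are assumptions about the project's schema.
"""
import re
import uuid

# Technique ids look like T1003 or, for sub-techniques, T1546.005.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
# Assumed platform names (the README's Navigator layers cover these three).
KNOWN_PLATFORMS = {"windows", "macos", "linux"}
REQUIRED_TEST_KEYS = ("name", "description", "supported_platforms", "executor")


def is_uuid4(value):
    """True if value parses as a version-4 UUID (what auto_generated_guid holds)."""
    try:
        return uuid.UUID(str(value)).version == 4
    except ValueError:
        return False


def validate_atomic(doc):
    """Return a list of human-readable problems; an empty list means the file is well-formed."""
    problems = []
    if not isinstance(doc, dict):
        return ["document is not a mapping"]

    # attack_technique must be one string, not a one-element list.
    tech = doc.get("attack_technique")
    if not isinstance(tech, str):
        problems.append(f"attack_technique must be a string, got {type(tech).__name__}")
    elif not TECHNIQUE_ID.match(tech):
        problems.append(f"attack_technique {tech!r} is not of the form Tnnnn or Tnnnn.nnn")

    if not isinstance(doc.get("display_name"), str):
        problems.append("display_name missing or not a string")

    tests = doc.get("atomic_tests")
    if not isinstance(tests, list) or not tests:
        problems.append("atomic_tests must be a non-empty list")
        return problems

    seen_guids = set()
    for i, test in enumerate(tests):
        where = f"atomic_tests[{i}]"
        if not isinstance(test, dict):
            problems.append(f"{where}: not a mapping")
            continue
        for key in REQUIRED_TEST_KEYS:
            if key not in test:
                problems.append(f"{where}: missing {key}")
        # Every test needs its own GUID so that tooling can refer to it stably.
        guid = test.get("auto_generated_guid")
        if guid is None:
            problems.append(f"{where}: missing auto_generated_guid")
        elif not is_uuid4(guid):
            problems.append(f"{where}: auto_generated_guid {guid!r} is not a version-4 UUID")
        elif guid in seen_guids:
            problems.append(f"{where}: duplicate auto_generated_guid {guid!r}")
        else:
            seen_guids.add(guid)
        platforms = test.get("supported_platforms")
        if isinstance(platforms, list):
            for unknown in sorted(set(platforms) - KNOWN_PLATFORMS):
                problems.append(f"{where}: unknown platform {unknown!r}")
        executor = test.get("executor")
        if isinstance(executor, dict) and not isinstance(executor.get("name"), str):
            problems.append(f"{where}: executor.name missing or not a string")
    return problems


# Constructed sample documents (placeholder content, not tests from the repository).
GOOD_DOC = {
    "attack_technique": "T1546.005",
    "display_name": "Placeholder display name",
    "atomic_tests": [{
        "name": "Placeholder test",
        "auto_generated_guid": "3b5b5d3c-1f0a-4c3e-9a7d-2e6f8c1b0a55",
        "description": "Constructed sample; runs a harmless echo.",
        "supported_platforms": ["linux", "macos"],
        "executor": {"name": "sh", "command": "echo placeholder"},
    }],
}

# Reproduces two defects named in the commit message: attack_technique as an
# array, and a test without its auto_generated_guid.
BAD_DOC = {
    "attack_technique": ["T1003"],
    "display_name": "Placeholder display name",
    "atomic_tests": [{
        "name": "Placeholder test",
        "description": "Constructed sample.",
        "supported_platforms": ["windows"],
        "executor": {"name": "powershell", "command": "Write-Output placeholder"},
    }],
}

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(label, validate_atomic(doc) or "ok")
```

Running the module prints `good ok` and, for the second document, the two findings that correspond to the fixes listed in the commit message. To use it on real files, load each YAML with `yaml.safe_load` and pass the result to `validate_atomic`; a CI job can fail the build when any file returns a non-empty list.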
Three key beliefs made up the Atomic Red Team charter:
- Teams need to be able to test everything from specific technical controls to outcomes. Our security teams do not want to operate with a “hopes and prayers” attitude toward detection. We need to know what our controls and program can detect, and what it cannot. We don’t have to detect every adversary, but we do believe in knowing our blind spots.
- We should be able to run a test in less than five minutes. Most security tests and automation tools take a tremendous amount of time to install, configure, and execute. We coined the term "atomic tests" because we felt there was a simple way to decompose tests so most could be run in a few minutes.
  The best test is the one you actually run.
- We need to keep learning how adversaries are operating. Most security teams don’t have the benefit of seeing a wide variety of adversary types and techniques crossing their desk every day. Even we at Red Canary only come across a fraction of the possible techniques being used, which makes the community working together essential to making us all better.
Having trouble?
Join the community on Slack at https://atomicredteam.slack.com
Getting Started
- Getting Started With Atomic Tests
- Automated Test Execution with the Execution Frameworks
- Peruse the Complete list of Atomic Tests (md, csv) and the ATT&CK Matrix
- Using ATT&CK Navigator? Check out our coverage layers (All, Windows, MacOS, Linux)
- Fork and Contribute your own modifications
- Have questions? Join the community on Slack at https://atomicredteam.slack.com
- Need a Slack invitation? Grab one at https://slack.atomicredteam.io/
Code of Conduct
In order to have a more open and welcoming community, Atomic Red Team adheres to a code of conduct.
License
See the LICENSE file.
