* Updating T1016 to include macos firewall enumeration
* Tests added
* standardize display name
* Add tests for T1134.001 Access Token Impersonation/Theft (#1236)
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* adding socketfilterfw and cleaning up description formatting, adding description details
* Changing to device manufacturer based test
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Add test for T1006 Direct Volume Access (#1254)
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* [OSCD] T1036.004: Masquerade Task or Service - 2 tests (#1253)
* T1036.004 - 2 tests added
* Update T1036.004.yaml Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* T1136.002 - 2 tests added (#1252)
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* [OSCD] Create atomic test for T1113 for Windows (#1251)
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* update T1564.002
* update T1564.002
* add Gatekeeper disable; add cleanup for security tools disable; add another launchagent for carbon black defense; remove Gatekeeper disable command from Gatekeeper bypass technique
* Added T1562.006 tests to emulate indicator blocking by modifying configuration files
* split linux and macos tests for T1518.001; update processes list
* Update T1518.001.yaml
* Removed prereq and fixed command endings
* Indirect command execution - conhost (#1265)
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* [OSCD] Office persistence : Office test (#1266)
* Office persistence : Office test
* Added technique details
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Remove index files to avoid CI complaints.
* Grr
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Update T1518.001.yaml
* [OSCD] Adding T1547.010 (#1264)
* Port monitor addition
* Rename T1547.010.yml to T1547.010.yaml
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Fixed typos in test names

Co-authored-by: remotephone@gmail.com <remotephone@gmail.com>
Co-authored-by: haresudhan <code@0x6c.dev>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: gregclermont <580609+gregclermont@users.noreply.github.com>
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carl <57147304+rc-grey@users.noreply.github.com>
Co-authored-by: mrblacyk <kweinzettl@gmail.com>
Co-authored-by: sn0w0tter <42819997+sn0w0tter@users.noreply.github.com>
Co-authored-by: Yugoslavskiy Daniil <yugoslavskiy@gmail.com>
Co-authored-by: yugoslavskiy <daniil@yugoslavskiy.com>
Co-authored-by: omkargudhate22 <36105402+omkar72@users.noreply.github.com>
Co-authored-by: Keith McCammon <keith@redcanary.com>
Co-authored-by: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com>
Atomic Red Team
Atomic Red Team allows every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries (all mapped to MITRE ATT&CK).
Philosophy
Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.
Three key beliefs made up the Atomic Red Team charter:
- Teams need to be able to test everything from specific technical controls to outcomes. Our security teams do not want to operate with a “hopes and prayers” attitude toward detection. We need to know what our controls and program can detect, and what it cannot. We don’t have to detect every adversary, but we do believe in knowing our blind spots.
- We should be able to run a test in less than five minutes. Most security tests and automation tools take a tremendous amount of time to install, configure, and execute. We coined the term "atomic tests" because we felt there was a simple way to decompose tests so most could be run in a few minutes.
  The best test is the one you actually run.
- We need to keep learning how adversaries are operating. Most security teams don’t have the benefit of seeing a wide variety of adversary types and techniques crossing their desk every day. Even we at Red Canary only come across a fraction of the possible techniques being used, which makes the community working together essential to making us all better.
Having trouble?
Join the community on Slack at https://atomicredteam.slack.com
Getting Started
- Getting Started With Atomic Red Team
- Automated Test Execution with the Execution Frameworks
- Peruse the Complete list of Atomic Tests (md, csv) and the ATT&CK Matrix
- Using ATT&CK Navigator? Check out our coverage layers (All, Windows, MacOS, Linux)
- Fork and Contribute your own modifications
- Have questions? Join the community on Slack at https://atomicredteam.slack.com
- Need a Slack invitation? Submit an invite request via this Google Form
Code of Conduct
In order to have a more open and welcoming community, Atomic Red Team adheres to a code of conduct.
License
See the LICENSE file.
