Workload Security Evaluator provides tooling to simulate runtime attacks and test the default runtime detections of Datadog Cloud Security Management. Tests are run with Atomic Red Team.
Read the corresponding blog post for more details.
- Requirements
- Getting started
- Atomic test organization
- Test against real-world threats
- Techniques not relevant to production workloads
Workload Security Evaluator runs on Docker. For the most accurate results, Datadog recommends launching a compute instance in your preferred cloud provider. Alternatively, use a virtual machine or Docker Desktop. Apple silicon is not supported.
- Build and run the containers with the following commands.

  ```sh
  export DD_API_KEY="<api-key>" # Found at https://app.datadoghq.com/organization-settings/api-keys
  docker compose build
  docker compose up -d
  ```

- Enter the evaluator container and run atomics.

  ```sh
  docker exec -it atomicredteam /usr/bin/pwsh
  ```

  ```powershell
  Invoke-AtomicTest T1105-27 -ShowDetails
  Invoke-AtomicTest T1105-27 -GetPrereqs # Download packages or payloads
  Invoke-AtomicTest T1105-27
  ```

- Check for a signal in the Datadog Signals Explorer page. Signals from Workload Security Evaluator are tagged with `env:emulation` to differentiate them from real security threats.
- Revert the changes made by the atomic. Pass the same test ID you executed; the cleanup below is for T1053.003-2, which adds entries to the cron subfolders that must be removed.

  ```powershell
  Invoke-AtomicTest T1053.003-2 -Cleanup
  ```

- Repeat with a different atomic.
- Shut down the containers.

  ```sh
  docker compose down
  ```
Atomic Red Team often contains multiple tests for the same ATT&CK technique, numbered in the order they appear in the technique's test file. For example, the test identifier T1136.001-1 refers to the first test for MITRE ATT&CK technique T1136.001 (Create Account: Local Account), which creates an account on a Linux system. The second test, T1136.001-2, creates an account on a macOS system.
The following atomics are recommended as a starting point. They emulate techniques that were observed in real attacks targeting cloud workloads.
| Atomic ID | Atomic Name | Datadog Rule | Source |
|---|---|---|---|
| T1105-27 | Linux Download File and Run | Executable bit added to new file | Source |
| T1046-2 | Port Scan Nmap | Network scanning utility executed | Source |
| T1574.006-1 | Shared Library Injection via /etc/ld.so.preload | Suspected dynamic linker hijacking attempt | Source |
| T1053.003-2 | Cron - Add script to all cron subfolders | Cron job modified | Source |
| T1070.003-1 | Clear Bash history (rm) | Shell command history modified | Source |
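The following script ties the getting-started steps and the recommended atomics above into one run. It is an added example, not code shipped with Workload Security Evaluator, and it is meant to be pasted into the PowerShell session you get from `docker exec -it atomicredteam /usr/bin/pwsh`. It assumes Invoke-AtomicRedTeam is already loaded in that session (as it is when you follow the steps above); the log path and the settle delay are assumptions you can tune.

```powershell
# Added example (not part of the Workload Security Evaluator project).
# Runs each recommended atomic end to end from inside the evaluator container:
# show details, fetch and verify prerequisites, execute, wait for the Agent to
# ship the event, then clean up so the next test starts from a clean host.

$Atomics = @(
    @{ Id = 'T1105-27';    Rule = 'Executable bit added to new file' }
    @{ Id = 'T1046-2';     Rule = 'Network scanning utility executed' }
    @{ Id = 'T1574.006-1'; Rule = 'Suspected dynamic linker hijacking attempt' }
    @{ Id = 'T1053.003-2'; Rule = 'Cron job modified' }
    @{ Id = 'T1070.003-1'; Rule = 'Shell command history modified' }
)

$LogPath       = '/tmp/atomic-execution.csv'  # assumed location; Invoke-AtomicTest appends a CSV row per run
$SettleSeconds = 30                           # assumed; gives the Agent time to flush the runtime event

foreach ($atomic in $Atomics) {
    $id = $atomic.Id
    Write-Host "=== $id (expected Datadog rule: $($atomic.Rule)) ==="

    Invoke-AtomicTest $id -ShowDetails

    # Download any payloads or packages the test needs, then confirm they are present
    # before executing, so a missing prerequisite is not mistaken for a missed detection.
    Invoke-AtomicTest $id -GetPrereqs
    Invoke-AtomicTest $id -CheckPrereqs

    # Execute the technique and record what ran and when; the UTC timestamp lets you
    # match the env:emulation signal in the Signals Explorer to this specific run.
    Invoke-AtomicTest $id -ExecutionLogPath $LogPath -TimeoutSeconds 120
    $ran = (Get-Date).ToUniversalTime().ToString('o')
    Write-Host "Executed $id at $ran UTC; look for an env:emulation signal '$($atomic.Rule)'"

    Start-Sleep -Seconds $SettleSeconds

    # Always revert the atomic's changes (cron entries, /etc/ld.so.preload, downloaded
    # files) so no persistence is left behind and later tests run on a clean host.
    Invoke-AtomicTest $id -Cleanup
}

Write-Host "Execution log written to $LogPath"
Import-Csv $LogPath | Format-Table
```

Run it once per host and compare the execution log against the signals tagged `env:emulation`: an atomic that ran (exit code logged) with no matching signal points at a detection gap or an Agent configuration problem, while a failed `-CheckPrereqs` means the technique never actually executed and should not be counted either way.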
For a full list of Datadog's runtime detections, visit the Out-of-the-box (OOTB) rules page. MITRE ATT&CK tactic and technique information is provided for every rule.
The MITRE ATT&CK Linux Matrix contains techniques for Linux hosts with a variety of purposes. Testing the techniques located in notrelevant.md is not recommended, because they are focused on Linux workstations or are unlikely to be detected using operating system events.