Post 64 - Third time's the charm

08 Dec 2024

Task 10, Day 4 `Atomic Red Team` I’m all atomic inside!

There will be gaps in your defenses, but they don’t have to be huge, they can be minimized. Two main reasons for Detection gaps:

Security is a cat and mouse game. As defenders detect more, attackers find new ways around. Defenders study new techniques and adjust rules/alerts to suit and cycle begins again.
Line between anomalous and expected behavior is often very thin or non-existent. 99.9% of logins may come from the US until someone goes on EU vacation and logs in. Anomalous behavior, but not malicious, and possibly predictable/expected. Sometimes hard to create rules that don’t make too much noise.

Cyber Attacks and the Kill Chain

All cyber attacks follow fairly standard process refered to as Unified Cyber Kill chain:
Initial Recon > Initial Compromise > Establish Foothold > Escalate Privileges > either Internal Recon or GOTO 80 > Move Laterally > Maintain Presence > Escalate Privileges > Complete Mission (80)

MITRE ATT&CK and Atomic Red Team

Blue team dream to detect and prevent all attacks at step 1, but unpractical. Need to try to detect at each step so any one miss along the chain isn’t disasterous. Real goal is to detect before the last phase of goal execution. MITRE ATT&CK framework is collection of tactics, techniques, and procedures (TTPs) seen to be implemented in the wild. Has navigator tool to investigate TTPs. All information is theoretical. Atomic Red Team library is collection of test cases mapped to MITRE Att&CK framework.

Drop atomics in powershell by using invoke-atomictest. Parameters:

Parameter	Explanation	Example
-AtomicTechnique	Defines technique to emulate. Can use complete name or “TXXXX” value. Can be omitted.	invoke-atomictest -atomictechnique T1566.001
-ShowDetails	Shows details of each test in the Atomic.	invoke-atomictest T1566.001 -showdetails
-ShowDetailsBrief	Shows the title of each test in the Atomic.	invoke-atomictest T1566.001 -showdetailsbrief
-CheckPrereqs	Checks if all necessary components are present for testing.	invoke-atomictest T1566.001 -checkprereqs
-TestNames	Sets tests to execute using Atomic Test name.	invoke-atomictest T1566.001 -testnames “Download Macri-Enabled Phishing Attachment”
-TestGuids	Sets test to be executed using test id.	invoke-atomictest T1566.001 -testguids 114ccff9-ae6d-4547-9ead-4cd69f687306
-TestNumbers	Sets test to be executed using test number. Limited to the Atomic Technique.	invoke-atomictest T1566.001 -testnumbers 2,3
-Cleanup	Run the cleanup commands configured to revert machine to normal.	invoke-atomictest T1566.001 -testnumbers 2 -cleanup

Detecting the Atomic

Can use Windows Event Logs/Sysmon to find actions that take place during testing.

Alerting on the Atomic

Detecting the Atomic doesn’t matter if you don’t do anything about it. Can create custom alerting rules once we know what artefacts were created during attack. Look for things that don’t often run from scripts in the background, i.e. Invoke-WebRequest.

The Task

Identify the atomic test that will take advantage of a command and scripting interpreter, conduct the test, extract artefacts, and grab the flag.

Recommended Stuff

Atomic Red Team room.