In today’s article, I will talk about what Atomic Red Team Tool is, how to install this tool and what can be done with this tool.
What Is Atomic Red Team Tool?
Atomic Red Team is an open source tool built specifically for red team testing: it is used to exercise an organization’s defense mechanisms and identify weaknesses in them.
Atomic Red Team consists of tests, each made up of a series of small steps that simulate a specific attack scenario. These tests reflect techniques that attackers use in the real world, and the expectation is that a defense mechanism should catch and block them.
Atomic Red Team is a tool used to test how effective organizations’ defense mechanisms are. Testing helps organizations identify any vulnerabilities of their defense mechanisms and fix them.
Atomic Red Team maps each attack it contains to the MITRE ATT&CK Framework. In other words, when a test is run and we turn out to be affected by it, we can see exactly where the company’s weak point is by looking at the MITRE technique ID that Atomic Red Team assigns to the test.
For example, if the MITRE ID of the attack is T1552.002 and the attacked machine is affected by it, the technique path “Credential Access -> Unsecured Credentials -> Credentials in Registry” tells us that credentials stored in this endpoint’s registry may not be very secure. Commands like the following let an attacker find registry keys that contain password information. In other words, you can write IOCs or rules for such commands in your security products, and after monitoring for a while and excluding legitimate applications from the rule, you can put it into production.
- Local Machine Hive: reg query HKLM /f password /t REG_SZ /s
- Current User Hive: reg query HKCU /f password /t REG_SZ /s
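As an added example (not from the original article), here is the kind of detection rule the paragraph above suggests, written in PowerShell over a few constructed process-creation log lines. It flags reg.exe searching the registry for credential-like keywords and applies an allowlist of parent processes so that known-legitimate tooling can be excluded; the log format, the allowlisted parent path and the keyword list are assumptions for this demo.

```powershell
# Constructed sample events in the shape of Sysmon Event ID 1 / Security 4688 fields.
# Real input would be exported from the SIEM or EDR; these lines exist only for the demo.
$sampleEvents = @(
    'ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\reg.exe CommandLine="reg query HKLM /f password /t REG_SZ /s"',
    'ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\reg.exe CommandLine="reg  query HKCU /f PASSWORD /t REG_SZ /s"',
    'ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\reg.exe CommandLine="reg query HKLM\SOFTWARE\Contoso\App /v Version"',
    'ParentImage=C:\Program Files\ITAudit\audit.exe Image=C:\Windows\System32\reg.exe CommandLine="reg query HKLM /f credential /t REG_SZ /s"',
    'ParentImage=C:\Windows\explorer.exe Image=C:\Program Files\Backup\backup.exe CommandLine="backup.exe --password-file C:\creds.txt"'
)

# Keywords an attacker typically searches for; extend to match your environment.
$credentialKeywords = 'password|passwd|pwd|credential|secret'

# reg.exe "query" with a /f <keyword> search and /s recursion, case-insensitive.
$regSearchPattern = "(?i)\breg(\.exe)?\s+query\b.*\s/f\s+($credentialKeywords)\b.*\s/s\b"

# Parent images allowed to run such queries (assumed: an internal audit agent).
$allowedParents = @('C:\Program Files\ITAudit\audit.exe')

function Get-EventField {
    param([string]$EventLine, [string]$Name)
    # Fields are Name=Value; values may be quoted and contain spaces.
    if ($EventLine -match "$Name=`"([^`"]*)`"") { return $Matches[1] }
    if ($EventLine -match "$Name=(.*?)(\s+\w+=|$)") { return $Matches[1] }
    return $null
}

function Test-RegistryCredentialSearch {
    param([string]$EventLine)
    $cmd = Get-EventField -EventLine $EventLine -Name 'CommandLine'
    if (-not $cmd -or $cmd -notmatch $regSearchPattern) { return $false }
    # Allowlisted parents are excluded so the rule can go to production with fewer false positives.
    $parent = Get-EventField -EventLine $EventLine -Name 'ParentImage'
    return -not ($allowedParents -contains $parent)
}

foreach ($evt in $sampleEvents) {
    if (Test-RegistryCredentialSearch -EventLine $evt) {
        Write-Output "ALERT T1552.002 registry credential search: $evt"
    } else {
        Write-Output "ok    $evt"
    }
}
```

The first two lines produce alerts, the third is an ordinary key lookup, the fourth matches the pattern but is suppressed by the parent allowlist, and the last is not a reg.exe query at all. Tune the allowlist from what you observe during the monitoring period the article recommends before enforcing the rule.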
Now let’s see how to set up Atomic Red Team together.
How To Install Atomic Red Team
1- First of all, download Atomic Red Team from the link below.
https://github.com/redcanaryco/atomic-red-team
2- If we don’t want Windows Defender to interfere while we extract the Atomic Red Team zip, we can uninstall it. (If you are not running another security product, do not do this on your own computer.)
We can use the sc query windefend command to see whether the Windows Defender service is active on our computer.
The PowerShell command to uninstall Windows Defender is as follows:
After this process finishes, we must restart the endpoint for the change to take effect. If we check the Defender service again after the restart, we will see that it is no longer available.
3- We run the following command to install the execution framework:
Install-Module -Name invoke-atomicredteam,powershell-yaml -Scope CurrentUser
4- Then we run the next command:
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam
5- Then we go to the folder we downloaded from GitHub and copy the atomics folder from it.
We paste the copied folder into the AtomicRedTeam folder located in the C:\ directory. This folder contains the attacks that the tool will run.
6- We are now ready to launch attacks. If we want all attacks to run automatically, one after another, it is sufficient to run the following command.
Important Note: Although the Atomic Red Team tool is not designed to damage the computer, only to show our security posture, it may delete some of your files or change configuration during testing. Therefore, I recommend that you try these tests in an isolated sandbox-style environment rather than on your own PC.
Invoke-AtomicTest All
Then press Y.
And as you can see in the screenshot below, it will start running all the attacks in its library in order (of course, as long as your computer can last :)).
If we want to run a specific attack type, for example, as I mentioned at the beginning of my article, to see how safe the credentials that may be in our machines’ registry are, we can easily find the MITRE technique ID on MITRE’s own site (https://attack.mitre.org/matrices/enterprise/).
Now, let’s just do the T1552.002 coded attack of mitre that I mentioned above.
Invoke-AtomicTest T1552.002
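As an added example (not from the original article or the project’s own documentation), here is a more controlled way to run the single technique above than Invoke-AtomicTest All: read the test details first, check and fetch prerequisites, run only the test numbers you intend, clean up afterwards and keep the execution log to correlate with your SIEM or EDR. The switches used (-ShowDetails, -CheckPrereqs, -GetPrereqs, -TestNumbers, -ExecutionLogPath, -Cleanup) are existing parameters of Invoke-AtomicTest; the log path and the chosen test numbers are assumptions for this demo.

```powershell
# Assumes steps 3 to 5 of the article have been completed, so the module and
# C:\AtomicRedTeam\atomics are in place. Run this in the sandbox VM, not on a workstation.
Import-Module invoke-atomicredteam

$technique = 'T1552.002'
$tests     = 1, 2                                     # assumed: the test numbers to run
$log       = 'C:\AtomicRedTeam\exec-log-T1552.002.csv' # assumed log location

# 1. Show what each test of the technique actually executes before running anything.
Invoke-AtomicTest $technique -ShowDetails

# 2. Verify prerequisites for the selected tests and fetch any that are missing.
Invoke-AtomicTest $technique -TestNumbers $tests -CheckPrereqs
Invoke-AtomicTest $technique -TestNumbers $tests -GetPrereqs

# 3. Execute only the selected tests and record when each one ran.
Invoke-AtomicTest $technique -TestNumbers $tests -ExecutionLogPath $log

# 4. Revert any changes the tests made (the article warns tests can alter config or files).
Invoke-AtomicTest $technique -TestNumbers $tests -Cleanup

# 5. The execution log holds the timestamps and hostname to search for in your
#    detection tooling, e.g. for the reg.exe query events the article describes.
Import-Csv $log | Format-Table -AutoSize
```

The key point for a defender is step 5: a test that ran without producing an alert in your SIEM or EDR for the logged time window is a detection gap for that technique, which is exactly what the tool is meant to surface.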
Thus, with the help of this tool, we can see how ready we are for the various tactics and techniques that our company or institution may be exposed to, measure our security posture against these attacks, and get the opportunity to close these weaknesses before we experience a real attack.
Stay tuned.