Atomic Red Team
MITRE ATT&CK Framework
The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations of cyberattacks. This framework is used by cybersecurity professionals to understand and categorize the behavior of cyber adversaries, helping them to identify and prepare defenses against various cyber threats.
Atomic Red Team
Atomic Red Team is a library of simple, automatable tests designed to execute on an organization’s network, mimicking the activities of advanced persistent threats (APTs) as outlined in the MITRE ATT&CK framework. Each test within Atomic Red Team is linked to a specific technique in the ATT&CK framework, providing a practical method for security teams to test their defenses against a broad spectrum of attacks.
The project is open-source and maintained by Red Canary. SenseOn has made several contributions to improve the tests and resolve bugs found in the framework.
A heatmap of the capabilities of Atomic Red Team overlaid on the MITRE ATT&CK framework is shown below.
The latest version of the coverage is available at: Atomic Red Team Coverage
Testing Requirements
Before running tests using Atomic Red Team, you should have:
- A system that can be reinstalled after the tests, as testing artifacts may be left on the system.
- The SenseOn endpoint sensor installed and confirmed reporting into the SenseOn platform. Please confirm the host appears under Digital Estate -> Devices.
- EPP features disabled on the host on which the tests will be run. To do this, create a segment containing just the host and disable EPP for that segment. Click here for additional configuration details. If EPP is not disabled it will stop the tests before they execute.
- Local admin rights on the system being tested.
Installation
Start PowerShell by searching for PowerShell, right-clicking, and selecting "Run as Administrator."
Enable script execution on the system by running the following command:
powershell -exec bypass
Before downloading the Atomic Tests, ensure that the existing AV, including real-time scanning in Defender, is disabled, or the downloads of the atomics may be blocked.
Then run the following commands to install Atomic Red Team and download the tests.
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics
You may need to press Enter twice. If prompted to install any PowerShell modules, type Y and press Enter.
The installation will take several minutes to complete.
For reference, and to verify the installation, the Atomic tests are downloaded to the following location: C:\AtomicRedTeam\atomics
Detail an attack
What an attack involves can be detailed with the command
Invoke-AtomicTest T1003 -ShowDetails
Execute an attack
Invoke-AtomicTest T1218.010
Running all tests: Please do not invoke all of the tests with the Invoke-AtomicTest All command, as it will cause an exceptionally high volume of cases to be created on the platform because thousands of tests will be run in a short period of time.
Executing Tests for Specific Threat Actors
No security product can detect every single technique, and many of the techniques below are suspicious events rather than a 'smoking gun', so they may not generate a priority case on their own. Therefore it's important that any tests you perform show activity across the kill chain: initial access, execution, lateral movement, command and control, etc. This will allow SenseOn to bring together a wide range of suspicious activity into a coherent case. To assist with this I have created some test scripts which take the activity of known groups and campaigns, and we will run through others on the call. Any group or campaign of your choosing can be emulated.
Operation Dust Storm
Operation Dust Storm was a persistent cyber espionage campaign active from January 2010 to February 2016. It targeted multiple industries across Japan, South Korea, the United States, Europe, and Southeast Asia, focusing on critical infrastructure sectors such as electricity generation, oil and natural gas, finance, transportation, and construction. The threat actors utilized various techniques, including spearphishing, exploitation of vulnerabilities, and the use of Android backdoors, to exfiltrate sensitive information and maintain access to compromised systems.
For more detailed information, you can visit: MITRE ATT&CK Campaign Operation Dust Storm
Invoke-AtomicTest T1059.005 -TimeoutSeconds 15
Invoke-AtomicTest T1059.007 -TimeoutSeconds 15
Invoke-AtomicTest T1140 -TimeoutSeconds 15
Invoke-AtomicTest T1036 -TimeoutSeconds 15
Invoke-AtomicTest T1027.002 -TimeoutSeconds 15
Invoke-AtomicTest T1566.002 -TimeoutSeconds 15
Invoke-AtomicTest T1518 -TimeoutSeconds 15
Invoke-AtomicTest T1218.005 -TimeoutSeconds 15
Invoke-AtomicTest T1204.002 -TimeoutSeconds 15
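As an added example (not part of SenseOn's or Atomic Red Team's own documentation), here is the Operation Dust Storm sequence above wrapped in a small PowerShell runner that follows the guidance in this section: it executes one technique at a time so each shows up as a distinct event on the platform, resolves each technique's prerequisites first, and runs the matching cleanup afterwards so fewer of the artifacts mentioned under Testing Requirements are left behind. The technique list and the 15-second timeout are the page's; the pause length and the log path are assumptions.

```powershell
# Added example: run this page's Operation Dust Storm technique set one technique
# at a time, with prerequisite checks, a pause between tests, and cleanup afterwards.
# Requires Invoke-AtomicRedTeam to be installed (see Installation above) and an
# elevated PowerShell session.

# Techniques taken from the Operation Dust Storm list on this page.
$DustStorm = @(
    'T1059.005', 'T1059.007', 'T1140', 'T1036', 'T1027.002',
    'T1566.002', 'T1518', 'T1218.005', 'T1204.002'
)

$Timeout      = 15   # seconds per test, as used on this page
$PauseSeconds = 30   # assumed: gives the endpoint sensor time to report each technique
# Assumed location for the CSV execution log that Invoke-AtomicTest appends to.
$LogPath      = 'C:\AtomicRedTeam\dust-storm-run.csv'

foreach ($technique in $DustStorm) {
    Write-Host "=== $technique ===" -ForegroundColor Cyan

    # List the tests that will run for this technique.
    Invoke-AtomicTest $technique -ShowDetailsBrief

    # Fetch anything the tests depend on before executing them.
    Invoke-AtomicTest $technique -GetPrereqs

    # Execute every test for the technique and record it in the execution log.
    Invoke-AtomicTest $technique -TimeoutSeconds $Timeout -ExecutionLogPath $LogPath

    # Let the sensor report the activity before the next technique starts,
    # rather than flooding the platform with everything at once.
    Start-Sleep -Seconds $PauseSeconds

    # Run the cleanup commands defined for the tests; artifacts without a
    # cleanup command are why the host should be reinstalled afterwards.
    Invoke-AtomicTest $technique -Cleanup
}

# Summarise what ran, from the execution log Invoke-AtomicTest wrote.
Import-Csv $LogPath | Format-Table -AutoSize
```

Swap the `$DustStorm` array for any other technique list on this page to emulate a different group or campaign in the same way.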
Operation Wocao
Operation Wocao, active from December 2017 to December 2019, was a cyber espionage campaign attributed to suspected Chinese actors. It targeted a wide array of sectors globally, including government, aviation, finance, healthcare, and energy. The group used techniques such as exploiting JBoss vulnerabilities, employing custom web shells, leveraging PowerShell and VBScript, and exfiltrating data via HTTP and HTTPS protocols. They also utilized tools like WinRAR for archiving data and various methods for credential theft and lateral movement.
For more detailed information, you can visit: MITRE ATT&CK Campaign Wocao
Invoke-AtomicTest T1087.002 -TimeoutSeconds 15
Invoke-AtomicTest T1071.001 -TimeoutSeconds 15
Invoke-AtomicTest T1560.001 -TimeoutSeconds 15
Invoke-AtomicTest T1119 -TimeoutSeconds 15
Invoke-AtomicTest T1115 -TimeoutSeconds 15
Invoke-AtomicTest T1059.001 -TimeoutSeconds 15
Invoke-AtomicTest T1059.003 -TimeoutSeconds 15
Invoke-AtomicTest T1059.005 -TimeoutSeconds 15
Invoke-AtomicTest T1059.006 -TimeoutSeconds 15
Invoke-AtomicTest T1005 -TimeoutSeconds 15
Invoke-AtomicTest T1074.001 -TimeoutSeconds 15
Invoke-AtomicTest T1041 -TimeoutSeconds 15
Invoke-AtomicTest T1133 -TimeoutSeconds 15
Invoke-AtomicTest T1083 -TimeoutSeconds 15
Invoke-AtomicTest T1562.004 -TimeoutSeconds 15
Invoke-AtomicTest T1070.001 -TimeoutSeconds 15
Invoke-AtomicTest T1070.004 -TimeoutSeconds 15
Invoke-AtomicTest T1105 -TimeoutSeconds 15
Invoke-AtomicTest T1056.001 -TimeoutSeconds 15
Invoke-AtomicTest T1570 -TimeoutSeconds 15
Invoke-AtomicTest T1036.005 -TimeoutSeconds 15
Invoke-AtomicTest T1112 -TimeoutSeconds 15
Invoke-AtomicTest T1106 -TimeoutSeconds 15
Invoke-AtomicTest T1046 -TimeoutSeconds 15
Invoke-AtomicTest T1135 -TimeoutSeconds 15
Invoke-AtomicTest T1095 -TimeoutSeconds 15
Invoke-AtomicTest T1571 -TimeoutSeconds 15
Invoke-AtomicTest T1003.001 -TimeoutSeconds 15
Invoke-AtomicTest T1003.006 -TimeoutSeconds 15
Invoke-AtomicTest T1120 -TimeoutSeconds 15
Invoke-AtomicTest T1069.001 -TimeoutSeconds 15
Invoke-AtomicTest T1057 -TimeoutSeconds 15
Invoke-AtomicTest T1055 -TimeoutSeconds 15
Invoke-AtomicTest T1090.001 -TimeoutSeconds 15
Invoke-AtomicTest T1090.003 -TimeoutSeconds 15
Invoke-AtomicTest T1012 -TimeoutSeconds 15
Invoke-AtomicTest T1021.002 -TimeoutSeconds 15
Invoke-AtomicTest T1018 -TimeoutSeconds 15
Invoke-AtomicTest T1053.005 -TimeoutSeconds 15
Invoke-AtomicTest T1518.001 -TimeoutSeconds 15
Invoke-AtomicTest T1558.003 -TimeoutSeconds 15
Invoke-AtomicTest T1082 -TimeoutSeconds 15
Invoke-AtomicTest T1049 -TimeoutSeconds 15
Invoke-AtomicTest T1033 -TimeoutSeconds 15
Invoke-AtomicTest T1007 -TimeoutSeconds 15
Invoke-AtomicTest T1569.002 -TimeoutSeconds 15
Invoke-AtomicTest T1124 -TimeoutSeconds 15
Invoke-AtomicTest T1552.004 -TimeoutSeconds 15
Invoke-AtomicTest T1078.002 -TimeoutSeconds 15
Invoke-AtomicTest T1078.004 -TimeoutSeconds 15
Invoke-AtomicTest T1047 -TimeoutSeconds 15
SolarWinds Compromise
The SolarWinds Compromise, discovered in December 2020, was a sophisticated supply chain attack conducted by APT29, a group linked to Russia's SVR. They injected malicious code into the SolarWinds Orion software, which was distributed through a routine update. The attack affected approximately 18,000 organizations, including government agencies and private sector companies across North America, Europe, Asia, and the Middle East. The attackers used various methods, such as credential theft, API abuse, and spear-phishing, to gain access and exfiltrate data from compromised networks.
For more detailed information, you can visit: MITRE ATT&CK Campaign SolarWinds Compromise
Invoke-AtomicTest T1087.002 -TimeoutSeconds 15
Invoke-AtomicTest T1098.001 -TimeoutSeconds 15
Invoke-AtomicTest T1098.002 -TimeoutSeconds 15
Invoke-AtomicTest T1098.003 -TimeoutSeconds 15
Invoke-AtomicTest T1071.001 -TimeoutSeconds 15
Invoke-AtomicTest T1560.001 -TimeoutSeconds 15
Invoke-AtomicTest T1059.001 -TimeoutSeconds 15
Invoke-AtomicTest T1059.003 -TimeoutSeconds 15
Invoke-AtomicTest T1059.005 -TimeoutSeconds 15
Invoke-AtomicTest T1555.003 -TimeoutSeconds 15
Invoke-AtomicTest T1005 -TimeoutSeconds 15
Invoke-AtomicTest T1140 -TimeoutSeconds 15
Invoke-AtomicTest T1484.002 -TimeoutSeconds 15
Invoke-AtomicTest T1482 -TimeoutSeconds 15
Invoke-AtomicTest T1114.002 -TimeoutSeconds 15
Invoke-AtomicTest T1546.003 -TimeoutSeconds 15
Invoke-AtomicTest T1048.002 -TimeoutSeconds 15
Invoke-AtomicTest T1133 -TimeoutSeconds 15
Invoke-AtomicTest T1083 -TimeoutSeconds 15
Invoke-AtomicTest T1606.002 -TimeoutSeconds 15
Invoke-AtomicTest T1562.001 -TimeoutSeconds 15
Invoke-AtomicTest T1562.002 -TimeoutSeconds 15
Invoke-AtomicTest T1562.004 -TimeoutSeconds 15
Invoke-AtomicTest T1070.004 -TimeoutSeconds 15
Invoke-AtomicTest T1070.006 -TimeoutSeconds 15
Invoke-AtomicTest T1070.008 -TimeoutSeconds 15
Invoke-AtomicTest T1105 -TimeoutSeconds 15
Invoke-AtomicTest T1036.004 -TimeoutSeconds 15
Invoke-AtomicTest T1036.005 -TimeoutSeconds 15
Invoke-AtomicTest T1003.006 -TimeoutSeconds 15
Invoke-AtomicTest T1069.002 -TimeoutSeconds 15
Invoke-AtomicTest T1057 -TimeoutSeconds 15
Invoke-AtomicTest T1090.001 -TimeoutSeconds 15
Invoke-AtomicTest T1021.001 -TimeoutSeconds 15
Invoke-AtomicTest T1021.002 -TimeoutSeconds 15
Invoke-AtomicTest T1021.006 -TimeoutSeconds 15
Invoke-AtomicTest T1018 -TimeoutSeconds 15
Invoke-AtomicTest T1053.005 -TimeoutSeconds 15
Invoke-AtomicTest T1558.003 -TimeoutSeconds 15
Invoke-AtomicTest T1539 -TimeoutSeconds 15
Invoke-AtomicTest T1218.011 -TimeoutSeconds 15
Invoke-AtomicTest T1082 -TimeoutSeconds 15
Invoke-AtomicTest T1552.004 -TimeoutSeconds 15
Invoke-AtomicTest T1078.003 -TimeoutSeconds 15
Invoke-AtomicTest T1078.004 -TimeoutSeconds 15
FIN8
FIN8, also known as Syssphinx, is a financially motivated cyber threat group active since at least January 2016. They have targeted sectors including hospitality, retail, entertainment, insurance, technology, chemical, and financial industries. FIN8 is known for using sophisticated tactics such as spearphishing with malicious attachments, PowerShell for lateral movement, and deploying ransomware variants like Ragnar Locker and White Rabbit. Their campaigns have involved exfiltration of data, privilege escalation, and using tools like Impacket for various stages of their attacks.
For more detailed information, you can visit: MITRE ATT&CK Group FIN8
Invoke-AtomicTest T1134.001 -TimeoutSeconds 15
Invoke-AtomicTest T1071.001 -TimeoutSeconds 15
Invoke-AtomicTest T1560.001 -TimeoutSeconds 15
Invoke-AtomicTest T1059.001 -TimeoutSeconds 15
Invoke-AtomicTest T1059.003 -TimeoutSeconds 15
Invoke-AtomicTest T1486 -TimeoutSeconds 15
Invoke-AtomicTest T1482 -TimeoutSeconds 15
Invoke-AtomicTest T1546.003 -TimeoutSeconds 15
Invoke-AtomicTest T1048.003 -TimeoutSeconds 15
Invoke-AtomicTest T1070.001 -TimeoutSeconds 15
Invoke-AtomicTest T1070.004 -TimeoutSeconds 15
Invoke-AtomicTest T1105 -TimeoutSeconds 15
Invoke-AtomicTest T1112 -TimeoutSeconds 15
Invoke-AtomicTest T1003.001 -TimeoutSeconds 15
Invoke-AtomicTest T1566.001 -TimeoutSeconds 15
Invoke-AtomicTest T1055.004 -TimeoutSeconds 15
Invoke-AtomicTest T1021.001 -TimeoutSeconds 15
Invoke-AtomicTest T1021.002 -TimeoutSeconds 15
Invoke-AtomicTest T1018 -TimeoutSeconds 15
Invoke-AtomicTest T1053.005 -TimeoutSeconds 15
Invoke-AtomicTest T1518.001 -TimeoutSeconds 15
Invoke-AtomicTest T1082 -TimeoutSeconds 15
Invoke-AtomicTest T1033 -TimeoutSeconds 15
Invoke-AtomicTest T1204.002 -TimeoutSeconds 15
Invoke-AtomicTest T1078 -TimeoutSeconds 15
Invoke-AtomicTest T1047 -TimeoutSeconds 15
WIRTE
WIRTE is a cyber espionage group active since at least August 2018, targeting government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe. Their techniques include spearphishing with malicious attachments, using PowerShell and VBScript for script execution, employing masquerading tactics, and leveraging non-standard ports for command and control communication. WIRTE's campaigns often involve the use of tools such as Empire for post-exploitation activities.
For more detailed information, you can visit: MITRE ATT&CK Group WIRTE
Invoke-AtomicTest T1071.001 -TimeoutSeconds 15
Invoke-AtomicTest T1059.001 -TimeoutSeconds 15
Invoke-AtomicTest T1059.005 -TimeoutSeconds 15
Invoke-AtomicTest T1140 -TimeoutSeconds 15
Invoke-AtomicTest T1105 -TimeoutSeconds 15
Invoke-AtomicTest T1036.005 -TimeoutSeconds 15
Invoke-AtomicTest T1571 -TimeoutSeconds 15
Invoke-AtomicTest T1566.001 -TimeoutSeconds 15
Invoke-AtomicTest T1218.010 -TimeoutSeconds 15
Invoke-AtomicTest T1204.002 -TimeoutSeconds 15
APT19
APT19, also known as Codoso, C0d0so0, Codoso Team, and Sunshop Group, is a Chinese cyber espionage group. They have targeted a wide range of industries, including defense, finance, energy, pharmaceuticals, telecommunications, high-tech, education, manufacturing, and legal services. Notably, in 2017, APT19 conducted a phishing campaign against seven law and investment firms. Their methods include spearphishing with malicious attachments, exploiting vulnerabilities, and employing advanced malware for command and control, persistence, and data exfiltration.
For more detailed information, you can visit: MITRE ATT&CK Group APT19
Invoke-AtomicTest T1071.001 -TimeoutSeconds 15
Invoke-AtomicTest T1547.001 -TimeoutSeconds 15
Invoke-AtomicTest T1059 -TimeoutSeconds 15
Invoke-AtomicTest T1059.001 -TimeoutSeconds 15
Invoke-AtomicTest T1543.003 -TimeoutSeconds 15
Invoke-AtomicTest T1132.001 -TimeoutSeconds 15
Invoke-AtomicTest T1140 -TimeoutSeconds 15
Invoke-AtomicTest T1564.003 -TimeoutSeconds 15
Invoke-AtomicTest T1574.002 -TimeoutSeconds 15
Invoke-AtomicTest T1112 -TimeoutSeconds 15
Invoke-AtomicTest T1566.001 -TimeoutSeconds 15
Invoke-AtomicTest T1218.010 -TimeoutSeconds 15
Invoke-AtomicTest T1218.011 -TimeoutSeconds 15
Invoke-AtomicTest T1082 -TimeoutSeconds 15
Invoke-AtomicTest T1016 -TimeoutSeconds 15
Invoke-AtomicTest T1033 -TimeoutSeconds 15
Invoke-AtomicTest T1204.002 -TimeoutSeconds 15