Atomic Red Team - Detection Engineering & Purple Teaming
Bron: github.com/redcanaryco/atomic-red-team Auteur: Johan Beysen
1. Overzicht
Atomic Red Team is een open-source library van kleine, gefocuste security tests ontwikkeld door Red Canary. Het framework bevat honderden "atomic tests" die specifieke adversary techniques simuleren volgens het MITRE ATT&CK framework, waarmee je kunt valideren of je security controls (EDR, SIEM, XDR) daadwerkelijk aanvallen detecteren.
Ontwikkelaar: Red Canary Type: Adversary Emulation / Detection Validation Framework Licentie: MIT Open Source Repository: https://github.com/redcanaryco/atomic-red-team MITRE ATT&CK: Volledig gemapped
2. Doel en Filosofie
2.1 Het "Atomic" Concept
Elk test is: - Atomic: Klein, discrete test van één specifieke technique - Documented: Duidelijke uitleg wat de test doet - Portable: Makkelijk te delen en reproduceren - Mapped: Gekoppeld aan MITRE ATT&CK framework
2.2 Primaire Doelen
- Detection Validation: Verifieer of security tools aanvallen detecteren
- Purple Teaming: Faciliteer samenwerking tussen Red en Blue teams
- Gap Analysis: Identificeer blinde vlekken in detection
- SOC Training: Train analisten met realistische scenarios
- Continuous Testing: Geautomatiseerde validatie van security posture
2.3 Het Verschil met Andere Tools
| Tool | Focus | Use Case |
|---|---|---|
| Atomic Red Team | Detection validation | Test of controls werken |
| Metasploit | Exploitation | Daadwerkelijk exploiten |
| Caldera | Full attack chains | Automated adversary emulation |
| Cobalt Strike | Red team operations | Volledige offensive campaigns |
3. Installatie
3.1 Windows - PowerShell Method (Aanbevolen)
# Set Execution Policy (als admin)
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
# Installeer Invoke-AtomicRedTeam module
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
# Installeer atomic tests library
Install-AtomicRedTeam -getAtomics
# Optioneel: Installeer op custom locatie
Install-AtomicRedTeam -InstallPath C:\AtomicRedTeam -getAtomics
# Verify installatie
Get-Command Invoke-AtomicTest
Standaard Locatie: C:\AtomicRedTeam\
3.2 Linux Installation
# Via Docker (aanbevolen voor Linux)
docker pull redcanary/invoke-atomicredteam:latest
# Of manual installation
git clone https://github.com/redcanaryco/atomic-red-team.git
cd atomic-red-team
# Installeer PowerShell Core op Linux
wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt update
sudo apt install -y powershell
# Run PowerShell en installeer module
pwsh
Install-Module -Name invoke-atomicredteam,powershell-yaml -Scope CurrentUser
3.3 macOS Installation
# Installeer PowerShell
brew install --cask powershell
# Open PowerShell
pwsh
# Installeer Atomic Red Team
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1');
Install-AtomicRedTeam -getAtomics
4. Basis Commands
4.1 Core Commands Overzicht
| Command | Beschrijving |
|---|---|
Invoke-AtomicTest |
Voer atomic test uit |
Invoke-AtomicTest -ShowDetails |
Toon test details |
Invoke-AtomicTest -CheckPrereqs |
Check vereisten |
Invoke-AtomicTest -GetPrereqs |
Installeer vereisten |
Invoke-AtomicTest -Cleanup |
Cleanup na test |
4.2 Syntax
5. Praktische Voorbeelden
5.1 Level 1: Basis Gebruik
# Lijst alle beschikbare techniques
Invoke-AtomicTest All -ShowDetails
# Toon details van specifieke technique
Invoke-AtomicTest T1003.001 -ShowDetailsBrief
# Run single test
Invoke-AtomicTest T1003.001
# Run specifieke test number
Invoke-AtomicTest T1003.001 -TestNumbers 1
# Run multiple tests
Invoke-AtomicTest T1003.001 -TestNumbers 1,2,3
5.2 Level 2: Pre-requisites en Cleanup
# Check of prerequisites aanwezig zijn
Invoke-AtomicTest T1003.001 -CheckPrereqs
# Installeer ontbrekende prerequisites
Invoke-AtomicTest T1003.001 -GetPrereqs
# Run test met automatische cleanup
Invoke-AtomicTest T1003.001 -Cleanup
# Cleanup zonder test uit te voeren
Invoke-AtomicTest T1003.001 -Cleanup -CheckPrereqs
5.3 Level 3: Custom Parameters
# Test met custom parameters
Invoke-AtomicTest T1059.001 -TestNumbers 1 -InputArgs @{
"command" = "whoami"
}
# Meerdere parameters
Invoke-AtomicTest T1021.001 -InputArgs @{
"target" = "192.168.1.100"
"username" = "testuser"
"password" = "TestPass123!"
}
# Run met timeout
Invoke-AtomicTest T1003.001 -TimeoutSeconds 300
5.4 Level 4: Batch Testing
# Test hele ATT&CK tactic
$CredentialAccess = @("T1003.001","T1003.002","T1003.003","T1110.001")
foreach ($test in $CredentialAccess) {
Write-Host "Testing $test"
Invoke-AtomicTest $test
Start-Sleep -Seconds 5
}
# Run alle tests in een technique
Invoke-AtomicTest T1003 -TestNumbers All
# Run met logging
Invoke-AtomicTest T1003.001 | Tee-Object -FilePath C:\Logs\atomic_test.log
6. ATT&CK Techniques Coverage
6.1 Meest Gebruikte Techniques
Credential Access (TA0006)
# T1003.001 - LSASS Memory Dump
Invoke-AtomicTest T1003.001
# T1003.002 - Security Account Manager (SAM)
Invoke-AtomicTest T1003.002
# T1003.003 - NTDS.dit
Invoke-AtomicTest T1003.003
# T1110.001 - Password Guessing
Invoke-AtomicTest T1110.001
# T1555.003 - Credentials from Web Browsers
Invoke-AtomicTest T1555.003
Defense Evasion (TA0005)
# T1055 - Process Injection
Invoke-AtomicTest T1055
# T1562.001 - Disable/Modify Tools (AV/EDR)
Invoke-AtomicTest T1562.001
# T1070.001 - Clear Windows Event Logs
Invoke-AtomicTest T1070.001
# T1218.011 - Rundll32 Proxy Execution
Invoke-AtomicTest T1218.011
# T1027 - Obfuscated Files/Information
Invoke-AtomicTest T1027
Persistence (TA0003)
# T1547.001 - Registry Run Keys
Invoke-AtomicTest T1547.001
# T1053.005 - Scheduled Task
Invoke-AtomicTest T1053.005
# T1136.001 - Create Local Account
Invoke-AtomicTest T1136.001
# T1098 - Account Manipulation
Invoke-AtomicTest T1098
# T1543.003 - Windows Service
Invoke-AtomicTest T1543.003
Privilege Escalation (TA0004)
# T1134 - Access Token Manipulation
Invoke-AtomicTest T1134
# T1068 - Exploitation for Privilege Escalation
Invoke-AtomicTest T1068
# T1548.002 - Bypass UAC
Invoke-AtomicTest T1548.002
Lateral Movement (TA0008)
# T1021.001 - RDP
Invoke-AtomicTest T1021.001
# T1021.002 - SMB/Windows Admin Shares
Invoke-AtomicTest T1021.002
# T1021.003 - DCOM
Invoke-AtomicTest T1021.003
# T1021.006 - WinRM
Invoke-AtomicTest T1021.006
# T1047 - WMI
Invoke-AtomicTest T1047
Command and Control (TA0011)
# T1071.001 - Web Protocols (HTTP/HTTPS)
Invoke-AtomicTest T1071.001
# T1095 - Non-Application Layer Protocol
Invoke-AtomicTest T1095
# T1573 - Encrypted Channel
Invoke-AtomicTest T1573
Exfiltration (TA0010)
# T1020 - Automated Exfiltration
Invoke-AtomicTest T1020
# T1048.003 - Exfiltration Over Unencrypted Protocol
Invoke-AtomicTest T1048.003
# T1567.002 - Exfiltration to Cloud Storage
Invoke-AtomicTest T1567.002
7. Purple Team Workflows
7.1 Workflow 1: Detection Validation
Doel: Valideer of EDR/SIEM specifieke aanval detecteert
# STAP 1: Identificeer technique om te testen
$Technique = "T1003.001" # LSASS Memory Dump
# STAP 2: Review test details
Invoke-AtomicTest $Technique -ShowDetailsBrief
# STAP 3: Check prerequisites
Invoke-AtomicTest $Technique -CheckPrereqs
# STAP 4: Notify Blue Team
Write-Host "Starting test $Technique at $(Get-Date)"
# STAP 5: Execute test
Invoke-AtomicTest $Technique
# STAP 6: Wait voor detection
Start-Sleep -Seconds 60
# STAP 7: Verify in SIEM/EDR
# Check FortiAnalyzer, Splunk, etc.
# STAP 8: Cleanup
Invoke-AtomicTest $Technique -Cleanup
# STAP 9: Document results
"Test: $Technique | Time: $(Get-Date) | Detected: YES/NO" |
Out-File -Append C:\Logs\purple_team_results.txt
7.2 Workflow 2: Coverage Assessment
Doel: Test coverage van hele ATT&CK tactic
# Define tactic to test (Credential Access)
$CredAccessTests = @(
"T1003.001", # LSASS
"T1003.002", # SAM
"T1110.001", # Password Guessing
"T1555.003" # Browser Credentials
)
# Initialize results
$Results = @()
foreach ($Test in $CredAccessTests) {
Write-Host "`n[*] Testing $Test" -ForegroundColor Cyan
# Check if test can run
$CanRun = Invoke-AtomicTest $Test -CheckPrereqs
if ($CanRun) {
# Execute test
Invoke-AtomicTest $Test
# Wait for detection
Start-Sleep -Seconds 30
# Log result (manual verification needed)
$Results += [PSCustomObject]@{
Technique = $Test
Executed = "YES"
Timestamp = Get-Date
DetectedInSIEM = "MANUAL_CHECK"
}
# Cleanup
Invoke-AtomicTest $Test -Cleanup
} else {
Write-Host "[!] Prerequisites not met for $Test" -ForegroundColor Yellow
}
Start-Sleep -Seconds 10
}
# Export results
$Results | Export-Csv -Path C:\Reports\coverage_test_$(Get-Date -Format yyyyMMdd).csv -NoTypeInformation
7.3 Workflow 3: Continuous Validation
Doel: Geautomatiseerde dagelijkse detection testing
# Script: daily_atomic_tests.ps1
# Schedule via Task Scheduler
$TestsToRun = @(
"T1003.001", # Credential Dumping
"T1055.001", # Process Injection
"T1070.001" # Log Clearing
)
$LogFile = "C:\Logs\atomic_daily_$(Get-Date -Format yyyyMMdd).log"
foreach ($Test in $TestsToRun) {
$StartTime = Get-Date
try {
Invoke-AtomicTest $Test -ErrorAction Stop
$Status = "SUCCESS"
} catch {
$Status = "FAILED: $($_.Exception.Message)"
}
$EndTime = Get-Date
$Duration = ($EndTime - $StartTime).TotalSeconds
# Log result
"$StartTime | $Test | $Status | Duration: ${Duration}s" |
Out-File -Append $LogFile
# Cleanup
Invoke-AtomicTest $Test -Cleanup
Start-Sleep -Seconds 120 # Wait between tests
}
# Send notification
Send-MailMessage -To "soc@company.com" -Subject "Daily Atomic Tests Complete" -Body "See log: $LogFile"
8. Detection Engineering
8.1 Scenario 1: Testing EDR Bypass
Doel: Verificeer of EDR evasion techniques gedetecteerd worden
# Test 1: Process Hollowing
Invoke-AtomicTest T1055.012
# Check EDR logs
# Expected: Alert for process hollowing
# Test 2: AMSI Bypass
Invoke-AtomicTest T1562.001 -TestNumbers 1
# Check EDR logs
# Expected: AMSI tampering alert
# Test 3: Obfuscated PowerShell
Invoke-AtomicTest T1059.001 -TestNumbers 5
# Check EDR logs
# Expected: Suspicious PowerShell execution
8.2 Scenario 2: Building Detection Rules
Proces:
-
Run Atomic Test
-
Analyze Telemetry
- Check Sysmon logs
- Review EDR telemetry
-
Examine network traffic
-
Build Detection Rule
-
Validate Rule
8.3 Scenario 3: Testing Sigma Rules
# Map Sigma rule to Atomic test
$SigmaRule = "proc_creation_win_lsass_dump.yml"
$AtomicTest = "T1003.001"
# Run corresponding atomic test
Invoke-AtomicTest $AtomicTest
# Check if Sigma rule triggered in SIEM
# Document coverage
9. Integration met Security Stack
9.1 FortiEDR / FortiClient Integration
Test FortiEDR Detection:
# Test 1: Credential Access
Write-Host "[*] Testing FortiEDR Credential Dumping Detection"
Invoke-AtomicTest T1003.001
# Expected FortiEDR behavior:
# - Block LSASS access
# - Generate alert
# - Quarantine process
# Test 2: Ransomware Simulation
Invoke-AtomicTest T1486 # Data Encrypted for Impact
# Expected FortiEDR behavior:
# - Detect mass file encryption
# - Block ransomware process
# - Generate critical alert
# Test 3: Process Injection
Invoke-AtomicTest T1055.001
# Expected FortiEDR behavior:
# - Detect injection attempt
# - Block malicious process
# - Alert on technique
9.2 FortiAnalyzer / SIEM Integration
# Generate test traffic met timestamps
$TestStart = Get-Date
Invoke-AtomicTest T1003.001
Start-Sleep -Seconds 30
Invoke-AtomicTest T1059.001
Start-Sleep -Seconds 30
Invoke-AtomicTest T1055.001
Start-Sleep -Seconds 30
$TestEnd = Get-Date
# Build FortiAnalyzer query
Write-Host @"
FortiAnalyzer Query:
Time Range: $TestStart to $TestEnd
Log Type: FortiClient Telemetry
Search: LSASS OR PowerShell OR Injection
"@
# Verify logs in FortiAnalyzer dashboard
# Build correlation rules
9.3 Nessus Integration
# Run atomic tests
Invoke-AtomicTest T1068 # Privilege Escalation
# Follow up met Nessus scan
Start-Process "C:\Program Files\Tenable\Nessus\nessuscli.exe" -ArgumentList "scan new --name 'Post-Atomic-Validation'"
# Compare: What did Atomic exploit vs what Nessus detected
9.4 Metasploit Comparison
# Atomic Test (Detection focus)
Invoke-AtomicTest T1055.001
# vs.
# Metasploit (Exploitation focus)
msfconsole -x "use exploit/windows/local/ms16_075_reflection; set PAYLOAD windows/meterpreter/reverse_tcp; exploit"
# Use cases:
# - Atomic: Does my EDR detect process injection?
# - Metasploit: Can I actually exploit this vulnerability?
10. Lab Setup & Testing Environments
10.1 Proxmox Lab Configuration
VM Setup voor Atomic Testing:
VM1: Windows 10 (Target)
- FortiClient EDR installed
- Sysmon installed
- Attack simulation target
VM2: Windows Server 2019 (Domain Controller)
- Active Directory
- Test domain: lab.local
VM3: Kali Linux (Attack Platform)
- Invoke-AtomicRedTeam (via PowerShell Core)
- C2 servers for validation
VM4: Security Stack
- FortiAnalyzer
- Splunk / ELK
- Log aggregation
Network Segmentation:
VLAN 10: Management (192.168.10.0/24)
VLAN 20: Target Network (192.168.20.0/24)
VLAN 30: Security Tools (192.168.30.0/24)
FortiGate: Tussen alle VLANs
- IPS enabled
- Application Control
- Full logging naar FortiAnalyzer
10.2 Snapshot Strategy
Voor testing:
# 1. Maak clean snapshot
# In Proxmox: "Snapshot" > "Take Snapshot" > "clean_baseline"
# 2. Run atomic tests
Invoke-AtomicTest T1003.001
# 3. Analyze results
# 4. Rollback naar clean state
# In Proxmox: "Snapshot" > "Rollback" > "clean_baseline"
# 5. Repeat voor next test
Automation:
# Bash script voor automated snapshot/test/rollback
#!/bin/bash
VM_ID="100"
SNAPSHOT_NAME="clean_baseline"
# Take snapshot
qm snapshot $VM_ID $SNAPSHOT_NAME
# Run test (via API of SSH)
ssh administrator@192.168.20.10 "powershell.exe -Command 'Invoke-AtomicTest T1003.001'"
# Wait for analysis
sleep 300
# Rollback
qm rollback $VM_ID $SNAPSHOT_NAME
# Next test
11. Advanced Use Cases
11.1 Custom Atomic Tests
Create your own atomic test:
# File: T1003.001-custom.yaml
attack_technique: T1003.001
display_name: Custom LSASS Dump via Custom Tool
atomic_tests:
- name: Custom LSASS Memory Dump
auto_generated_guid: 12345678-1234-1234-1234-123456789abc
description: |
Dump LSASS memory using custom tool for testing
supported_platforms:
- windows
input_arguments:
dump_path:
description: Path to save dump
type: Path
default: C:\Temp\lsass_custom.dmp
executor:
command: |
C:\Tools\CustomDumper.exe -o #{dump_path}
name: powershell
elevation_required: true
cleanup_command: |
Remove-Item #{dump_path} -ErrorAction Ignore
Run custom test:
11.2 Chaining Attacks (Kill Chain Testing)
# Simulate complete attack chain
# Phase 1: Initial Access (Phishing Simulation)
Invoke-AtomicTest T1566.001
Start-Sleep -Seconds 60
# Phase 2: Execution
Invoke-AtomicTest T1059.001 # PowerShell
Start-Sleep -Seconds 60
# Phase 3: Persistence
Invoke-AtomicTest T1547.001 # Registry Run Key
Start-Sleep -Seconds 60
# Phase 4: Privilege Escalation
Invoke-AtomicTest T1134 # Token Manipulation
Start-Sleep -Seconds 60
# Phase 5: Credential Access
Invoke-AtomicTest T1003.001 # LSASS Dump
Start-Sleep -Seconds 60
# Phase 6: Lateral Movement
Invoke-AtomicTest T1021.002 # SMB
Start-Sleep -Seconds 60
# Phase 7: Exfiltration
Invoke-AtomicTest T1048.003 # Data exfil
# Analyze: Which phases were detected?
# Document: Detection gaps
11.3 CI/CD Integration
Automated testing in pipeline:
# .gitlab-ci.yml example
stages:
- atomic-testing
- validation
atomic_tests:
stage: atomic-testing
script:
- Import-Module invoke-atomicredteam
- $Tests = @("T1003.001","T1055.001","T1059.001")
- foreach ($Test in $Tests) { Invoke-AtomicTest $Test }
artifacts:
paths:
- test-results/
only:
- schedules
validation:
stage: validation
script:
- python3 validate_detections.py
dependencies:
- atomic_tests
12. Reporting & Documentation
12.1 Generate Coverage Report
# Script: generate_coverage_report.ps1
# Get all available atomic tests
$AllTests = Invoke-AtomicTest All -ShowDetails
# Tests executed today
$ExecutedTests = Get-Content C:\Logs\executed_tests_$(Get-Date -Format yyyyMMdd).txt
# Generate report
$Report = @{
"Total_Available_Tests" = $AllTests.Count
"Tests_Executed" = $ExecutedTests.Count
"Coverage_Percentage" = ($ExecutedTests.Count / $AllTests.Count) * 100
"Tactics_Covered" = ($ExecutedTests | Select-String -Pattern "TA\d{4}" | Group-Object).Count
}
# Export
$Report | ConvertTo-Json | Out-File C:\Reports\coverage_report_$(Get-Date -Format yyyyMMdd).json
# Visualize in PowerBI / Grafana
12.2 Detection Matrix
# Create ATT&CK Navigator layer
$DetectionMatrix = @()
$AllTests = @("T1003.001","T1055.001","T1059.001","T1070.001")
foreach ($Test in $AllTests) {
$DetectionMatrix += [PSCustomObject]@{
TechniqueID = $Test
Tested = "YES"
Detected = "MANUAL_CHECK" # Update after SIEM verification
DetectionSource = "FortiEDR"
Date = Get-Date -Format "yyyy-MM-dd"
}
}
# Export voor ATT&CK Navigator
$DetectionMatrix | ConvertTo-Json | Out-File C:\Reports\detection_matrix.json
Purple Team Report Template
# Purple Team Exercise Report
**Date:** 2025-12-01
**Duration:** 4 hours
**Participants:** Red Team (Johan), Blue Team (SOC)
## Scope
- **Tactics Tested:** Credential Access, Defense Evasion, Persistence
- **Techniques:** T1003.001, T1055.001, T1547.001
- **Environment:** Production Lab (isolated)
## Test Results
### T1003.001 - LSASS Memory Dump
- **Executed:** YES
- **Detected by FortiEDR:** YES (Blocked)
- **Detected by SIEM:** YES (Alert generated)
- **Response Time:** 15 seconds
- **Status:** PASS
### T1055.001 - Process Injection
- **Executed:** YES
- **Detected by FortiEDR:** PARTIAL (Logged, not blocked)
- **Detected by SIEM:** NO
- **Response Time:** N/A
- **Status:** NEEDS TUNING
## Recommendations
1. Tune FortiEDR to block T1055.001
2. Create SIEM correlation rule for process injection
3. Add T1055 to SOC playbook
## Next Steps
- Schedule follow-up test in 2 weeks
- Implement recommendations
- Test Lateral Movement tactics
13. Troubleshooting
13.1 Common Issues
Issue 1: "Execution Policy" Errors
# Error: cannot be loaded because running scripts is disabled
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
# Or bypass voor single test
powershell.exe -ExecutionPolicy Bypass -File test.ps1
Issue 2: Prerequisites Missing
# Check what's missing
Invoke-AtomicTest T1003.001 -CheckPrereqs
# Auto-install prerequisites
Invoke-AtomicTest T1003.001 -GetPrereqs
# Manual install example
choco install procdump -y
Issue 3: Tests Fail Silently
# Run with verbose output
Invoke-AtomicTest T1003.001 -Verbose
# Check transcript
Start-Transcript -Path C:\Logs\atomic_debug.log
Invoke-AtomicTest T1003.001
Stop-Transcript
Issue 4: Cleanup Failures
# Manual cleanup
Invoke-AtomicTest T1003.001 -Cleanup
# Force cleanup
Stop-Process -Name "procdump" -Force -ErrorAction SilentlyContinue
Remove-Item C:\Temp\lsass.dmp -Force -ErrorAction SilentlyContinue
# Reset to baseline
# Use VM snapshot rollback
Issue 5: EDR Blocks Execution
# Temporarily disable EDR (in test environment only!)
# Method depends on EDR solution
# For testing purposes, whitelist Atomic directory
# In FortiClient: Settings > Exceptions > Add: C:\AtomicRedTeam\
# Alternative: Run from non-standard location
Copy-Item C:\AtomicRedTeam C:\CustomPath
cd C:\CustomPath
Invoke-AtomicTest T1003.001
14. Best Practices
Do's
- Always coordinate met Blue Team
- Schedule tests vooraf
- Communicate tijdens execution
-
Debrief na afloop
-
Use isolated environment eerst
- Test in lab voor production
- Verify impact van tests
-
Document side effects
-
Document everything
- Test parameters
- Results
- Detection gaps
-
Recommendations
-
Start small
- Begin met basic tests
- Build up complexity
-
Learn your environment
-
Cleanup religiously
- Run cleanup commands
- Verify artifacts removed
- Check for persistence
Don'ts
- Never run in production zonder approval
- Some tests cause system instability
- Can trigger incident response
-
May violate policies
-
Don't chain tests zonder pause
- Give SOC time to analyze
- Prevent log flooding
-
Allow for detection validation
-
Don't ignore prerequisites
- Tests may fail unexpectedly
- Can cause partial execution
-
May leave artifacts
-
Don't test tijdens business hours (initial runs)
- Test impact unknown
- Could cause alerts
-
May disrupt operations
-
Don't forget legal authorization
- Get written approval
- Document scope
- Follow rules of engagement
15. Detection Coverage Tracking
15.1 Create Detection Dashboard
# Script: update_detection_coverage.ps1
# Define all techniques in your scope
$InScopeTechniques = @(
"T1003.001", "T1003.002", "T1003.003",
"T1055.001", "T1055.002",
"T1059.001", "T1059.003",
"T1070.001",
"T1547.001",
"T1053.005"
)
# Check current coverage
$Coverage = @()
foreach ($Technique in $InScopeTechniques) {
# Check if test exists
$TestExists = Test-Path "C:\AtomicRedTeam\atomics\$Technique"
# Check if detected (read from previous test logs)
$DetectionLog = "C:\Logs\detections.csv"
$IsDetected = Import-Csv $DetectionLog | Where-Object { $_.Technique -eq $Technique }
$Coverage += [PSCustomObject]@{
Technique = $Technique
TestAvailable = $TestExists
LastTested = $IsDetected.Date
DetectedByEDR = $IsDetected.EDR_Detected
DetectedBySIEM = $IsDetected.SIEM_Detected
CoverageScore = if($IsDetected.EDR_Detected -and $IsDetected.SIEM_Detected) { 100 }
elseif($IsDetected.EDR_Detected -or $IsDetected.SIEM_Detected) { 50 }
else { 0 }
}
}
# Calculate overall coverage
$OverallCoverage = ($Coverage | Where-Object { $_.CoverageScore -eq 100 }).Count / $InScopeTechniques.Count * 100
Write-Host "Overall Detection Coverage: $OverallCoverage%"
# Export voor dashboard
$Coverage | Export-Csv C:\Reports\coverage_$(Get-Date -Format yyyyMMdd).csv -NoTypeInformation
15.2 Integration met ATT&CK Navigator
- Export results naar Navigator format:
$NavigatorLayer = @{
"name" = "Atomic Red Team Coverage"
"versions" = @{
"attack" = "13"
"navigator" = "4.8"
"layer" = "4.4"
}
"domain" = "enterprise-attack"
"description" = "Detection coverage from Atomic Red Team testing"
"techniques" = @()
}
foreach ($Test in $Coverage) {
$NavigatorLayer.techniques += @{
"techniqueID" = $Test.Technique
"score" = $Test.CoverageScore
"color" = if($Test.CoverageScore -eq 100) { "#00ff00" }
elseif($Test.CoverageScore -eq 50) { "#ffff00" }
else { "#ff0000" }
"comment" = "Last tested: $($Test.LastTested)"
}
}
$NavigatorLayer | ConvertTo-Json -Depth 10 | Out-File C:\Reports\navigator_layer.json
- Import in ATT&CK Navigator:
- Go to https://mitre-attack.github.io/attack-navigator/
- Upload
navigator_layer.json - Visualize coverage
16. Cheat Sheet
16.1 Quick Commands
# Installation
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); Install-AtomicRedTeam -getAtomics
# List all tests
Invoke-AtomicTest All -ShowDetails
# Show specific technique
Invoke-AtomicTest T1003.001 -ShowDetailsBrief
# Check prerequisites
Invoke-AtomicTest T1003.001 -CheckPrereqs
# Install prerequisites
Invoke-AtomicTest T1003.001 -GetPrereqs
# Run test
Invoke-AtomicTest T1003.001
# Run specific test number
Invoke-AtomicTest T1003.001 -TestNumbers 1
# Run with cleanup
Invoke-AtomicTest T1003.001 -Cleanup
# Cleanup only
Invoke-AtomicTest T1003.001 -Cleanup -TestNumbers 1
# Custom parameters
Invoke-AtomicTest T1059.001 -InputArgs @{"command"="whoami"}
# Verbose output
Invoke-AtomicTest T1003.001 -Verbose
# Update atomics
Update-AtomicRedTeam
16.2 Top 10 Tests voor SOC Validation
# 1. Credential Dumping
Invoke-AtomicTest T1003.001
# 2. PowerShell Execution
Invoke-AtomicTest T1059.001
# 3. Process Injection
Invoke-AtomicTest T1055.001
# 4. Scheduled Task Persistence
Invoke-AtomicTest T1053.005
# 5. Registry Run Key
Invoke-AtomicTest T1547.001
# 6. Event Log Clearing
Invoke-AtomicTest T1070.001
# 7. Lateral Movement (SMB)
Invoke-AtomicTest T1021.002
# 8. Discovery (Network)
Invoke-AtomicTest T1016
# 9. Data Exfiltration
Invoke-AtomicTest T1048.003
# 10. Ransomware Simulation
Invoke-AtomicTest T1486
17. Resources
17.1 Official Resources
- GitHub: https://github.com/redcanaryco/atomic-red-team
- Documentation: https://atomicredteam.io/
- Invoke-AtomicRedTeam: https://github.com/redcanaryco/invoke-atomicredteam
17.2 Learning Materials
- Red Canary Blog: https://redcanary.com/blog/
- MITRE ATT&CK: https://attack.mitre.org/
- ATT&CK Navigator: https://mitre-attack.github.io/attack-navigator/
17.3 Community
- Slack: Red Canary Community
- Twitter: @redcanary, @attackevals
- LinkedIn: Red Canary Group
17.4 Related Tools
- Atomic Threat Coverage: Detection rule repository
- Sigma: Generic signature format
- Caldera: Automated adversary emulation
- VECTR: Purple team management platform
17.5 Belgian/EU Specific
- CCB (Centre for Cybersecurity Belgium): Threat intelligence
- NIST Cybersecurity Framework: Detection guidelines
- IEC 62443: Industrial security (voor OT testing)
18. Appendix: Sample Test Output
Example: T1003.001 Execution
PS C:\> Invoke-AtomicTest T1003.001
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
[********BEGIN TEST*******]
Executing test: T1003.001-1 Dump LSASS.exe Memory using ProcDump
Elevation required: True
Command:
C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Temp\lsass_dump.dmp
ProcDump v10.0 - Sysinternals process dump utility
Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[12:34:56] Dump 1 initiated: C:\Temp\lsass_dump.dmp
[12:34:57] Dump 1 writing: Estimated dump file size is 52 MB.
[12:34:58] Dump 1 complete: 52 MB written in 2.0 seconds
[12:34:58] Dump count reached.
Done. [*******END TEST*******]
Kritieke Herinneringen
- Altijd toestemming krijgen voor testing
- Start in geïsoleerde omgeving
- Coordinate met Blue Team
- Document alles
- Cleanup na elke test
- Respect production systems
Voor Stage Project
Perfect voor het valideren van FortiEDR, FortiAnalyzer, en je firewall evaluatie. Test welke vendor welke techniques detecteert, en bouw je Purple Team capabilities op!