Atomic Red Team
Atomic Red Team is an open source collection of small, highly portable tests mapped to the corresponding techniques in the MITRE ATT&CK framework. These tests can be used to validate detection and response technology and processes.
Get the repo: https://github.com/redcanaryco/atomic-red-team
Browse popular Atomic Red Team resources below to learn more.
Atomic Red Team Videos
This webinar shows defenders how to take endpoint atomic testing to the proving grounds by:
- Building “chain reactions” by combining multiple MITRE ATT&CK™ techniques and executing them simultaneously
- Customizing sequences based on your specific attack surface and threat risks
- Using Carbon Black telemetry to create detections
- Measuring endpoint detection tools and exposing gaps
Atomic Red Team Articles
An introduction to Atomic Red Team Tests with a mapping to the MITRE ATT&CK Framework. We cover the major test phases: execution, evidence collection, and detection. https://redcanary.com/blog/atomic-red-team-testing
How to Test with the Atomic Red Team
Q&A with Casey Smith and Michael Haag comparing Sysmon with EDR products, using the heatmap created by Roberto Rodriguez, answering questions about the Regsvr32 lab, and more. https://redcanary.com/blog/how-to-test-your-defenses-atomic-red-team
The Dragon’s Tail
Focus on post-exploitation behavior by simulating the variety of techniques chained together by a well-known threat actor.
“The Dragon’s Tail” is designed to test for the following MITRE techniques:
1. The script sets up persistence by creating, executing, and removing a scheduled task that uses the Regsvr32.exe payload. (Technique 1053, 1117)
2. The next phase pulls down a credential stealing tool. In this example, Invoke-Mimikatz is used. (Technique 1086, 1003)
3. A technique known as timestomping modifies the time attributes of the downloaded file. (Technique 1099)
4. The file is deleted.
By chaining these activities together, teams can assess their ability to detect and respond to not just one technique, but a known pattern of attack leveraging many techniques in sequence. https://redcanary.com/blog/atomic-red-team-tests-catching-dragon-tail
Testing Detection and Prevention Tools With Atomic Red Team “Chain Reactions”
Learn how to test endpoint solutions by building an Atomic Red Team chain reaction.
Customize sequences based on specific attack surfaces and threat risks to confirm detection and prevention coverage on the MITRE ATT&CK matrix.