We recently held our second Atomic Red Team training session and were once again blown away by the positive response from the security community. As researchers, nothing is more exciting than taking our work out of the lab and teaching other security professionals how to apply the tests to improve their defenses. It was especially exciting to see multiple team members from organizations attend together. Some security teams are even holding Lunch & Learns afterward to begin doing atomic detonations and building detections.
Missed the training session? Download the recording.
We ran out of time before we could address all the audience’s questions, so a list of answers is included in this post. We’ve always wanted Atomic Red Team to be a community effort, so keep the ideas coming! As Michael Haag said, “We are all atomic.” :-)
We received a few questions about where to find things, so we also put together a run-down to make sure you can always find what you need:
- Atomic Red Team tests on GitHub
- Library of lab videos and articles
- To receive new articles and videos, subscribe to our blog and YouTube channel
- Send feedback to firstname.lastname@example.org
Training Session Q&A
Creating a demo environment for these techniques can sometimes be a headache. Do you have a demo environment we can download?
Check out DetectionLab by Chris Long. Its primary purpose is to allow users to quickly build a Windows domain that comes pre-loaded with security tooling and best practices. You can easily modify it to fit most needs or expand it to include additional hosts.
Can qwinsta get remote system information without privileged or domain admin access?
Qwinsta.exe is specifically for querying the active and disconnected sessions on a remote endpoint. Rwinsta.exe will reset the session and does require administrative privileges. Quser.exe /server: will provide the stats of who is logged in as well.
You will need to authenticate in order to get this information. In the webinar, I had a matching User/Pass pair, even though my machine was not domain joined, and this was sufficient to authenticate.
Can you describe the process of turning an item from the MITRE ATT&CK matrix into a high fidelity watchlist? What kind of things do you filter out and what sort of things do you focus on?
First, you need to understand the technique that is being described. Next, you should try to develop a proof of concept or sample that mimics the behavior you wish to detect. From there, it is a matter of looking at the attributes that are common and developing the detection. Most likely, every watchlist will have some false positives that you need to test for and suppress.
Can you show the detections using Sysmon?
Watch the previous Atomic Red Team training session, which covered some basic Sysmon collection.
Do you find that these IOCs are covered in the default threat feeds, or is it a good practice to explicitly call out these searches?
Some are covered in default threat feeds, but not all. Native commands can either be too noisy or not high fidelity enough to make it to one of the default feeds. Check out my recent article on threat hunting at scale for more details on managing watchlists and feeds at scale.
I want to emulate adversary actions. Do you have XP using MITRE’s Caldera project?
Caldera can be a great way to emulate adversaries. It’s especially useful for defenders who want to generate real data that represents how an adversary would typically behave within their networks. It is managed by MITRE and you can find all the items you need here: https://github.com/mitre/caldera/tree/master/caldera
How do you detect lateral moves that already happened with wmic or dcom?
It really depends on the tools on hand. In this case, Cb Response can definitely help for performing retrospection on the event. A watchlist may be able to help you detect it faster next time.
Where/how does Cb get the “internal_name” information from?
This comes from the PE file that executes: it is the internal name of the module. This field is necessary because the name of the file can be changed by the user.
How do you determine the “Internal_name” for a process?
Sometimes you get lucky with the blind guess. Other times you will have to go look in Binary Search manually to confirm.
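The two internal-name answers above, as an added example that is not part of the original post and is not Cb Response code: a Python sketch that reads `InternalName` from a PE file's version resource and flags a file whose on-disk name no longer matches it. The function names and the sample bytes are constructed for illustration, and the scan is a heuristic rather than a full resource-directory parse.

```python
import os
import struct

# szKey of the version-resource String record, stored as UTF-16LE with a NUL.
KEY = "InternalName\0".encode("utf-16-le")

def internal_name(pe_bytes):
    """Return InternalName from a PE image's version resource, or None.

    Heuristic: scans for the String record instead of walking the
    resource directory, which is enough to illustrate the field.
    """
    pos = pe_bytes.find(KEY)
    while pos != -1:
        hdr = pos - 6                      # wLength, wValueLength, wType
        if hdr >= 0:
            w_len, w_val_len, w_type = struct.unpack_from("<HHH", pe_bytes, hdr)
            start = pos + len(KEY)         # 6 + 26 = 32, already 32-bit aligned
            end = start + 2 * w_val_len    # wValueLength counts 16-bit words
            if w_type == 1 and w_val_len and end <= hdr + w_len <= len(pe_bytes):
                return pe_bytes[start:end].decode("utf-16-le", "replace").rstrip("\0")
        pos = pe_bytes.find(KEY, pos + 2)  # false hit, keep scanning
    return None

def looks_renamed(file_name, pe_bytes):
    """True when the on-disk name disagrees with the embedded InternalName."""
    name = internal_name(pe_bytes)
    if name is None:
        return False                       # nothing to compare against
    stem = lambda s: os.path.splitext(s)[0].lower()
    return stem(file_name) != stem(name)

def sample_record(value):
    """Build a constructed String record (sample data, not a real binary)."""
    val = (value + "\0").encode("utf-16-le")
    body = KEY + val
    return struct.pack("<HHH", 6 + len(body), len(val) // 2, 1) + body

# Constructed blob: 64 filler bytes followed by one String record.
# "qwinsta" is an assumed value; a real binary's InternalName may differ.
SAMPLE = b"MZ" + b"\0" * 62 + sample_record("qwinsta")

if __name__ == "__main__":
    for disk_name in ("qwinsta.exe", "svchost.exe"):
        print(disk_name, internal_name(SAMPLE), looks_renamed(disk_name, SAMPLE))
```

A mismatch is a lead to investigate, not proof, since vendors do not always set InternalName to the shipped file name.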
Where can I find Casey’s Atomic Red Team talk from ShmooCon?
We’ll share the video on YouTube once the organizers make it available. We’re also planning talks at several industry events in the coming months. Follow us on Twitter to make sure you get the latest updates on speaking events and trainings.
Thanks again to the team at MITRE for their great work and support, and to all of you who have shared ideas and feedback. We look forward to continuing to “blow stuff up” together.