
Lab 0.2: Atomic Red Team & Sysmon

Warning

The method below is no longer actively updated. It still works, but the screenshots and exact instructions may have changed.

**We recommend and support using the provided Cloud VM: LAB 0.3: CloudLabs Setup.**

**All lab instructions going forward assume the use of the CloudLabs VM.**

The rest of these instructions are provided as-is, for your convenience, if you want to use them.

Goals:

  • Successfully install Atomic Red Team (ART) and Sysmon on your VM or host machine.
  • Verify the correct installation of ART by running a test.

Instructions

This lab only applies to you if you are not using the provided Virtual Machine.

  1. The lab VM comes with these items already installed. If using your own host, follow these instructions to install Atomic Red Team:

    1. Refer to the installation guide on the Atomic Red Team GitHub page.
    2. Specifically, follow the instructions for installing the Framework AND the Atomics.
    3. In a PowerShell admin window, run the following commands:

      # Start a child PowerShell session with the execution policy bypassed so the installer script can run
      powershell -exec bypass
      # Download and run the installer, then install both the framework and the atomics
      IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); Install-AtomicRedTeam -getAtomics
      # Load the module into the current session
      Import-Module Invoke-AtomicRedTeam
      
  2. Confirm you have properly installed ART by running: Invoke-AtomicTest T1087.001-10. This executes a basic and unobtrusive atomic test to confirm that everything is installed correctly.

  3. Install Sysmon

    1. Sysmon can be found here.
    2. The Sysmon config used by the VM is available here, or below.

      bhis_defcon3_sysmon.xml

    3. Once you have installed both Sysmon and the Sysmon config, navigate to the location of the Sysmon binary and run:

      # -i installs the Sysmon service using the given configuration file
      .\Sysmon64.exe -i <location of Sysmon config>
      
  4. Download the necessary lab scripts

    Lab4-4.ps1

    Lab4-4-Cleanup.ps1

    Lab4-2.ps1

    Lab4-2-Cleanup.ps1
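
As an added verification script (not part of the lab page, the Atomic Red Team project, or Sysmon), the following PowerShell ties steps 1 to 3 together: it confirms the Invoke-AtomicRedTeam module and the Sysmon service are present, runs the same unobtrusive atomic the lab uses, and then reads back the Sysmon process-creation events (Event ID 1) that the test produced, which is the telemetry the later labs build on. It assumes Sysmon was installed as the Sysmon64 service (the default name when installing with Sysmon64.exe) and that the config keeps ProcessCreate logging enabled; run it from an elevated PowerShell window.

```powershell
# Added verification script (not from the lab page). Assumes the install steps above
# have been completed and Sysmon was installed as the Sysmon64 service.

# 1. Is the Invoke-AtomicRedTeam module available? Load it if so.
if (-not (Get-Module -ListAvailable -Name Invoke-AtomicRedTeam)) {
    throw "Invoke-AtomicRedTeam module not found; re-run Install-AtomicRedTeam -getAtomics"
}
Import-Module Invoke-AtomicRedTeam

# 2. Is the Sysmon service installed and running?
$svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
if (-not $svc) { throw "Sysmon64 service not found; run .\Sysmon64.exe -i <location of Sysmon config>" }
if ($svc.Status -ne 'Running') { throw "Sysmon64 service is installed but not running" }

# 3. Record the start time, then run the same unobtrusive atomic the lab uses
$start = Get-Date
Invoke-AtomicTest T1087.001-10

# 4. Pull the Sysmon process-creation events (Event ID 1) logged since the test began
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $start
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No Sysmon process-creation events since $start; check the ProcessCreate rules in your config"
} else {
    # Each Event ID 1 record carries Image and CommandLine fields in its EventData; show them
    $events | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
        }
    } | Format-Table -AutoSize -Wrap
}
```

If the script reports events, the process tree for the atomic (the PowerShell or cmd process it spawned, with its command line) is what you should see in the table; if the module and service checks pass but no events appear, the Sysmon config rather than the install is the first thing to look at.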

Additional References