
Lab 3.2: Testing Detections with Atomic Red Team

Est. Time: 15 minutes

Goals:

  • Trigger your detection with Atomic Red Team
  • Start creating a custom Atomics repository for your detection catalog

Instructions

  1. Testing your detections with Atomic Red Team (ART) is simple and easy. The detection we just created actually has an Atomic associated with it, so run that Atomic now and make sure it triggers your detection.

    1. Run PowerShell as administrator and run:

      powershell -exec bypass
      
    2. Next, we’re going to trigger the Atomic associated with the detection we just created. With Atomics, the Atomic identifier always matches up with the MITRE technique id.

    3. We’re going to run one part of that Atomic rather than all of its associated tests, for the sake of speed. Specifically, we are going to run Atomic T1087.001-9 using Invoke-AtomicRedTeam, a utility for ART that lets you quickly run specific Atomics.

      Import-Module Invoke-AtomicRedTeam
      Invoke-AtomicTest T1087.001-9
      
  2. Following the execution of the ART test, you should have triggered your detection, which should have created an alert in Elastic and Jira.

    1. Here in the Jira ticket you can see the parent command line that was run by the Atomic, which includes net user.

  3. This is simple enough with one detection; we can just run a command to run a specific test. But what about if we have a whole slew of detections?

    1. As you build a detection library, one of the core pieces of documentation you need to include is a canary script to trigger your detection for testing purposes. ART makes this very easy for you.
    2. Let’s start building your Atomic library now.
    3. On your VM, create a folder on your desktop called “Custom-Atomics” or something of that nature.

      1. Copy T1087.001 from C:\AtomicRedTeam\atomics over to your Custom-Atomics folder
      2. If you run Invoke-AtomicTest with a specific folder specified, all of the Atomics within that folder will fire, triggering your detection library. Do you see where this is going? If you have a canary for each custom detection you build, and that canary is stored as an Atomic in that folder, you can test any of your detections (or all of them) at will.

        1. The syntax to trigger an entire Atomic folder is:

          Invoke-AtomicTest All -PathToAtomicsFolder C:\<path>
          
        2. So in my case it would look like:

          Invoke-AtomicTest All -PathToAtomicsFolder C:\Users\Administrator\Desktop\Custom-Atomics
          
      3. Please note that doing this triggers all of the subatomics (other tests) within each technique that is in the Atomic folder (as opposed to a singular test). This will take much longer.

      4. You should consider a few things before setting something like this up:
        1. Validating that your detections are functioning as intended is very important. Doing so regularly is good practice.
        2. However, each time you run this you will inevitably create alerts (as that is the whole point). You need a system in place to do the following:
          1. Catch the events and tag them in some way. For example, a Jira automation that looks at incoming tickets and, if the hostname value is that of your test host, tags the event as “Canary” in Jira and closes it. This keeps the work out of your analysts’ way.
          2. Detect when firing an Atomic does not trigger an alert. There are a number of ways you could do this, manual or automated. One idea is to have what is effectively an XOR detection in Elastic, scheduled to match the cadence your Atomics fire at: if not all of the expected alerts are seen within that period, that Elastic detection fires its own alert that something is wrong and a detection that was supposed to fire actually did not.
      5. These are examples of how you could solve this particularly complex situation. Continuous testing of your detections can be a large undertaking and should be planned well from the onset.
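As an added example (not part of the lab or of the Atomic Red Team project), here is the reconciliation logic behind those two systems in Python: it tags alerts from the test host as Canary and lists which Atomics did not produce their expected alert within the run window. The hostname, the rule names, the second Atomic id and the alert records are constructed sample data; in practice the alert list would be exported from Elastic or Jira after the Invoke-AtomicTest All run.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed hostname of the VM that fires the Atomics (constructed).
CANARY_HOST = "DETECT-TEST01"

@dataclass
class Alert:
    rule: str            # name of the detection rule that fired
    host: str            # hostname the alert came from
    seen: datetime       # when the alert was raised
    tags: list = field(default_factory=list)

# Constructed sample: which detection rule each canary Atomic is expected to trigger.
EXPECTED = {
    "T1087.001-9": "Local Account Discovery via net user",
    "T1059.001-1": "Suspicious PowerShell Execution",
}

def tag_canaries(alerts, canary_host=CANARY_HOST):
    """Tag every alert from the test host as Canary so analysts can skip it; return the tagged alerts."""
    for a in alerts:
        if a.host.lower() == canary_host.lower() and "Canary" not in a.tags:
            a.tags.append("Canary")
    return [a for a in alerts if "Canary" in a.tags]

def missing_detections(expected, alerts, run_start, window, canary_host=CANARY_HOST):
    """Return Atomic ids whose expected rule raised no alert from the test host inside the run window."""
    seen_rules = {
        a.rule for a in alerts
        if a.host.lower() == canary_host.lower()
        and run_start <= a.seen <= run_start + window
    }
    return sorted(test for test, rule in expected.items() if rule not in seen_rules)

# Constructed sample alerts for one canary run starting at RUN_START.
RUN_START = datetime(2024, 1, 1, 9, 0)
ALERTS = [
    Alert("Local Account Discovery via net user", "DETECT-TEST01", RUN_START + timedelta(minutes=2)),
    Alert("Local Account Discovery via net user", "FINANCE-PC07", RUN_START + timedelta(minutes=3)),
    # Stale alert from an earlier run: outside the window, so it must not count.
    Alert("Suspicious PowerShell Execution", "DETECT-TEST01", RUN_START - timedelta(hours=5)),
]

if __name__ == "__main__":
    print("canary alerts:", len(tag_canaries(ALERTS)))
    print("missing:", missing_detections(EXPECTED, ALERTS, RUN_START, timedelta(minutes=30)))
```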

Additional References