Atomic Red Team – Test Endpoint Solutions Based on MITRE’s ATT&CK

Malware attacks have changed the detection and prevention mechanisms we deploy in modern systems. Modern malware includes advanced techniques to avoid detection, persist, and spread across a compromised network. An example is Stuxnet, malware that exploited several zero-days in operating systems and moved from one system to another without being detected or prevented at the time. This pushed new defenses toward detecting and preventing APTs (advanced persistent threats). If you are looking to test your endpoint security solutions against advanced attacks, you can use the Atomic Red Team test cases.

Atomic Red Team allows every security team to test their controls by executing simple “atomic tests” that exercise the same techniques used by adversaries (all mapped to Mitre’s ATT&CK).

Atomic tests are organized by ATT&CK tactic and technique, and cover the following tactics:

  1. Persistence – for example by creating a hidden file in a hidden directory on Linux or macOS. The list covers Windows, Linux and macOS based operating systems.
  2. Defense-evasion – for example by disabling a security tool or modifying file permissions.
  3. Privilege-escalation – for example by testing sudo on macOS or Linux and checking whether it was logged on the system, or by scheduling a local or remote task on Windows.
  4. Discovery – enumerate all accounts or view sudoers access and check whether this is logged on the system.
  5. Credential-access – for example an RDP brute force attack; check whether an alert was raised and the issue was logged on the system.
  6. Execution – for example executing a command as a service on a Windows system. [windows]
  7. Lateral-movement – for example hijacking RDS and RemoteApp sessions transparently to move through an organization.
  8. Collection – for example capturing audio files that may be written to disk and exfiltrated later.
  9. Exfiltration – for example exfiltration over SSH from local to remote, sending a test file to a remote system; check whether the firewall detected and blocked the files.
  10. Command-and-control – for example rsync remote file copy.
  11. Initial-access – for example a VBScript that opens a web browser and opens it to

There is a large list of test cases. Normally the Red Team executes each test, then collects the evidence and checks whether the Blue Team was able to detect and react to the attack. The proposed approach:

  • Select a test
  • Execute Test
  • Collect Evidence
  • Develop Detection
  • Measure Progress
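The loop above (execute a test, collect the evidence, develop a detection, measure progress) applied to the Linux sudo and sudoers examples from the tactic list, as an added illustration that is not part of the Atomic Red Team project or the original post. The auth.log lines, host name and user names are constructed for the example; the three detection rules are assumptions about what a Blue Team might write, not rules shipped by the project.

```python
import re

# Constructed sample of /var/log/auth.log lines: the evidence collected after
# running two Linux atomic tests (read /etc/sudoers via sudo, and a failed sudo
# password attempt). Not real logs; host and user names are made up.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/sudoers
Mar  3 10:01:30 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
Mar  3 10:02:05 host sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:03:00 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50022 ssh2
"""

# Matches the standard sudo syslog record: "sudo: <user> : <field> ; <field> ; ..."
SUDO_LINE = re.compile(r"\bsudo:\s+(?P<user>\S+) : (?P<body>.+)$")


def parse_sudo_events(log_text):
    """Collect Evidence: turn raw sudo log lines into structured events."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_LINE.search(line)
        if not m:
            continue  # not a sudo record (e.g. the sshd line)
        event = {"user": m.group("user"), "failed": False, "command": ""}
        for part in m.group("body").split(" ; "):
            if "incorrect password" in part:
                event["failed"] = True  # sudo rejected the password
            elif "=" in part:
                key, value = part.split("=", 1)
                if key == "COMMAND":
                    event["command"] = value
        events.append(event)
    return events


# Develop Detection: one assumed rule per atomic test from the tactic list.
DETECTIONS = {
    "view sudoers access": lambda e: "/etc/sudoers" in e["command"],
    "sudo password failures": lambda e: e["failed"],
    "enumerate all accounts": lambda e: "/etc/passwd" in e["command"],
}


def measure_progress(events, detections=DETECTIONS):
    """Measure Progress: which tests produced a detection, and the coverage ratio."""
    results = {name: any(rule(e) for e in events) for name, rule in detections.items()}
    return results, sum(results.values()) / len(detections)


if __name__ == "__main__":
    hits, coverage = measure_progress(parse_sudo_events(SAMPLE_AUTH_LOG))
    print(hits, f"coverage={coverage:.0%}")
```

The account-enumeration rule never fires on this evidence, which is exactly the gap the "measure progress" step is meant to expose before the next test cycle.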

The project is open source, so you can contribute test cases written as Linux shell or PowerShell scripts. You can read more and download the test cases here:
