
Introduction Atomic Red Team Framework

Presented at the null Dubai Monthly Meet, 22 December 2017


Pralhad Chaskar

December 22, 2017


  1. Atomic Red Team Framework By Pralhad Chaskar (@c0d3xpl0it)

  2. Credits: @redcanaryco, @MITREattack, @Cyb3rWard0g. The entire talk is inspired by these teams' work.
  3. About MITRE. Reference: https://www.mitre.org/

  8. Atomic Red Team Framework has mapping for all ATT&CK checks

  9. Test case for Credential Dumping (T1003)

  10. How to use Atomic Red Team Framework

  12. Emulating APTs (Chain Reactions)

  13. Sysmon
      • System Monitor (Sysmon) is a Windows system service and device driver which provides detailed information about process creations, network connections, and changes to file creation time.
      • By collecting the events you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
      • Note that Sysmon does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers.
      Reference: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
  14. Sysmon install with config file

  16. How to collate all test data/results and present to management

  17. Generate heat maps. Template: https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/metrics/HuntTeam_HeatMap.xlsx
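Slides 13 and 16–17 describe the loop the talk is built around: run an Atomic Red Team test, collect the Sysmon events it leaves behind, and collate the hits per ATT&CK technique into a heat map. The script below is an added example, not code from the talk, Atomic Red Team or Sysmon; the two Sysmon events are constructed, and the detection rules (an lsass.exe ProcessAccess for T1003, a powershell.exe ProcessCreate for T1086) are illustrative, not the project's own tests.

```python
"""Collate Sysmon telemetry recorded while Atomic Red Team tests run into an
ATT&CK coverage table (constructed example, not from the talk or either project)."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in Event Viewer's XML layout. Sysmon Event ID 10 is
# ProcessAccess and Event ID 1 is ProcessCreate.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID></System>
 <EventData><Data Name="SourceImage">C:\\tools\\procdump.exe</Data>
  <Data Name="TargetImage">C:\\Windows\\system32\\lsass.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
 <EventData><Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
  <Data Name="ParentImage">C:\\Windows\\explorer.exe</Data></EventData>
</Event>
</Events>"""

def parse_events(xml_text):
    """Flatten each Sysmon <Event> into {"EventID": int, <Data Name>: value, ...}."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {"EventID": int(ev.findtext("e:System/e:EventID", namespaces=NS))}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events

# Detection rules keyed by ATT&CK technique. T1003 (Credential Dumping) is the
# talk's test case; T1086 was the ATT&CK ID for PowerShell when the talk was given.
RULES = {
    "T1003": lambda e: e["EventID"] == 10
    and e.get("TargetImage", "").lower().endswith("\\lsass.exe"),
    "T1086": lambda e: e["EventID"] == 1
    and e.get("Image", "").lower().endswith("\\powershell.exe"),
}

def attack_coverage(events):
    """Hits per technique; rules with no hits stay at 0 so visibility gaps show."""
    hits = Counter({tid: 0 for tid in RULES})
    for e in events:
        hits.update(tid for tid, rule in RULES.items() if rule(e))
    return dict(hits)

def heatmap_rows(coverage):
    """One row per technique, (technique, hits, colour), for a heat-map sheet."""
    return [(tid, n, "green" if n else "red") for tid, n in sorted(coverage.items())]
```

A technique left at 0 after its atomic test has run is the finding the talk is after: the attack ran and the telemetry pipeline did not see it.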

  20. CALDERA (again by the MITRE team)
      It is an automated adversary emulation system that performs post-compromise adversarial behavior within enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project.
      References: https://github.com/mitre/caldera and https://www.blackhat.com/docs/eu-17/materials/eu-17-Miller-CALDERA-Automating-Adversary-Emulation.pdf
  21. Takeaways
      • Visibility of endpoints in the infrastructure
      • Analyze logs (PowerShell, cmd, etc.)
      • Test the framework against your own infrastructure before an attacker owns it
      • Maturity of the blue team is important
      • All teams (Red, Blue, Purple, etc.) should work together
  22. References
      • https://attack.mitre.org/wiki/Main_Page
      • https://github.com/redcanaryco/atomic-red-team
      • https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
      • https://github.com/Cyb3rWard0g/Invoke-ATTACKAPI