Introduction Atomic Red Team Framework

Presented at the null Dubai Monthly Meet, 22 December 2017

Pralhad Chaskar

December 22, 2017

Transcript

  1. Atomic Red Team Framework By Pralhad Chaskar (@c0d3xpl0it)

  2. This entire talk is inspired by the work of the teams and people below: @redcanaryco, @MITREattack, @Cyb3rWard0g
  3. About MITRE. Reference: https://www.mitre.org/

  8. Every Atomic Red Team test is mapped to an ATT&CK technique, so each check can be tracked against the ATT&CK matrix

  9. Test case for Credential Dumping (T1003)

  10. How to use Atomic Red Team Framework

  12. Emulating APTs (Chain Reactions): run a sequence of atomic tests in the order an adversary would, rather than one technique at a time

  13. Sysmon
    • System Monitor (Sysmon) is a Windows system service and device driver which provides detailed information about process creations, network connections, and changes to file creation time.
    • By collecting the events you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
    • Note that Sysmon does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers.
    Reference: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
  14. Sysmon install with config file
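Once Sysmon is installed with a configuration that records ProcessAccess to lsass.exe, the T1003 test above leaves a recognisable trail. As an added example (not code from the talk, from Sysmon or from Atomic Red Team), the script below parses Sysmon events in the XML form the Windows event log exposes and flags the two artefacts the procdump test produces: an Event ID 10 ProcessAccess to lsass.exe from an unexpected process with a read-capable access mask, and an Event ID 1 ProcessCreate whose command line looks like a dumper. The four events, the allowlist and the access-mask set are constructed for illustration; field names follow Sysmon's EventData schema, the values are made up.

```python
"""Flag LSASS credential-dumping activity in Sysmon events.

Added example; not code from the talk, Sysmon or Atomic Red Team. The
events below are constructed to look like the XML Sysmon writes to the
Windows event log (Event ID 10 ProcessAccess, Event ID 1 ProcessCreate)
while the T1003 procdump test runs; the values and allowlist are made up.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Processes that legitimately open lsass.exe on this (hypothetical) host.
# Keep this list short and host-specific; a broad allowlist hides dumpers.
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}
# Access masks that include PROCESS_VM_READ, as requested by dumping tools.
SUSPICIOUS_ACCESS = {0x1010, 0x1410, 0x1438, 0x1FFFFF}
# Command-line patterns of common LSASS dumping techniques.
DUMP_CMDLINE = re.compile(r"procdump.*lsass|comsvcs.*minidump|sekurlsa", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>10</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="SourceImage">C:\Tools\procdump.exe</Data>
    <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
    <Data Name="GrantedAccess">0x1FFFFF</Data>
  </EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>10</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="SourceImage">C:\Windows\system32\svchost.exe</Data>
    <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
    <Data Name="GrantedAccess">0x1000</Data>
  </EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="Image">C:\Tools\procdump.exe</Data>
    <Data Name="CommandLine">C:\Tools\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump</Data>
    <Data Name="ParentImage">C:\Windows\system32\cmd.exe</Data>
  </EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\system32\notepad.exe</Data>
    <Data Name="CommandLine">notepad.exe C:\Users\alice\notes.txt</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData></Event>""",
]


def parse_event(xml_text):
    """Return {'EventID': int, <Data Name>: value, ...} for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def detect(event):
    """Return an alert string for a T1003-like event, else None."""
    if event["EventID"] == 10:
        target = event.get("TargetImage", "").lower()
        source = event.get("SourceImage", "").lower()
        access = int(event.get("GrantedAccess", "0x0"), 16)
        if (target.endswith(r"\lsass.exe") and source not in LSASS_ALLOWED_SOURCES
                and access in SUSPICIOUS_ACCESS):
            return f"T1003 ProcessAccess: {source} opened lsass.exe with {access:#x}"
    elif event["EventID"] == 1:
        cmdline = event.get("CommandLine", "")
        if DUMP_CMDLINE.search(cmdline):
            return f"T1003 ProcessCreate: {cmdline}"
    return None


def scan(xml_events):
    """Run the detections over a batch of raw events and collect alerts."""
    alerts = []
    for xml_text in xml_events:
        alert = detect(parse_event(xml_text))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Two caveats from practice: Sysmon does not log ProcessAccess (Event ID 10) at all unless the configuration file includes a ProcessAccess rule (for example one targeting lsass.exe, as the widely used community configurations do), so install with `sysmon64.exe -accepteula -i <config.xml>` and verify Event ID 10 appears before trusting the first detection; and the allowlist should be built from your own baseline, since antivirus and some management agents open lsass.exe legitimately.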

  16. How do you collate all the test data/results and present them to management?
  17. Generate heat maps!
    • https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/metrics/HuntTeam_HeatMap.xlsx
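The spreadsheet linked above colours ATT&CK techniques by how well the hunt team covers them. As an added example (not the spreadsheet's own logic and not code from the talk), the script below does the same aggregation from atomic test results: each technique is bucketed as not tested, gap (executed but never detected), partial or covered, and the buckets are rolled up per tactic so the matrix can be coloured or exported as CSV for a management report. The technique-to-tactic mapping is a small constructed subset using the ATT&CK IDs of the time, the results are made up, and the four bucket labels are an assumption standing in for the spreadsheet's colours.

```python
"""Build an ATT&CK coverage heat map from atomic test results.

Added example, not the HuntTeam_HeatMap.xlsx spreadsheet's own logic.
The technique-to-tactic mapping and the results are constructed; the
bucket labels are an assumption standing in for colours.
"""
import csv
import io

# Constructed subset of ATT&CK (2017-era IDs): technique -> (name, tactic).
TECHNIQUE_TACTIC = {
    "T1003": ("Credential Dumping", "Credential Access"),
    "T1086": ("PowerShell", "Execution"),
    "T1053": ("Scheduled Task", "Persistence"),
    "T1055": ("Process Injection", "Defense Evasion"),
    "T1083": ("File and Directory Discovery", "Discovery"),
}

# Constructed results: (technique, test name, executed?, detected?).
RESULTS = [
    ("T1003", "procdump lsass", True, True),
    ("T1003", "mimikatz sekurlsa", True, False),
    ("T1086", "encoded command", True, True),
    ("T1053", "schtasks create", True, False),
    ("T1055", "CreateRemoteThread", False, False),
]

BUCKETS = ("not tested", "gap", "partial", "covered")


def bucket(executed, detected):
    """Map per-technique counts to a heat-map cell label."""
    if executed == 0:
        return "not tested"
    if detected == 0:
        return "gap"
    return "covered" if detected == executed else "partial"


def technique_scores(results, mapping=TECHNIQUE_TACTIC):
    """Return technique -> (tests executed, tests detected, bucket).

    Techniques in the mapping with no result at all still appear, so
    untested techniques show up as gaps in coverage rather than vanishing.
    """
    counts = {tid: [0, 0] for tid in mapping}
    for tid, _name, executed, detected in results:
        if tid not in counts:
            raise KeyError(f"unknown technique {tid!r}")
        counts[tid][0] += int(executed)
        counts[tid][1] += int(executed and detected)
    return {tid: (e, d, bucket(e, d)) for tid, (e, d) in counts.items()}


def tactic_heatmap(results, mapping=TECHNIQUE_TACTIC):
    """Return tactic -> {bucket: number of techniques in that bucket}."""
    heat = {}
    for tid, (_e, _d, label) in technique_scores(results, mapping).items():
        tactic = mapping[tid][1]
        cell = heat.setdefault(tactic, dict.fromkeys(BUCKETS, 0))
        cell[label] += 1
    return heat


def to_csv(results, mapping=TECHNIQUE_TACTIC):
    """Flat per-technique table, ready to paste into a spreadsheet."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["tactic", "technique", "name", "executed", "detected", "status"])
    for tid, (e, d, label) in technique_scores(results, mapping).items():
        name, tactic = mapping[tid]
        writer.writerow([tactic, tid, name, e, d, label])
    return out.getvalue()


if __name__ == "__main__":
    for tactic, cell in tactic_heatmap(RESULTS).items():
        print(f"{tactic:20s} " + " ".join(f"{b}={n}" for b, n in cell.items()))
    print(to_csv(RESULTS))
```

The gap bucket is the one to show management first: those are techniques the red side executed on your own estate without the blue side noticing, which is the talk's "test before an attacker owns you" point made measurable.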

  20. CALDERA (again from the MITRE team)
    It is an automated adversary emulation system that performs post-compromise adversarial behavior within enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project.
    References:
    • https://github.com/mitre/caldera
    • https://www.blackhat.com/docs/eu-17/materials/eu-17-Miller-CALDERA-Automating-Adversary-Emulation.pdf
  21. Takeaways
    • Visibility of endpoints in the infrastructure
    • Analyze logs (PowerShell, cmd, etc.)
    • Test the framework against your own infrastructure before an attacker owns you
    • Maturity of the blue team is important
    • All teams (Red, Blue, Purple, etc.) should work together
  22. References
    • https://attack.mitre.org/wiki/Main_Page
    • https://github.com/redcanaryco/atomic-red-team
    • https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
    • https://github.com/Cyb3rWard0g/Invoke-ATTACKAPI
