Red teaming is an authorised emulation of real attackers’ TTPs (Tactics, Techniques and Procedures) from MITRE ATT&CK, where you pretend to be a threat actor and attempt intrusion against an organisation.


ATOMIC RED TEAM

Atomic Red Team is a tool that allows you to easily run simulated attacks based on known TTPs in order to test detection and prevention systems [Link]. It uses a PowerShell module called Invoke-AtomicRedTeam to execute the desired attack procedure [Link].

Install Execution Framework Only

Install-Module -Name invoke-atomicredteam,powershell-yaml -Scope CurrentUser

Install Execution Framework and Atomics Folder

IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -Force

Import the Module in the PowerShell Session

Import-Module "~\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

List Atomic Tests and Check Any

Invoke-AtomicTest All -ShowDetailsBrief
Invoke-AtomicTest All -ShowDetailsBrief -anyOS
Invoke-AtomicTest T1016-8 -ShowDetailsBrief
Invoke-AtomicTest T1016-8 -ShowDetails
Invoke-AtomicTest T1016-8 -CheckPrereqs

Then, Execute!

Invoke-AtomicTest T1016-8
Invoke-AtomicTest T1016-8 -PromptForInputArgs
Invoke-AtomicTest T1016-8 -Interactive

Other Options

Invoke-AtomicTest T1089 -Cleanup
Invoke-AtomicTest T1218.010 -ExecutionLogPath 'C:\log.csv'
Invoke-AtomicRunner -listOfAtomics .\testsList.csv -PauseBetweenAtomics 30

Start the Atomic GUI

Start-AtomicGUI


CALDERA

Caldera is an Automated Adversary Emulation Platform developed by MITRE [Link]. Its source code is available at [Link].

Both Red and Blue teams can use this platform to deploy their Agents and monitor ongoing operations.

Install and start Caldera on Kali

sudo apt install caldera -y
caldera

Note the credentials for both teams displayed in the terminal:

Navigate to http://localhost:8888/.

Each team (Red and Blue) has its own dashboard, but both look and work the same way:

Set up the Agents.

  • Key setup points:
    • Select the Agent based on the desired communication protocol: TCP, HTTP, HTTPS, etc.
    • Enter the IP or hostname of the Caldera Server and make sure it is reachable from the Agents.
    • Several deployment commands will be generated to copy and paste onto the endpoints (Agents):
      • Caldera’s default Red team agent,
      • Blue team agent,
      • One with a randomised name for a quick background start,
      • One that compiles on the endpoint (requires GoLang),
      • One that uses GIST C2,
      • And one capable of P2P communication.

Review the Adversary Profiles and define what will be emulated.

  • Key setup points:
    • Search the Abilities database for TTPs that match the organisation’s attack surface.

Create an Operation with the chosen Adversary Profile.

  • Key setup points:
    • Research which adversaries are most likely to target your organisation or industry.
      • Adversaries are based on real threat actors’ observed behaviours and capabilities.

Configure the Operation settings.

  • Key setup points:
    • Create a new Operation and select the Adversary you want to emulate.
    • Adjust the desired obfuscation level and the amount of noise it will generate on the network.

Monitor the operation as it unfolds.


BONUS

Run Atomic Red Team from a container with:

docker run -it redcanary/invoke-atomicredteam:latest

Run Caldera from a container with:

docker run -it -d mitre/caldera