{"id":3978,"date":"2024-03-25T20:41:29","date_gmt":"2024-03-26T00:41:29","guid":{"rendered":"https:\/\/dft.wiki\/?p=3978"},"modified":"2024-03-26T11:42:53","modified_gmt":"2024-03-26T15:42:53","slug":"practising-red-teaming-adversary-emulation","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=3978","title":{"rendered":"Practising Red Teaming (Adversary Emulation)"},"content":{"rendered":"

Red teaming is an authorised emulation of real attackers’ TTPs (Tactics, Techniques and Procedures) from MITRE ATT&CK, pretending to be a threat actor, and attempting intrusion against an organisation.<\/p>\n

\n

ATOMIC READ TEAM<\/strong><\/p>\n

Atomic Read Team<\/strong> is a tool that allow to easily run “fake” attacks based on known TTPs in order to test detection and prevention systems [Link<\/a>]. It used a PoweShell module called Invoke-AtomicRedTeam to execute the desired attack’s procedure [Link<\/a>].<\/p>\n

Install Execution Framework Only<\/p>\n

Install-Module -Name invoke-atomicredteam,powershell-yaml -Scope CurrentUser<\/pre>\n
Install Execution Framework and Atomics Folder<\/p>\n
IEX (IWR 'https:\/\/raw.githubusercontent.com\/redcanaryco\/invoke-atomicredteam\/master\/install-atomicredteam.ps1' -UseBasicParsing);\r\nInstall-AtomicRedTeam -getAtomics -Force<\/pre>\n
Importing the Module in the PowerShell Session<\/p>\n
Import-Module \"~\\AtomicRedTeam\\invoke-atomicredteam\\Invoke-AtomicRedTeam.psd1\" -Force<\/pre>\n
List Atomic Tests and Check Any<\/p>\n
Invoke-AtomicTest All -ShowDetailsBrief\r\nInvoke-AtomicTest All -ShowDetailsBrief -anyOS<\/pre>\n
Invoke-AtomicTest T1016-8 -ShowDetailsBrief\r\nInvoke-AtomicTest T1016-8 -ShowDetails\r\nInvoke-AtomicTest T1016-8 -CheckPrereqs<\/pre>\n
Then, Execute!<\/p>\n
Invoke-AtomicTest T1016-8\r\nInvoke-AtomicTest T1016-8 -PromptForInputArgs\r\nInvoke-AtomicTest T1016-8 -Interactive<\/pre>\n
Other Options<\/p>\n
Invoke-AtomicTest T1089 -Cleanup\r\nInvoke-AtomicTest T1218.010 -ExecutionLogPath 'C:\\log.csv'\r\nInvoke-AtomicRunner -listOfAtomics .\\testsList.csv -PauseBetweenAtomics 30<\/pre>\n
Start the Atomic GUI<\/p>\n
Start-AtomicGUI<\/pre>\n
\"\"<\/p>\n
\n
CALDERA<\/strong><\/p>\n
Caldera<\/strong> is an Automated Adversary Emulation Platform developed by MITRE [Link<\/a>]. Its code can be found at [Link<\/a>].<\/p>\n
Both, Red and Blue teams can use this platform to install their Agents and monitor the operations occur.<\/p>\n
Install and start Caldera on Kali<\/p>\n
sudo apt install caldera -y\r\ncaldera<\/pre>\n
Note the credentials for both teams on the terminal:<\/p>\n
\"\"<\/p>\n
Navigate to http:\/\/localhost:8888\/<\/strong>.<\/p>\n
\"\"<\/p>\n
Each team (Red and Blue) will have its own dashboard but they both look and work the same way:<\/p>\n
\"\"<\/p>\n
\"\"<\/p>\n
Setup the Agents.<\/p>\n
\"\"<\/p>\n
    \n
  • Important points to setup:\n
      \n
    • Select the Agent based on criteria like the desired communication protocol: TCP, HTTP, HTTPS, etc.<\/li>\n
    • Enter the IP or hostname of Caldera Server and make sure it is reachable from the Agents.<\/li>\n
    • It will produce multiple deployment commands that can copied and pasted on the end-points (Agents):\n
        \n
      • Caldera’s default Red team’s agent,<\/li>\n
      • Blue team’s agent,<\/li>\n
      • With a randomised name for quick start in background,<\/li>\n
      • One that compiles in the end-point (requires GoLang),<\/li>\n
      • Another that uses GIST C2,<\/li>\n
      • And one that is capable of P2P communication.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
        Check the Adversary Profiles and define what will be emulated.<\/p>\n
        \"\"<\/p>\n
          \n
        • Important points to setup:\n
            \n
          • Re search the Abilities database for TTPs that match the organisation attach surface.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
            Create an Operation with the Adversary Profile chosen.<\/p>\n
            \"\"<\/p>\n
              \n
            • Important points to setup:\n
                \n
              • Study what adversaries are more likely to target your organisation or industry.\n
                  \n
                • The adversaries are based on real threat actors observer behaviours and their abilities.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
                  Create an Operation with the Adversary Profile chosen.<\/p>\n
                  \"\"<\/p>\n
                    \n
                  • Important points to setup:\n
                      \n
                    • Create a new Operation and select the Adversary you want to emulate.<\/li>\n
                    • Adjust the desired obfuscation level and how much noise it will cause in the network.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
                      \"\"<\/p>\n
                      Now, monitor the operation as it unfolds.<\/p>\n
                      \n
                      BONUS<\/strong><\/p>\n
                      Run Atomic Red Team from a Container with:<\/p>\n
                      docker run -it redcanary\/invoke-atomicredteam:latest<\/pre>\n
                      Run Caldera from a Container with:<\/p>\n
                      docker run -it -d mitre\/caldera<\/pre>\n","protected":false},"excerpt":{"rendered":"
                      Red teaming is an authorised emulation of real attackers’ TTPs (Tactics, Techniques and Procedures) from […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-3978","post","type-post","status-publish","format-standard","hentry","category-hacking"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/3978","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3978"}],"version-history":[{"count":10,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/3978\/revisions"}],"predecessor-version":[{"id":4017,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/3978\/revisions\/4017"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3978"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3978"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3978"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}