Security Assessment With Atomic Red Team Tutorial | TryHackMe Atomic Red Team

Motasem Hamdan
3 min read · 2 days ago


We covered conducting security testing and assessment using the Atomic Red Team framework. Atomic Red Team is a library of test techniques mapped to the MITRE ATT&CK framework; each technique ships with a Markdown file and a YAML configuration file that is used to execute the test in the environment. This was part of the TryHackMe Atomic Red Team room, which belongs to the SOC Level 2 track.

What is Atomic Red Team

Atomic Red Team is an open-source project that provides a framework for performing security testing and threat emulation. It consists of tools and techniques that can be used to simulate various types of attacks and security threats, such as malware, phishing attacks, and network compromise. The Atomic Red Team aims to help security professionals assess the effectiveness of their organization’s security controls and incident response processes and identify areas for improvement.

The Atomic Red Team framework is designed to be modular and flexible, allowing security professionals to select the tactics and techniques most relevant to their testing needs. It is intended to be used with other tools and frameworks, such as the MITRE ATT&CK framework, which provides a comprehensive overview of common tactics and techniques threat actors use.

Components of Atomic Red Team

Atomics are the individual test cases, each based on a technique from the MITRE ATT&CK Framework. Each works as a standalone test that security analysts can use to emulate a specific technique, for example OS Credential Dumping: LSASS Memory.

Each Atomic typically contains two files, both named after their MITRE ATT&CK Technique ID:

  • Markdown File (.md) — Contains all the information about the technique: the supported platforms, the executor, the GUID, and the commands to be executed.
  • YAML File (.yaml) — Configuration consumed by frameworks such as Invoke-Atomic and Atomic-Operator to emulate the technique exactly as written.

The Markdown file is written to be self-explanatory, so let’s dive deep into the configuration files used to emulate commands.

Invoke-AtomicRedTeam

Invoke-AtomicRedTeam is a PowerShell module created by the same author (Red Canary) that allows Security Analysts to run simulations defined by Atomics. To avoid confusion, the primary cmdlet used in this module is Invoke-AtomicTest and not Invoke-AtomicRedTeam.
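As an added example (not code from the original post or the TryHackMe room), the defender-side workflow around Invoke-AtomicTest for the LSASS technique mentioned above: inspect the test, check its prerequisites, run one test, clean up, and then read the execution log to correlate the run with what the EDR or SIEM recorded. It assumes the module was installed to the default C:\AtomicRedTeam path and that test number 1 of T1003.001 exists; adjust the path, technique ID and test number for your environment.

```powershell
# Added example: defender-side workflow around Invoke-AtomicTest.
# Assumption: Invoke-AtomicRedTeam was installed to the default path C:\AtomicRedTeam.
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

$technique = "T1003.001"   # OS Credential Dumping: LSASS Memory (the technique named in the post)
$testNum   = 1             # assumption: the first test defined in the atomic's YAML
$logPath   = Join-Path $env:TEMP "$technique-atomic-log.csv"

# 1. Read what the atomic will do before executing anything.
Invoke-AtomicTest $technique -ShowDetailsBrief
Invoke-AtomicTest $technique -TestNumbers $testNum -ShowDetails

# 2. Confirm prerequisites (tools, privileges). Only fetch them if the check fails.
Invoke-AtomicTest $technique -TestNumbers $testNum -CheckPrereqs
# Invoke-AtomicTest $technique -TestNumbers $testNum -GetPrereqs

# 3. Execute a single test and record the run in a CSV execution log.
Invoke-AtomicTest $technique -TestNumbers $testNum -ExecutionLogPath $logPath -TimeoutSeconds 120

# 4. Always run the atomic's cleanup_command so the host returns to its baseline.
Invoke-AtomicTest $technique -TestNumbers $testNum -Cleanup

# 5. Use the logged time window to hunt for the matching telemetry in the SIEM
#    (for LSASS access, e.g. Sysmon Event ID 10 ProcessAccess with lsass.exe as target).
#    Column names below are those written by the module's default CSV logger; check the
#    header of the file if your version differs.
Import-Csv $logPath |
    Select-Object Technique, 'Test Number', 'Test Name', 'Execution Time (UTC)', Hostname |
    Format-Table -AutoSize
```

Run from an elevated PowerShell session on a test host, since credential-dumping atomics require administrator rights and should never be executed on production systems without approval.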

Scenario Case Study: Emulating APT37

To apply all items discussed in the previous tasks, let’s do a case study for the emulation of APT37.

APT37, also known as Reaper, is a cyber espionage group that has been active since 2012 and is believed to be operating out of North Korea. The group has been known to target a wide range of organisations, including government agencies, defence contractors, and media companies.

Check out the video below for a detailed explanation.

Room Answers | TryHackMe Atomic Red Team

Room answers can be found here.

Video Walkthrough | TryHackMe Intro to Threat Emulation


Motasem Hamdan

Motasem Hamdan is a cybersecurity consultant and content creator. He is also a marketing expert and growth hacker. https://www.youtube.com/@MotasemHamdan