-
Notifications
You must be signed in to change notification settings - Fork 2.8k
Getting started
Everything you need to execute your first atomic test.
Before you start testing, you'll need the following:
- Permission to test. Always ask your environment owner for permission before executing an atomic test.
- A test machine. Set up a machine that mimics the build of your environment. Make sure your security solution is active.
We store all of our atomic test files in the atomics directory of the Atomic
Red Team repository. To keep things organized, we divide tests into directories
named after the MITRE ATT&CK® technique they represent. For example, we keep
Process Injection tests in
atomic-red-team/atomics/T1055/.
Each technique directory contains the following:
- A YAML test file
- A human-readable Markdown test file
- An optional
srcdirectory for source file dependencies - An optional
bindirectory for binary dependencies
Browse the atomics directory for an appropriate test. You can also select
a test from one of these lists:
Open the Markdown test definition file and navigate to your test of choice.
Some tests have a "Dependencies" subheading. These tests require additional files to run. To install dependencies, execute the commands in the "Get Prereq Commands" subheading.
To run your test, execute the commands in the "Attack Commands" subheading. Note what information, if any, is collected by your security solution.
Some tests make changes to your environment. To revert these changes, run the commands in the "Cleanup Commands" subheading.
💡 Tip: Be sure to replace any #{<input>} arguments with the inputs
specified by the "Inputs" heading of the Markdown test file.
- Use the data collected by your security solution to evaluate and improve your detection coverage.
- Automatically run atomic tests using an execution framework like Invoke-Atomic.
Questions? Get connected to the community on the Atomic Red Team™ Slack channel.