Atomic Red Team™ by Red Canary is a library of simple tests that every security team can execute to test their defenses. You can use it as a service to run MITRE ATT&CK techniques against your tenant (live or staging organization) to see which techniques you have coverage against, and to uncover any gaps.
Once you have found the gaps in your detection & response (D&R) rule coverage, you can write D&R rules to address them.
Find more information about it here.
Enabling Atomic Red Team
Enabling Atomic Red Team can be done within the LimaCharlie marketplace, or at this link.
Under the Organization dropdown, select a tenant (organization) you want to subscribe to Atomic Red Team and click Subscribe.
Please note that add-ons are applied on a per-tenant basis. If you have multiple organizations you want to subscribe to Atomic Red Team, you will need to subscribe each organization to the add-on separately.
You can also manage add-ons from the Subscriptions menu under Billing.
Tenants that have been subscribed to the add-on will be marked with a green check mark in the Organization dropdown.
Running Atomic Red Team
After Atomic Red Team has been enabled for your organization, a Run Atomic Tests button will appear inside the Overview of any Windows sensor.
Before running, you can select a set of tests from the full suite. The list of available tests is updated every time the window is opened so you can be sure you are getting all available options.
Once tests are selected and run, the output can be viewed inside a job on the Dashboard of your organization. Depending on the number of tests selected, it may take a few minutes for the job to finish.
Once complete, you can check the results of the test by opening the job details view.
If any detections have been generated, they will appear as regular detections at the Detections dashboard.
Additionally, if you are looking to run the Atomic Red Team tests on multiple endpoints, you can do it at the Services tab.
To do so:
- Select an action (required): list (to list available tests) or run (to run Atomic Red Team tests on the endpoint).
- Select a sensor (required if you want to run tests; not needed for list). The sensor must be online to run tests.
- List comma-separated test IDs (test IDs are required if you want to run tests but are optional for listing).
- Choose whether to clean up after running a test. Clean will revert any changes the test made (e.g., if settings were changed, the system is restored to its original state).
- Choose whether the service should impersonate the current user. Impersonate is a general parameter that makes the service use your own permissions rather than the permissions the service was set up with.
- Choose whether the service should run as a background job. The Atomic Red Team run action always runs as a background job.
Once complete, you can check the results of the test by opening the job details view on the Dashboard. If any detections have been generated, they will appear as regular detections at the
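The Services tab parameters listed above map naturally onto a scripted service request, which is convenient when you want to run the same set of tests against several sensors in sequence. The following is an added example, not LimaCharlie's own code: it validates the parameters according to the rules stated above (action is required and is list or run; a sensor and at least one test ID are required to run; test IDs are optional for list; run always executes as a background job) and builds the request body. The request field names ("action", "sid", "tests", "clean", "impersonate") and the service name "atomic-red-team" are assumptions modelled on the tab's labels; check them against the service's documented request schema. The submit helper uses the limacharlie Python SDK's Manager.serviceRequest and Sensor.isOnline, and only runs when you call it with credentials.

```python
"""Build and optionally submit an Atomic Red Team service request.

Added example, not LimaCharlie's own code. Field names and the service
name below are ASSUMPTIONS based on the Services tab labels; verify them
against the service's documented request schema before relying on them.
"""
from typing import List, Optional, Union

SERVICE_NAME = "atomic-red-team"  # assumed service name


class InvalidRequest(ValueError):
    """Raised when the parameters violate the rules described on the page."""


def parse_test_ids(test_ids: Union[str, List[str], None]) -> List[str]:
    """Accept a comma-separated string (as typed into the tab) or a list.

    Blank entries and surrounding whitespace are dropped so that
    "T1, T2,," yields ["T1", "T2"].
    """
    if test_ids is None:
        return []
    if isinstance(test_ids, str):
        test_ids = test_ids.split(",")
    return [t.strip() for t in test_ids if t and t.strip()]


def build_art_request(action: str,
                      sensor_id: Optional[str] = None,
                      test_ids: Union[str, List[str], None] = None,
                      clean: bool = True,
                      impersonate: bool = False) -> dict:
    """Validate the parameters and return the request body for the service.

    Rules, taken from the page:
      - action is required and must be "list" or "run"
      - a sensor is required to run tests, not needed to list
      - test IDs are required to run tests, optional for listing
    """
    if action not in ("list", "run"):
        raise InvalidRequest("action must be 'list' or 'run'")
    ids = parse_test_ids(test_ids)
    req = {"action": action}  # assumed field name
    if action == "run":
        if not sensor_id:
            raise InvalidRequest("a sensor ID is required to run tests")
        if not ids:
            raise InvalidRequest("at least one test ID is required to run tests")
        req.update({
            "sid": sensor_id,           # assumed field name
            "tests": ",".join(ids),     # assumed field name
            "clean": clean,             # assumed field name
            "impersonate": impersonate,  # assumed field name
        })
    elif ids:
        req["tests"] = ",".join(ids)
    return req


def request_error(action: str, sensor_id: Optional[str] = None,
                  test_ids: Union[str, List[str], None] = None) -> Optional[str]:
    """Return the validation error message, or None if the request is valid."""
    try:
        build_art_request(action, sensor_id, test_ids)
    except InvalidRequest as exc:
        return str(exc)
    return None


def is_background(action: str) -> bool:
    """The run action always executes as a background job; list does not need to."""
    return action == "run"


def submit(req: dict, oid: str, api_key: str):
    """Send the request with the limacharlie SDK (pip install limacharlie).

    Imported lazily so the validation helpers above work offline.
    """
    import limacharlie
    man = limacharlie.Manager(oid=oid, secret_api_key=api_key)
    if req["action"] == "run" and not man.sensor(req["sid"]).isOnline():
        raise InvalidRequest("the sensor must be online to run tests")
    return man.serviceRequest(SERVICE_NAME, req, isAsync=is_background(req["action"]))


if __name__ == "__main__":
    # Constructed sample values; replace with a real sensor ID and test IDs.
    print(build_art_request("list"))
    print(build_art_request("run", "SENSOR-ID-PLACEHOLDER", "T1, T2", clean=True))
    print(request_error("run", None, "T1"))
```

The validation mirrors what the tab enforces in the UI, so a scheduled job that loops over sensors fails fast on a malformed request instead of submitting a job that never produces a result.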