In this article, we’ll cover the Atomic Red Team challenge, "I’m all atomic inside!", which is the Day 4 challenge of the Advent of Cyber event. It was interesting to understand and navigate the Cyber Attacks & the Kill Chain material and the Atomic Red Team library, a collection of red team test cases mapped to the MITRE ATT&CK framework. We’re still at Wareville for SOC-mas!
As Glitch continues to prepare for SOC-mas and fortifies Wareville's security, he decides to conduct an attack simulation that would mimic a ransomware attack across the environment. He is unsure of the correct detection metrics to implement for this test and asks you for help. Your task is to identify the correct atomic test to run that will take advantage of a command and scripting interpreter, conduct the test, and extract valuable artifacts that would be used to craft a detection rule.
Answer the questions below
What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xslm artefact?
THM{GlitchTestingForSpearphishing}
What ATT&CK technique ID would be our point of interest?
T1059
What ATT&CK subtechnique ID focuses on the Windows Command Shell?
T1059.003
What is the name of the Atomic Test to be simulated?
Simulate BlackByte Ransomware Print Bombing
What is the name of the file used in the test?
Wareville_Ransomware.txt
What is the flag found from this Atomic Test?
THM{R2xpdGNoIGlzIG5vdCB0aGUgZW5lbXk=}
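To show how the task from the scenario fits together (pick the T1059.003 test, run it, then pull the artefacts a detection rule needs), here is an added PowerShell example that is not part of the original write-up or the TryHackMe room. It assumes the Invoke-AtomicRedTeam module and Sysmon are installed on the test host, that the named test is configured (as in the challenge) to print Wareville_Ransomware.txt, and that process creation is logged as Sysmon Event ID 1; the function name Get-AtomicProcessArtifacts is my own.

```powershell
# Added example, not the write-up's or Atomic Red Team's own code.
# Assumes Invoke-AtomicRedTeam and Sysmon (Event ID 1, process creation) are present.
Import-Module Invoke-AtomicRedTeam

$technique = 'T1059.003'                                    # Windows Command Shell
$testName  = 'Simulate BlackByte Ransomware Print Bombing'  # test named in the room
$artifact  = 'Wareville_Ransomware.txt'                     # file the test prints (from the room)

# Review what the test will execute, then make sure its prerequisites are in place;
# without them the test exits early and leaves nothing useful to detect.
Invoke-AtomicTest $technique -TestNames $testName -ShowDetails
Invoke-AtomicTest $technique -TestNames $testName -CheckPrereqs
Invoke-AtomicTest $technique -TestNames $testName -GetPrereqs

$start = Get-Date
Invoke-AtomicTest $technique -TestNames $testName
Start-Sleep -Seconds 10   # give Sysmon time to flush the process-creation events

# Pull Sysmon process-creation events since the test began whose command line
# references the artefact file. The XML is parsed by field name rather than by
# positional index, so the extraction survives Sysmon schema changes.
function Get-AtomicProcessArtifacts {
    param([datetime]$Since, [string]$Match)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.CommandLine -like "*$Match*") {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Image       = $data.Image          # e.g. cmd.exe or the spawned child
                CommandLine = $data.CommandLine    # the string a detection rule keys on
                ParentImage = $data.ParentImage    # parent chain is often the better signal
                User        = $data.User
            }
        }
    }
}

Get-AtomicProcessArtifacts -Since $start -Match $artifact | Format-List

# Always undo the test's side effects once the artefacts have been captured.
Invoke-AtomicTest $technique -TestNames $testName -Cleanup
```

The Image, ParentImage and CommandLine values this returns are the fields to turn into a Sigma or EDR rule; matching on the parent-to-child relationship plus the print-related arguments is more durable than matching on the file name, which an attacker controls.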
Learn more about the Atomic Red Team via the linked room.
Thank you for reading through this article. You can leave a comment with your thoughts: areas to improve or other suggestions and questions if any. Till the next one, stay secure!