
Day 4: I’m all atomic inside!

Tryhackme Advent of Cyber 2024 Day 4 Banner | Credits: Tryhackme

Note:

Hey! Before you go through this writeup, try the task yourself first. If you get stuck, come back and check out the writeup.

Atomic Red Team is an open-source project that provides a library of small, easy-to-run tests designed to simulate real-world cyberattacks. Each test focuses on a specific tactic or technique from the MITRE ATT&CK framework, like privilege escalation, lateral movement, or data exfiltration. It’s great for testing your detection and response capabilities because it doesn’t require complex setup or specialised tools—just pick a test, run it, and see how well your security systems respond.

Q: What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xlsm artefact?

A: Open a Windows PowerShell window as Administrator and open Windows Event Viewer.

In Event Viewer, navigate to Applications and Services Logs => Microsoft => Windows => Sysmon => Operational.

Right-click on Operational, select Clear Log, and in the pop-up select Clear, so that only events generated by the test remain in the log.

Go back to the PowerShell window and run:

Invoke-AtomicTest T1566.001 -TestNumbers 1

Go back to Windows Event Viewer and click Refresh.

We are interested in two Sysmon event types:

  1. Process creation (Event ID 1) for the PowerShell process that executes the following command: "powershell.exe" & {$url = 'http://localhost/PhishingAttachment.xlsm'; Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm}
  2. File creation (Event ID 11) with the target filename PhishingAttachment.xlsm; the TargetFilename field of this event gives the full path where the attachment was written.

Go to the directory where the file was created. The PhishingAttachment.txt file in that same directory contains the flag.

Q: What ATT&CK technique ID would be our point of interest?

A: Head over to https://attack.mitre.org and find the Technique ID for “Command and Scripting Interpreter” (it sits under the Execution tactic).

Q: What ATT&CK subtechnique ID focuses on the Windows Command Shell?

A: Back on the MITRE page for that technique, open the sub-techniques drop-down and find the sub-technique ID for “Windows Command Shell”.

Q: What is the name of the Atomic Test to be simulated?

A: In the PowerShell window run:

Invoke-AtomicTest <sub-technique ID from the previous question> -ShowDetails

As the question says we are simulating a ransomware attack, look through the listed tests for the one related to ransomware; its name is the answer.

Q: What is the name of the file used in the test?

A: The output of the previous command has the answer: the file path is listed in the test's input arguments and in the command it executes.

Q: What is the flag found from this Atomic Test?

A: Run the test first (Invoke-AtomicTest <sub-technique ID> -TestNumbers <number of the ransomware test>), then open the file from the previous question. The flag is in the file.
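The two procedures above (clear the Sysmon log, run an Atomic test, pick out the process-creation and file-creation events, then find the artefact) can be done from one elevated PowerShell session. The script below is an added example, not code from the original writeup or from the Atomic Red Team project. It assumes Sysmon is installed with process-create and file-create logging enabled and that the Invoke-AtomicRedTeam module is already loaded, as on the room's VM; the function and variable names are my own.

```powershell
# Added example (not part of the original writeup): run an Atomic test and collect the Sysmon
# telemetry it produces in one step, instead of clearing and refreshing Event Viewer by hand.
# Assumes Sysmon with process-create and file-create logging and a loaded Invoke-AtomicRedTeam
# module. Run from an elevated PowerShell window.

$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

function Get-SysmonField {
    # Read one named EventData field (CommandLine, Image, TargetFilename, ...) from a Sysmon event.
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Invoke-AtomicWithSysmon {
    # Clear the Sysmon log, run one Atomic test and return what Sysmon saw:
    # Event ID 1 = process creation, Event ID 11 = file creation.
    param(
        [Parameter(Mandatory)][string]$Technique,   # e.g. T1566.001
        [Parameter(Mandatory)][int]$TestNumber
    )
    wevtutil.exe cl $SysmonLog                      # same as "Clear Log" in Event Viewer
    $start = Get-Date
    Invoke-AtomicTest $Technique -TestNumbers $TestNumber
    Start-Sleep -Seconds 2                          # give Sysmon a moment to write its events

    $events = Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 1, 11; StartTime = $start } -ErrorAction SilentlyContinue
    $processes = foreach ($e in ($events | Where-Object Id -eq 1)) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Image       = Get-SysmonField $e 'Image'
            ParentImage = Get-SysmonField $e 'ParentImage'
            CommandLine = Get-SysmonField $e 'CommandLine'
        }
    }
    $files = foreach ($e in ($events | Where-Object Id -eq 11)) {
        [pscustomobject]@{
            Time  = $e.TimeCreated
            Image = Get-SysmonField $e 'Image'
            File  = Get-SysmonField $e 'TargetFilename'
        }
    }
    [pscustomobject]@{ Processes = $processes; Files = $files }
}

# --- Part 1: the phishing attachment (T1566.001, test 1) ---
$phish = Invoke-AtomicWithSysmon -Technique 'T1566.001' -TestNumber 1
$phish.Processes | Where-Object CommandLine -match 'PhishingAttachment' | Format-List
$phish.Files     | Where-Object File -match 'PhishingAttachment' | Format-Table -AutoSize
# The .txt with the flag sits in the directory the attachment was written to (Event ID 11 TargetFilename).
$dropDir = ($phish.Files | Where-Object File -match 'PhishingAttachment\.xlsm$' | Select-Object -First 1).File | Split-Path
if ($dropDir) { Get-ChildItem -Path $dropDir -Filter '*.txt' | Select-Object FullName }

# --- Part 2: Windows Command Shell (sub-technique T1059.003 from the MITRE step) ---
Invoke-AtomicTest T1059.003 -ShowDetailsBrief        # one line per test: number and name
$n = [int](Read-Host 'Number of the ransomware test from the list above')
$shell = Invoke-AtomicWithSysmon -Technique 'T1059.003' -TestNumber $n
# Every cmd.exe launch is the sub-technique in action; the file the test uses appears in its command line.
$shell.Processes | Where-Object Image -match 'cmd\.exe$' | Format-List
```

Filtering on StartTime as well as clearing the log means a second run in the same session does not mix in events from the first. Reading fields out of the event XML rather than positional `Properties` indexes keeps the lookups correct across Sysmon versions, where the field order can differ.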