cybersecops / go-atomicredteam Goto Github PK

go-atomicredteam is a Golang application to execute tests as defined in the atomics folder of Red Canary's Atomic Red Team project. The "atomics folder" contains a folder for each Technique defined by the MITRE ATT&CK™ Framework. Inside of each of these "T#" folders you'll find a yaml file that defines the attack procedures for each atomic test as well as an easier to read markdown (md) version of the same data.

• Executing atomic tests may leave your system in an undesirable state. You are responsible for understanding what a test does before executing.

• Ensure you have permission to test before you begin.

• It is recommended to set up a test machine for atomic test execution that is similar to the build in your environment. Be sure you have your collection/EDR solution in place, and that the endpoint is checking in and active.

The goal of go-atomicredteam (goart for short) is to package all the atomic test definitions and documentation directly into the executable such that it can be used in environments without Internet access. As of now this is not fool proof, however, since some tests themselves include calls to download additional resources from the Internet.

goart also supports local development of tests by making it possible for a user to dump existing test definitions to a local directory and load tests present in the local directory when executing. If a test is both defined locally and within the executable, the local test will be used.

To build goart for all operating systems, simply run make release from the root directory. Otherwise, run the appropriate make bin/goart-<os> target for your OS.

Obviously, Golang needs to be installed locally in order to build.

Note: This execution framwork works on Windows, MacOS, and Linux (assuming it's cross-compiled).