Atomic Red Team

Date: 2021-09-14 ID: d6a30644-63bf-464b-8a2a-4df5de49aa43 Author: Michael Haag Environment: attack_range Directory: atomic_red_team

Description

Simulated events with Atomic Red Team and manual.

ID	Technique	Tactic
T1069.001	Local Groups	Discovery

The following datasets were collected during this attack simulation:

Path: /datasets/attack_techniques/T1069.001/atomic_red_team/windows-powershell-xml.log
Sourcetype: XmlWinEventLog
Source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational

Path: /datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log
Sourcetype: XmlWinEventLog
Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
Windows Group Discovery Via Net	`Hunting`	Endpoint	T1069.001, T1069.002	Windows Discovery Techniques, Windows Post-Exploitation, Graceful Wipe Out Attack, Active Directory Discovery, Prestige Ransomware, Medusa Ransomware, Azorult, Cleo File Transfer Software, Rhysida Ransomware, IcedID, Volt Typhoon, Microsoft WSUS CVE-2025-59287
Wmic Group Discovery	`Anomaly`	Endpoint	T1069.001	Active Directory Discovery, LAMEHUG
PowerShell Get LocalGroup Discovery	`Hunting`	Endpoint	T1069.001	Active Directory Discovery
Get WMIObject Group Discovery	`Hunting`	Endpoint	T1069.001	Active Directory Discovery
Get WMIObject Group Discovery with Script Block Logging	`Hunting`	Endpoint	T1069.001	Active Directory Discovery

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1069.001/atomic_red_team/windows-powershell-xml.log --index attack_data

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0