The Atomic plugin converts Red Canary’s Atomic Red Team tests from their open-source GitHub repository into CALDERA abilities for granular ATT&CK simulation.
Atomic-level detection validation
The Atomic plugin ships with CALDERA as a default plugin (a git submodule under
plugins/atomic). To add it manually:
- Clone this repository into CALDERA's
pluginsfolder:cd <path to caldera>/pluginsgit clone https://github.com/mitre/atomic.git - Enable the plugin by adding
- atomicto theplugins:list in CALDERA'sconf/local.yml(orconf/default.yml). - Restart CALDERA.
On first load the plugin automatically clones Red Canary's Atomic Red Team
repository into plugins/atomic/data/atomic-red-team and imports the tests as
abilities — no manual cloning, requirements file, or path configuration is
required. The ATT&CK technique-to-tactic mapping is read from the
enterprise-attack.json file bundled inside that same repository, so no separate
CTI repository is needed. (This first import takes a while; see "Getting Started"
below.)
gitavailable on the PATH (used to clone the Atomic Red Team repository).- Python dependencies are provided by CALDERA core (e.g. PyYAML); the plugin has no separate requirements file or install step.
The first time you access the Atomic plugin you will need to import the Atomic Red Team YAML files to populate Atomic Caldera's database. To do this click the "Add Abilities" button. Adding the abilities for the first time will take some time to complete, please be patient, the status will update when the import is completed.
To select an ability:
- First select a tactic "Select ATT&CK tactic" drop down.
- Next select the ability from the "Select ability" drop down.
After you have selected an ability you can use the left and right arrows to quickly move through the list of available abilities related to the selected tactic.
If you have made changes to an ability and wish to save them:
- Click the "Save Ability" button.
If you have made changes to variables and wish to save them:
- Click the "Save Variables" button.
If you wish to export the selected ability only to Stockpile:
- Click the Export Ability button.
If you wish to export all of the abilities from Atomic Caldera to Stockpile:
- Click the Export All Abilities button.
If you wish to delete everything that has been imported and wish to start over, do so by:
- Click the Reload Abilities button
- Click the Yes button.
After clicking yes, it will then take some time for the abilities to complete reloading. NOTE: It is necessary to restart Caldera to view the new abilities. At the moment there is no way to force Chain to reload its database from the GUI.
- ART tests only specify techniques they address. This plugin creates a mapping and import abilities under the corresponding tactic. Yet sometimes multiple tactics are a match, and we do not know which one the test addresses. This will be fixed in the future thanks to the ATT&CK sub-techniques. As of now, we use a new tactic category called "multiple".
- When a command/cleanup expands over multiple lines with one of them being a comment, it messes up the whole command/cleanup (as we reduce multiple lines into one with semi-colons).
- ART tests are not full adversary attack chains/ emulations.
- Some ART tests are incomplete.
- When importing tests from Atomic Red Team, this plugin also catches
$PathToAtomicsFolderusages pointing to an existing file. It then imports the files as payloads and fixes path usages. Note other usages are not handled. If a path with$PathToAtomicsFolderpoints to an existing directory or an unexisting file, we will not process it any further and ingest it "as it is". Examples of such usages below: