This report presents end-to-end Atomic Red Team attack simulations against Elastic Security, an enterprise XDR platform with SIEM, endpoint security, and cloud security capabilities. The simulations are based on Scattered Spider tactics and aligned with the MITRE ATT&CK framework.
Our objectives are to evaluate Elastic Security's detection coverage and to analyze the techniques it missed using the Windows event logs (Security, System, Application, and Sysmon) collected from the endpoints. That analysis feeds the development of new detection rules. We also explore possible improvements, such as automating the mapping of Sysmon events to MITRE ATT&CK techniques.
This report only includes techniques for which Atomic Red Team provides tests. Techniques without an atomic test, such as T1566.004 - Spearphishing Voice, are excluded.
We also evaluate atomic tests that, while not identical to Scattered Spider's procedures, share the same technique and similar characteristics. For example, MITRE ATT&CK documents Scattered Spider's use of T1133 - External Remote Services as follows:
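One way to approach the Sysmon-to-ATT&CK mapping mentioned above, as an added example that is not part of the original report: many Sysmon configurations (the sysmon-modular style) tag each rule with `technique_id=Txxxx,technique_name=...` in the `RuleName` field, so the technique can be read straight from the event. The code assumes that tagging convention; the sample events are constructed, not real telemetry.

```powershell
# Added example: count Sysmon events per ATT&CK technique using the technique_id
# tag that sysmon-modular style configurations place in the RuleName field.
# Assumption: the Sysmon config in use tags rules this way; untagged events are
# reported as "unmapped" so gaps in the config are visible too.

function Get-SysmonTechniqueTags {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$RuleName)
    # A rule may carry several comma-separated tags; return every technique ID it names.
    [regex]::Matches($RuleName, 'technique_id=(T\d{4}(?:\.\d{3})?)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Get-TechniqueCoverage {
    param([Parameter(Mandatory)][object[]]$Events)
    $counts = @{}
    foreach ($e in $Events) {
        $ids = @(Get-SysmonTechniqueTags -RuleName ([string]$e.RuleName))
        if ($ids.Count -eq 0) { $ids = @('unmapped') }
        foreach ($id in $ids) { $counts[$id] = 1 + [int]$counts[$id] }
    }
    $counts.GetEnumerator() | Sort-Object Name |
        ForEach-Object { [pscustomobject]@{ Technique = $_.Name; Events = $_.Value } }
}

# Constructed sample events (not captured telemetry). On a real host, collect them with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; StartTime = $start; EndTime = $end }
# and read RuleName from ([xml]$evt.ToXml()).Event.EventData.Data where Name -eq 'RuleName'.
$sample = @(
    [pscustomobject]@{ EventId = 1;  RuleName = 'technique_id=T1133,technique_name=External Remote Services'; Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe' }
    [pscustomobject]@{ EventId = 13; RuleName = 'technique_id=T1133,technique_name=External Remote Services'; Image = 'C:\Windows\regedit.exe' }
    [pscustomobject]@{ EventId = 1;  RuleName = '-';                                                         Image = 'C:\Windows\System32\svchost.exe' }
)

Get-TechniqueCoverage -Events $sample | Format-Table
```

Bounding the query with the start and end time of each atomic test lets you attribute the events to the test that produced them; the "unmapped" bucket shows which of that test's activity the Sysmon config does not yet tag with a technique.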
Scattered Spider has leveraged legitimate remote management tools to maintain persistent access.
During C0027, Scattered Spider used Citrix and VPNs to persist in compromised environments.
While Atomic Red Team's T1133 test currently (as of November 2024) only covers a Chrome VPN extension and not Citrix, the test is still useful for evaluating Elastic Security. We include atomic tests that share a MITRE ATT&CK technique ID with Scattered Spider's activity when they are either generalizable or closely related to the group's methods.
We use Elastic Security as our enterprise security solution. The setup consists of a central Elastic Security SIEM with a Fleet Server that manages the agents and receives the logs and events from the protected machines. On these endpoints we installed the Elastic Agent with two key integrations: Elastic Defend for EDR capabilities, and the Windows integration to collect the System, Application, Security, and Sysmon event logs.
This PowerShell script executes all Atomic Red Team tests that were used to simulate Scattered Spider's TTPs. The script can be used to quickly replicate the attack simulation environment or serve as a reference for future testing.
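As an added illustration of such a harness, not the report's own script: the loop below runs each listed atomic test with Invoke-AtomicRedTeam, resolving prerequisites first and cleaning up afterwards, and records the UTC start and end time of every run so the resulting Elastic alerts and Windows events can be matched to the test that produced them. The test list is an assumption built only from the technique named on this page (T1133); the full Scattered Spider set would replace it.

```powershell
# Added example: run a list of Atomic Red Team tests and record per-test timing
# for later correlation with Elastic Security alerts. Assumptions: the
# Invoke-AtomicRedTeam module and the atomics folder are installed (one-time
# setup, run elevated):
#   IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
#   Install-AtomicRedTeam -getAtomics -Force
Import-Module Invoke-AtomicRedTeam

# Assumed test list: technique ID plus the atomic test numbers to run.
$tests = @(
    @{ Technique = 'T1133'; TestNumbers = @(1) }   # Chrome VPN extension test, the only T1133 atomic as of Nov 2024
)

$logPath = Join-Path $env:TEMP 'atomic-execution.csv'
$results = foreach ($t in $tests) {
    foreach ($n in $t.TestNumbers) {
        # Resolve prerequisites (tool downloads, staged files) before the real execution.
        Invoke-AtomicTest $t.Technique -TestNumbers $n -GetPrereqs

        $start = Get-Date
        try {
            # Invoke-AtomicTest returns normally even if the simulated command fails;
            # the catch only covers module-level errors (missing test, bad ID).
            Invoke-AtomicTest $t.Technique -TestNumbers $n -ExecutionLogPath $logPath
            $status = 'executed'
        } catch {
            $status = "error: $($_.Exception.Message)"
        }
        $end = Get-Date

        # Undo the test's changes so the next run starts from a known state.
        Invoke-AtomicTest $t.Technique -TestNumbers $n -Cleanup

        [pscustomobject]@{
            Technique  = $t.Technique
            TestNumber = $n
            Status     = $status
            StartUtc   = $start.ToUniversalTime().ToString('o')
            EndUtc     = $end.ToUniversalTime().ToString('o')
        }

        # Let the agent ship its events before the next test so the time windows do not overlap.
        Start-Sleep -Seconds 30
    }
}

$results | Export-Csv -Path (Join-Path $env:TEMP 'atomic-results.csv') -NoTypeInformation
$results | Format-Table
```

The exported CSV gives one time window per test; querying Elastic Security for alerts and the Windows logs inside each window is what produces the per-technique detection level used in the tables that follow.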
Each atomic test is graded with one of the following detection levels, ordered from most specific to least specific:

| Detection level | Meaning |
|---|---|
| Technique | Precise detection of the specific adversary technique |
| Tactic | Detection at the broader tactical level |
| General | General behavioral detection |
| Telemetry | Basic activity logging only |
| None | No detection |
| Not Applicable | Detection not relevant or not possible |
<aside> ℹ️
Detection levels of General or higher are considered successful detections.
</aside>
Scenario Detections
<aside> 22/37 detections
</aside>