From 79d352d13ffbe06e4b5380d37bc6234f775efaf6 Mon Sep 17 00:00:00 2001 From: ahenao4 Date: Mon, 27 Apr 2026 11:51:42 -0400 Subject: [PATCH 1/6] readme --- README.md | 81 ++++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 71 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 3e6fa580..a6bcb150 100644 --- a/README.md +++ b/README.md 
@@ -1,19 +1,80 @@ # MITRE Caldera plugin: Atomic -A plugin supplying Caldera with TTPs from the Atomic Red Team project. +## Overview: -## Details +The Atomic plugin converts Red Canary’s Atomic Red Team tests from their open-source GitHub repository into CALDERA abilities for granular ATT&CK simulation. -- When importing tests from Atomic Red Team, this plugin also catches `$PathToAtomicsFolder` usages pointing to an existing file. It then imports the files as payloads and fix path usages. Note other usages are not handled. If a path with `$PathToAtomicsFolder` points to an existing directory or an unexisting file, we will not process it any further and ingest it "as it is". Examples of such usages below: --- https://github.com/redcanaryco/atomic-red-team/blob/a956d4640f9186a7bd36d16a63f6d39433af5f1d/atomics/T1022/T1022.yaml#L99 --- https://github.com/redcanaryco/atomic-red-team/blob/ab0b391ac0d7b18f25cb17adb330309f92fa94e6/atomics/T1056/T1056.yaml#L24 +- [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) +- [AtomicCaldera](https://github.com/xenoscr/atomiccaldera) -- ART tests only specify techniques they address. This plugin creates a mapping and import abilities under the corresponding tactic. Yet sometimes multiple tactics are a match, and we do not know which one the test addresses. This will be fixed in the future thanks to the ATT&CK sub-techniques. As of now, we use a new tactic category called "multiple". +### Context: +Atomic-level detection validation -## Known issues +### Known Limitations: +- ART tests only specify techniques they address. This plugin creates a mapping and import abilities under the corresponding tactic. Yet sometimes multiple tactics are a match, and we do not know which one the test addresses. This will be fixed in the future thanks to the ATT&CK sub-techniques. As of now, we use a new tactic category called "multiple". 
- When a command/cleanup expands over multiple lines with one of them being a comment, it messes up the whole command/cleanup (as we reduce multiple lines into one with semi-colons). +- ART tests are not full adversary attack chains/ emulations. +- Some ART tests are incomplete. -## Acknowledgements +## Installation: -- [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) -- [AtomicCaldera](https://github.com/xenoscr/atomiccaldera) +1. Clone the repository to MITRE's Caldera "plugins" folder: +`cd ` +`git clone https://github.com/xenoscr/atomiccaldera.git` +2. Change directories: +`cd atomiccaldera` +3. Install required Python modules: +`pip install -r requirements.txt` +4. Clone the Red Canary Atomic Red Team repository: +`git clone https://github.com/redcanaryco/atomic-red-team.git` +5. Clone the MITRE CTI repository: +`git clone https://github.com/mitre/cti.git` +6. Edit the `conf/artconf.yml` file to update the paths to point to your Atomic Red Team and CTI repositories. +7. Edit Caldera's `local.yml` file and add `atomiccaldera` to the plugins section. + +## Dependencies/Requirements: + +1. Python 3.6.8+ with the following libraries installed: +- PyYAML - https://pyyaml.org/wiki/PyYAML +- STIX2 - https://github.com/oasis-open/cti-python-stix2 +2. Atomic-Caldera requires the following repositories be stored locally somewhere: +- https://github.com/redcanaryco/atomic-red-team +- https://github.com/mitre/cti + +## Getting Started: + +The first time you access the Atomic plugin you will need to import the Atomic Red Team YAML files to populate Atomic Caldera's database. To do this click the "Add Abilities" button. Adding the abilities for the first time will take some time to complete, please be patient, the status will update when the import is completed. + +Selecting an Ability +To select an ability: +1. First select a tactic "Select ATT&CK tactic" drop down. +2. Next select the ability from the "Select ability" drop down. 
+ +After you have selected an ability you can use the left and right arrows to quickly move through the list of available abilities related to the selected tactic. +Saving an Ability +If you have made changes to an ability and wish to save them: +1. Click the "Save Ability" button. + +Saving Variables +If you have made changes to variables and wish to save them: +1. Click the "Save Variables" button. + +Export a Single Ability +If you wish to export the selected ability only to Stockpile: +1. Click the Export Ability button. + +Export All Abilities +If you wish to export all of the abilities from Atomic Caldera to Stockpile: +1. Click the Export All Abilities button. + +Reloading Data (i.e. Start over) +If you wish to delete everything that has been imported and wish to start over, do so by: +1. Click the Reload Abilities button +2. Click the Yes button. + +After clicking yes, it will then take some time for the abilities to complete reloading. NOTE: It is necessary to restart Caldera to view the new abilities. At the moment there is no way to force Chain to reload its database from the GUI. + +### Additional Note +- When importing tests from Atomic Red Team, this plugin also catches `$PathToAtomicsFolder` usages pointing to an existing file. It then imports the files as payloads and fix path usages. Note other usages are not handled. If a path with `$PathToAtomicsFolder` points to an existing directory or an unexisting file, we will not process it any further and ingest it "as it is". Examples of such usages below: +-- https://github.com/redcanaryco/atomic-red-team/blob/a956d4640f9186a7bd36d16a63f6d39433af5f1d/atomics/T1022/T1022.yaml#L99 +-- https://github.com/redcanaryco/atomic-red-team/blob/ab0b391ac0d7b18f25cb17adb330309f92fa94e6/atomics/T1056/T1056.yaml#L24 \ No newline at end of file From 1cb4ac807cc4588ea402ee2ddc97de4926538f6a Mon Sep 17 00:00:00 2001 
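Review bot: Installation step 1 is incomplete and the repository it clones does not match the plugin it documents. `cd ` has no path after it, and the clone URL is `https://github.com/xenoscr/atomiccaldera.git`, the separate AtomicCaldera project that the removed Acknowledgements section credited, while the title reads "MITRE Caldera plugin: Atomic" and step 7 tells the reader to enable `atomiccaldera` in `local.yml`. Give the real plugins path (or a clear placeholder such as `cd /path/to/caldera/plugins`), point the clone at this plugin's own repository, and use one directory name consistently in steps 1, 2 and 7. Two further items in this hunk: the "Known issues" entry about multi-line commands containing a comment being collapsed into one semicolon-joined line was dropped without any mention that it was fixed, so either keep it under "Known Limitations" or state that it was resolved; and because steps 4 and 5 clone the Atomic Red Team and CTI repositories at HEAD, while the "Additional Note" explains that files referenced through `$PathToAtomicsFolder` are imported as payloads, the installation section should recommend checking out a reviewed commit of both repositories so the set of abilities and payloads an operator imports is reproducible and auditable rather than whatever HEAD is on install day. Minor: the per-step commands are inline backticks on their own lines; a fenced `bash` block under each step renders far better.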
From: Allison Date: Tue, 28 Apr 2026 16:01:51 -0400 Subject: [PATCH 2/6] Update README.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a6bcb150..aeacdc9e 100644 --- a/README.md +++ b/README.md @@ -75,6 +75,6 @@ If you wish to delete everything that has been imported and wish to start over, After clicking yes, it will then take some time for the abilities to complete reloading. NOTE: It is necessary to restart Caldera to view the new abilities. At the moment there is no way to force Chain to reload its database from the GUI. ### Additional Note -- When importing tests from Atomic Red Team, this plugin also catches `$PathToAtomicsFolder` usages pointing to an existing file. It then imports the files as payloads and fix path usages. Note other usages are not handled. If a path with `$PathToAtomicsFolder` points to an existing directory or an unexisting file, we will not process it any further and ingest it "as it is". Examples of such usages below: +- When importing tests from Atomic Red Team, this plugin also catches `$PathToAtomicsFolder` usages pointing to an existing file. It then imports the files as payloads and fixes path usages. Note other usages are not handled. If a path with `$PathToAtomicsFolder` points to an existing directory or an unexisting file, we will not process it any further and ingest it "as it is". Examples of such usages below: -- https://github.com/redcanaryco/atomic-red-team/blob/a956d4640f9186a7bd36d16a63f6d39433af5f1d/atomics/T1022/T1022.yaml#L99 -- https://github.com/redcanaryco/atomic-red-team/blob/ab0b391ac0d7b18f25cb17adb330309f92fa94e6/atomics/T1056/T1056.yaml#L24 \ No newline at end of file From e43fd90e9b1e209d56116c8360d5847d57d1412b Mon Sep 17 00:00:00 2001 
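Review bot: "fix" to "fixes" is correct, but the same sentence keeps two other wording problems that should go in the same change while the line is being touched: "an unexisting file" should be "a nonexistent file", and `ingest it "as it is"` should be `ingest it as is`. Consider also replacing "Note other usages are not handled" with "Other usages are not handled", since the list item already sits under a heading called "Additional Note".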
From: Allison Date: Tue, 28 Apr 2026 16:02:37 -0400 Subject: [PATCH 3/6] Update README.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index aeacdc9e..4bc67730 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@ Atomic-level detection validation ## Dependencies/Requirements: -1. Python 3.6.8+ with the following libraries installed: +1. Python 3.8+ with the following libraries installed: - PyYAML - https://pyyaml.org/wiki/PyYAML - STIX2 - https://github.com/oasis-open/cti-python-stix2 2. Atomic-Caldera requires the following repositories be stored locally somewhere: From bd4eb16bfc41d4954d7022393389d361c7b744ba Mon Sep 17 00:00:00 2001 From: Allison Date: Tue, 28 Apr 2026 16:03:44 -0400 Subject: [PATCH 4/6] Update README.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- README.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 4bc67730..5a22512b 100644 --- a/README.md +++ b/README.md 
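Review bot: Raising the documented floor from Python 3.6.8+ to 3.8+ only changes the README; if `requirements.txt` (installed in installation step 3) or the plugin's metadata does not enforce the same minimum, the two will drift, so please confirm the constraint exists in code or add it. In the surrounding context, the two library bullets `- PyYAML` and `- STIX2` sit at the same indentation as the numbered items, so Markdown renders them as a separate unordered list rather than as children of item 1; indent them by three spaces under item 1, and do the same for the two repository URLs under item 2.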
@@ -45,32 +45,32 @@ Atomic-level detection validation The first time you access the Atomic plugin you will need to import the Atomic Red Team YAML files to populate Atomic Caldera's database. To do this click the "Add Abilities" button. Adding the abilities for the first time will take some time to complete, please be patient, the status will update when the import is completed. -Selecting an Ability +### Selecting an Ability To select an ability: -1. First select a tactic "Select ATT&CK tactic" drop down. -2. Next select the ability from the "Select ability" drop down. +1. First select a tactic "Select ATT&CK tactic" drop down. +2. Next select the ability from the "Select ability" drop down. After you have selected an ability you can use the left and right arrows to quickly move through the list of available abilities related to the selected tactic. -Saving an Ability +### Saving an Ability If you have made changes to an ability and wish to save them: -1. Click the "Save Ability" button. +1. Click the "Save Ability" button. -Saving Variables +### Saving Variables If you have made changes to variables and wish to save them: -1. Click the "Save Variables" button. +1. Click the "Save Variables" button. -Export a Single Ability +### Export a Single Ability If you wish to export the selected ability only to Stockpile: -1. Click the Export Ability button. +1. Click the Export Ability button. -Export All Abilities +### Export All Abilities If you wish to export all of the abilities from Atomic Caldera to Stockpile: -1. Click the Export All Abilities button. +1. Click the Export All Abilities button. -Reloading Data (i.e. Start over) +### Reloading Data (i.e. Start over) If you wish to delete everything that has been imported and wish to start over, do so by: -1. Click the Reload Abilities button -2. Click the Yes button. +1. Click the Reload Abilities button +2. Click the Yes button. After clicking yes, it will then take some time for the abilities to complete reloading. 
NOTE: It is necessary to restart Caldera to view the new abilities. At the moment there is no way to force Chain to reload its database from the GUI. From b4c9506e0a615a399a0b96b3ffedf6ee5a643b99 Mon Sep 17 00:00:00 2001 From: Allison Date: Tue, 28 Apr 2026 16:06:27 -0400 Subject: [PATCH 5/6] Update README.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5a22512b..6bcce548 100644 --- a/README.md +++ b/README.md @@ -76,5 +76,5 @@ After clicking yes, it will then take some time for the abilities to complete re ### Additional Note - When importing tests from Atomic Red Team, this plugin also catches `$PathToAtomicsFolder` usages pointing to an existing file. It then imports the files as payloads and fixes path usages. Note other usages are not handled. If a path with `$PathToAtomicsFolder` points to an existing directory or an unexisting file, we will not process it any further and ingest it "as it is". Examples of such usages below: --- https://github.com/redcanaryco/atomic-red-team/blob/a956d4640f9186a7bd36d16a63f6d39433af5f1d/atomics/T1022/T1022.yaml#L99 --- https://github.com/redcanaryco/atomic-red-team/blob/ab0b391ac0d7b18f25cb17adb330309f92fa94e6/atomics/T1056/T1056.yaml#L24 \ No newline at end of file +- https://github.com/redcanaryco/atomic-red-team/blob/a956d4640f9186a7bd36d16a63f6d39433af5f1d/atomics/T1022/T1022.yaml#L99 +- https://github.com/redcanaryco/atomic-red-team/blob/ab0b391ac0d7b18f25cb17adb330309f92fa94e6/atomics/T1056/T1056.yaml#L24 \ No newline at end of file From 693e1c3e980d048f531ca93291b90afbce993a88 Mon Sep 17 00:00:00 2001 From: deacon-mp <61169193+deacon-mp@users.noreply.github.com> Date: Thu, 30 Apr 2026 12:40:48 -0400 Subject: [PATCH 6/6] Fix header formatting in README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
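Review bot: The new `###` subheadings in this hunk are an improvement, but they do not match the earlier headings in the file, which end in a colon (`## Overview:`, `## Installation:`, `## Getting Started:`); pick one convention and apply it throughout. Also, while the trailing spaces on the list items are being stripped, fix the inconsistent punctuation in the same lines: under "Reloading Data" item 1 `Click the Reload Abilities button` lacks the period the other items have, and the "Export" items leave the button names unquoted while the "Save" items quote them (`"Save Ability"`).

Review bot: Changing `--` to `-` turns the two example links into ordinary top-level bullets, i.e. siblings of the "When importing tests from Atomic Red Team…" item, whereas "Examples of such usages below:" implies they belong under it. Indent them by two spaces (`  - https://github.com/redcanaryco/atomic-red-team/blob/…`) so they render as a nested list, and add the missing newline at end of file that the hunk still shows.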
diff --git a/README.md b/README.md index 6bcce548..7e2a651b 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# MITRE Caldera plugin: Atomic +# MITRE Caldera plugin: Atomic ## Overview: @@ -77,4 +77,4 @@ After clicking yes, it will then take some time for the abilities to complete re ### Additional Note - When importing tests from Atomic Red Team, this plugin also catches `$PathToAtomicsFolder` usages pointing to an existing file. It then imports the files as payloads and fixes path usages. Note other usages are not handled. If a path with `$PathToAtomicsFolder` points to an existing directory or an unexisting file, we will not process it any further and ingest it "as it is". Examples of such usages below: - https://github.com/redcanaryco/atomic-red-team/blob/a956d4640f9186a7bd36d16a63f6d39433af5f1d/atomics/T1022/T1022.yaml#L99 -- https://github.com/redcanaryco/atomic-red-team/blob/ab0b391ac0d7b18f25cb17adb330309f92fa94e6/atomics/T1056/T1056.yaml#L24 \ No newline at end of file +- https://github.com/redcanaryco/atomic-red-team/blob/ab0b391ac0d7b18f25cb17adb330309f92fa94e6/atomics/T1056/T1056.yaml#L24
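Review bot: The first hunk removes and re-adds `# MITRE Caldera plugin: Atomic` with no visible difference, so the fix is presumably trailing whitespace or an invisible character (for example a byte-order mark or a non-breaking space) on the title line; the commit message "Fix header formatting in README.md" should say which, so that reviewers do not have to compare the two lines byte by byte. The second hunk, which only adds the missing newline at end of file, is fine.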