
let's um take a moment and say like hi thank you guys for coming out um and and choosing this talk for your post-lunch nap i appreciate it um my name is adam everybody can say hi my name is whatever your name is so we can all be best friends my name is adam yes perfect there we go thanks now i know you guys this is this will make it easier so just a heads up like the stage has got a little wobble to it so if you see me grab this it's half stage fright in half trying not to fall off so um so we are here to talk about testing security solutions with the
atomic red team um which is an open source project that we uh we started some time ago and i'll get into more of that in just a moment so who am i um my name's adam i already said that um my my favorite things are security beard metal that good stuff so who i am is less important than what we're gonna talk about though so what we're going to cover we're going to talk about why testing is important testing your security solutions testing your your security architecture why it's important some of the common roadblocks that people run into we're going to talk about you know kind of our proposal our take on how we can
make testing easier how to make it more effective and hopefully give everyone a few tools that they can they can take back and immediately start using in their organization in their day-to-day life all right so the current state of the security architecture so your organization might look a little bit different but a lot of you will you know resonate with some of these things so you have things you have security tools you have your you know your ids your ips your siem av you have controls you have hardening in place you have technical constraints that keep keep your users from doing dumb things and keep your enemies uh you know out of your network and then you have policies which are
mostly not followed but you put them in place anyway um and you expect these things to do things like prevent evil and put together your awesome incident response team knock all the apt out of your network and of course walk away from explosions without looking at them but the truth is many organizations have put a lot of money and time and sweat and blood into their their security measures but they don't actually know if they work so let's talk about how we got here so how did how did we build these these systems these architectures well we built them because it was good security right you know we saw that we had a gap we saw that we needed to go
and put together tooling we needed to put together different policies whatever it took to get the bad guys out or compliance sometimes somebody else tells you you have to do a thing or buy a thing or implement a thing you don't always have a lot of faith in that thing you hope that it works um and then expectations so i'm sure a lot of people have had you know managers come back from rsa and it's like dude i'm gonna buy this really awesome thing that you've never heard of right so you end up with something because it was gartner said it was a good idea to do it um so that's kind of how we
we put together our security architectures over time um and and it's okay to feel proud of them especially if you had parts in in building them so you know you look at it you're like yeah there's places we could do work but we've got really great prevention and detection visibility you know we can we can find all the things stop all the things see all the things we have great escalation paths right i mean we feel like we have a pretty good thing put together here um but if you looked at your organization or the organizations you work with you look at the security measures in place and you did a gut check how do you
really feel so you've got a lot of security are you confident in it you know sometimes it's really noisy sometimes it's really quiet you're not exactly sure which one of those makes you feel better you believe everything's working as it's intended to you hope everything is working as it's intended to but um as we all know hope is a feeling not a strategy so how can we know that it's working how can we know that everything is working you test it that's easy right but how do you test it how you test something is very important as well so there's some common testing approaches and i'm just gonna you know touch on a couple of them
um so specifically like when you're you're getting involved in like a poc some new technology you want to test out the vendor is very helpful right you you say okay i'm going to buy this thing and they're like okay yeah yeah you should definitely buy one of ours you know okay well i need to make sure that it works and i need to make sure it works better than what i have already or better than what your competitor does and like no problem run this thing run this thing with us run thing with them so mostly they're going to give you something that's going to play to their strengths obviously but sometimes it's just outright rigged
so we had yeah so we i had a situation in a past life where had a vendor do something very similar they came in and they said hey we have this email solution um give us your email address we're going to send something through it um they sent it through they're like did you catch it with the thing you have today like no we we didn't like well we did we caught it of course you did you said it you crafted it you sent it to me so anyways that's that's a it's a problem so you could also try in-house testing so we're going to get together we're going to build our own test plan whether
that's for something new or something established and it's a great approach but it's kind of hard to get started you know it's hard to figure out like what exactly should my test plan look like how can i be objective with it um you know which which tests should i include um and it's hard to it's hard to scope like you don't you don't always know you know when you're testing your security solutions like should i just go and download some tools like bloodhound's pretty cool should i do that you know do i need to just find all this stuff on twitter whatever casey's doing today um you know and how do you track your progress like
if you're throwing darts at the wall how do you make measurable progress with your testing and one of the most common approaches for testing security solutions pen tests there's problems with pen tests too most of the time it's a compliance checkbox so a lot of times organizations will contract a pen test team they come in once a year they run nessus they give you a pretty report and nothing of value is gained so that doesn't necessarily help the organization so you need something that's a little bit more you know substantive but those teams can be expensive so if you if you're saying i need to i want to have more frequent testing i want to have maybe a team that's going
to be a little bit more legit that's going to cost you and sometimes that's hard from a business perspective to to pitch you you know you're not going to be able to get management to buy off on like we want to have a pen test come in you know pen test team come in and do work for you know every other every other week or you know every other month um scoping problems a lot of a lot of organizations have problems where when they go to contract to pen tests they don't really know what they want them to test so they say okay uh just go get root or go get domain admin or you know just go hack things um and they
will you know those people will go do it but that's that doesn't really give you like a very structured amount of things to test or there might be a very very narrow scope where it's like we have this contract we're going to stand up this web app you need to see if you can you know get into this thing so they test the load balancer they find no open ports except for the ones that are supposed to be open and they say okay well you're good neither one of those is going to be particularly useful for for getting better most of the time and as i mentioned not all teams are created equal so i've seen
i've seen some really legit teams doing you know true adversary simulation um i've also seen teams with literally one tool they just mimikatz they get things they run more mimikatz they get more things they just keep doing that over and over again and that's a great tool but that's i mean at the end of the day all that gets you is better at finding mimikatz which useful but not no it's not that's not enough you know that's not the full scope that you want um and long route rip long round trip times um so like i said you're going to have these these testers come in once a year maybe once a quarter if you're lucky um
you know they're going to give you some findings hopefully you can act on those you can get better if they come back and they retest they're usually just retesting the exact same thing that they did before so yes you found the one thing that they did that's great but now you have to wait until they come back so none of those is a particular i mean that's not really a great option for you know a nice iterative testing process so what's the solution do we just build our own red team that's a that's actually a great idea but there's problems with that too sometimes it's hard to build internally like you have people that are very
interested in testing and doing penetration tests but they don't have the expertise they don't really know where to get started they haven't spent time in the trenches and that's nothing wrong with that you can definitely build from that and a lot of good people who've started from nothing and they've kind of turned themselves into excellent you know red teamers um but it's it's tough to get started especially since a lot of those people are wearing a lot of hats right so it's like this guy's not only like the you know the guy who wants to be the red team but he's also like the network administrator and you know the domain administrator and he does a lot of other things
um so it's it's kind of tough to get started there so if you say well i'll just go and find somebody who's an excellent red teamer and i'll hire them and then they can come in and test all my stuff that's also great but they are very expensive and hard to find so like good good experienced red teamers if you're not into remote work you're going to pay a lot of money and a lot of organizations especially smaller ones don't have that kind of budget and they don't really even know how to hire for that position um they just don't have the the resources in inside to uh to figure that out and you know if any of you guys have ever
done any red teams you know red team activity in your organizations you know sometimes it's hard to maintain objectivity um you know what your strengths are you know what your weaknesses are and as speaking as someone who's sat in that chair um hackers can be really lazy so it's it's a matter of like i know how to get the the goal like i know how to get domain admin and all i have to do is this thing here so why why would i go and try all this like fancy tradecraft that's saying that that's everybody there's lots of excellent red teamers you know that work internal to organizations that are really doing excellent adversary simulation um but
you know we all tend to fall back to at least passive the path of least resistance so where does this bring us so outside of occasionally you know occasional poorly scoped pen test rigged poc testing a lot of organizations just do not regularly test their solutions so we need something that is you know we need ongoing iterative testing so we need to be able to test something see what we can do about it test it again very very quickly we need objective measurements we need some road map that helps us figure out where we're starting where we're going and how we check those boxes along the way we need a low barrier for entry because
there's a lot of organizations that are very small they have limited resources but they want to do good things too they want to test their solutions and make sure that they're working this is the pause for dramatic effect boom atomic red team so this is our this is our project this is the the the big reveal um the atomic red team is an open source project um that is comprised of discrete unit tests which i'll cover a little bit more in a minute um and it's mapped to the mitre att&ck framework which some of you have probably heard of before and i know what you're thinking mitre att&ck so hot right now everybody's got a project whether it's
an off-the-shelf project or a open source project that is mapping to mitre and with very good reason mitre is doing excellent work they've put together a great resource of adversary tactics and techniques that is very easy to to kind of go through understand and operationalize so it makes sense that there's a lot of a lot of teams that are trying to you know get on board and and do stuff with the mitre att&ck framework um there's there's other good projects besides ours obviously you know metta from chris gates um endgame has got their red team automation apt simulator please please don't stop with looking atomic red team stuff there's plenty of other good projects that are that are also doing this good
work um so for the two of you out there that have never heard of att&ck before um the the mitre att&ck framework kind of focuses on the post exploit portion of the kill chain so it's looking at things that happen um after someone has already accessed your system um which sometimes prompts the question why why do they focus on that um and the reason is that tracking um staying in front of the zero day exploitation is like really hard um like to completely like rip off and change a phrase that my dad uses a lot there is software being pwned today that has never been before there are there are state actors out there that are using
exploits and tradecraft that we just don't have documented anywhere and that's hard to defend against but once somebody lands on a system the behaviors that they use you know for persistence for execution for defense evasion those those are more consistent those are a little bit easier to track and keep up with um you know though they do change over time and we have to stay on top of it there's just there's there's definitely value there right so um so as i mentioned it's a it's a it's a curated treasure trove of adversary ttps um it's mapping to known group behavior so you can actually so the you know fuzzy animal and you know apt whatever number
it is those those organizations are tracked um their known tradecraft is put together in a really meaningful way it's easy to consume and it's vendor agnostic it's not something where they're trying to push any prod in a product they're just trying to put together good information so everyone can grow together which is awesome so the atomic red team this is this is what it looks like basically what we've done is um we've taken the att&ck the att&ck matrices for each platform and we've tried to mimic them uh you know in our in our repository in github so we have you know windows you know windows mac linux we have some artifacts i'll kind of cover those in a little bit and they
kind of look like this so basically you have your tactics at the top you have the various techniques and for each one of those techniques what we've done is created an individual test or a series of tests so why why did we do this so obviously you know i've been up here talking to testing for a long time now um testing is very important we think it's it's crucial to understanding you know what's going on in your network understanding what capabilities you actually have and we want to lower the barrier for entry we want to make sure that teams of any size and you know any you know any security tooling could get involved in this regardless of what they had
today um the smaller targeted test so this is this is kind of taking a um taking a hand you know a page out of the dev playbook so so the concept of unit tests being this is the smallest valid version of a thing so what we do is we take a tactic from mitre we break it down into a very small one line script when we can and then we put that out there for you to use and we try to add as many permutations variations of that as we can so what that does is it allows somebody to unlock the you know one of the greatest technological abilities they have copy and paste and post that into a
shell and run it and then see what goes off right i mean and then so once it goes off or it doesn't go off then you have so you have an action you go find something and say okay i found this one thing that's great so but if you didn't there's a whole another set of things that you have to do so the idea is just let's get testing on a much more rapid rapid cycle and we want to give back we want to help people we want to make security better for everybody regardless of what size that team is regardless of which products they use we want everyone to level up because we work
in a an interesting industry where we actually have an enemy like we're not each other's enemies we want everyone to beat the collective enemy so that's kind of that's kind of the why um like how it came up with you know the origins is kind of you know it's a the classic story of observed need and passionate people so we had multiple people working inside the organization so mike i put his bookish happiness project in here because it has a ridiculous auto-generated name but it started off that was kind of you know one of the early iterations of let's just put tests out there and make them easy you know casey was working on it we were talking other people in the
industry and everyone was kind of like yeah we need to do testing better so we're like cool let's do it so how how do you use the atomic red team so we're gonna actually get into demo stuff now um so one thing i will this is my soapbox um i i feel like there is there's a lot of emphasis on um windows from a research and tooling perspective a lot of projects focused on windows systems and justifiably like they have the market share but i'm a mac and linux guy so these are going to be mac and linux tests um because we we need more people looking at those things um and in a lot
of organizations like they just they don't have visibility even like basic things they don't have um so this is t1155 which is um in the execution tag uh tactic and the technique is applescript so applescript is kind of like um you can think of it kind of like a powershell for for apple maybe not as full featured but it can do a lot of really cool stuff so it can it can talk to open programs it can open programs it can push keys so if you think about it it can do lots and lots of evil things on your systems so this is kind of the example of of what the uh what oh sorry this is kind of the
example of how mitre presents this information so they give you the context and then they give you some mitigation some detection capabilities so it's a really great way if you haven't spent time in here you really gotta you gotta get in here and start looking at some of these things um so this is this is what it looks like on the atomic red team side so we give you the the context right back to mitre you can go and you can understand what it is you can understand kind of like what the test is trying to achieve and then you have a nice little one-line script so in this case we've just kind of taken a
we've taken a copy of the um and we've neutered it but the empire loader for applescript and so you can see right here in the first couple of little uh words osascript which is the command line invocation for applescript uh do shell script which does exactly what you think it does so it calls bash and then now now you're seeing some python code that's going in there so what this looks like from a telemetry perspective is osascript calling bash calling python um which is which is awesome but that just just to give you kind of an understanding of what you could do with something like this this is just like the tip of the iceberg
so how how do we how do we implement this like what is what is a what is a life cycle of using this tool using this project what does that look like so um so we start off with a test so let's just say we take that applescript example so we're going to we're going to test that we're going to run that in our environment we can just copy and paste it did you detect it did anything go off in your environment any one of your tools um if it did great go back to the beginning maybe now it's time to test a permutation so let's look at something else let's look at let's let's obfuscate it a
little bit right let's let's um maybe we'll we'll try a different way to invoke the same technique if you didn't detect it now you have an action you have to go and look and see do i have any raw telemetry for this is there any is there any data in my stack any like in my siem in my edr products in anything that saw this thing happen even if i didn't get an alert if not maybe it's time to do some you know get some more tooling and there's a lot of great tooling out there that doesn't cost you anything you can i mean there's sysmon there's osquery you know that kind of covers pretty much all your
platforms um and and with a little bit of configuration you can really gr get great visibility without having to pay anything except for a little bit of your time um if you do have the telemetry that's great let's go ahead and build a detection capability so build something that will alert you the next time this thing happens and and you're going to want to make sure that when you're building that detection capability that you're building resilient detection capabilities rather than fragile and what i mean by that is don't build something that will find the exact test you ran you want to find something that's going to cast the widest possible net without crushing you with false positives
you want to make sure that you are looking for something so if somebody like starts putting a bunch of spaces or weird characters in between their character you know between their um you know in their syntax like if you look at anything that um bohannon's written where he likes to really mess up all of the powershell stuff or you know most recently the command stuff it's easy to obfuscate a lot of these commands so add a little bit of flavor to it see if you can still catch it and so once you've built or tuned the existing detection capability you test again you'll notice everything goes back to testing so let's look at another one so this is
1141 this is the input prompt um this is in the credential access tactic still using applescript um so using applescript you can do cool stuff like pop-up boxes that look exactly like system boxes that's that's you know so any of you guys have used like responder on the windows side this like a similar concept you have some kind of prompt that pops up says hey we need your password because because reasons and the user is like yep here it is because that's what they do and so um you know we've got some we've got some mitigations again and detection capabilities um and here is a nice little one-line script again from atomic red team um shout out to
fuzzynop because this is from his blog so if we look at this this is this is the this is the command right and that's what it looks like at the bottom when you run it so you run this in a you know you you've found your way onto a system right you've you've gotten a shell you're unprivileged you don't know much but you know a user is on it so you run this and the user gets this nice software update box and it says hey we need your password so that we can update the software and you just like yep i'm going to do that and then that comes back to you now you can say okay you know a lot of people
that run macs you know for simplicity sake maybe they have admin so let's see if we can get root and then do all the evil stuff we've ever wanted to so you run this thing let's just say this is in your environment you run this you don't have anything that goes off okay i need to build something so we have telemetry and we have a couple of things that we can do with it so we know the process is osascript and then there's a couple of keywords in the command line so there's two things immediately that we can kind of latch on to so we have our process and we have some command line syntax
entries so you can say okay maybe i want to like maybe a detection would look like you know process name is osascript and you know the command line's got system preferences and password and that that's great and that will catch this thing every single time but you can also do the same thing with sh so you can pass all these still the same parameters into it um and to say hey this is a this is going to be an apple script type command and you can get the same type of box so the take home of that particular thing is remember your abts always be tested you want to make sure that you're iterating through this stuff you want to
you want to test and you want to find another way to do it you want to test that and you want to keep going through this until you have caught as many iterations of this as you can possibly stand but you don't want to spend all your time on it right i mean there's plenty of boxes to check on the mitre att&ck framework so you know do what makes sense don't don't you know don't beat your head against the wall you know when you could be building something else it's very simple so but keep testing all right so now you've got some tests right you've got some tests under your belt you're like okay i need something that's
going to be a little bit more robust i want something that's going to look more like what an attacker would look like when they're in my network so what we've done is we've created these chain reactions and these are just reference scripts just putting lego blocks together so we've taken a couple of tactics a couple of techniques we put them together in a way that simulates things that attackers would want to do so you can do the same thing you can go to mitre you can go through their their you know find your platform of choice go through your tactics and say boom boom boom boom boom i want all of these things um and and just try to achieve the goals
that you would want to achieve as an attacker so now we have this chain reaction we're going to go over called ranger this is a mac and linux platform aware um script that we have out there and it covers some of these these boxes so you've got your defensive agent you're you're collecting a lot of interesting information and preparing for exfiltration um you know you could you could easily throw some more in here you could just go and take this and say okay well maybe i also want to grab this information this information this information and then and then maybe you want to just go ahead and add like i've got another box over here i'm going to stand up you
know netcat and i'm going to actually exfiltrate this data that's great i mean that's exactly what this thing is for right this is just a framework that you can use and build upon so looking at ranger this is you know just as if you want to find it you can go out there and of course we recommend you should absolutely understand what you're running in your environment don't run anything just because we told you to um make sure you know what it is what it does and run it somewhere that's safe that's that's the disclaimer so this is this is just a little bit of the code um and please don't please don't harass my code it's not
very good i like pull requests please please fix it if you can um but but basically what it does is you can see there's nothing aside from the probably the the over complicated like determining if it's a mac or a linux machine most of it's very simple stuff like you're using things like who am i and um you know system preferences system preferences by the way if you have mac systems if you're attacking mac systems um system preference is like one of the greatest things ever like it has so much data in it's got user data it's got firewall data it's got hardware data software data it is it's awesome like if you run this
script you will notice that um that that takes far longer than anything else in the in the test but it the information is it's amazing it's fantastic so um so anyway so basically what we're doing is we're gathering all the information we are staging that and some text files and then we're taking those text files and we are shoving them into some encrypted and spliced um little tar files and the reason do that is there's a lot of adversaries that will take those files and then they will try to send them out something like dns you know some kind of you know known good allowable activity that goes outside of uh goes outside of your network
um so that's that's what that's what we're staging here and like i said you can easily add your own system on there open it up and say okay send me all the files and now you can say now now you're not only testing endpoint stuff you're testing your network like did anything on your network see that you just pushed a bunch of files out so it this is this is not the end this is just this is just an example and here's the telemetry so you can see there's all this stuff on the right there's a lot of a lot of normal looking activity the one of the hardest things to build detection capabilities for is recon
because it looks exactly like admin traffic most of the time so um so you have to get a little bit more creative you can't just say every time somebody runs who am i i want to set off an alert because that's going to kill you but what you can say is anytime somebody said you know runs who am i and they're not one of my system administrators my network administrators i absolutely want to know that because like csrs they do not need to know what who am i is um but it's just it's in your own environment it's understanding what you can get away with and what you can't remember you got to build resilient detections not fragile ones
so what's the next level up so let's talk about apt simulation because apt is the the big fun buzzword although you know most most organizations are not going to be facing apt that's good and for those of you that face apt every day like god bless you like let me know how i can help that's that's like that's scary stuff um but you know you want to make sure that you are doing your due diligence and you want to make sure like if you're in an industry where there are actors that have nation state capabilities and they're coming after your cohorts you have to you have to at least use the tools that are at your disposal to defend
yourselves so evaluate your threat model know who you are like don't go and pick some apt guy that's your apt organization that's you know only target south korea if you don't have an asian presence like that's you should absolutely look at the tradecraft eventually but that's not where you put your priority right um so you find your friendly neighborhood apt someone who is applicable to your organization to your vertical um and then you can mimic the actor so mitre has this great treasure trove of information and they're like you know this apt actor these are the things they do so for an example so this is apt 32 also known as ocean lotus there's a lot of
different names for a lot of different groups and that's a whole other talk on its own but um you can you can track and see like this this actor this is these are the things they do once they get in this is these are the the tools they use um you know maybe some of them are heavy on psexec some of them are um you know heavy on you know squiblydoo which is a fun name um powershell all that other good stuff but you can go and this is all available to you right now you can say okay this group attacks my people what do they do when they get in so we took apt 32 and we made an
approximation that looked kind of like what they do now it's it's hard to like directly mimic nation state but you can get really close right so we have um in this in this case there's just a couple of a couple of tactics and techniques that kind of stand out they use scheduled tasks for you know for persistence they're using squiblydoo because i want to say that again you know to to bypass application whitelisting execute their code and do it in a very stealthy way you know in this in this case you know we're not trying to like wreck you so you'll see things like we'll set a scheduled task and we'll take it away the real thing is
do you see it right are you are you catching this stuff um so and then there's some files and stuff to get dropped and some time stomping that occurs and it's really fun it's a fun one you should download this and you should run it somewhere and see like what your soc does it'll be fun so a note on simulating apt um so nikkar this is like you know it's a great it's a great little quote here um you know someone that actually tracks apts it says i don't know if it's possible to authentically you know authentically simulate the best apt groups you can get the same victim and victims and data but they have nation-state funding to
innovate you can get as close as yesterday which is which is great i mean that's true it's totally true they they have way more money they have super smart minds but i wouldn't let i wouldn't let tweets like this one or this obviously fake one that i made up discourage you um because if you can get as close to yesterday the nation state like you were an apex defender like that is that is you're you're really rocking out like if you can if you can position yourself to protect your your organization from nation state actors using recent data then you're doing a great job and you should continue doing that great job right you should continue to
you know continue to innovate like just just realize just like when i said never never stop testing never stop innovating never stop you know keeping up with this data always check in see what's the new tradecraft that's available um so what's next for atomic red team so you might have noticed on that one slide that uh there's some boxes unchecked there's there's definitely um there's definitely tactics and techniques some of them don't really lend themselves well to one line you know one-line tests and that's okay um we we try to use the the tools that are available in the systems um more than you know bringing in outside tooling if we can help it but
sometimes we're going to have to bring that stuff in so we're evaluating some of those cases we're also looking at one of the big things that we've gotten from the community is interest in being able to machine consume the tests for atomic red team so basically somebody else wants to host a framework and they want to use us like a repository of modules which is which is great it's a great use case we we would love to be that repository so we are yaml-izing all of our our all of our tests um so that's one of the big things that's coming up and we expect to add some of our own automation um but you know definitely we will always
have this nice easy low barrier for entry um that we have today um also the uh the great the great lee holmes has reached out and he's he's done some powershell automation stuff for us as well kind of so almost like an invoke atomic so that's that's pretty exciting um but you know really this is a great transition we need more people right we built this thing for the community and we've had some really great community feedback um but we we need you right we we need you to contribute we want more people to to build tests and stuff um and i'll tell you i'll tell you a little story i i was interviewing for a
job and uh talking to this really smart guy who i respected and uh he said he said what so what open source stuff are you playing with i was like oh yeah you know i'm playing with this tool and i'm playing this tool and like i kind of nerded out for a minute he's like yeah that's great he said um which ones are you contributing to i was like oh uh well you know i've been meaning to and like i haven't gotten around to it and like you know i just i don't really know github that well and he said bummer you know how terrible the word bummer is when you're in an interview like
that's like the worst thing that you can that you can hear like that's you know and it was it was one of those things i was like man it's like a wake-up call because i'd wanted to and i always made you know made a point to do it but i had never actually put any time in on it um it was kind of like i said that was my wake-up call so um i will say that if you've ever thought about contributing to open source if you're not doing it already this is a super easy way to get involved it takes maybe 10-15 minutes to research a a box in the mitre attack framework um go and find some some poc
code you know neuter it a little bit so it's not you know ransomwaring somebody's environment um and then and then you know doing uh doing a pull request and and we can certainly help you like if you say like i really want to contribute and i have this data and i don't know how to get it in there like just please like reach out to us because we would really love to help you with that um and on that note um if you want to reach out to us on you know if you want to reach out to us you want to talk to us about anything at all the project how you can help if you think it's
terrible and you have another idea that's great too you can hit me or me casey mike up on twitter and then we have we have a great repository of resources at atomicredteam.com so as we built this project we built a lot of blogs a lot of like webinars all kinds of stuff i actually have another webinar coming up friday where we'll be talking about mac and linux stuff that's right that's right all right um so so that's it i mean that's that's basically um that's what we got any any questions i think we have a couple minutes anybody have any questions
yeah so so the question was you know are there any native dependencies um yeah it's just most of most of these tests all they require is a shell script we try to stay away from having you know a lot of external tools for that reason um you're going to run into stuff like there's a lot of actors like psexec because psexec is awesome um but of course that's going to require that you download it and in those cases we try to make sure that we we highlight those dependencies so that you don't run into a problem where you're like this test doesn't work and these guys are terrible what else well i have a ton of stickers so like my
friend kelly sent these stickers like overnight so you guys have to take them so so please see me please see me after um i'll be i'll be around today so like come ask any questions you have i'd love to talk to you guys thank you guys for coming it's awesome [Applause]