ARTiC2 Atomic YAML is a collection of Atomic YAML instructions and technique dependencies forked from @redcanaryco. ARTiC2 uses them to dynamically extract, build, organize, and execute ARTiC2 instructions as fire-and-forget techniques. All techniques are executed from memory and mapped to the MITRE ATT&CK Framework.
For each Atomic YAML:
- ARTiC2 reads the YAML stored in each atomics folder
- Decides which C2 delivery controllers are required
- Builds corresponding C2 instructions and PowerShell scripts
- Organizes technique dependencies such as C# code, DLLs, binaries, etc.
- Pushes atomic technique test cases and corresponding dependencies to ARTiC2's TTP directory
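The steps above, as an added illustration that is not ARTiC2's own code: a small Python routine that takes one Atomic-format test document, picks the delivery controller from the test's executor name, renders `#{argument}` placeholders from the declared `input_arguments` defaults, and gathers the `prereq_command`/`get_prereq_command` dependencies into a per-test TTP manifest. The sample atomic is constructed (a benign T1082 `systeminfo` test), and the executor-to-controller mapping is an assumption, since the page does not name ARTiC2's controllers.

```python
"""Organise an Atomic Red Team style test into a TTP manifest (added example)."""
import json
import re

# Constructed sample in the Atomic Red Team YAML schema. It is written as JSON
# (which is valid YAML) so it loads with the standard library; real atomics
# files are YAML and would be loaded with a YAML parser instead.
SAMPLE_ATOMIC = json.loads(r'''{
  "attack_technique": "T1082",
  "display_name": "System Information Discovery",
  "atomic_tests": [{
    "name": "List OS information (constructed sample)",
    "supported_platforms": ["windows"],
    "input_arguments": {
      "output_file": {"description": "Where to write the output",
                      "type": "path",
                      "default": "C:\\Windows\\Temp\\sysinfo.txt"}},
    "dependency_executor_name": "powershell",
    "dependencies": [{
      "description": "Output folder must exist",
      "prereq_command": "Test-Path C:\\Windows\\Temp",
      "get_prereq_command": "New-Item -ItemType Directory -Path C:\\Windows\\Temp -Force"}],
    "executor": {"name": "powershell", "elevation_required": false,
                 "command": "systeminfo | Out-File #{output_file}"}}]}''')

# Assumed mapping from atomic executor names to a delivery controller.
CONTROLLER_FOR_EXECUTOR = {"powershell": "powershell", "command_prompt": "cmd",
                           "sh": "sh", "bash": "sh"}
PLACEHOLDER = re.compile(r"#\{(\w+)\}")


def render(command: str, args: dict) -> str:
    """Replace each #{name} with that input argument's declared default."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in args:  # undeclared placeholder: refuse rather than emit it
            raise KeyError(f"undefined input argument #{{{name}}}")
        return str(args[name]["default"])
    return PLACEHOLDER.sub(substitute, command)


def build_ttp(atomic: dict) -> list:
    """Turn one atomic document into one manifest entry per test case."""
    entries = []
    for test in atomic["atomic_tests"]:
        args = test.get("input_arguments", {})
        executor = test["executor"]
        dep_exec = test.get("dependency_executor_name", executor["name"])
        entries.append({
            "technique": atomic["attack_technique"],
            "name": test["name"],
            "controller": CONTROLLER_FOR_EXECUTOR[executor["name"]],
            "elevation_required": executor.get("elevation_required", False),
            "command": render(executor["command"], args),
            "dependencies": [{"controller": CONTROLLER_FOR_EXECUTOR[dep_exec],
                              "check": render(d["prereq_command"], args),
                              "resolve": render(d["get_prereq_command"], args)}
                             for d in test.get("dependencies", [])]})
    return entries
```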
NOTE: In some cases, techniques and/or dependencies are modified so that ARTiC2 collects evidence of execution. The intent is to make it easier for security teams to evaluate whether a technique was blocked, without having to triage IOCs on the breach point in question.
Check out the ARTiC2 Repo here
Blackbot Labs operates under the umbrella of full transparency while ensuring end-user privacy remains a top priority. For more details on how we operate with our community, visit our community Code of Conduct page.
- byt3bl33d3r from Black Hills Security
- The folks at Red Canary, and everyone whose code was used to develop the red team atomic test cases