Atomic Red Team year in review

Welcome to the Atomic year in review! This year has been a big one for the Atomic family of projects, introducing new features, new tests, and the release of incredible educational content. These contributions have helped bring the project to the eyes of more people who can benefit from tests, and therefore improved the overall state of the security community.

This year, there was a clear trend in big-picture focus; from new platform support to a sharp increase in atomic tests, the year to come promises amazing things!

For the 2022 year in review, we’ll be looking at some of the statistics behind the project and the most notable content from the last year.

By the numbers

• 91 new Atomic Red Team contributors (a 41% increase!)
• Over 191,000 unique GitHub views (a 19% increase from the previous year!)
• 436 atomic tests created (a 42.7% increase!)
• Over 750 of you joined us in Slack! (21% more atomic enthusiasts!)
• 17k people visited the atomicredteam.io website (a 2658% increase!)

This year, we witnessed a sharp rise in the number of atomic tests contributed by the community, with a whopping 42% increase from 2021. 753 of you joined us in Slack (up 21% from the prior year), and the Atomic Red Team GitHub saw over 191,000 unique views (a 19% increase).

Near the end of September, we launched a new website with smarter search filters, ATT&CK coverage heat maps, and many more insights about Atomic Red Team. Compared to 648 views at the end of 2021, 17k visits is a 2658% increase!

Notable project milestones

Atomic Operator

While technically introduced in the final days of 2021, Atomic Operator is an important enough addition that it deserves a mention here. Thanks to the folks at Swimlane and Red Canary’s Josh Rickard, users can now run tests locally or remotely, create configurations for easier testing, run in a Python package or as a command-line tool, and execute atomics on any operating system.

Atomic Test Harnesses on macOS and Linux

One of the biggest changes to the project this year came in the form of a massive quality-of-life increase: this release of POSIX Atomic Test Harnesses made waves and helped increase usability of atomic tests for users on Linux and macOS. We’ve gotten great feedback on this improvement, especially on the choice to leverage Python. The announcement article for this feature contains helpful information on installation, purpose, and a few use cases to get you started.

Addition of -nopayloads option to Invoke-AtomicRedTeam

Per maintainer Carrie Roberts: “This feature allows the atomics folder to be downloaded/installed without downloading any of the payloads in the /src or /bin directory since these files are likely to generate many alerts. Instead, you can use the getPrereqs feature to download any payloads you need for only those tests that you are going to run.” This was a big gamechanger for those running Invoke-AtomicRedTeam on limited resources, focusing on reduced log output, or those being selective on their tests.

2022 Threat Detection Report tests

This is an easy reference guide to the activity seen in this year’s threat report, codified for atomic users. Run tests that emulate the year’s most commonly seen threats and see how your detections stack up.

Media, training, and tutorials

Risky Business Episode 670

Red Canary’s Adam Mashinchi and Brian Donohue talk about Atomic Red Team in this episode of Risky Business. Host Patrick Gray asks about why Red Canary spends so much time in maintaining and working with Atomic Red Team, on usefulness for those that might not be trained security professionals, and some growing pains in producing so many POCs. (Starting at 44:14)

Atomic Spotlight video series 

Maintainer Carrie Roberts and Antisyphon Training launched the Atomic Spotlight series to help people of all experience levels learn more about features of atomic projects. With 13 entries so far, the Atomic Spotlight series is an incredible ongoing resource for contributors and users alike.

Breadth and Depth Analysis with Atomic

Presenting at ATT&CKcon 3.0, Red Canary’s Adam Mashinchi and Brian Donohue review the Atomic Red Team project’s efforts to define and increase the test coverage of MITRE ATT&CK techniques, including challenges in defining coverage and how a project of Atomic Red Team’s scale is managed and maintained.

Open Source in Cybersecurity: A deep dive by Ross Haleliuk

Cybersecurity writer Ross Haleliuk covers all things open source in the cybersecurity industry in his Venture in Security newsletter. History, notable projects, and common motivations towards open source are all on the table, and Atomic Red Team is no exception.

WWHF: So, You Want to Build a Community in Infosec

Red Canary’s Adam Mashinchi moderates a panel of experienced infosec community managers (Erica Peterson, Supriya Mazumdar, and Marrelle Bailey) as they talk about the importance of open source in creating a collaborative infosec community. With insights on project maintenance, support, and initial startup, this talk shines light on the time required to create an effective project.

Emulating Raspberry Robin with Atomic Red Team

Raspberry Robin was a hot topic this year, as sophisticated worms tend to be. This breakdown by Paul Michaud and Lauren Podber details how Raspberry Robin works and how you can emulate it using atomic tests.

Let’s make 2023 even better!

With such incredible contributions, it’s no surprise that the Atomic family is soaring far above where we ever imagined it would go. Want to help this project fly higher? Here’s how you can help:

• Join us on the Atomic Red Team Slack channel
• Sign up for the Atomic Newsletter
• Contribute to Atomic Red Team directly