Welcome to the September edition of the Atomic Newsletter, a monthly email in which we will summarize the updates and news about Atomic Red Team™ and its related projects such as Atomic Friday, MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more!

Test Showcase

Highlighting new & novel atomics

This month the Atomic Red Team maintainers wanted to showcase a couple of noteworthy new atomic tests that caught their eye!

T1552.004:
ADFS certificates theft

Retrieving ADFS signing tokens and encryption keys is the first step in being able to spoof an ADFS-provided signed security token to elevate privileges or move laterally.

This works especially well in environments that are leveraging ADFS federation for single-sign-on (SSO) authentication like SAML 2.0 apps and Office 365.

This was the most novel and impactful element of the GoldenSAML attack against Microsoft Office 365 by the Nobelium actor group.

SEE THE PR

T1572:
Protocol tunneling
(DNS over HTTPS)

This test added three DNS over HTTPS atomics, where we had none; all from a first-time contributor!

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems.

Command and control (C2) queries can be encapsulated within encrypted HTTPS packets known as DNS over HTTPS. The Godlua malware uses DNS over HTTPS to block researchers from analyzing its traffic.

SEE THE PR

How do you (yes, you!) use Atomic Red Team?

Reply on Twitter

Videos for your queue

Atomic Friday alum presents at Black Hat 2021

Mauricio Velazco, longtime friend of the Atomic family, gave a Black Hat presentation on how his PurpleSharp open source tool can help you simulate attacks that leverage Active Directory.

Watch the Atomic Friday on PurpleSharp

Invoke-AtomicRedTeam now in PowerShell Gallery

Thanks to the amazing Atomic Red Team maintainers, the Invoke-AtomicRedTeam module is now available in the PowerShell Gallery. Now, it is even easier to download and install it:

Install-Module -Name invoke-atomicredteam -Scope CurrentUser

SEE IT LIVE

Atomic Red Team community updates

Atomic Red Team cannot continue to be the amazing library it is without the time, effort, and contributions from the community and the project maintainers. We wanted to showcase some of the individuals who have taken the time to contribute changes and additions to Atomic Red Team!

New & top contributors in August

Top contributors:

bnt1006
chdd-ltd
esanyaCode
JChamblee99
morgansec
security-geek
ZeArioch

Huge thanks to everyone who contributed to Atomic Red Team, and a special shout out to all of the first-time contributors:

ZeArioch
esanyaCode
security-geek
sc0o
chdd-ltd
Bradichus
JChamblee99
bryan-wendt

We are here to help!

Atomic Red Team maintainers

Meet our amazing team of maintainers, who create new tests, manage pull requests, mentor new contributors, and do so much more.

Bhavin Patel

Slack: Bhavin Patel

GitHub: patel-bhavin

Carl Petty

Slack: Carl Petty

GitHub: rc-grey

Carrie Roberts

Slack: OrOneEqualsOne

GitHub: clr2of8

Jose Hernandez

Slack: Jose Hernandez

GitHub: d1vious

Matt Graeber

Slack: mattifestation

GitHub: mattifestation

Mike Haag

Slack: Mike Haag

GitHub: MHaggis

On-demand

Check out the 1-hour webcast "Atomic Red Team: Hands-on Getting Started Guide" with Carrie and Darin Roberts.

VIEW WEBCAST

Hands-on learning

Join us!

Atomic Red Team depends on community contributions to increase technique coverage across platforms.

GET STARTED

Be a part of the Atomic community

Atomic Red Team is developed by a community of thousands of computer security advocates, practitioners, and enthusiasts. Come say hi on the Atomic Red Team Slack!

Join Us On Slack