Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

The latest from Atomic Red Team
WATCH: The Return of Atomics on a Friday

Atomics on a Friday March Madness kicks off with four weeks of streaming content on all things Atomic family! Featuring purple team planning strategies, TTP prioritization, and post-test detections and analytics, this set of streams is bound to be a great time for the testing aficionado. Watch the first stream recording here.

SIGN UP: Sp4rkCon and Atomic Runner

Maintainer Carrie Roberts will discuss lessons learned in the journey to continuous validation and introduce the Atomic Runner tool, which will be released to the security community at the conference. Learn more about implementing continuous end-to-end prevention and detection validation on April 15.

READ: Sysmon : L’ami des analystes

This article by researcher Securitricks is an excellent deep dive on sysmon as a tool, its purposes for administrators and adversaries alike, and testing using Invoke-Atomic. Initial Access, Data Exfiltration, and Scheduled Task tests using sysmon are all detailed here.

REGISTER: ATT&CKing Unicorns at CypherCon

It’s conference season! March 30-31 is CypherCon. Matthew Lange and Gary Lobermier are bringing testing and validation to the party with atomics and automation at scale, introducing their custom YAML schema for procedure tracking.

New technique: AWS Cloud Discovery

Contributor 0xv1n had their commit merged this month, a test that adds coverage for AWS Cloud Discovery commands run from EC2. Stratus is utilized to spin up and tear down needed testing infrastructure, similar to prior cloud coverage in the atomic repo. This marks the first test for the T1580 technique!

New tests: System Location Discovery: System Language Discovery

Contributor johnbrydon added several tests for T1614.001. Similar to the Windows tests already in this sub-technique, these tests can discover the system language by querying system files and through executing commands that return various environment variables.

New test: System Time with Windows Time Command

This test from contributor tropChaud displays the system time using the Windows time command. Emulating activity recently seen in the wild from Ursnif, this test is the most recent addition to T1124.

New tests: Command and Scripting Interpreter Unix Shell

Contributor biot-2131 added four new tests to T1059.004. These commands search for the running shells on the system, available shells on the system, and test for successive command attempts within a terminal session. The final test attempts to run shell commands but with Base64 encoding.


Top contributors

  • MSAdministrator
  • biot-2131
  • MHaggis
  • cnotin
  • cuberbuff
  • rc-dbogle

New contributors

  • BThunt
  • JChamblee99
  • rc-dbogle
  • nathanmcnulty
  • johnbrydon
  • yogisec
  • MSAdministrator
The Detection Series: PowerShell

Join us on March 27 for a detection-packed deep dive into everyone's favorite Windows management framework, PowerShell! We’ll talk about testing, detections, and all the common ways that adversaries abuse PowerShell.

  Twitter   LinkedIn   GitHub   YouTube   Slack