Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

The latest from Atomic Red Team
READ: Datadog’s Workload Security Evaluator with atomic tests

The folks at Datadog just made detection validation a whole lot easier! Their Workload Security Evaluator conveniently runs in a Docker container that includes ready-to-execute atomic tests and is monitored by the Datadog Agent, making for an easy and portable emulation environment.

WATCH: Testing your EDR with John Strand

Need to do some testing in a hurry? John Strand and the fine folks at Black Hills Information Security have a quick and dirty tutorial on running atomic tests against the open source EDR BLUESPAWN. If you’ve got five minutes, you’ve got time for this great how-to guide.

READ: So you want to write your first test

The Haag is here and ready to talk tests! In this thread, Atomics on a Friday host and maintainer Michael Haag shows contributors-to-be how to identify threats that could use emulation, then writes the test step-by-step. If you’ve got cold feet about contributing, this thread will show you where to start.

READ: Emulating ATT&CK techniques with Wazuh

The open source XDR/SIEM Wazuh has a lot of tricks up its sleeves. What better way to test them than with atomics? This guide from John Olatunde breaks down the process of event capture, detection rule creation, log analysis, and alerting in Wazuh using Atomic Red Team emulation.

READ: Safely validate executable file attributes with Atomic Test Harnesses

Adversaries like to make their malicious executables appear legitimate, resulting in an opportunity to evade naive detection logic. New-ATHPortableExecutableRunner allows a user to build an EXE or DLL without needing to write any code and with full, granular control over version-info properties and signature information. It can also be used to clone these attributes from an existing PE file.

WATCH: Atomic Spotlight on persistent code execution with Office Add-ins

Maintainer Carrie Roberts demonstrates tests in the Office Application Startup technique (T1137) and explains how they work in another edition of Atomic Spotlight! Custom-built add-ins for Microsoft Office give attackers persistent code execution without administrative access, because the add-in registration and startup folders Office loads from live in the user's own hive and profile.
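Because these persistence points are per-user, a hunt for them does not need elevation either. The following is an added example, not code from Atomic Red Team or from the Spotlight episode: it lists the current user's COM add-in registrations (LoadBehavior 3 means "load at startup") and the contents of the Word and Excel startup folders. The set of Office applications checked is an assumption; trim or extend it for your estate.

```powershell
# Added example (not Atomic Red Team code): enumerate per-user Office add-in
# persistence points that need no admin rights. Registry paths and value names
# are the documented Office locations; the application list is an assumption.

$apps = 'Word', 'Excel', 'PowerPoint', 'Outlook'

function Get-UserOfficeAddins {
    $results = @()

    # 1. COM add-ins registered in HKCU. Each subkey is the add-in ProgID;
    #    LoadBehavior 3 = connected and loaded every time the application starts.
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Microsoft\Office\$app\Addins"
        if (Test-Path $key) {
            foreach ($sub in Get-ChildItem $key) {
                $p = Get-ItemProperty $sub.PSPath
                $results += [pscustomobject]@{
                    App          = $app
                    Kind         = 'COM add-in'
                    Location     = $sub.PSChildName
                    LoadsAtStart = ($p.LoadBehavior -eq 3)
                    Detail       = $p.FriendlyName
                }
            }
        }
    }

    # 2. Startup folders that Word and Excel scan on launch. Templates (.dotm/.xlam)
    #    run macros; .wll/.xll files are native DLLs loaded into the Office process.
    $folders = @{
        Word  = Join-Path $env:APPDATA 'Microsoft\Word\STARTUP'
        Excel = Join-Path $env:APPDATA 'Microsoft\Excel\XLSTART'
    }
    foreach ($app in $folders.Keys) {
        if (Test-Path $folders[$app]) {
            foreach ($f in Get-ChildItem -File $folders[$app]) {
                $results += [pscustomobject]@{
                    App          = $app
                    Kind         = 'Startup folder'
                    Location     = $f.FullName
                    LoadsAtStart = $true
                    Detail       = ('{0} bytes, written {1:u}' -f $f.Length, $f.LastWriteTime)
                }
            }
        }
    }
    $results
}

Get-UserOfficeAddins | Sort-Object App, Kind | Format-Table -AutoSize
```

Run it before and after executing the T1137 atomics and diff the output; anything with LoadsAtStart set that you did not register yourself deserves a look. The same keys exist under HKLM for machine-wide add-ins, but writing there is exactly the administrative access the technique does not require.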

T1518.001 Security Software Discovery

Contributor swachchhanda000 added a set of tests and improvements to both the Security Software Discovery (T1518.001) and LSASS Memory (T1003.001) techniques. Among them are tests that emulate antivirus discovery via cmdlets, tests for Windows Defender and Firewall enumeration, and tests that emulate an LSASS dump using the rdrleakdiag LOLbin.

T1059.003 Windows Command Shell Execution

This test from contributor traceflow emulates the DarkGate loader malware’s second stage by writing a VBScript to disk directly from the command prompt and then executing it with the Windows script host. VBScript malware is exceedingly common thanks to the decades-old language’s popularity in Windows system management.
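The behaviour worth detecting is the pairing: cmd.exe writes a script file, and wscript.exe or cscript.exe runs that same file shortly afterwards. Below is an added example, not code from the atomic test or from any DarkGate analysis, that correlates the two events. The events are constructed inline to mimic Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate) with Sysmon's field names; the timestamps, paths and the 300-second window are assumptions.

```powershell
# Added example (not Atomic Red Team code): correlate a script dropped by cmd.exe
# with a later script-host launch of the same file. Events below are constructed
# to look like Sysmon EID 11 / EID 1 records; values are made up for the demo.

$events = @(
    @{ EventId = 1;  UtcTime = [datetime]'2023-10-02T14:00:00Z'
       Image = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe /c echo Set o = CreateObject("WScript.Shell") > C:\Users\Public\stage.vbs'
       ParentImage = 'C:\Users\alice\AppData\Local\Temp\loader.exe' }
    @{ EventId = 11; UtcTime = [datetime]'2023-10-02T14:00:01Z'
       Image = 'C:\Windows\System32\cmd.exe'
       TargetFilename = 'C:\Users\Public\stage.vbs' }
    @{ EventId = 1;  UtcTime = [datetime]'2023-10-02T14:00:03Z'
       Image = 'C:\Windows\System32\wscript.exe'
       CommandLine = 'wscript.exe //B C:\Users\Public\stage.vbs'
       ParentImage = 'C:\Windows\System32\cmd.exe' }
    # Benign noise: a Group Policy logon script, with no preceding cmd.exe file write
    @{ EventId = 1;  UtcTime = [datetime]'2023-10-02T14:05:00Z'
       Image = 'C:\Windows\System32\cscript.exe'
       CommandLine = 'cscript.exe \\dc01\netlogon\map-drives.vbs'
       ParentImage = 'C:\Windows\System32\gpscript.exe' }
)

function Find-CmdScriptDropAndRun {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Events,
        [int] $WindowSeconds = 300
    )
    $scriptExt = '\.(vbs|vbe|js|jse|wsf)$'
    $hosts     = '\\(wscript|cscript)\.exe$'

    # Step 1: script files whose creating process was cmd.exe (EID 11)
    $drops = $Events | Where-Object {
        $_.EventId -eq 11 -and
        $_.Image -match '\\cmd\.exe$' -and
        $_.TargetFilename -match $scriptExt
    }

    foreach ($drop in $drops) {
        $path = $drop.TargetFilename
        # Step 2: a script host started inside the window whose command line names that file (EID 1)
        $runs = $Events | Where-Object {
            $_.EventId -eq 1 -and
            $_.Image -match $hosts -and
            $_.UtcTime -ge $drop.UtcTime -and
            ($_.UtcTime - $drop.UtcTime).TotalSeconds -le $WindowSeconds -and
            $_.CommandLine -like "*$path*"
        }
        foreach ($run in $runs) {
            [pscustomobject]@{
                Technique  = 'T1059.003'
                Script     = $path
                DroppedAt  = $drop.UtcTime
                RunAt      = $run.UtcTime
                ScriptHost = $run.Image
                HostParent = $run.ParentImage
            }
        }
    }
}

# On the sample above this reports one hit (stage.vbs) and ignores the logon script
Find-CmdScriptDropAndRun -Events $events | Format-List
```

Against live data, feed the function the output of Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log, mapped into the same field names. The logon-script record in the sample shows why the correlation matters: script hosts on their own are far too noisy to alert on.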

T1548.002 Bypass User Account Control

User Account Control (UAC) limits privilege elevation by prompting before a process runs with elevated rights, even for accounts in the Administrators group. In this new test from contributor msdlearn, the secure desktop used for those prompts is disabled by modifying a registry value, so elevation prompts render on the ordinary interactive desktop alongside other user-mode code instead of in an isolated session. This test is very similar to the UAC bypass registry changes made by ransomware like BitPaymer.
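After running a test like this one, the useful check is whether the host still holds the hardened settings. The following is an added example, not the atomic test or its cleanup: it reads the three UAC policy values that matter for this technique and reports the weak states next to the expected ones. The value names and key path are the documented Windows locations; the sample "after the test" state and the baseline values are assumptions you can adjust to your policy.

```powershell
# Added example (not Atomic Red Team code): audit the UAC policy values that
# registry-based UAC weakening tests modify. Key and value names are the
# documented Windows locations; the sample state below is constructed.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Hardened values assumed for this audit:
#   EnableLUA                  1  UAC enabled at all (change needs a reboot to apply)
#   ConsentPromptBehaviorAdmin 2  always prompt for consent (5 is the default; 0 = elevate silently)
#   PromptOnSecureDesktop      1  prompt on the isolated secure desktop (the value this test sets to 0)

function Get-UacSettings {
    # Reads the live values. The key is readable without elevation; writing it is not.
    $p = Get-ItemProperty -Path $uacKey -ErrorAction Stop
    @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Test-UacSettings {
    param([Parameter(Mandatory)] [hashtable] $Settings)
    $findings = @()
    # A missing value is reported too: it means the policy is whatever the OS default
    # happens to be rather than something you set, so go and check it.
    if ($Settings.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is disabled entirely after the next reboot.'
    }
    if ($Settings.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: administrators elevate with no prompt at all.'
    }
    if ($Settings.PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop is not 1: elevation prompts render on the normal desktop, where other user-mode code can observe or drive them.'
    }
    return $findings
}

# Constructed state resembling what a "disable secure desktop" test leaves behind
$afterTest = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 }
Test-UacSettings -Settings $afterTest     # reports the PromptOnSecureDesktop finding only

# On a real host: Test-UacSettings -Settings (Get-UacSettings)
# Restoring the value needs an elevated prompt (the test's own cleanup does the same):
# Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
```

Pair the audit with a registry-modification detection (Sysmon Event ID 13 on this key, or object-access auditing) so you see the change happen, not just its after-effect; the ransomware comparison in the blurb is exactly the case where the change lands without anyone running an atomic test.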

T1055.002 Portable Executable Injection

In this test, contributor thomasxmeng emulates a technique seen in many backdoors. When run, the test injects a portable executable into the memory of a remote Notepad process using Portable Executable Injection, applying base-address relocations so the image runs correctly at the address it was mapped to in the target.


Top contributors

  • clr2of8
  • jonod8698
  • socketz
  • swachchhanda000
  • msdlearn

New contributors

  • art-labs
  • maskit-ariely
  • nasbench
  • ryanplasma
  • five-three
  • swachchhanda000
  • sidahmed-malaoui
  • antman1p
  • Tuutaans
  • socketz

Backdoors & Breaches: Expansion deck chronicles

Join us on November 14 at 2 PM ET for another laid-back playthrough of Backdoors & Breaches with a flock of Red Canary threat enthusiasts and maintainer Josh Rickard! This informal game with some of our best and brightest will be unpredictable and on-the-fly—after all, there’s no better way to emulate an incident.

  Twitter   LinkedIn   GitHub   YouTube   Slack