Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

The latest from Atomic Red Team
READ: New Invoke-AtomicRedTeam updates in version 2.0.6

It’s here! The newest version of Invoke-AtomicRedTeam contains an assortment of additions, including a Docker container and a Windows Sandbox file for quick test environments, an option to pause between tests, and a new AnyOS option that shows details of any atomics, regardless of platform. See the announcement and related links in the Atomic Red Team Slack!

WATCH: Simplify security testing with Docker, Windows Sandbox, and Atomic Red Team

Atomic Red Team maintainers Carrie Roberts and Hare Sudhan unveiled and demonstrated a wealth of new features recently added to Invoke-Atomic, from dependency checks and installation to test execution and clean-up. New Docker and Windows Sandbox support makes it easier than ever to set up a lab environment and start testing, with Docker compatibility being especially helpful for security practitioners beset with virtual machine problems caused by Apple silicon.

READ: Gootloader validation with Atomic Red Team

After ranking fourth in the 2023 Threat Detection Report, Gootloader continues to show up in Red Canary’s monitored environments with evolving tradecraft and execution patterns. In this blog, we’ve compiled the most useful Atomic Red Team tests and corresponding detector logic for you to validate your ability to observe and detect behaviors similar to those leveraged by this threat.

COMING SOON: Atomic Red Team and SigmaHQ

SigmaHQ is an open signature format that decreases the chaos usually surrounding standardized log events. The project currently has a large repository of vendor-agnostic, peer-reviewed detection rules. This SigmaHQ update will regularly validate those rules with atomic tests!

T1059.004 Current Kernel Information Enumeration

This first contribution from user wand3rlust is a test that attempts to enumerate kernel information with the `uname` command. This technique is commonly used by adversaries to gather information on the target machine.

T1654 PowerShell Log Enumeration

Contributor 0-etep has added a test that relates to a ransomware technique observed by The DFIR Report. This test enumerates logs using the Get-EventLog PowerShell command, generating a file of matching Windows events using the ‘SYSTEM’ keyword.

T1562.001 Disable Defender ATP for Linux/macOS

Another new contributor, JeffMichelmore, has added a new test for disabling real-time protection on Linux and macOS systems. This behavior from adversaries impairs system defenses, making actions on objectives easier to complete unobstructed.

T1553.003 SIP (Subject Interface Package) Hijacking via Custom DLL

This test from new contributor pingujwal registers a DLL using regsvr32 that logs signature checks, mimicking SIP hijacking. This technique misleads the operating system and application control tools when conducting future signature validation checks.

Top contributors

  • clr2of8
  • five-three
  • swachchhanda000

New contributors

  • 0-etep
  • alonsobsd
  • JeffMichelmore
  • pingujwal
  • wand3rlust

Backdoors & Breaches: Expansion deck chronicles

Join us on November 14 at 2 PM ET for another laid-back playthrough of Backdoors & Breaches with a flock of Red Canary threat enthusiasts and maintainer Josh Rickard! This informal game with some of our best and brightest will be unpredictable and on-the-fly—after all, there’s no better way to emulate an incident.
