The latest from Atomic Red Team

READ: New Invoke-AtomicRedTeam updates in version 2.0.6

It’s here! The newest version of Invoke-AtomicRedTeam contains an assortment of additions, including a Docker container or Windows Sandbox file for quick test environments, an option to pause between tests, and a new AnyOS option that shows details of any atomic, regardless of platform. See the announcement and related links in the Atomic Red Team Slack!

WATCH: Simplify security testing with Docker, Windows Sandbox, and Atomic Red Team

Atomic Red Team maintainers Carrie Roberts and Hare Sudhan unveiled and demonstrated a wealth of new features recently added to Invoke-Atomic, from dependency checks and installation to test execution and clean-up. New Docker and Windows Sandbox support makes it easier than ever to set up a lab environment and start testing, with Docker compatibility being especially helpful for security practitioners beset with virtual machine problems caused by Apple silicon.

READ: Gootloader validation with Atomic Red Team

After ranking fourth in the 2023 Threat Detection Report, Gootloader continues to show up in Red Canary’s monitored environments with evolving tradecraft and execution patterns. In this blog, we’ve compiled the most useful Atomic Red Team tests and corresponding detector logic for you to validate your ability to observe and detect behaviors similar to those leveraged by this threat.

COMING SOON: Atomic Red Team and SigmaHQ

SigmaHQ is an open signature format that reduces the chaos usually surrounding standardized log events. The project maintains a large repository of vendor-agnostic, peer-reviewed detection rules. This SigmaHQ update will regularly validate those rules with atomic tests!

T1059.004 Current Kernel Information Enumeration

This first contribution from user wand3rlust is a test that attempts to enumerate kernel information with the `uname` command. This technique is commonly used by adversaries to gather information on the target machine.

T1654 PowerShell Log Enumeration

Contributor 0-etep has added a test that relates to a ransomware technique observed by The DFIR Report. This test enumerates logs using the Get-EventLog PowerShell cmdlet, generating a file of matching Windows events using the ‘SYSTEM’ keyword.

T1562.001 Disable Defender ATP for Linux/macOS

Another new contributor, JeffMichelmore, has added a new test for disabling real-time protection on Linux and macOS systems. Adversaries use this behavior to impair system defenses so that their actions on objectives proceed unobstructed.

T1553.003 SIP (Subject Interface Package) Hijacking via Custom DLL

This test from new contributor pingujwal registers a DLL using regsvr32 that logs signature checks, mimicking SIP hijacking. This technique misleads the operating system and application control tools when conducting future signature validation checks.

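As an added example (not part of this newsletter or of the Atomic Red Team project), the following Python sketches how a defender might check that the four tests described above leave a visible trace in process-creation telemetry. The event records, the field names, and the specific command lines (the `uname` flags, the `mdatp` real-time-protection command, the `Get-EventLog` pipeline, the `regsvr32` invocation) are constructed assumptions about how the tests could appear in logs, not the tests' actual contents.

```python
"""Toy detection pass over constructed process-creation events.

Added example, not part of the Atomic Red Team newsletter or project.
Events, field names and command lines below are constructed to show
how a defender might validate that the behaviours described above
(kernel enumeration with uname, event-log enumeration with Get-EventLog,
Defender real-time-protection changes, and regsvr32 DLL registration)
produce telemetry a rule can see.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    platform: str          # "linux", "macos" or "windows" (assumed field)
    image: str             # executable name as logged (assumed field)
    command_line: str
    parent_image: str


@dataclass
class Rule:
    technique: str
    title: str
    platforms: frozenset
    pattern: re.Pattern


RULES = [
    # Flags are an assumption; a bare "uname" is deliberately not matched.
    Rule("T1059.004", "Kernel information enumeration via uname",
         frozenset({"linux", "macos"}),
         re.compile(r"(^|[\s/])uname\b.*\s-(a|r|v|s|m)\b")),
    Rule("T1654", "Event log enumeration via Get-EventLog",
         frozenset({"windows"}),
         re.compile(r"Get-EventLog\b", re.IGNORECASE)),
    # Assumes the test drives the mdatp CLI; adjust to your telemetry.
    Rule("T1562.001", "Defender for Endpoint real-time protection disabled",
         frozenset({"linux", "macos"}),
         re.compile(r"\bmdatp\b.*real[-_]time[-_]protection.*\bdisabled\b",
                    re.IGNORECASE)),
    # Ignores DLLs under \Windows\ to keep routine installer noise out.
    Rule("T1553.003", "DLL registration via regsvr32 (possible SIP hijack)",
         frozenset({"windows"}),
         re.compile(r"regsvr32(\.exe)?\b(?!.*\\windows\\).*\.dll\b",
                    re.IGNORECASE)),
]


def match_event(event, rules=RULES):
    """Return the technique IDs of every rule this event satisfies."""
    hits = []
    for rule in rules:
        if event.platform not in rule.platforms:
            continue
        if rule.pattern.search(event.command_line):
            hits.append(rule.technique)
    return hits


def run_detection(events, rules=RULES):
    """Map each technique ID to the set of hosts on which it was observed."""
    observed = {}
    for ev in events:
        for tid in match_event(ev, rules):
            observed.setdefault(tid, set()).add(ev.host)
    return observed


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    ProcessEvent("lnx-01", "linux", "uname", "uname -a", "bash"),
    ProcessEvent("lnx-01", "linux", "uname", "uname", "bash"),
    ProcessEvent("mac-02", "macos", "mdatp",
                 "mdatp config real-time-protection --value disabled", "zsh"),
    ProcessEvent("win-03", "windows", "powershell.exe",
                 "powershell.exe -Command \"Get-EventLog -LogName System "
                 "| Where-Object {$_.Message -match 'SYSTEM'} "
                 "| Out-File events.txt\"", "explorer.exe"),
    ProcessEvent("win-03", "windows", "regsvr32.exe",
                 "regsvr32.exe /s C:\\Temp\\custom_sip.dll", "cmd.exe"),
    ProcessEvent("win-04", "windows", "regsvr32.exe",
                 "regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll",
                 "msiexec.exe"),
]

if __name__ == "__main__":
    for tid, hosts in sorted(run_detection(SAMPLE_EVENTS).items()):
        print(tid, sorted(hosts))
```

Running the block lists one host per technique; the bare `uname` and the `regsvr32` call on a DLL under `\Windows\` are intentionally not flagged, which is the kind of tuning an atomic test run lets you confirm before trusting a rule in production.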
Top contributors
- clr2of8
- five-three
- swachchhanda000

New contributors
- 0-etep
- alonsobsd
- JeffMichelmore
- pingujwal
- wand3rlust

Backdoors & Breaches: Expansion deck chronicles

Join us on November 14 at 2 PM ET for another laid-back playthrough of Backdoors & Breaches with a flock of Red Canary threat enthusiasts and maintainer Josh Rickard! This informal game with some of our best and brightest will be unpredictable and on-the-fly—after all, there’s no better way to emulate an incident.
