Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

The latest from Atomic Red Team
WATCH: Atomics on a Friday

In this edition of Atomics on a Friday, your local threat wizards Paul Michaud and Michael Haag demo the Streamlit app tailored for the AtomicTestHarnesses library. This app creates a more efficient and user-friendly interface for the library, allowing for set-up-and-go testing.

WATCH: Backdoors & Breaches Expansion deck chronicles

You asked and we listened! We got such great feedback on our first playthrough of Backdoors & Breaches that we just had to have another one! All aboard the Magical Spicy Battleship for a wild ride through a handcrafted incident relating to a top threat.

TRY: The Automated Emulation lab building tool

SANS Institute instructors Jason Ostrom and Jeroen Vandeleur put together a tool that builds a small breach and attack simulation lab. The lab consists of one Linux server running Caldera, Prelude Operator Headless, and VECTR, and one Windows client (a Windows Server 2022 host) auto-configured for Caldera agent deployment with Atomic Red Team and Sysmon. According to the creators, it is intended to be a customizable, well-documented, all-in-one lab.

WATCH: Threat Detection Series Live, Validation Station

In this edition of the Threat Detection Series Live, your tour guide Keith McCammon shares use cases and test plans based on the most commonly encountered threats and adversary techniques, and discusses how to perform high-quality tests in a short amount of time and how to operationalize testing at scale using tools that integrate and enhance Atomic Red Team.

T1055.004 Shellcode and Go

This sizeable PR from contributor navsec adds 12 new atomic tests covering shellcode execution techniques written in Go. The techniques were pulled from open-source repositories and adapted into atomic tests; they include executing shellcode in a child process, creating a process in a suspended state and then running shellcode in it, and process injection through the Win32 API.

T1055 RWX and Mockingjay process injection

This test from contributor thomasxmeng abuses a property of some legitimate, signed PE files: a section whose header already grants read/write/execute (RWX) permissions and is large enough to hold the shellcode. Because the DLL is loaded with that section mapped RWX, the payload can be copied straight into it and run with no call to VirtualAlloc, WriteProcessMemory or VirtualProtect (or their Nt* equivalents), so detections that key on that allocate-write-protect API sequence and its heuristics see nothing. When successfully executed, this test opens a message box and launches Notepad. The precondition is a static property of the DLL's section table, which means a defender can inventory candidate modules ahead of time with the same check the injector relies on.
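As an added example (not code from the atomic test, from thomasxmeng, or from the Mockingjay research), the following Go program scans a PE image for the precondition described above: a section whose characteristics grant read, write and execute and whose raw size is at least the space a payload would need. It uses only the standard library debug/pe package. The test image is constructed in memory by the program itself; its section names, sizes and the 0x400-byte payload threshold are assumptions chosen for illustration, not values from any real DLL.

```go
package main

import (
	"bytes"
	"debug/pe"
	"encoding/binary"
	"fmt"
)

// Section characteristic flags from the PE specification (IMAGE_SCN_MEM_*).
const (
	scnMemExecute uint32 = 0x20000000
	scnMemRead    uint32 = 0x40000000
	scnMemWrite   uint32 = 0x80000000
	scnRWX               = scnMemRead | scnMemWrite | scnMemExecute
)

// RWXSection describes a section that is mapped readable, writable and executable.
type RWXSection struct {
	Name           string
	VirtualAddress uint32
	VirtualSize    uint32
	RawSize        uint32
}

// FindRWXSections parses a PE image held in memory and returns every section whose
// characteristics grant read, write and execute and whose raw size is at least
// minBytes (the amount of space a payload would need).
func FindRWXSections(image []byte, minBytes uint32) ([]RWXSection, error) {
	f, err := pe.NewFile(bytes.NewReader(image))
	if err != nil {
		return nil, err
	}
	defer f.Close()

	var hits []RWXSection
	for _, s := range f.Sections {
		if s.Characteristics&scnRWX != scnRWX {
			continue // missing at least one of R, W, X
		}
		if s.Size < minBytes {
			continue // RWX, but too small to hold the payload
		}
		hits = append(hits, RWXSection{
			Name:           s.Name,
			VirtualAddress: s.VirtualAddress,
			VirtualSize:    s.VirtualSize,
			RawSize:        s.Size,
		})
	}
	return hits, nil
}

// SectionSpec is a hypothetical description used only to build the synthetic test image.
type SectionSpec struct {
	Name            string
	VirtualSize     uint32
	RawSize         uint32
	Characteristics uint32
}

// BuildMinimalPE constructs a synthetic x64 PE: DOS stub, PE signature, COFF file
// header, no optional header, the given section table and zero-filled section bodies.
// It exercises the scanner only; it is not a loadable executable.
func BuildMinimalPE(specs []SectionSpec) []byte {
	const peOffset = 0x40
	var buf bytes.Buffer

	dos := make([]byte, peOffset)
	dos[0], dos[1] = 'M', 'Z'
	binary.LittleEndian.PutUint32(dos[0x3c:], peOffset) // e_lfanew
	buf.Write(dos)
	buf.WriteString("PE\x00\x00")

	fh := pe.FileHeader{
		Machine:          0x8664, // IMAGE_FILE_MACHINE_AMD64
		NumberOfSections: uint16(len(specs)),
	}
	binary.Write(&buf, binary.LittleEndian, fh)

	// Section headers follow the file header directly because SizeOfOptionalHeader is 0.
	headersEnd := uint32(buf.Len() + binary.Size(pe.SectionHeader32{})*len(specs))
	rawPtr := headersEnd
	va := uint32(0x1000)
	for _, sp := range specs {
		var sh pe.SectionHeader32
		copy(sh.Name[:], sp.Name)
		sh.VirtualSize = sp.VirtualSize
		sh.VirtualAddress = va
		sh.SizeOfRawData = sp.RawSize
		sh.PointerToRawData = rawPtr
		sh.Characteristics = sp.Characteristics
		binary.Write(&buf, binary.LittleEndian, sh)
		rawPtr += sp.RawSize
		va += (sp.VirtualSize + 0xfff) &^ 0xfff // next page-aligned RVA
	}
	buf.Write(make([]byte, rawPtr-headersEnd)) // zero-filled raw section bodies
	return buf.Bytes()
}

// SampleSections is a constructed section table (an assumption, not a real DLL): normal
// code and data sections, one RWX section large enough for a payload, one too small.
func SampleSections() []SectionSpec {
	const (
		cntCode = 0x00000020 // IMAGE_SCN_CNT_CODE
		cntData = 0x00000040 // IMAGE_SCN_CNT_INITIALIZED_DATA
	)
	return []SectionSpec{
		{".text", 0x1800, 0x1800, cntCode | scnMemRead | scnMemExecute},
		{".data", 0x0800, 0x0800, cntData | scnMemRead | scnMemWrite},
		{".rwx", 0x2000, 0x2000, cntData | scnRWX},
		{".tiny", 0x0040, 0x0040, cntData | scnRWX},
	}
}

func main() {
	img := BuildMinimalPE(SampleSections())
	hits, err := FindRWXSections(img, 0x400) // assumed payload size of 1 KiB
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("%-8s RVA=0x%x vsize=0x%x raw=0x%x\n", h.Name, h.VirtualAddress, h.VirtualSize, h.RawSize)
	}
}
```

Pointing FindRWXSections at real files (for example by reading each DLL under a system directory) gives a list of modules that satisfy the injector's precondition; a section that is RWX but smaller than the payload is filtered out, which is the same size test the technique has to pass.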


Top contributors

  • devasmith4
  • MattDotL
  • swachchhanda000
  • cyberbuff
  • PhyoPaingHtun

New contributors

  • tjgeorgen
  • navsec
  • PhyoPaingHtun
  • MattDotL
  • devasmith4
  • kdebscwx
  • AmyHeat
  • nter10k
  • moullos
  • tsale
  • mbabinski

The Detection Series: Prevalent cloud techniques

Drawing on the real-world experience of cloud security experts from across the industry, we construct a hypothetical narrative detailing how adversaries gain initial access to cloud systems, elevate their privilege levels, persist, and more. Throughout this webinar, you’ll learn how adversaries are attacking cloud systems, and what you can do to gain observability, broaden detection coverage, respond to threats, mitigate risks, and test your security controls.
