In this edition of Atomics on a Friday, your local threat wizards Paul Michaud and Michael Haag demo the Streamlit app tailored for the AtomicTestHarnesses library. This app creates a more efficient and user-friendly interface for the library, allowing for set-up-and-go testing.

You asked and we listened! We got such great feedback on our first playthrough of Backdoors & Breaches that we just had to have another one! All aboard the Magical Spicy Battleship for a wild ride through a handcrafted incident relating to a top threat.

SANS Institute instructors Jason Ostrom and Jeroen Vandeleur put together a tool that builds a small breach and attack simulation lab. This lab features one Linux server deploying Caldera, Prelude Operator Headless, and VECTR, and one Windows Client (Windows Server 2022) auto-configured for Caldera agent deployment with Atomic Red Team and Sysmon. According to the creators, this is intended to be a customizable, well-documented, all-in-one lab.

In this edition of the Threat Detection Series Live, your tour guide Keith McCammon shares use cases and test plans based on the most commonly encountered threats and adversary techniques, and discusses how to perform high-quality tests in a short amount of time and how to operationalize testing at scale using tools that integrate and enhance Atomic Red Team.

This massive PR by contributor navsec includes 12 new atomic tests that cover various shellcode running techniques using Golang. These techniques were all pulled from open source repositories and adapted to be used as atomic tests. They include fun examples like executing shellcode in child processes, creating a process in a suspended state to execute shellcode, and process injection with WinAPI.

This test from contributor thomasxmeng exploits the vulnerability in legitimate PE formats where sections have read/write/execute (RWX) permissions and enough space for shellcode. The RWX injection avoids the use of VirtualAlloc, WriteVirtualMemory, and ProtectVirtualMemory, thus evading detection mechanisms that rely on API call sequences and heuristics. When successfully executed, this test opens a message box and a notepad.