Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

The latest from Atomic Red Team
Welcome to new maintainer Josh Rickard!

We're so happy to have Josh Rickard as our newest maintainer! As the creator of Atomic-Operator, he's already contributed a lot to the Atomic family as well as the entire open source space.

READ: Atomic year in review

It's time for our first year in review! We rounded up some of the most popular updates to the Atomic family and some of the most popular resources related to Atomic.

Finding the gap: How curiosity and creativity drive threat detection

Threat Detection Engineer Micah Babinski writes on the use of Atomic Red Team in understanding detections and the gaps between them in a playful examination of how real-world attack techniques.

Atomic Red Team 5: Abuse NSlookup with DNS Records

Security professional Sai Prashanth Pulisetti provides a useful guide on how to run T1059.001 to abuse NSLookup and examine the resulting events in ELK, even providing a custom Sigma rule to capture the events across multiple instances.

Introducing T1562: Windows Disable LSA Protection

Enabling LSA Protection configures Windows to control the information stored in memory (like hashes and clear-text passwords) in a more secure fashion—specifically, to prevent non-protected processes from accessing that data. Upon successful execution, the registry will be modified and RunAsPPL will be set to 0, disabling LSASS protection.
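The registry change this test makes is easy to watch for on the defensive side. The following is an added example, not code from Atomic Red Team or from Sysmon: it assumes Sysmon Event ID 13 (RegistryEvent, SetValue) records already exported as one JSON object per line with the usual fields (EventID, Image, User, TargetObject, Details), and it flags any write that sets RunAsPPL to 0. The three sample events are constructed for illustration.

```python
"""
Detection sketch for the "Disable LSA Protection" behaviour: flag Sysmon
registry SetValue events that write RunAsPPL = 0.

Added example, not Atomic Red Team or Sysmon project code. Assumes Sysmon
EventID 13 records converted to JSON lines with the fields EventID, Image,
User, TargetObject and Details. Sample events below are constructed.
"""
import json
import re

# Registry value that controls LSA Protection. 0 (or a missing value) means
# LSASS does not run as a protected process; any non-zero value enables it.
# Matching on the suffix also covers ControlSet001/ControlSet002 paths.
RUNASPPL_KEY = re.compile(r"\\Control\\Lsa\\RunAsPPL$", re.IGNORECASE)

# Sysmon renders DWORD registry data as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")

# Constructed sample log: three Sysmon EventID 13 records as JSON lines.
# Only the first one turns LSA Protection off; the second re-enables it and
# the third touches an unrelated value under the same key.
SAMPLE_LOG = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "User": "LAB\\admin", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RunAsPPL", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "User": "LAB\\admin", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RunAsPPL", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "User": "LAB\\user", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Audit", "Details": "DWORD (0x00000000)"}
""".strip()


def parse_dword(details):
    """Return the integer value of a Sysmon DWORD Details string, or None."""
    m = DWORD_RE.match(details or "")
    return int(m.group(1), 16) if m else None


def is_lsa_protection_disabled(event):
    """True when the event is a SetValue that writes RunAsPPL with value 0."""
    if event.get("EventID") != 13:
        return False
    if not RUNASPPL_KEY.search(event.get("TargetObject", "")):
        return False
    return parse_dword(event.get("Details")) == 0


def scan(log_text):
    """Parse JSON-lines Sysmon output and return one alert per RunAsPPL = 0 write."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_lsa_protection_disabled(event):
            alerts.append({
                "image": event.get("Image"),
                "user": event.get("User"),
                "target": event.get("TargetObject"),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT: LSA Protection disabled via registry:", alert)
```

Because an absent RunAsPPL value also leaves LSASS unprotected, a complete rule would additionally match Sysmon EventID 12 (DeleteValue) on the same path; the suffix match above is deliberately loose so that writes through ControlSet001 rather than CurrentControlSet are not missed.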

Abusing container administration: Docker

Adversaries who have permissions can run malicious commands in containers in the cluster using the exec command (`docker exec`). In this method, adversaries can use legitimate images such as an OS image (e.g., Ubuntu) as a backdoor container and run their malicious code remotely by using `docker exec`. Kinsing (Golang-based malware) was executed with an Ubuntu container entry point that runs shell scripts.

Top contributors

  • clr2of8
  • packetzero
  • aman143kri
  • dlee35

New contributors

  • dlee35
  • aman143kri
  • tvjust
  • devapriya16
  • noy-s1
  • prashanthpulisetti
  • briancdonohue

Contribute to Atomic Red Team

Roll the dice and find a technique: you’ll find that some don’t have atomic tests to go with them. This is where you come in! These MITRE ATT&CK techniques without tests represent a big opportunity for new contributions.
