Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

The latest from Atomic Red Team
TEST: The new TryHackMe atomic room!

Atomic enthusiasts, there’s a new place for you to test your skills and learn more about atomic tests! The new TryHackMe room, available to subscribers, is a ready-made environment that walks new users through the execution and investigation of test artifacts.

SIGN UP: Validating EDR with Atomic Red Team Automation at BSides Austin

Calling all Texas-based testers: Alex Malone is giving a talk on validating your EDR with atomic automation at BSides Austin on May 5.

Threat Detection Series: PowerShell

Red Canary’s popular Threat Detection Series is back and better than ever! We’ve published a blog recapping our recent PowerShell webinar, including an AMSI validation script, a custom AMSI validation provider, and information on how you can leverage atomic tests to validate your controls.

Nuclear Testing: Building an Effective Detection Testing Lab

Are you in Maine’s MidCoast region or northern New England? Itching for more DC207 fun and a Mainecation? Join KillrBunn3 in Damariscotta on April 20 to learn how you can build a detection testing lab with atomics!

T1112: Enabling Remote Desktop Protocol via Remote Registry

Sometimes, simple is better. Contributor 0xzeta’s test emulates an attacker enabling Remote Desktop Protocol (RDP) through remote registry for lateral movement and exfiltration.

T1543.003: Remote Service Installation CMD

Contributor MHaggis added a new test for the creation or modification of a Windows system process that downloads an executable file and starts it as a service. This test was confirmed to work on remote endpoints but launches under localhost by default.

T1546: WMI InvokeCimMethod

In the same merge as the Remote Service test, contributor MHaggis added a new test for an event-triggered execution. This test emulates the creation of a new CimSession on a remote endpoint using Invoke-CimMethod. Activity of this sort is used by adversaries for lateral movement or remote execution.

T1562: Disable Journal Logging

New contributor D4rkCiph3r added a pair of Linux tests for the Impair Defenses technique that disable journal logging via systemctl and sed. Disabling journal logging allows an adversary to evade detection and defenses like antivirus.
Top contributors

  • clr2of8
  • josehelps
  • D4rkCiph3r
  • Burning-pm
  • m4nbat
  • 0xzeta
  • Ari-Weinberg

New contributors

  • Well123cs
  • Ari-Weinberg
  • zaicurity
  • decoderzhub
  • iai-rsa
  • D4rkCiph3r
  • sulakshan-kumar
  • m4nbat

Threat Detection Series Live: San Francisco

We’re coming to you, San Francisco! The Threat Detection Series Live will provide attendees with valuable insights on threats like Qbot and Gootloader, detection opportunities, and custom atomic tests. See you there!