WELCOME

Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

The latest from Atomic Red Team

TEST: The new TryHackMe atomic room!

Atomic enthusiasts, there’s a new place for you to test your skills and learn more about atomic tests! The new subscription TryHackMe room is a ready-made environment that walks new users through the execution and investigation of test artifacts.

SIGN UP: Validating EDR with Atomic Red Team Automation at BSides Austin

Calling all Texas-based testers: Alex Malone is giving a talk on validating your EDR with atomic automation at BSides Austin on May 5.

Threat Detection Series: PowerShell

Red Canary’s popular Threat Detection Series is back and better than ever! We’ve published a blog recapping our recent PowerShell webinar, including an AMSI validation script, a custom AMSI validation provider, and information on how you can leverage atomic tests to validate your controls.

Nuclear Testing: Building an Effective Detection Testing Lab

Are you in Maine’s MidCoast region or northern New England? Itching for more DC207 fun and a Mainecation? Join KillrBunn3 in Damariscotta on April 20 to learn how you can build a detection testing lab with atomics!

NEW ATOMIC TESTS

T1112: Enabling Remote Desktop Protocol via Remote Registry

Sometimes, simple is better. Contributor 0xzeta’s test emulates an attacker enabling Remote Desktop Protocol (RDP) through the remote registry for lateral movement and exfiltration.

T1543.003: Remote Service Installation CMD

Contributor MHaggis added a new test for the creation or modification of a Windows system process that downloads an executable file and starts it as a service. This test was confirmed to work on remote endpoints but launches under localhost by default.

T1546: WMI InvokeCimMethod

In the same merge as the Remote Service test, contributor MHaggis added a new test for event-triggered execution. This test emulates the creation of a new CimSession on a remote endpoint using Invoke-CimMethod. Adversaries use activity of this sort for lateral movement or remote execution.

T1562: Disable Journal Logging

New contributor D4rkCiph3r added a pair of Linux tests for the Impair Defenses technique that disable journal logging via systemctl and sed. Disabling journal logging allows an adversary to evade detection and defenses like antivirus.

CONTRIBUTOR SUPPORT

Top contributors

  • clr2of8
  • josehelps
  • D4rkCiph3r
  • Burning-pm
  • m4nbat
  • 0xzeta
  • Ari-Weinberg

New contributors

  • Well123cs
  • Ari-Weinberg
  • zaicurity
  • decoderzhub
  • iai-rsa
  • D4rkCiph3r
  • sulakshan-kumar
  • m4nbat

Threat Detection Series Live: San Francisco

We’re coming to you, San Francisco! The Threat Detection Series Live will provide attendees with valuable insights on threats like Qbot and Gootloader, detection opportunities, and custom atomic tests. See you there!