Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

The latest from Atomic Red Team
WATCH: Atomic testing with John Hammond

The security mastermind himself has gone nuclear! John Hammond gives a ground-up overview of the BlueSpawn open source stand-in and how it picks up on Atomic Red Team tests. Speaking on the greatness of MITRE’s ATT&CK framework and defense logic, John’s insights are unique and a fun listen.

TRY: Mac Monitor

It’s here: Mac Monitor is a new free tool for collection and dynamic system analysis on macOS endpoints. Using common macOS atomic tests, Mac Monitor provides simple and friendly output to examine forensic artifacts left behind on compromised systems. In this blog, we execute a test harness for AppleScript to showcase enhanced telemetry collection from this behavior.

LEARN: Attack emulation tools with AntiSyphon

Another excellent AntiSyphon training from maintainer Carrie Roberts is open for registration! This course is for all experience levels and covers attack emulation and visualization, including Atomic Red Team, Caldera, Vectr, and more—perfect for both seasoned and aspiring security practitioners.

READ: Developing and testing cloud-based detections

Researcher and maintainer Jose Hernandez writes about integrating atomic testing with Lacework to create powerful detections and customizing LQL policies.

T1059.004: Pipe-to-shell

These new tests contributed by biot-2131 emulate piped commands into the Unix shell. An adversary may develop a useful utility or subvert the CI/CD pipeline of a legitimate utility developer that requires or suggests installing their utility by piping a curl download directly into bash. The adversary may also take advantage of this BLIND install method and selectively run extra commands in the install script.

T1024.003: Malicious image

Contributor msdlearn has added a new test that emulates an adversary’s backdoored/malicious image, a common strategy in cloud and containerized environments. This is used to skip the Initial Access phase and leads to execution of malicious code or cryptocurrency mining.

T1078.003: Local accounts

Another set of tests from contributor biot-2131 tests the creation, reactivation, and repurposing of system accounts on Linux systems. This can allow for lateral movement across a network or to escalate privileges.

T1531: Account access removal

Contributor D4rkCiph3r has added a series of tests that change user passwords and delete user accounts using dscl and sysadminctl. These techniques can impede incident response and recovery efforts during certain types of attacks, especially ransomware.


Top contributors

  • biot-2131
  • clr2of8
  • josehelps
  • well123cs

Top contributors

  • traceflow
  • well123cs
Threat Detection Series Live: San Francisco

Put on a sweater and prepare for the live event of a lifetime! The Threat Detection Series Live is coming to Bespoke San Francisco with insights on common threats, useful detection opportunities, and of course, testing.

  Twitter   LinkedIn   GitHub   YouTube   Slack