The Atomic Runner functionality allows you to run a configurable list of atomic tests unattended in a way that aids prevention and detection reporting. The scripts are designed to run all tests listed in the CSV schedule once per week by default. Before it runs each atomic test, it appends the atomic test GUID to the end of the computer hostname. This makes it easier to determine which detections fired from which atomics. Cleanup commands are run after atomic test execution, making for easy and clean deployment.

We are excited to welcome Hare Sudhan to the Atomic Red Team maintainers group! The maintainers are responsible for reviewing all community contributions to the project within GitHub. Hare has been contributing to Atomic Red Team since the summer of 2020. His latest contributions include automated validation and labeling of contributions in GitHub, allowing the maintainers to do even more for Atomic Red Team in less time and with fewer mistakes. Thank you Hare for all you do!

A very special thank you to maintainers Josh Rickard and Hare Sudhan for creating an official schema file to validate the Atomic YAML files. This allows us to programmatically ensure that any changes to the atomic definitions are valid before inclusion in the Atomic Red Team project. Check out the validation readme to learn more!

Maintainer Carrie Roberts reveals the influences and advantages to her experience when working with Atomic Red Team, the value in effective coverage tracking, and the process of automating attack emulation.

This new test from contributor aranhams emulates the behavior of the FLEXIROOT backdoor to archive the collected data. FLEXIROOT typically utilizes AES encryption and Base64 encoding to transfer the encrypted data to the C2 server. This test uses standard zip compression and the OpenSSL library to encrypt the compressed data.

Contributor nos111 submitted the pull request that adds this technique pertaining to the manipulation of the Terminal Services DLL. The atomic test simulates the action of patching termsrv.dll by making a benign change to the file and then replacing it with the original file. This test is intended to mimic the actions of an adversary who might attempt to modify termsrv.dll for nefarious purposes, such as enabling concurrent Remote Desktop Protocol sessions.

New contributor KillrBunn3 added a test that attempts to emulate the behavior of Gootloader. This test downloads a compressed file, then unpacks and launches the JavaScript file inside through the wscript.exe utility. This closely resembles Gootloader’s C2 communications, which also launch malicious JavaScript through wscript.exe.

Another contribution from aranhams introduces a new atomic test with a focus on XOR de-obfuscation and command execution. The test emulates adversary behavior similar to that observed in the Remexi backdoor that used XOR to obfuscate the malicious payload and configuration information used by the malware. In this new test, a Python script decrypts a simple whoami command that was encrypted using XOR; after decryption, the script will execute the whoami command.