Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

The latest from Atomic Red Team
NEW: Atomic Runner

The Atomic Runner functionality allows you to run a configurable list of atomic tests unattended in a way that aids prevention and detection reporting. The scripts are designed to run all tests listed in the CSV schedule once per week by default. Before it runs each atomic test, it appends the atomic test GUID to the end of the computer hostname. This makes it easier to determine which detections fired from which atomics. Cleanup commands are run after atomic test execution, making for easy and clean deployment.

WELCOME: New maintainer Hare Sudhan

We are excited to welcome Hare Sudhan to the Atomic Red Team maintainers group! The maintainers are responsible for reviewing all community contributions to the project within GitHub. Hare has been contributing to Atomic Red Team since the summer of 2020. His latest contributions include automated validation and labeling of contributions in GitHub, allowing the maintainers to do even more for Atomic Red Team in less time and with fewer mistakes. Thank you Hare for all you do!

INTRODUCING: The new validation schema

A very special thank you to maintainers Josh Rickard and Hare Sudhan for creating an official schema file to validate the Atomic YAML files. This allows us to programmatically ensure that any changes to the atomic definitions are valid before inclusion in the Atomic Red Team project. Check out the validation readme to learn more!

WATCH: Sp4rkCon 2023—Continuous End-to-End Detection Validation and Reporting with Carrie Roberts

Maintainer Carrie Roberts shares what has shaped her experience working with Atomic Red Team and what she has gained from it, the value of effective coverage tracking, and the process of automating attack emulation.

T1560.001: Archive collected data via utility

This new test from contributor aranhams emulates the behavior of the FLEXIROOT backdoor to archive the collected data. FLEXIROOT typically utilizes AES encryption and Base64 encoding to transfer the encrypted data to the C2 server. This test uses standard zip compression and the OpenSSL library to encrypt the compressed data.

T1505.005: Server Software Component: Terminal Services DLL

Contributor nos111 submitted the pull request that adds this technique pertaining to the manipulation of the Terminal Services DLL. The atomic test simulates the action of patching termsrv.dll by making a benign change to the file and then replacing it with the original file. This test is intended to mimic the actions of an adversary who might attempt to modify termsrv.dll for nefarious purposes, such as enabling concurrent Remote Desktop Protocol sessions.

T1027: Obfuscated Files or Information

New contributor KillrBunn3 added a test that attempts to emulate the behavior of Gootloader. This test downloads a compressed file, then unpacks and launches the JavaScript file inside through the wscript.exe utility. This closely resembles Gootloader’s C2 communications, which also launch malicious JavaScript through wscript.exe.

T1140: Deobfuscate/Decode Files or Information

Another contribution from aranhams introduces a new atomic test with a focus on XOR de-obfuscation and command execution. The test emulates adversary behavior similar to that observed in the Remexi backdoor that used XOR to obfuscate the malicious payload and configuration information used by the malware. In this new test, a Python script decrypts a simple whoami command that was encrypted using XOR; after decryption, the script will execute the whoami command.


Top contributors

  • clr2of8
  • cyberbuff
  • KillrBunn3
  • MHaggis
  • burning-pm
  • nos111

New contributors

  • KillrBunn3
  • alphonsa-01
  • dependabot[bot]
  • aranhams
  • nos111
  • renzhexigua
  • amalone-scwx

Introducing Readiness Exercises

Red Canary’s new Readiness Exercises combine real-world training scenarios, tabletop exercises, and Atomic Red Team tests into one seamless experience.
