Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

The latest from Atomic Red Team
READ: Red Canary’s new Backdoors & Breaches expansion deck

Backdoors & Breaches is back…this time, in red. The popular incident response card game is not only excellent for helping professional teams maintain a good security posture, it also makes for a great party game among security practitioners of all experience levels. Featuring a series of incidents from the realistic to the bizarre, we integrated atomic tests and MITRE techniques heavily into the deck. Play on!

READ: Atomic emulation at scale with Coalmine

Testing at scale to validate activity is difficult, especially when working from different data sources and endpoints. Therein lies the need for a testing project that creates and instruments virtual machines, and thus, Coalmine was born. Using Atomic Test Harnesses, Invoke-Atomic, Ansible, and Terraform, we explore the process of deploying effective tests and emulation at scale.

T1082 Driver Enumeration using driverquery

This new test from contributor msdlearn executes the driverquery command to list the drivers installed on the system. Adversaries enumerate drivers to learn which defenses are present, which drivers may be vulnerable, and what the victim machine is capable of.

T1562.009 Impair Defenses - Safe Boot Mode

Contributor Anitube added a test that emulates the abuse of safe mode to modify boot configuration data stores. This is commonly used by adversaries to disable defenses like antivirus and endpoint protection solutions.

T1486 Data Encrypted for Impact

A new set of tests from contributor D4rkCiph3r adds a series of emulations of a common adversary technique: encrypting data for impact. The test set uses 7-Zip, OpenSSL, and ccrypt to encrypt files and create an archive. Adversaries use this technique to interrupt availability, rendering data or resources inaccessible.

T1539 macOS Chrome Remote Debugging

jonod8698 contributed a test for macOS Chrome Remote Debugging, which falls under technique T1539: Steal Web Session Cookie. In this OS-agnostic technique, an adversary steals session cookies to gain unauthorized access to services or applications without needing credentials. The new test uses Chrome's remote debugging functionality to obtain cookies without keychain access, sidestepping encryption with a built-in browser function.
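The four tests above (T1082, T1562.009, T1486, T1539) all produce process-creation telemetry that a detection engineer would want to recognise. The following Python snippet is an added example written for this newsletter, not code from Atomic Red Team or any of its contributors: it maps constructed process-start events to the ATT&CK technique IDs named above using a small rule table. The event field names, the indicator choices (driverquery, a bcdedit call mentioning safeboot, encryption switches for 7z/openssl/ccrypt, and Chrome's --remote-debugging-port flag) and the sample events are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """One process-creation event. Field names are an assumption, loosely
    modelled on a Sysmon Event ID 1 / EDR process-start record."""
    host: str
    user: str
    image: str          # full path of the executable that started
    command_line: str


@dataclass
class Rule:
    technique: str                           # ATT&CK technique ID the rule maps to
    title: str
    image_re: re.Pattern                     # matched against the image basename
    cmdline_re: Optional[re.Pattern] = None  # optional extra condition on the command line


# Detection rules for the four techniques covered by the tests above.
# The indicators (safeboot, --remote-debugging-port, encryption switches)
# are this example's own choices, not the project's detection content.
RULES = [
    Rule("T1082", "Driver enumeration with driverquery",
         re.compile(r"^driverquery(\.exe)?$", re.I)),
    Rule("T1562.009", "Safe Boot setting written to the boot configuration data store",
         re.compile(r"^bcdedit(\.exe)?$", re.I),
         re.compile(r"safeboot", re.I)),
    Rule("T1486", "File encryption with 7-Zip, OpenSSL or ccrypt",
         re.compile(r"^(7z|7za|openssl|ccrypt)(\.exe)?$", re.I),
         # 7z -p<password>, openssl enc, ccrypt -e / --encrypt
         re.compile(r"\s-p\S*|\senc\b|\s(-e|--encrypt)\b", re.I)),
    Rule("T1539", "Chrome launched with the remote debugging port enabled",
         re.compile(r"^(chrome(\.exe)?|Google Chrome)$", re.I),
         re.compile(r"--remote-debugging-port", re.I)),
]


def image_basename(path: str) -> str:
    """Return the file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def match_rules(event: ProcessEvent) -> List[str]:
    """Technique IDs whose rule fires on this event (empty list if none)."""
    name = image_basename(event.image)
    hits = []
    for rule in RULES:
        if not rule.image_re.match(name):
            continue
        if rule.cmdline_re is not None and not rule.cmdline_re.search(event.command_line):
            continue
        hits.append(rule.technique)
    return hits


def scan(events) -> List[Tuple[str, str, str]]:
    """(host, user, technique) for every rule hit, in event order."""
    return [(ev.host, ev.user, tech) for ev in events for tech in match_rules(ev)]


# Constructed sample telemetry: one event per test plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent("WS-01", "CORP\\alice", r"C:\Windows\System32\driverquery.exe",
                 "driverquery.exe /v"),
    ProcessEvent("WS-01", "CORP\\alice", r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit.exe /set {current} safeboot minimal"),
    ProcessEvent("WS-02", "CORP\\bob", r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit.exe /enum"),                       # benign: no safeboot change
    ProcessEvent("srv-01", "deploy", "/usr/bin/openssl",
                 "openssl enc -aes-256-cbc -in finance.tar -out finance.tar.enc -pass pass:x"),
    ProcessEvent("WS-02", "CORP\\bob", r"C:\Program Files\7-Zip\7z.exe",
                 "7z.exe a -pSecret docs.7z C:\\Users\\bob\\Documents"),
    ProcessEvent("mac-01", "carol",
                 "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
                 "Google Chrome --remote-debugging-port=9222"),
    ProcessEvent("WS-02", "SYSTEM", r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs"),                  # benign
]


if __name__ == "__main__":
    for host, user, technique in scan(SAMPLE_EVENTS):
        print(f"{host:8} {user:12} {technique}")
```

Running the atomic tests and then checking that each one shows up in `scan()` output is the basic validation loop: a test that fires but produces no hit points at a telemetry or rule gap. The command-line condition on bcdedit and the encryption tools is what keeps routine administrative use (`bcdedit /enum`, plain archive extraction) from alerting.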

Top contributors

  • clr2of8
  • jonod8698
  • amalone-scwx

New contributors

  • Anitube
  • jonod8698
  • kevinmstapleton
  • hRun

Backdoors & Breaches launch webinar

During this webcast, we'll teach you how to get started playing Backdoors & Breaches with your teams to learn cybersecurity and conduct fun and effective incident response tabletop exercises. Join us as we introduce the new Red Canary expansion deck on July 13!
