Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

The latest from Atomic Red Team
WATCH: Backdoors & Breaches at OffensiveCon

Did you get a shiny new Red Canary expansion deck at Black Hat and want to learn more about how to play? Jason Blanchard from Black Hills Information Security has you covered! This informational talk walks through each card type and possible scenarios for play.

SIGN UP: Atomics on a Friday MSBuild

Paul Michaud and Michael Haag host a symphony of atomics and emulations on August 25 at 1 PM ET. The Atomics on a Friday livestream dives deep into common tactics, techniques, and procedures used by adversaries, then explores detection opportunities. What better way to finish out the work week?

T1098.003 New Cloud Role

Frequent contributor blueteam0ps has created a new test for a newly covered technique involving additional cloud roles. This test emulates a common adversary tactic of adding an administrator role to an existing user on an Azure tenant. In the wild, this helps adversaries retain privileged access across the tenant, a great example of cloud-based persistence.

T1098.002 Additional Email Delegate Permissions

In another excellent test and new technique from blueteam0ps, additional permission levels are granted by a potential adversary to maintain persistence. This test pulls mailbox credentials and grants full mailbox permissions to a new user.

T1546 Event Triggered Execution

This new test from contributor CyberBilly7 emulates an adversary using NirCmd to execute commands. Based on behavior associated with ransomware-as-a-service group Black Basta, this test uses a command that hides the clock on the system tray.

T1562.001 Disable or Modify Tools

New contributor RedinDisguise added a test that emulates the suspension and deletion of an AWS GuardDuty configuration. Adversaries typically use this technique to subvert security controls, removing or disabling security tools to mitigate chances of detection.
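A defender running this atomic will want to confirm the activity is visible in CloudTrail. The following added example (not part of the atomic test or the newsletter) scans a batch of constructed CloudTrail records for the two GuardDuty API calls that correspond to suspending a detector (UpdateDetector with enable set to false) and deleting one (DeleteDetector). The record layout and the lower-case requestParameters field names are assumptions modelled on CloudTrail's conventions; verify them against your own account's logs before relying on the rule.

```python
import json

# Constructed sample CloudTrail records (not real log data). They mimic the
# detector suspend/delete sequence the atomic test emulates, plus benign noise.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "guardduty.amazonaws.com", "eventName": "ListDetectors",
                "requestParameters": None,
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-analyst"}}),
    json.dumps({"eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
                "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-ID", "enable": False},
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"}}),
    json.dumps({"eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
                "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-ID", "enable": True},
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-analyst"}}),
    json.dumps({"eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector",
                "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-ID"},
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
                "requestParameters": {"bucketName": "example-bucket", "key": "file.txt"},
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"}}),
]


def is_guardduty_tampering(event: dict) -> bool:
    """Return True for API calls that disable or remove a GuardDuty detector.

    Re-enabling a detector (UpdateDetector with enable=True) and read-only
    calls such as ListDetectors are deliberately not flagged.
    """
    if event.get("eventSource") != "guardduty.amazonaws.com":
        return False
    name = event.get("eventName")
    if name == "DeleteDetector":
        return True
    if name == "UpdateDetector":
        # requestParameters can be null in CloudTrail, so guard against None.
        params = event.get("requestParameters") or {}
        return params.get("enable") is False
    return False


def find_guardduty_tampering(log_lines):
    """Parse JSON-per-line CloudTrail records and report suspicious ones.

    Returns a list of (eventName, detectorId, actor ARN) tuples. Lines that are
    not valid JSON are skipped rather than crashing the scan.
    """
    findings = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_guardduty_tampering(event):
            params = event.get("requestParameters") or {}
            actor = (event.get("userIdentity") or {}).get("arn", "<unknown>")
            findings.append((event["eventName"], params.get("detectorId"), actor))
    return findings


if __name__ == "__main__":
    for name, detector, actor in find_guardduty_tampering(SAMPLE_LOG_LINES):
        print(f"ALERT GuardDuty {name} on detector {detector} by {actor}")
```

In a real pipeline the same function would run over a CloudTrail export or an Athena query result; the point of the sample data is that the two tampering calls are flagged while the analyst re-enabling the detector and the unrelated S3 read are not.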
Top contributors

  • clr2of8
  • blueteam0ps
  • zaicurity
  • hunty-dumpy

New contributors

  • altjx
  • RedinDisguise

Backdoors & Breaches: Breaking it down

Join us on August 31 at 2 PM ET for a laid-back playthrough of Backdoors & Breaches with Atomic Red Team maintainer Carrie Roberts! This informal game with some of our best and brightest will be unpredictable and on-the-fly—after all, there’s no better way to emulate an incident.