WELCOME

Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

The latest from Atomic Red Team
 
WATCH: Backdoors & Breaches at OffensiveCon

Did you get a shiny new Red Canary expansion deck at Black Hat and want to learn more about how to play? Jason Blanchard from Black Hills Information Security has you covered! This informational talk walks through each card type and possible scenarios for play.

SIGN UP: Atomics on a Friday MSBuild

Paul Michaud and Michael Haag host a symphony of atomics and emulations on August 25 at 1 PM ET. The Atomics on a Friday livestream dives deep into common tactics, techniques, and procedures used by adversaries, then explores detection opportunities. What better way to finish out the work week?

NEW ATOMIC TESTS
 
T1098.003 New Cloud Role

Frequent contributor blueteam0ps has created a new test for a newly covered technique, additional cloud roles. The test emulates a common adversary tactic: adding an administrator role to an existing user in an Azure tenant. In the wild, this lets adversaries retain privileged access across the tenant, a clear example of cloud-based persistence.

T1098.002 Additional Email Delegate Permissions

In another excellent test for a newly covered technique from blueteam0ps, an adversary grants additional delegate permission levels on a mailbox in order to maintain persistence. This test pulls mailbox credentials and grants full mailbox permissions to a new user.

T1546 Event Triggered Execution

This new test from contributor CyberBilly7 emulates an adversary using NirCmd to execute commands. Based on behavior associated with the ransomware-as-a-service group Black Basta, the test runs a NirCmd command that hides the clock in the system tray.

T1562.001 Disable or Modify Tools

New contributor RedinDisguise added a test that emulates suspending and then deleting an AWS GuardDuty detector configuration. Adversaries use this technique to subvert security controls, disabling or removing security tooling to reduce the chance of detection.

CONTRIBUTOR SUPPORT

Top contributors

  • clr2of8
  • blueteam0ps
  • zaicurity
  • hunty-dumpy

New contributors

  • altjx
  • RedinDisguise
 
Backdoors & Breaches: Breaking it down

Join us on August 31 at 2 PM ET for a laid-back playthrough of Backdoors & Breaches with Atomic Red Team maintainer Carrie Roberts! This informal game with some of our best and brightest will be unpredictable and on-the-fly—after all, there’s no better way to emulate an incident.
