Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

The latest from Atomic Red Team
WATCH: Backdoors & Breaches: Breaking it down

What happens when you combine Atomic Red Team maintainers, thrunters, and a new expansion deck? Atomic-grade shenanigans! Maintainers Carrie Roberts and Josh Rickard joined us to play a game of Backdoors & Breaches, fighting their way through an incident with some Red Canary threat hunters.

READ: Detecting & simulating recent APT persistence methods with community resources

Tidal Cyber’s Director of Cyber Threat Intelligence Scott Small wrote an excellent blog in response to the recent Flax Typhoon attacks. Using common validation techniques like atomic tests, Scott discusses standout behaviors that characterize APT persistence and how users can validate their defenses.

T1564.004 Hide Artifacts: NTFS File Attributes

New contributor Scoubi created this test based on a proof of concept that uses $index_allocation to hide files. By specifying the ‘::$index_allocation’ stream, the test emulates a method of obscuring payloads.

T1021.001 Remote Desktop Protocol

This new test from contributor tropChaud disables network-level authentication (NLA) for Remote Desktop Protocol (RDP) by changing a registry key via the command prompt. Disabling NLA for RDP allows a remote user to interact with the Windows sign-in screen before authenticating. This test was created using intel on Flax Typhoon reported by Microsoft.
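For defenders who want to catch this change when the test (or a real intrusion) runs, here is an added detection example that is not part of the atomic or the newsletter. It assumes Sysmon registry telemetry: Event ID 13 (RegistryEvent, value set) with Sysmon's TargetObject, Details and Image fields, and Sysmon's rendering of DWORD data as "DWORD (0x00000000)". The sample events are constructed, not real telemetry. The registry value it watches, UserAuthentication under the RDP-Tcp WinStation key, is the one that controls whether NLA is required (1) or disabled (0).

```python
"""Flag Sysmon registry-value-set events that disable NLA for RDP.

Added defensive example (not from the Atomic Red Team project). The event
shape below mimics Sysmon Event ID 13 exported as JSON lines; the sample
records are constructed for illustration.
"""
import json
import re

# Registry value whose DWORD data controls NLA for the default RDP listener
# (1 = NLA required, 0 = NLA disabled). Sysmon logs the full path with the
# hive abbreviated, e.g. HKLM\SYSTEM\...\RDP-Tcp\UserAuthentication.
NLA_VALUE_RE = re.compile(
    r"\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication$",
    re.IGNORECASE,
)

# Sysmon renders DWORD data in the Details field as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"^DWORD \(0x([0-9a-fA-F]{1,8})\)$")

# Constructed sample log: one unrelated value set, one NLA disable via reg.exe,
# one NLA re-enable, and one non-registry event that must be ignored.
SAMPLE_LOG = r"""
{"EventID": 13, "UtcTime": "2023-09-01 10:00:01.000", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\BITS\\Start", "Details": "DWORD (0x00000002)"}
{"EventID": 13, "UtcTime": "2023-09-01 10:00:02.000", "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "UtcTime": "2023-09-01 10:05:00.000", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication", "Details": "DWORD (0x00000001)"}
{"EventID": 1, "UtcTime": "2023-09-01 10:00:02.000", "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg add ..."}
"""


def load_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_dword(details):
    """Return the integer value of a Sysmon DWORD Details string, or None."""
    m = DWORD_RE.match(details.strip())
    return int(m.group(1), 16) if m else None


def detect_nla_disabled(events):
    """Return one finding per Event ID 13 that sets RDP-Tcp\\UserAuthentication to 0."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue  # only registry value-set events carry the data we need
        if not NLA_VALUE_RE.search(ev.get("TargetObject", "")):
            continue  # some other value; not the NLA switch
        if parse_dword(ev.get("Details", "")) == 0:
            findings.append({
                "time": ev.get("UtcTime"),
                "image": ev.get("Image"),
                "target": ev["TargetObject"],
                "reason": "RDP-Tcp UserAuthentication set to 0 (NLA disabled)",
            })
    return findings


if __name__ == "__main__":
    for f in detect_nla_disabled(load_events(SAMPLE_LOG)):
        print(f"{f['time']} {f['image']} -> {f['reason']}")
```

Run against the constructed sample it reports only the reg.exe event; the later write of 1 (NLA re-enabled) is correctly ignored. Because the value can legitimately be toggled by Group Policy or an administrator, treat a hit as a triage lead and pivot on the writing process. The same matching logic applies to Windows Security event 4657 if you audit that key with a SACL instead of Sysmon.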

T1082 System Information Discovery

New contributor Mikoyan-Dee’s commit brings a test with a custom .vbs script. This script is employed to collect system information such as operating system, DNS details, and firewall configuration. System information is then stored in C:\Windows\System32\config or C:\Windows\System32\reg. Adversaries use scripts like this to compile system data for exfiltration or to alter a system’s configuration.

T1564 Command Execution

CyberBilly7 contributed a test that emulates NirCmd usage for command execution. Reconnaissance and privilege escalation can be achieved by running commands with the SYSTEM account. This test was written in consideration of Kroll’s technical analysis on the Black Basta ransomware-as-a-service group.


Top contributors

  • thomasxmeng
  • Scoubi
  • blueteam0ps
  • cyberbuff

New contributors

  • thomasxmeng
  • Scoubi
  • Mikoyan-Dee

Create and validate atomics in your browser

Want to contribute to Atomic Red Team but don’t know how? Are YAML files the bane of your existence? There’s an app for that! Try out the new Streamlit web application and create atomics at will. Input commands for a new test and see the resulting YAML in the sidebar or validate an atomic from a provided YAML.
