WELCOME

Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

The latest from Atomic Red Team

WATCH: Backdoors & Breaches: Breaking it down

What happens when you combine Atomic Red Team maintainers, thrunters, and a new expansion deck? Atomic-grade shenanigans! Maintainers Carrie Roberts and Josh Rickard joined us to play a game of Backdoors & Breaches, fighting their way through an incident with some Red Canary threat hunters.

READ: Detecting & simulating recent APT persistence methods with community resources

Tidal Cyber’s Director of Cyber Threat Intelligence Scott Small wrote an excellent blog in response to the recent Flax Typhoon attacks. Using common validation techniques like atomic tests, Scott discusses standout behaviors that characterize APT persistence and how users can validate their defenses.

NEW ATOMIC TESTS

T1564.004 Hide Artifacts NTFS File Attributes

New contributor Scoubi created this test based on a proof of concept that uses $index_allocation to hide files. By specifying the ‘::$index_allocation’ stream, the test emulates a method of obscuring payloads.

T1021.001 Remote Desktop Protocol

This new test from contributor tropChaud disables network-level authentication for Remote Desktop Protocol (RDP) by changing a registry key via command prompt. Disabling NLA for RDP can allow remote user interaction with the Windows sign-in screen prior to authentication. This test was created using intel on Flax Typhoon reported by Microsoft.
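The setting this test flips can be audited from the defending side. The PowerShell below is an added example, not part of the Atomic Red Team test or the Microsoft report; it assumes the standard Windows registry locations for the Terminal Server settings and the RDP-Tcp listener, reports whether NLA is still required, and restores it only when RDP is reachable without it.

```powershell
# Added example (not from the Atomic Red Team project): audit whether Network
# Level Authentication (NLA) is still required for RDP and restore it if not.
# Assumes the standard Windows registry locations for the RDP-Tcp listener.
function Get-RdpNlaStatus {
    $tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $listener = "$tsRoot\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means inbound RDP is disabled entirely.
    $denyTs = (Get-ItemProperty -Path $tsRoot -Name 'fDenyTSConnections' `
                -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required; 0 means the sign-in screen
    # is reachable before authentication, which is the state this test creates.
    $nla = (Get-ItemProperty -Path $listener -Name 'UserAuthentication' `
                -ErrorAction SilentlyContinue).UserAuthentication

    $rdpEnabled  = ($denyTs -eq 0)
    $nlaRequired = ($nla -eq 1)
    $finding = if ($rdpEnabled -and -not $nlaRequired) {
        'RDP reachable without NLA (T1021.001 exposure)'
    } elseif (-not $rdpEnabled) {
        'RDP disabled'
    } else {
        'OK: NLA required'
    }

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $rdpEnabled
        NlaRequired  = $nlaRequired
        Finding      = $finding
    }
}

function Restore-RdpNla {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($PSCmdlet.ShouldProcess($listener, 'Set UserAuthentication = 1')) {
        # Requires an elevated session; this is the value the atomic test sets to 0.
        Set-ItemProperty -Path $listener -Name 'UserAuthentication' -Value 1 -Type DWord
    }
}

# Usage: report the current state, then remediate only when RDP is exposed.
$status = Get-RdpNlaStatus
$status | Format-List
if ($status.RdpEnabled -and -not $status.NlaRequired) { Restore-RdpNla -WhatIf }
```

The state check only tells you the outcome; to catch the change itself, enable object access auditing with a SACL on the RDP-Tcp key so the modification is logged as Security Event ID 4657.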

T1082 System Information Discovery

New contributor Mikoyan-Dee’s commit brings a test with a custom .vbs script that collects system information such as the operating system, DNS details, and firewall configuration. The collected data is then stored in C:\Windows\System32\config or C:\Windows\System32\reg. Adversaries use scripts like this to compile system data for exfiltration or to alter a system’s configuration.

T1564 Command Execution

CyberBilly7 contributed a test that emulates NirCmd usage for command execution. Reconnaissance and privilege escalation can be achieved by running commands with the SYSTEM account. This test was written in consideration of Kroll’s technical analysis on the Black Basta ransomware-as-a-service group.

CONTRIBUTOR SUPPORT

Top contributors

  • thomasxmeng
  • Scoubi
  • blueteam0ps
  • cyberbuff

New contributors

  • thomasxmeng
  • Scoubi
  • Mikoyan-Dee

Create and validate atomics in your browser

Want to contribute to Atomic Red Team but don’t know how? Are YAML files the bane of your existence? There’s an app for that! Try out the new Streamlit web application and create atomics at will. Input commands for a new test and see the resulting YAML in the sidebar or validate an atomic from a provided YAML.