Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

The latest from Atomic Red Team
WATCH: Atomics on a Friday Constructing Defense

Joined by Anton Ovrutsky of SumoLogic Threat Labs, Mike Haag and Paul Michaud tour Anton's latest project, the 'Constructing Defense' course. Learn about the construction of a multi-cloud lab from the ground up, the execution of real-world TTPs, and detection strategies using a SIEM platform.

READ: Why adversaries have their heads in the cloud

It makes sense that defenders’ visibility into cloud environments can be a bit…well, cloudy. We gathered a team of experts to help you clear things up. In the latest installment of our Detection Series, Red Canary’s own Thomas Gardner and Justin Schoenfeld joined MITRE’s Casey Knerr and Atomic Red Team Maintainer Jose Hernandez for an in-depth discussion of the most prevalent cloud techniques.

T1562.010 PowerShell v2 downgrade

Contributor zaicurity added this new test that runs a cmdlet explicitly via PowerShell v2. This is a tactic sometimes seen in adversary TTPs and is known as a PowerShell downgrade attack, intended to subvert some of PowerShell’s newer security features (like better transcription, deep script block logging, and more).
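As an added example (not part of the newsletter or of the Atomic Red Team test itself), here is one way a defender can spot the behaviour this test exercises. The script below scans constructed sample events for the two usual signals of a downgrade: a classic Windows PowerShell event ID 400 whose EngineVersion is 2.x, and a process command line that passes `-Version 2` (PowerShell accepts any unambiguous prefix of `-Version`, so `-v 2` and `-ve 2` count too). The event shapes are simplified stand-ins for the real logs.

```python
import re

# Constructed sample events (not real logs): a flattened view of the fields
# an analyst would see in the "Windows PowerShell" log and in Sysmon event 1.
SAMPLE_EVENTS = [
    {"provider": "Windows PowerShell", "event_id": 400,
     "message": "Engine state is changed from None to Available. "
                "Details: HostName=ConsoleHost EngineVersion=5.1.19041.1 HostVersion=5.1.19041.1"},
    {"provider": "Windows PowerShell", "event_id": 400,
     "message": "Engine state is changed from None to Available. "
                "Details: HostName=ConsoleHost EngineVersion=2.0 HostVersion=5.1.19041.1"},
    {"provider": "Microsoft-Windows-Sysmon", "event_id": 1,
     "message": "CommandLine: powershell.exe -Version 2 -NoProfile -Command Get-Process"},
    {"provider": "Microsoft-Windows-Sysmon", "event_id": 1,
     "message": "CommandLine: powershell.exe -NoProfile -Command Get-Process"},
    {"provider": "Microsoft-Windows-Sysmon", "event_id": 1,
     "message": "CommandLine: powershell.exe -v 2 -c whoami"},
]

# Any prefix of "-Version" (-v, -ve, -ver, ...) followed by 2 or 2.0.
VERSION_FLAG = re.compile(
    r"(?i)(?<!\S)-v(?:e(?:r(?:s(?:i(?:o(?:n)?)?)?)?)?)?\s+2(?:\.0)?(?!\S)"
)
# EngineVersion as reported by the engine lifecycle event (ID 400).
ENGINE_VERSION = re.compile(r"EngineVersion=(\d+)\.(\d+)")


def classify(event):
    """Return a label for a downgrade indicator, or None if the event is benign."""
    msg = event["message"]
    if event["provider"] == "Windows PowerShell" and event["event_id"] == 400:
        m = ENGINE_VERSION.search(msg)
        if m and int(m.group(1)) == 2:
            # The 2.0 engine actually started: script block logging and
            # transcription as found in 5.x will not apply to this session.
            return "engine_v2_started"
    if "CommandLine:" in msg and VERSION_FLAG.search(msg):
        # Someone asked for the old engine; on hosts without the 2.0 engine
        # installed this fails, but the intent is still worth an alert.
        return "version_2_requested"
    return None


def find_downgrades(events):
    """Return (index, label) for every event that carries a downgrade indicator."""
    results = []
    for i, event in enumerate(events):
        label = classify(event)
        if label:
            results.append((i, label))
    return results


if __name__ == "__main__":
    for idx, label in find_downgrades(SAMPLE_EVENTS):
        print(f"event {idx}: {label}: {SAMPLE_EVENTS[idx]['message']}")
```

The engine-start event is the stronger signal, because it proves the 2.0 engine was actually loaded; the command-line match catches the attempt even on hosts where the old engine has been removed, which is itself the recommended mitigation.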

T1055 Custom UUID process injection

This test from contributor thomasxm is an emulation of a particularly stealthy implementation of UUID injection written in C. The code can be stored in UUID form on the heap and converted back to binary via UuidFromStringA at runtime. Custom implementations of UuidToString and UuidFromString are used to avoid static signatures, making for a more challenging detection.

T1027.007 Dynamic API resolution

In another test from thomasxm, NtCreateFile is called via API hashing and dynamic syscall resolution. A new file is created in the user's temp folder, a common location for droppers. Adversaries typically obfuscate and dynamically resolve API functions to conceal malicious functionality and impair defensive analysis.

T1020 Exfiltration via encrypted FTP

Contributor prashanthpulisetti added a second test for this technique. In this test, an encrypted file transfer is simulated to a free temporary FTP server. Adversaries typically exfiltrate sensitive data over FTP and other alternate protocols because they are external to an existing command and control channel or are easier to obfuscate.
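Because FTPS hides the file contents, the practical detection for this test is volumetric: outbound FTP or FTPS sessions from an internal host to an external server that move more data than the host normally sends. The script below is an added example (not part of the newsletter or the Atomic test) that runs that heuristic over constructed flow records. Internal ranges are the RFC 1918 networks, the external addresses are documentation ranges chosen for the sample, and the 50 MiB threshold is an assumption to tune per environment.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not real telemetry): one line per connection, with
# bytes sent by the internal client. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for external servers.
SAMPLE_FLOWS = [
    {"ts": "2023-03-01T10:00:01", "src": "10.0.5.12", "dst": "10.0.0.8",      "dport": 21,  "bytes_out": 120_000_000},
    {"ts": "2023-03-01T10:05:00", "src": "10.0.5.12", "dst": "203.0.113.45",  "dport": 990, "bytes_out": 48_000_000},
    {"ts": "2023-03-01T10:06:10", "src": "10.0.5.12", "dst": "203.0.113.45",  "dport": 990, "bytes_out": 52_000_000},
    {"ts": "2023-03-01T11:00:00", "src": "10.0.7.3",  "dst": "198.51.100.7",  "dport": 21,  "bytes_out": 4_096},
    {"ts": "2023-03-01T11:30:00", "src": "10.0.7.3",  "dst": "198.51.100.7",  "dport": 443, "bytes_out": 900_000_000},
]

# FTP data/control and implicit FTPS data/control ports.
FTP_PORTS = {20, 21, 989, 990}
# Assumed alert threshold per (source, destination) pair; tune to the environment.
THRESHOLD = 50 * 1024 * 1024

INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_external(ip):
    """True when the address is outside the RFC 1918 ranges we treat as internal."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def ftp_exfil_candidates(flows, threshold=THRESHOLD):
    """Sum outbound bytes over FTP/FTPS per (src, dst) to external hosts and
    return the pairs that reach the threshold."""
    totals = defaultdict(int)
    for flow in flows:
        if flow["dport"] in FTP_PORTS and is_external(flow["dst"]):
            totals[(flow["src"], flow["dst"])] += flow["bytes_out"]
    return {pair: total for pair, total in totals.items() if total >= threshold}


if __name__ == "__main__":
    for (src, dst), total in ftp_exfil_candidates(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {total / 1024 / 1024:.1f} MiB over FTP/FTPS")
```

Two of the sample records are there to show the false-negative side of the heuristic: the large transfer to an internal FTP server is ignored on purpose, and the large HTTPS transfer is out of scope for this technique and needs its own rule. Aggregating per pair rather than per flow matters because a transfer split into several sessions, as in the two 990/tcp records, would otherwise stay under the threshold.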

Top contributors

  • prashanthpulisetti
  • Jake151
  • thomasxm

New contributors

  • thomasxm
  • kchoudhury-scwx
  • Emilemarty
  • Jake151
  • prashanthpulisetti

A new view for Atomic

Maintainer Hare Sudhan has put together a beautiful new test portal to represent Atomic Red Team! Built on Vercel, this new format features better access to overviews of the Atomic family of projects and a streamlined search and filtering system for Atomic tests. This portal is currently in progress and will likely be moving around and merging into AtomicRedTeam.io in the coming months.
