WELCOME
 

Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Check out the archive for previous editions, visit our website, chat with us on Slack and visit our new subreddit!

 
 
THE LATEST FROM ATOMIC RED TEAM
 
 

Thanks for joining us in Denver!
 
Thanks to everyone who joined our two-hour-long Atomic Red Team training last month in Denver! Missed it and happen to live in the Dallas area? We’re running it back next month. Sign up and be sure to select the Atomic Red Team 101 training add-on. Not in Dallas? Tell us where to go next.
ATOMIC IN THE WILD
 
 
Quick—and safe—NPM threat emulation
 
With npm compromises still making headlines week in and week out, Atomic Red Team co-founder Michael Haag pulled together a set of scripts to simulate common npm supply chain behaviors in a controlled way. Want more? See it discussed on Atomics on a Friday.
Build your own SIEM
 
Mourad Sherif, a blue team cybersecurity student, completed Elastic-ART, a guide to deploying Elastic Stack to create your own local SIEM setup for Windows event log shipping and analysis, simulations and more, plus mock DFIR simulations using Atomic Red Team. Head to the repo to learn how to deploy the infrastructure, set up your server, and more.
Build a detection lab that fits in your laptop
 
In this Medium blog—the second of three—cybersecurity engineer Joseph Gitonga walks readers through how to use Atomic tests in a DIY detection environment. He highlights tests including invoke-atomictest T1566.001 (Initial Access via Spear-phishing) and invoke-atomictest T1003.003 (Credential Access via NTDS.dit Dump).
Top contributors
 
First-time contributors 
 
UPCOMING WEBINAR
 
 
The Detection Series: Phishing
 
On October 30, learn how adversaries leverage phishing techniques and what security teams can do to better defend their organizations against the ways that intrusions, incidents, and breaches commonly start.


