WELCOME
 

Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Check out the archive for previous editions, visit our website, chat with us on Slack, and visit our new subreddit!

 
 
THE LATEST FROM ATOMIC RED TEAM
 
 

Let's get automated
 
Atomic Red Team maintainer Hare Sudhan has released Atomic Red Team MCP (Model Context Protocol), a server that automates atomic testing, streams results and logs for correlation, and integrates with AI tools like Claude. Looking to learn more? Visit the GitHub repo and watch a live demo of the tool on Atomics on a Friday.
ATOMIC IN THE WILD
 
 
Simulate EDR-Freeze evasion
 
On Office Hours, Keith McCammon, Red Canary co-founder and Chief Security Officer, and Dave Farrow, Red Canary CISO, discussed EDR-Freeze, a new proof-of-concept EDR-disabling tool, and a new Atomic test designed to help test your defenses against it.
Build your own SIEM
 
Carlos Adriano, a cybersecurity engineer who blogs about reverse engineering, has published a three-part series on threat emulation, including a primer on installing and running Atomic Red Team, a deep dive on Atomic functions including Invoke-AtomicTest, and how to turn Sigma rules for Atomic Red Team tests into SIEM queries.
Hunting stealthy WMI event subscriptions
 
Nesrine Cherrabi, a security engineer and SOC analyst, published this Medium blog on hunting WMI event subscription persistence. It walks readers through how to generate and run an atomic test with PowerLurk to show stealthy WMI persistence. It also touches on how to hunt for artifacts with Sysmon, the ELK Stack, and Osquery.
Top contributors
 
First-time contributors 
 
UPCOMING WEBINAR
 
 
Inside Red Canary’s human-led, AI-powered SOC
 
Join us for a rare look at Red Canary’s human-centric approach to AI in the SOC. Learn how to operationalize intelligence quickly, how to build agents and workflows you can trust, and more.


