WELCOME
 

Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Check out the archive for previous editions, visit our website, chat with us on Slack, and visit our new subreddit!

 
 
THE LATEST FROM ATOMIC RED TEAM
 
 

Brush up on Atomic Red Team at WWHF @ Mile High
 
As the new year begins, it's a great time to start planning which cybersecurity conferences you'd like to attend, leveraging this fresh start to map out your professional development for the months ahead. If you’re based in Colorado, there's still time to register for Wild West Hackin' Fest @ Mile High. Looking to brush up on Atomic Red Team? Register for an in-person training class on either February 12 or 13 to get hands-on help building practical threat emulation capabilities.
ATOMIC IN THE WILD
 
 
Discovery vs. persistence
 
A blogger who regularly writes about testing SIEM detection with Atomic Red Team under the handle Raynard Waits had a handful of great blogs over the last month, including a two-part series on hunting for persistence techniques. This blog, about account discovery, walks through a threat hunt for three techniques (T1087.001 #9, T1069.001 #3, and T1018.001 #1) buried in over 1,200 process events. The big takeaway? Detection maturity varies wildly by technique category.
Automating the hunt
 
Sujal Chauhan, who blogs as CyberFreak on Medium, wrote about building a production-grade detection automation setup leveraging Elastic, Sigma, and Atomic Red Team. In this example, convert_sigma.py reads Sigma rules, execute_atomic.py executes an LSASS dumping test, and other components handle verification and production concerns.

Atomic Red Team → ELK pipeline
 
In this home detection lab writeup recently published to GitHub, Will Schmidt, a cybersecurity analyst who creates projects under the name MYRMIDON Security, shows how his lab mirrors SIEM triage workflows with a live simulation of attacks from Atomic Red Team and an independent Kali attack box, with telemetry fed into the ELK Stack.
Top contributors
 
Congratulations to our top contributor this month, vl43den!
UPCOMING WEBINAR
 
 
Simplify cloud threat detection in complex environments
 
Effective cloud security requires both comprehensive insights into cloud resources and efficient threat detection to respond to risks quickly. Join this upcoming webinar to learn about some of the key challenges in securing dynamic cloud environments.


