WELCOME
 

Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Check out the archive for previous editions, visit our website, chat with us on Slack, and visit our new subreddit!

 
 
THE LATEST FROM ATOMIC RED TEAM
 
 

Launch into the COM-mos: NEBULA takes off
 
Many living-off-the-land binaries and scripts can be used for malicious purposes. A new tool to help test how they work, NEBULA (Nefarious Execution & Behavioral Unit for LOLBAS Attacks), is an atomic testing framework designed for security researchers, red teamers, and blue teamers to understand COM objects, WMI methods, and persistence techniques in a controlled environment. Michael Haag’s framework includes safe test payloads derived from Atomic Red Team for hands-on security testing.

Will your security tools trigger when it matters most?

Looking to refine your SOC training? Join Atomic Red Team maintainer Carrie Roberts to learn how to execute scripted, realistic cyber attacks within your own environment. This training, part of Antisyphon Training’s SOC Summit, focuses on moving beyond assumptions by validating defenses and identifying critical coverage gaps before they can be exploited by adversaries.

 

March 25 | 3:30 – 3:55 PM ET | Virtual event

 
 
ATOMIC IN THE WILD
 
 
A new intel dashboard
 
Antonio Brandao, a cybersecurity services director, recently shared the evolution of his Threat Intelligence Command Center, a project that's designed to give actionable intelligence to security teams. The website integrates the complete ATT&CK® Matrix with Atomic Red Team test mappings in a single, interactive view and allows for the tracking of threat groups, software, mitigations, and campaigns.

Build your own agentic AI SOC lab
 
Syed Muddassir, a SOC analyst who regularly shares videos on YouTube under the handle ThreatHunter Academy, built an agentic AI SOC automation lab that demonstrates practical application of AI agents in security operations. He uses Atomic Red Team to validate techniques including T1003.001 - OS Credential Dumping, T1047 - Windows Management Instrumentation, and T1136.001 - Create Account. Muddassir demonstrates the Atomic Red Team validation at the 20-minute mark of the demo.

Top contributors
 
First-time contributors 
 
EXCLUSIVE INSIGHTS
 
 
Introducing SecOps Weekly
 
Join Red Canary’s security experts and industry influencers every Tuesday for a weekly broadcast that dissects the latest cybersecurity news, emerging threats, and practical detection guidance.



