WELCOME

Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Check out the archive for previous editions, visit our website, chat with us on Slack and visit our new subreddit!

THE LATEST FROM ATOMIC RED TEAM

A new way to see and sort recently updated tests

Ever wonder when Atomic Red Team tests for a MITRE ATT&CK technique were last updated? Or wanted a way to see what the most recently updated tests are? A new update to atomicredteam.io now shows the last update when searching and filtering the list of Atomic Tests. Curious which techniques don’t have a test yet? Now there’s a way— see example here—to know which technique would be better with your contribution.

TRY OUT THE NEW FEATURE

NEW AND FEATURED TESTS

T1003.003 - OS Credential Dumping: NTDS

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights

T1176 - Browser Extensions

Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, IDEs, and other platforms

T1546.018 - Event Triggered Execution: Python Startup Hooks

Adversaries may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (.pth) files and the sitecustomize.py or usercustomize.py modules

ATOMIC IN THE WILD

Simulate and build detections in Attack Range

The latest update (V5.0) to Splunk’s Attack Range, an open source project that allows for the building of cloud environments and simulation of adversary behavior, was recently released. Attack Range allows for the simulation of attacks via Atomic Red Team techniques from the app, API, or CLI. Afterwards, defenders can use the generated telemetry to build and test detections in Splunk.

LEARN MORE

A PowerShell primer

Donya Bino, a cybersecurity consultant at London-based Red Secure Tech recently published a blog walking through how to get started with Atomic Red Team for PowerShell, including popular tests to use—including tests #1, #2, and #3 from T1059.001—pointers for running a test, and other practical tips for your environment.

READ THE BLOG

A new way to emulate AWS threats

Cloud security company Mitigant used the Atomic Red Team schema to build its YAML-based Cloud Attack Language. This blog breaks down how the language feeds into its Threat Catalog, a catalog of cloud attack techniques it recently released to help better visualize MITRE ATT&CK techniques in AWS environments. The catalog translates these into specific AWS CLI actions that target cloud services like IAM, S3, and Lambda.

EXPLORE THE PROJECT

Top contributors

First-time contributors

UPCOMING MINISERIES

Inside the Threat Detection Report

The 2026 Threat Detection Report is almost here! Join Red Canary for a three-part miniseries designed to help defenders and decision makers gain a strategic and tactical advantage over modern adversaries. Get a look at the latest shifts in cybercrime, learn how to operationalize this intelligence to harden your organization’s security controls against today’s threats, and more.