WELCOME
 

Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Check out the archive for previous editions, visit our website, chat with us on Slack and visit our new subreddit!

 
 
THE LATEST FROM ATOMIC RED TEAM
 
 

Next week: We talk all things AI and Atomic
 
Join Atomic Red Team maintainer Hare Sudhan next week on Red Canary SecOps Weekly to hear about the latest AI enhancements for the project, including a Model Context Protocol (MCP) server and streamlined LLM integration for testing MITRE ATT&CK® techniques. Hear firsthand how these updates allow security teams to more easily connect open-source defense tests to AI models for advanced detection and response exploration.
ATOMIC IN THE WILD
 
 
An automated detection engineering pipeline
 
Speaking of MCPs, Mike Haag and Paul Michaud of Atomics on a Friday discussed Security Detections MCP 3.0 (an MCP server that lets LLMs query Sigma, Splunk ESCU, Elastic, and KQL detection rules) in a recent episode. The open source tool, which is now in v3.1, includes six sources and 8,200+ detections. Watch the video and head to the GitHub repository to learn more.
Execute Atomic tests with Atomic-Operator
 
Kali Linux released a new version of its distribution that includes a new security tool, Atomic-Operator, for running cross-platform Atomic Red Team tests. For more information on Atomic-Operator and how it can help identify defensive capabilities and gaps in defensive coverage, head to the tool's GitLab repository, or Kali's tool page, below.
Simulating and detecting malicious PowerShell
 
Nedheesh Hasija, a cybersecurity analyst based in India, wrote a Medium blog post last month discussing how he set up a home lab with Atomic Red Team and Sysmon and used Invoke-AtomicTest T1059.001 to detect malicious PowerShell activity (MITRE ATT&CK T1059.001).
Top contributors
 
First-time contributors 
 
NEW RESOURCE
 
 
Red Canary 2026 Threat Detection Report
 
The 2026 Threat Detection Report is here, arming you and your team with actionable insights into the year’s most prevalent security trends, threats, and MITRE ATT&CK® techniques. Our eighth annual retrospective presents an in-depth analysis of more than 110,000 threats detected across over 4.5 million identities, endpoints, and cloud assets over the past year.



