The folks at Datadog just made detection validation a whole lot easier! Their Workload Security Evaluator conveniently runs in a Docker container that includes ready-to-execute atomic tests and is monitored by the Datadog Agent, making for an easy and portable emulation environment.

Need to do some testing in a hurry? John Strand and the fine folks at Black Hills Information Security have a quick and dirty tutorial on running atomic tests against BLUESPAWN open source EDR. If you’ve got five minutes, you’ve got time for this great how-to guide.

The Haag is here and ready to talk tests! In this thread, Atomics on a Friday host and maintainer Michael Haag shows contributors-to-be how to identify threats that could use emulation, then writes the test step-by-step. If you’ve got cold feet about contributing, this thread will show you where to start.

The open source XDR/SIEM Wazuh has a lot of tricks up its sleeves. What better way to test them than with atomics? This guide from John Olatunde breaks down the process of event capture, detection rule creation, log analysis, and alerting in Wazuh using Atomic Red Team emulation.

Adversaries like to make their malicious executables appear legitimate, resulting in an opportunity to evade naive detection logic. New-ATHPortableExecutableRunner allows a user to build an EXE or DLL without needing to write any code and with full, granular control over version-info properties and signature information. It can also be used to clone these attributes from an existing PE file.

Maintainer Carrie Roberts demonstrates tests in the Office Application Startup technique (T1137) and explains how they work in another edition of Atomic Spotlight! Custom built Add-ins for Microsoft Office allow attackers to obtain persistent code execution without needing administrative access to their target.

Contributor swachchhanda000 added a set of tests and improvements to both the Security Software Discovery (T1518.001) and LSASS Memory (T1003.001) techniques. Among them are tests that emulate antivirus discovery via cmdlets, tests for Windows Defender and Firewall enumeration, and tests that emulate an LSASS dump using the rdrleakdiag LOLbin.

This test from contributor traceflow emulates the DarkGate loader malware’s second stage by writing a VBscript to disk directly from the command prompt then executing it. VBScript malware is exceedingly common thanks to the decades-old language’s popularity in Windows system management.

User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts. In this new test from contributor msdlearn, UAC is disabled for Secure Desktop mode by modifying a registry key. This test is very similar to the UAC bypass registry changes made by ransomware like BitPaymer.

In this test, contributor thomasxmeng creates an emulation of a tactic seen in many backdoors. When run, the test iinjects a portable executable into a remote Notepad process's memory using Portable Executable Injection and base-address relocation techniques.