WELCOME
 

Welcome to this month's edition of the Atomic Newsletter, a monthly email with updates and news about Atomic Red Team™ and its related projects such as MITRE ATT&CK®, Invoke-AtomicRedTeam, AtomicTestHarnesses, and more. Visit our website and join the community chat with us on Slack!

 
 
The latest from Atomic Red Team
 
 
 
 
Welcome to new maintainer Josh Rickard!
 

We're so happy to have Josh Rickard as our newest maintainer! As the creator of Atomic-Operator, he's already contributed a lot to the Atomic family as well as the entire open source space.

 
 
READ: Atomic year in review
 

It's time for our first year in review! We rounded up some of the most popular updates to the Atomic family and some of the most popular resources related to Atomic.

 
Finding the gap: How curiosity and creativity drive threat detection
 

Threat Detection Engineer Micah Babinski writes on the use of Atomic Red Team in understanding detections and the gaps between them in a playful examination of how real-world attack techniques.

 
Atomic Red Team 5: Abuse NSlookup with DNS Records
 

Security professional Sai Prashanth Pulisetti provides a useful guide on how to run T1059.001 to abuse NSLookup and examine the results in ELK, and even provides a custom Sigma rule to capture the events across multiple instances.

 
NEW ATOMIC TESTS
 
 
 
Introducing T1562: Windows Disable LSA Protection
 

Enabling LSA Protection configures Windows to handle the credential material stored in LSASS memory (such as hashes and clear-text passwords) in a more secure fashion—specifically, by preventing non-protected processes from accessing that data. Upon successful execution of this test, the registry is modified and RunAsPPL is set to 0, disabling LSASS protection.
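Detection logic for the registry change this test performs, as an added example that is not part of the newsletter or of Atomic Red Team's own code: it scans records shaped like Sysmon Event ID 13 (RegistryEvent: Value Set) and flags any write of RunAsPPL to 0 under the Lsa key. The field names follow Sysmon; the sample events are constructed, not captured from a host.

```python
"""Flag registry writes that disable LSA Protection (RunAsPPL -> 0)."""
import re

# Key whose RunAsPPL value gates LSASS Protected Process Light mode.
LSA_KEY = r"\system\currentcontrolset\control\lsa"
# Sysmon renders DWORD values as e.g. "DWORD (0x00000000)".
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")

# Constructed sample events in Sysmon Event ID 13 field layout (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\RunAsPPL",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\RunAsPPL",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse",
     "Details": "DWORD (0x00000000)"},
]


def parse_dword(details):
    """Return the integer DWORD from a Sysmon Details string, or None if not a DWORD."""
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def is_lsa_protection_disabled(event):
    """True when a SetValue event writes RunAsPPL=0 under the Lsa key."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return False
    target = event.get("TargetObject", "")
    # Drop the hive prefix and normalise case: tools spell HKLM\ and
    # \REGISTRY\MACHINE\ differently, and Sysmon echoes the caller's casing.
    path = re.sub(r"^(HKLM|\\REGISTRY\\MACHINE)", "", target, flags=re.I).lower()
    if path != LSA_KEY + r"\runasppl":
        return False
    return parse_dword(event.get("Details", "")) == 0


def find_lsa_disable_events(events):
    """Return (Image, TargetObject) pairs for events that disabled RunAsPPL."""
    return [(e["Image"], e["TargetObject"]) for e in events if is_lsa_protection_disabled(e)]


if __name__ == "__main__":
    for image, target in find_lsa_disable_events(SAMPLE_EVENTS):
        print(f"ALERT: {image} set {target} to 0 (LSA Protection disabled)")
```

A write of 1 to the same value and a 0 written to a different Lsa value are both left alone, so the rule only fires on the state change the test describes.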

 
Abusing container administration: Docker
 

Adversaries who have the necessary permissions can run malicious commands in containers in the cluster using the exec command (`docker exec`). In this method, adversaries use a legitimate image such as an OS image (e.g., Ubuntu) as a backdoor container and run their malicious code remotely by using `docker exec`. Kinsing (Golang-based malware) was executed with an Ubuntu container entry point that runs shell scripts.

 
CONTRIBUTOR SUPPORT
 
 

Top contributors

  • clr2of8
  • packetzero
  • aman143kri
  • dlee35

New contributors

  • dlee35
  • aman143kri
  • tvjust
  • devapriya16
  • noy-s1
  • prashanthpulisetti
  • briancdonohue
 
 
Contribute to Atomic Red Team
 

Roll the dice and find a technique—you’ll find that some don’t have atomic tests to go with them. This is where you come in! These MITRE ATT&CK techniques without tests represent a big opportunity for new contributions.

 
ROLL THE DICE
 
 