Backdoors & Breaches is back…this time, in red. The popular incident response card game is not only excellent for helping professional teams maintain a good security posture, it also makes for a great party game among security practitioners of all experience levels. Featuring a series of incidents from the realistic to the bizarre, we integrated atomic tests and MITRE techniques heavily into the deck. Play on!

Testing at scale to validate activity is difficult, especially when working from different data sources and endpoints. Therein lies the need for a testing project that creates and instruments virtual machines, and thus, Coalmine was born. Using Atomic Test Harnesses, Invoke-Atomic, Ansible, and Terraform, we explore the process of deploying effective tests and emulation at scale.

This new test from contributor msdlearn executes the driverquery command to list drivers installed on the system. Adversaries use driver enumeration to find possible defenses, vulnerabilities, and functions of the victim machine.

Contributor Anitube added a test that emulates the abuse of safe mode to modify boot configuration data stores. This is commonly used by adversaries to disable defenses like antivirus and endpoint protection solutions.

A new set of tests from contributor D4rkCiph3r adds a series of emulations to a common adversarial technique: encrypting data for impact. This test set uses 7zip, OpenSSL, and ccrypt to encrypt files and create an archive. Adversaries use this technique to interrupt availability, rendering data or resources inaccessible.

jonod8698 contributed a test for macOS Chrome Remote Debugging, which falls under the technique of T1539: Steal Web Session Cookie. This OS-agnostic technique has an adversary stealing session cookies to gain unauthorized access to services or applications without credentials. The new test uses the remote debugging functionality in Chrome to obtain cookies without keychain access, sidestepping encryption using a built-in browser function.