Did you get a shiny new Red Canary expansion deck at Black Hat and want to learn more about how to play? Jason Blanchard from Black Hills Information Security has you covered! This informational talk walks through each card type and possible scenarios for play.

Paul Michaud and Michael Haag host a symphony of atomics and emulations on August 25 at 1 PM ET. The Atomics on a Friday livestream dives deep into common tactics, techniques, and procedures used by adversaries, then explores detection opportunities. What better way to finish out the work week?

Frequent contributor blueteam0ps has created a new test in a brand new technique involving additional cloud roles. This test emulates a common adversary tactic of adding an administrator role to an existing user on an Azure tenant. In the wild, this helps adversaries retain privileged access across the tenant, a great example of cloud-based persistence.

In another excellent test and new technique from blueteam0ps, additional permission levels are granted by a potential adversary to maintain persistence. This test pulls mailbox credentials and grants full mailbox permissions to a new user.

This new test from contributor CyberBilly7 emulates an adversary using NirCmd to execute commands. Based on behavior associated with ransomware-as-a-service group Black Basta, this test uses a command that hides the clock on the system tray.

New contributor RedinDisguise added a test that emulates the suspension and deletion of an AWS GuardDuty configuration. Adversaries typically use this technique to subvert security controls, removing or disabling security tools to mitigate chances of detection.