What happens when you combine Atomic Red Team maintainers, thrunters, and a new expansion deck? Atomic-grade shenanigans! Maintainers Carrie Roberts and Josh Rickard joined us to play a game of Backdoors & Breaches, fighting their way through an incident with some Red Canary threat hunters.

Tidal Cyber’s Director of Cyber Threat Intelligence Scott Small wrote an excellent blog in response to the recent Flax Typhoon attacks. Using common validation techniques like atomic tests, Scott discusses standout behaviors that characterize APT persistence and how users can validate their defenses.

New contributor Scoubi created this test based on a proof of concept that uses $index_allocation to hide files. By specifying the ‘::$index_allocation’ stream, the test emulates a method of obscuring payloads.

This new test from contributor tropChaud disables network-level authentication for Remote Desktop Protocol (RDP) by changing a registry key via command prompt. Disabling NLA for RDP can allow remote user interaction with the Windows sign-in screen prior to authentication. This test was created using intel on Flax Typhoon reported by Microsoft.

New contributor Mikoyan-Dee’s commit brings a test with a custom .vbs script. This script is employed to collect system information such as operating system, DNS details, and firewall configuration. System information is then stored in C:\Windows\System32\config or C:\Windows\System32\reg. Adversaries use scripts like this to compile system data for exfiltration or to alter a system’s configuration.

CyberBilly7 contributed a test that emulates NirCmd usage for command execution. Reconnaissance and privilege escalation can be achieved by running commands with the SYSTEM account. This test was written in consideration of Kroll’s technical analysis on the Black Basta ransomware-as-a-service group.