Atomic Red Team

Atomic Red Team is a library of tests mapped to the MITRE ATT&CK framework that security teams can use to quickly, portably, and reproducibly test their environments.

Installation & Setup

Command	Description
`git clone https://github.com/redcanaryco/atomic-red-team.git`	Clone Atomic Red Team repository
`cd atomic-red-team`	Navigate to repository
`Install-Module -Name invoke-atomicredteam,powershell-yaml -Scope CurrentUser`	Install PowerShell modules
`Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force`	Import PowerShell module
`Invoke-AtomicTest T1003.001 -ShowDetails`	Show test details

Basic Usage

Command	Description
`Invoke-AtomicTest T1003.001`	Execute specific atomic test
`Invoke-AtomicTest T1003.001 -TestNumbers 1`	Execute specific test number
`Invoke-AtomicTest T1003.001 -ShowDetails`	Show test details without executing
`Invoke-AtomicTest T1003.001 -CheckPrereqs`	Check prerequisites
`Invoke-AtomicTest T1003.001 -GetPrereqs`	Install prerequisites
`Invoke-AtomicTest T1003.001 -Cleanup`	Run cleanup for test

Test Discovery

Command	Description
`Get-AtomicTechnique`	List all available techniques
`Get-AtomicTechnique -Path "C:\AtomicRedTeam\atomics"`	List techniques from specific path
`Get-AtomicTechnique \| Where-Object {$_.DisplayName -match "credential"}`	Search techniques by keyword
`Get-AtomicTechnique T1003`	Get details for specific technique

MITRE ATT&CK Techniques

Initial Access

Command	Description
`Invoke-AtomicTest T1566.001`	Spearphishing Attachment
`Invoke-AtomicTest T1566.002`	Spearphishing Link
`Invoke-AtomicTest T1190`	Exploit Public-Facing Application
`Invoke-AtomicTest T1133`	External Remote Services
`Invoke-AtomicTest T1200`	Hardware Additions

Execution

Command	Description
`Invoke-AtomicTest T1059.001`	PowerShell execution
`Invoke-AtomicTest T1059.003`	Windows Command Shell
`Invoke-AtomicTest T1059.004`	Unix Shell
`Invoke-AtomicTest T1059.006`	Python execution
`Invoke-AtomicTest T1053.005`	Scheduled Task/Job

Persistence

Command	Description
`Invoke-AtomicTest T1547.001`	Registry Run Keys
`Invoke-AtomicTest T1053.005`	Scheduled Task
`Invoke-AtomicTest T1543.003`	Windows Service
`Invoke-AtomicTest T1136.001`	Local Account creation
`Invoke-AtomicTest T1098`	Account Manipulation

Privilege Escalation

Command	Description
`Invoke-AtomicTest T1548.002`	Bypass User Account Control
`Invoke-AtomicTest T1055`	Process Injection
`Invoke-AtomicTest T1134`	Access Token Manipulation
`Invoke-AtomicTest T1068`	Exploitation for Privilege Escalation

Defense Evasion

Command	Description
`Invoke-AtomicTest T1027`	Obfuscated Files or Information
`Invoke-AtomicTest T1070.004`	File Deletion
`Invoke-AtomicTest T1562.001`	Disable or Modify Tools
`Invoke-AtomicTest T1218.010`	Regsvr32
`Invoke-AtomicTest T1036`	Masquerading

Credential Access

Command	Description
`Invoke-AtomicTest T1003.001`	LSASS Memory dump
`Invoke-AtomicTest T1003.002`	Security Account Manager
`Invoke-AtomicTest T1003.003`	NTDS.dit
`Invoke-AtomicTest T1110.001`	Password Spraying
`Invoke-AtomicTest T1555.003`	Credentials from Web Browsers

Discovery

Command	Description
`Invoke-AtomicTest T1087.001`	Local Account Discovery
`Invoke-AtomicTest T1087.002`	Domain Account Discovery
`Invoke-AtomicTest T1018`	Remote System Discovery
`Invoke-AtomicTest T1083`	File and Directory Discovery
`Invoke-AtomicTest T1057`	Process Discovery

Lateral Movement

Command	Description
`Invoke-AtomicTest T1021.001`	Remote Desktop Protocol
`Invoke-AtomicTest T1021.002`	SMB/Windows Admin Shares
`Invoke-AtomicTest T1021.003`	Distributed Component Object Model
`Invoke-AtomicTest T1021.006`	Windows Remote Management
`Invoke-AtomicTest T1550.002`	Pass the Hash

Collection

Command	Description
`Invoke-AtomicTest T1005`	Data from Local System
`Invoke-AtomicTest T1039`	Data from Network Shared Drive
`Invoke-AtomicTest T1113`	Screen Capture
`Invoke-AtomicTest T1123`	Audio Capture
`Invoke-AtomicTest T1115`	Clipboard Data

Command and Control

Command	Description
`Invoke-AtomicTest T1071.001`	Web Protocols
`Invoke-AtomicTest T1071.004`	DNS
`Invoke-AtomicTest T1090.003`	Multi-hop Proxy
`Invoke-AtomicTest T1573.002`	Asymmetric Cryptography

Exfiltration

Command	Description
`Invoke-AtomicTest T1041`	Exfiltration Over C2 Channel
`Invoke-AtomicTest T1048.003`	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
`Invoke-AtomicTest T1567.002`	Exfiltration to Cloud Storage

Impact

Command	Description
`Invoke-AtomicTest T1485`	Data Destruction
`Invoke-AtomicTest T1486`	Data Encrypted for Impact
`Invoke-AtomicTest T1490`	Inhibit System Recovery
`Invoke-AtomicTest T1498`	Network Denial of Service

Advanced Usage

Custom Parameters

Command	Description
`Invoke-AtomicTest T1003.001 -InputArgs @{"output_file"="C:\temp\lsass.dmp"}`	Pass custom parameters
`Invoke-AtomicTest T1087.001 -InputArgs @{"username"="testuser"}`	Specify username parameter

Batch Execution

Command	Description
`Invoke-AtomicTest T1003.001,T1003.002,T1003.003`	Execute multiple tests
`Get-AtomicTechnique \| ForEach-Object {Invoke-AtomicTest $_.Technique}`	Execute all available tests

Logging and Output

Command	Description
`Invoke-AtomicTest T1003.001 -LoggingModule "Attire-ExecutionLogger"`	Enable logging
`Invoke-AtomicTest T1003.001 -ExecutionLogPath "C:\logs\atomic.log"`	Specify log path
`Invoke-AtomicTest T1003.001 -TimeoutSeconds 60`	Set execution timeout

Configuration

Config File (config.yaml)

# Atomic Red Team Configuration
atomics_folder: "C:\\AtomicRedTeam\\atomics"
log_folder: "C:\\AtomicRedTeam\\logs"
default_timeout: 120
check_prereqs: true
get_prereqs: false
cleanup: true

Environment Variables

Variable	Description
`$env:ATOMIC_RED_TEAM_PATH`	Path to Atomic Red Team directory
`$env:ATOMIC_LOG_PATH`	Path for execution logs
`$env:ATOMIC_TIMEOUT`	Default timeout for tests

Linux/macOS Usage

Installation

Command	Description
`git clone https://github.com/redcanaryco/atomic-red-team.git`	Clone repository
`cd atomic-red-team`	Navigate to directory
`chmod +x atomics//src/`	Make scripts executable

Execution

Command	Description
`bash atomics/T1059.004/src/T1059.004.sh`	Execute bash-based test
`python3 atomics/T1059.006/src/T1059.006.py`	Execute Python-based test
`./atomics/T1083/src/T1083-1.sh`	Execute specific test variant

Integration with SIEM

Splunk Integration

Command	Description
`Invoke-AtomicTest T1003.001 -LoggingModule "Splunk"`	Log to Splunk
`index=atomic_red_team technique=T1003.001`	Search Splunk for test results

ELK Stack Integration

Command	Description
`Invoke-AtomicTest T1003.001 -LoggingModule "Elasticsearch"`	Log to Elasticsearch

Custom Test Development

Test Structure

attack_technique: T1003.001
display_name: "LSASS Memory"
atomic_tests:
- name: Dump LSASS.exe Memory using ProcDump
  auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
  description: |
    The memory of lsass.exe is often dumped for offline credential theft attacks.
  supported_platforms:
  - windows
  input_arguments:
    output_file:
      description: Path where resulting dump should be placed
      type: Path
      default: C:\Windows\Temp\lsass_dump.dmp
  executor:
    command: |
      procdump.exe -accepteula -ma lsass.exe #{output_file}
    name: command_prompt

Custom Test Execution

Command	Description
`Invoke-AtomicTest -AtomicsFolder "C:\CustomAtomics" T9999.001`	Execute custom test

Reporting and Analysis

Command	Description
`Get-AtomicTestResults`	Get execution results
`Export-AtomicTestResults -Format CSV -Path "results.csv"`	Export results to CSV
`Get-AtomicCoverage`	Show MITRE ATT&CK coverage
`Show-AtomicTestMatrix`	Display test matrix

Automation and Scheduling

PowerShell Scheduled Jobs

$trigger = New-JobTrigger -Daily -At "2:00 AM"
Register-ScheduledJob -Name "AtomicRedTeam" -Trigger $trigger -ScriptBlock {
    Import-Module Invoke-AtomicRedTeam
    Invoke-AtomicTest T1003.001 -Cleanup
}

Continuous Testing

Command	Description
`Start-AtomicContinuousTesting -Techniques @("T1003.001","T1087.001") -Interval 3600`	Run tests every hour

Security Considerations

Run tests in isolated environments only
Ensure proper cleanup after test execution
Monitor for false positives in security tools
Document all test executions for compliance
Use least privilege principles
Implement proper access controls
Regular backup before testing
Coordinate with security operations center

Best Practices

Start with low-impact techniques
Always run prerequisite checks first
Use cleanup functions after testing
Document test results and observations
Coordinate with blue team activities
Test in non-production environments first
Implement proper logging and monitoring
Regular updates to test library
Validate detection capabilities
Create custom tests for specific environments

Troubleshooting

Command	Description
`Get-Help Invoke-AtomicTest -Full`	Get detailed help
`Test-AtomicTestInputArgs T1003.001`	Validate input arguments
`Get-AtomicTestPrerequisites T1003.001`	Check prerequisites
`Repair-AtomicTest T1003.001`	Attempt to fix test issues

Common Issues

Antivirus interference with test execution
Missing prerequisites or dependencies
Insufficient privileges for test execution
Network connectivity issues for external resources
Path-related issues on different operating systems