FAQs

Answers to some common questions about Atomic Red Team.

What is Atomic Red Team?

Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.

How can Atomic Red Team help me?

Atomic Red Team serves many needs: validating visibility, testing detection coverage, and emulating adversary behaviors. However, it’s increasingly clear that while the platform was designed with the intention of helping security teams execute simple red team exercises (as the name implies), it may be just as useful as an educational resource. Check out this blog post to see how it can help you gain development experience, become familiar with tools and tech, hone your analytical skill set, and even network with other security professionals.

How well does Atomic Red Team cover the MITRE ATT&CK® techniques?

We can visualize how well Atomic Red Team covers the MITRE ATT&CK tactics, techniques, and procedures by viewing the available atomic tests on the MITRE ATT&CK Navigator. The colored items on the matrix indicate that at least one atomic test exists for the given technique.

• All Operating Systems
• Windows
• Linux
• macOS

How can I get started?

Check out the getting started page of the Wiki.

Are there Atomic Tests for Linux and macOS?

Yes.

You can find a listing of Linux tests here and macOS tests here.

How did the Atomic Red Team project get started?

For some history on how this project began, see the "Looking Back" blog post.

What does Red Canary do?

Red Canary provides managed detection and response, open-source tools, and education for the information security community.

Couldn't antivirus vendors use this tool and render it useless?

No.

It is possible, if not probable, that antivirus vendors could use the Atomic Red Team project to build weak detections, giving an impression of better attack coverage than they really have. An example of a weak detection is alerting on any file executed out of the default installation directory of C:\AtomicRedTeam or downloaded from the Atomic Red Team repository. The primary suggestion for dealing with this is to use input arguments when defining atomic tests. This allows the user to specify a custom URL to download files from or otherwise change up the known Atomic Red team signature at runtime in an unpredictable way.

Does Atomic Red Team negate the need for a traditional red team?

No.

There will always be things that red teams can do that can't be scripted. For example, realistic phishing emails from a believable source, vishing, credential stuffing, zero-day exploitation, and so on.

Can I chain multiple atomic tests together to emulate specific attack groups?

Yes.

You can manually chain tests together by running individual atomic tests back to back but there is no automated solution for emulating a specific attack group as a whole. But stayed tuned, this feature has been requested and is in the works.

Can I run an Atomic Red Team test on a remote machine where Atomic Red Team is not installed?

Yes.

Take a look at the Remote test execution section of the Invoke-AtomicRedTeam Wiki.

Is there a notification when new atomic tests are added?

Yes.

The Atomic Red Team Slack Workspace has a public channel called "#atomic-git" where notifications for all contributions are posted.

Does Atomic Red Team cover cloud infrastructure attacks?

Yes!

Look for tests which have a iaas as a supported platform.