Carrie Roberts edited this page May 18, 2023 · 29 revisions

Invoke-AtomicRedTeam is a PowerShell module that executes tests as defined in the atomics folder of Red Canary's Atomic Red Team project. The "atomics folder" contains a folder for each Technique defined in the MITRE ATT&CK™ Framework. Inside each of these "T#" folders you'll find a YAML file that defines the attack procedures for each atomic test, as well as an easier-to-read Markdown (md) version of the same data.

  • Executing atomic tests may leave your system in an undesirable state. You are responsible for understanding what a test does before executing it.

  • Ensure you have permission to test before you begin.

  • It is recommended to set up a test machine for atomic test execution that is similar to the build in your environment. Be sure you have your collection/EDR solution in place, and that the endpoint is checking in and active.

Invoke-AtomicRedTeam installation and usage instructions can be found on the index to the right (in the sidebar).

There are a series of short instructional videos on this YouTube channel.

You can also find an in-depth 1 hour webcast here, with hands-on lab documents here.

A good general overview of the value of attack emulation is also found here.