Red teaming is an authorised emulation of real attackers’ TTPs (Tactics, Techniques and Procedures) from MITRE ATT&CK, pretending to be a threat actor, and attempting intrusion against an organisation.


Atomic Read Team is a tool that allow to easily run “fake” attacks based on known TTPs in order to test detection and prevention systems [Link]. It used a PoweShell module called Invoke-AtomicRedTeam to execute the desired attack’s procedure [Link].

Install Execution Framework Only

Install-Module -Name invoke-atomicredteam,powershell-yaml -Scope CurrentUser

Install Execution Framework and Atomics Folder

IEX (IWR '' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -Force

Importing the Module in the PowerShell Session

Import-Module "~\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

List Atomic Tests and Check Any

Invoke-AtomicTest All -ShowDetailsBrief
Invoke-AtomicTest All -ShowDetailsBrief -anyOS
Invoke-AtomicTest T1016-8 -ShowDetailsBrief
Invoke-AtomicTest T1016-8 -ShowDetails
Invoke-AtomicTest T1016-8 -CheckPrereqs

Then, Execute!

Invoke-AtomicTest T1016-8
Invoke-AtomicTest T1016-8 -PromptForInputArgs
Invoke-AtomicTest T1016-8 -Interactive

Other Options

Invoke-AtomicTest T1089 -Cleanup
Invoke-AtomicTest T1218.010 -ExecutionLogPath 'C:\log.csv'
Invoke-AtomicRunner -listOfAtomics .\testsList.csv -PauseBetweenAtomics 30

Start the Atomic GUI



Caldera is an Automated Adversary Emulation Platform developed by MITRE [Link]. Its code can be found at [Link].

Both, Red and Blue teams can use this platform to install their Agents and monitor the operations occur.

Install and start Caldera on Kali

sudo apt install caldera -y

Note the credentials for both teams on the terminal:

Navigate to http://localhost:8888/.

Each team (Red and Blue) will have its own dashboard but they both look and work the same way:

Setup the Agents.

  • Important points to setup:
    • Select the Agent based on criteria like the desired communication protocol: TCP, HTTP, HTTPS, etc.
    • Enter the IP or hostname of Caldera Server and make sure it is reachable from the Agents.
    • It will produce multiple deployment commands that can copied and pasted on the end-points (Agents):
      • Caldera’s default Red team’s agent,
      • Blue team’s agent,
      • With a randomised name for quick start in background,
      • One that compiles in the end-point (requires GoLang),
      • Another that uses GIST C2,
      • And one that is capable of P2P communication.

Check the Adversary Profiles and define what will be emulated.

  • Important points to setup:
    • Re search the Abilities database for TTPs that match the organisation attach surface.

Create an Operation with the Adversary Profile chosen.

  • Important points to setup:
    • Study what adversaries are more likely to target your organisation or industry.
      • The adversaries are based on real threat actors observer behaviours and their abilities.

Create an Operation with the Adversary Profile chosen.

  • Important points to setup:
    • Create a new Operation and select the Adversary you want to emulate.
    • Adjust the desired obfuscation level and how much noise it will cause in the network.

Now, monitor the operation as it unfolds.


Run Atomic Red Team from a Container with:

docker run -it redcanary/invoke-atomicredteam:latest

Run Caldera from a Container with:

docker run -it -d mitre/caldera