// Execute and validate adversary emulation tests using Atomic Red Team. Covers standard atomics, custom atomics (T9999.XXX), deployment workflows, and detection validation.
Generate MITRE ATT&CK Navigator layers for coverage visualization, threat actor mapping, and gap analysis. Produces JSON files compatible with the Navigator web app.
Create grouped detection narratives that tie individual rules into coherent threat stories. Covers Splunk Analytic Stories, Elastic detection rule groups, and Sentinel analytics grouping.
Build and manage adversary emulation lab environments for any SIEM. Covers Splunk Attack Range, Elastic Security labs, Azure Sentinel labs, and Docker-based setups. Maps data source requirements to infrastructure components.
Expert CTI analyst specializing in detection engineering, MITRE ATT&CK mapping, behavioral analysis, and intelligence-driven detection creation. SIEM-agnostic methodology that works with Splunk SPL, KQL, Sigma, and Elastic. Use when analyzing threat reports, creating detections, mapping MITRE techniques, or developing behavioral analytics.
Create, deploy, and execute custom Atomic Red Team tests (T9999.XXX series) for detection validation. Covers YAML authoring, Ansible deployment, and manual alternatives.
Map MITRE ATT&CK techniques to required data sources across Windows, Linux, cloud, network, and EDR telemetry. Includes CIM, ECS, Sigma, and KQL (Sentinel) field mapping comparisons.
| name | Atomic Red Team Testing |
| description | Execute and validate adversary emulation tests using Atomic Red Team. Covers standard atomics, custom atomics (T9999.XXX), deployment workflows, and detection validation. |
Required environment variables:
| Variable | Description | Example |
|---|---|---|
$SIEM_PLATFORM | Target SIEM for validation | splunk, sentinel, elastic |
$ATTACK_RANGE_PATH | Path to Attack Range installation | /opt/attack-range |
$ATTACK_RANGE_VENV | Path to Attack Range Python venv | /opt/attack-range/.venv |
$ATOMICS_PATH | Path to atomic-red-team atomics folder | /opt/atomic-red-team/atomics |
$CUSTOM_ATOMICS_PATH | Path to custom atomics (T9999.XXX) | /opt/custom-atomics |
Target placeholders used in this guide:
<TARGET_IP> — IP address of the test endpoint<TARGET_NAME> — Hostname of the test endpoint (e.g., ar-win-1)Detection engineering is iterative. The goal is NOT to run every atomic against every target — it is to generate the specific telemetry your detection needs and confirm the detection fires.
Core principles:
# List available tests for a technique
Invoke-AtomicTest T1059.001 -ShowDetailsBrief
# Run a specific test number
Invoke-AtomicTest T1059.001 -TestNumbers 1
# Run with prerequisite check and install
Invoke-AtomicTest T1059.001 -TestNumbers 1 -GetPrereqs
Invoke-AtomicTest T1059.001 -TestNumbers 1
# Cleanup after test
Invoke-AtomicTest T1059.001 -TestNumbers 1 -Cleanup
cd "$ATTACK_RANGE_PATH"
source "$ATTACK_RANGE_VENV/bin/activate"
# Run a standard atomic remotely
python attack_range.py simulate -t T1059.001 --target <TARGET_NAME>
# Run specific test number
python attack_range.py simulate -t T1059.001 -tn 1 --target <TARGET_NAME>
ansible <TARGET_NAME> -m win_shell -a "Invoke-AtomicTest T1059.001 -TestNumbers 1" \
--extra-vars "ansible_host=<TARGET_IP>"
When no standard atomic exists for your detection scenario, create a custom atomic using the T9999.XXX numbering scheme. This avoids collisions with upstream Atomic Red Team technique IDs.
| Range | Purpose |
|---|---|
| T9999.001–T9999.099 | Windows endpoint atomics |
| T9999.100–T9999.199 | Linux endpoint atomics |
| T9999.200–T9999.299 | Cloud / SaaS atomics |
| T9999.300–T9999.399 | Network / protocol atomics |
attack_technique: T9999.001
display_name: "Custom - Suspicious PowerShell Download Cradle"
atomic_tests:
- name: "PowerShell download cradle with Net.WebClient"
auto_generated_guid: <generate-a-uuid>
description: |
Simulates a PowerShell download cradle using Net.WebClient.
Designed to trigger detections for T1059.001 + T1105.
supported_platforms:
- windows
executor:
command: |
powershell.exe -NoProfile -Command "(New-Object Net.WebClient).DownloadString('http://127.0.0.1/test')"
name: command_prompt
elevation_required: false
$CUSTOM_ATOMICS_PATH/T9999.XXX/T9999.XXX.yamlansible <TARGET_NAME> -m win_copy \
-a "src=$CUSTOM_ATOMICS_PATH/T9999.001/ dest=C:\\AtomicRedTeam\\atomics\\T9999.001\\" \
--extra-vars "ansible_host=<TARGET_IP>"
Invoke-AtomicTest T9999.001 -TestNumbers 1
The standard workflow is: Deploy → Execute → Wait → Validate
Ensure the target has Invoke-AtomicRedTeam installed and any custom atomics are synced.
Run the atomic test (see above). Note the exact execution time.
Telemetry takes time to reach your SIEM. Typical delays:
| Data Source | Expected Delay |
|---|---|
| Sysmon (via UF) | 30–90 seconds |
| Windows Security Events | 30–120 seconds |
| EDR telemetry | 15–60 seconds |
| Cloud audit logs | 1–5 minutes |
| Network flow data | 1–5 minutes |
Recommendation: Wait at least 2 minutes before querying, then retry at 5 minutes if nothing appears.
Check for telemetry first, then run the detection. Commands differ by SIEM:
Splunk (SPL):
// Check raw telemetry arrived
index=* sourcetype=* "<expected_process_name>" earliest=-15m
// Run the actual detection search
| your_detection_search_here
Sentinel (KQL):
// Check raw telemetry arrived
DeviceProcessEvents
| where Timestamp > ago(15m)
| where FileName == "<expected_process_name>"
// Or for SecurityEvent-based logs
SecurityEvent
| where TimeGenerated > ago(15m)
| where Process == "<expected_process_name>"
Elastic (EQL in Dev Tools or Discover):
// Check raw telemetry arrived (via Security → Timelines or Discover)
process where process.name == "<expected_process_name>"
and @timestamp > "now-15m"
Sigma (compile first, then test in target SIEM):
# Compile to your backend
sigma convert -t splunk -p sysmon rule.yml
sigma convert -t microsoft365defender rule.yml
sigma convert -t elasticsearch rule.yml
Atomic executed
└─ Telemetry in SIEM?
├─ NO → Check: UF running? Correct sourcetype? Parsing errors?
└─ YES → Detection fires?
├─ NO → Check: Field names? Time window? Logic errors?
└─ YES → Document result ✓ → Move to next test
splunk status)elastic-agent status)systemctl status filebeat)-GetPrereqs firstSet-ExecutionPolicy Bypass -Scope Processelevation_required fieldyamllint T9999.XXX.yaml)auto_generated_guid1. Identify coverage gap (technique with no detection)
2. Write detection rule (SPL / Sigma / KQL)
3. Find or create atomic test for the technique
4. Deploy atomic to test environment
5. Execute atomic
6. Validate telemetry arrives
7. Validate detection fires
8. Document results (log_decision in knowledge graph)
9. Submit detection PR with test evidence
This workflow ensures every detection is tested before merge — not just syntactically valid but actually capable of catching the behavior it claims to detect.