The Atomic Family is a suite of open-source projects designed to help security teams test their detection and response coverage. The four projects are: Atomic Red Team, Invoke-Atomic, AtomicTestHarnesses, and Chain Reactor.
Atomic Red Team
Atomic Red Team is a library of tests intended to simulate adversarial activity on endpoints. Most atomic tests are lightweight and portable, and each test is mapped to a MITRE ATT&CK® technique. Running an atomic test is often as simple as executing a command or two, so it’s relatively easy to add Atomic Red Team to an existing testing plan.
Invoke-Atomic
Invoke-Atomic is a PowerShell-based framework for developing and executing atomic tests. The framework is cross-platform, so security teams can execute tests on Windows, macOS, and Linux endpoints. It’s also possible to execute tests remotely, which makes it easier to test across a network.
Invoke-Atomic is easy to use: the framework has built-in functions to help users install atomic tests, execute them, and restore endpoints to their pre-test states.
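The install, execute, and restore cycle described above, shown as an added PowerShell example. This is not code from the page or from the Invoke-Atomic project itself; it assumes the module is installed from the PowerShell Gallery under its published name invoke-atomicredteam, uses ATT&CK technique T1082 (System Information Discovery) as a low-impact technique to exercise, and treats $remoteHost as a placeholder for a machine in your own lab. The cmdlet and parameter names (Invoke-AtomicTest, -ShowDetailsBrief, -CheckPrereqs, -GetPrereqs, -TestNumbers, -Cleanup, -Session, -ExecutionLogPath) are the ones documented in the project wiki at the time of writing; check them against the current wiki before relying on them.

```powershell
# Added example: one full Invoke-Atomic cycle on a lab endpoint.
# Assumes an elevated PowerShell session and outbound access to the
# PowerShell Gallery and GitHub for the install steps.

# 1. Install the framework module and pull down the atomics test library.
Install-Module -Name invoke-atomicredteam -Scope CurrentUser -Force
Import-Module invoke-atomicredteam

# The project's installer script provides Install-AtomicRedTeam; -getAtomics
# downloads the Atomic Red Team test definitions into C:\AtomicRedTeam by default.
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics -Force

# 2. Review what a technique's tests actually do before running anything.
Invoke-AtomicTest T1082 -ShowDetailsBrief

# 3. Confirm prerequisites for a single test, fetching them if they are missing.
Invoke-AtomicTest T1082 -TestNumbers 1 -CheckPrereqs
Invoke-AtomicTest T1082 -TestNumbers 1 -GetPrereqs

# 4. Execute the test. The execution log records start/end timestamps and the
#    host name, which is what you correlate against SIEM/EDR telemetry to decide
#    whether the detection fired. (Path here is a constructed lab value.)
$logPath = 'C:\AtomicRedTeam\logs\T1082-run.csv'
Invoke-AtomicTest T1082 -TestNumbers 1 -ExecutionLogPath $logPath

# 5. Restore the endpoint to its pre-test state.
Invoke-AtomicTest T1082 -TestNumbers 1 -Cleanup

# 6. Same cycle against a remote lab endpoint over PowerShell remoting.
#    $remoteHost is a placeholder; WinRM must already be enabled on the target.
$remoteHost = 'LAB-WIN-01'
$sess = New-PSSession -ComputerName $remoteHost
Invoke-AtomicTest T1082 -TestNumbers 1 -CheckPrereqs -Session $sess
Invoke-AtomicTest T1082 -TestNumbers 1 -Session $sess
Invoke-AtomicTest T1082 -TestNumbers 1 -Cleanup -Session $sess
Remove-PSSession $sess

# 7. Read back the execution log so each run can be matched to detections.
Import-Csv $logPath | Select-Object Technique, 'Test Number', 'Execution Time (UTC)', Hostname
```

Running -ShowDetailsBrief and -CheckPrereqs before the test itself is the habit worth keeping: it tells you exactly which commands will execute, so the telemetry you look for afterwards is tied to a known action rather than a guess.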
AtomicTestHarnesses
AtomicTestHarnesses is a PowerShell module that simulates and validates attack technique execution. The details of a technique can vary from attack to attack; AtomicTestHarnesses accounts for this by allowing users to execute many variations of a technique at once. AtomicTestHarnesses also validates the telemetry generated during execution, so users always know whether their simulations were successful.
Users can install and use AtomicTestHarnesses on its own, or use it alongside Invoke-Atomic to improve testing coverage.
Chain Reactor
Chain Reactor is a tool for testing detection and response coverage on Linux machines. Chain Reactor creates executables that can perform sequences of actions like process creation and network connections. These executables are fully customizable, and intended to simulate the multiple stages that comprise a real-world attack.
Chain Reactor allows users to compile tests from Atomic Red Team and elsewhere into portable, sharable files.