Atomic Red Team

Q&A from the “Automating Atomic Red Team” Webcast

Casey Smith, Michael Haag

Share this

There was a great turnout for the latest Atomic Red Team webcast! Thanks to all the people that attended. We had some outstanding audience questions on the new YAML structure, use cases, and CALDERA, MITRE’s automated adversary emulation system. We’ll use this post to go through some of the Q&A in case you couldn’t attend or had to jump off early.

If you missed the live webcast, view the on-demand recording at your convenience.

As we discussed, we really want the next chapter of Atomic Red Team to be highly interactive. So please join us on Slack with your questions, feedback, and ideas! Remember…

Atomic Red Team


Audience Q & A

Is the directory structure for the additional files necessary for standardized testing? For example, are the payload files always intended to be in the ../src/ directory?

With the restructure, we moved all payloads into the respective MITRE ATT&CK™ Technique directory. For example, T1117 which discusses Regsvr32 has the associated .sct payload in the same directory as the YAML file. Moving forward, any additional payloads will be added to the correct ATT&CK technique directory.

Will Atomic Red Team and Caldera support the Industrial Control System (ICS) techniques immediately?

Atomic Red Team technique additions move as fast as the contributors. For more information on contributing to Atomic Red Team, visit: https://atomicredteam.io.

Did Blake say in the beginning of this discussion that MITRE will deprecate the ATT&CK matrix?

This summer MITRE will be rolling out a new website that will be STIX/TAXII based. Additional information may be found here on MITRE’s website.

What is the difference between Atomic Red Team and CALDERA?

CALDERA is an automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks.

Atomic Red Team is an arsenal of technique methods to automate or manually run in your environment to assess visibility across your security stack.

Can we run Caldera on VMs? For example, a server on one VM and agents on others?

Yes, the CALDERA server can run on a VM and is agent-based (Windows only) so it can be installed on Windows VMs.

Additionally, Chris Long implemented CALDERA into the DetectionLab project to allow for quick assessments of multiple products.

Are there plans to create a tool or specific process to automate tests within the Atomic Red Team project? Or is the intent for teams to build out their own automation tools to work with the YAML files?

Both. Lee Holmes provided a PowerShell framework to get started with automation within the Atomic Red Team project. We are working to convert it to YAML. Uber METTA by Chris Gates is also working to integrate Atomic YAML.


Thanks again to everyone who attended the webcast. We’re already planning our next one and look forward to addressing some of the topics we’ve been discussing with others in the community.

Atomic Red Team is designed to be a collaborative effort, so keep the ideas and contributions coming. See you on Slack!