Anthropic-Cybersecurity-Skills performing-threat-emulation-with-atomic-red-team
Executes Atomic Red Team tests for MITRE ATT&CK technique validation using the atomic-operator Python framework.
install
source · Clone the upstream repo
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/performing-threat-emulation-with-atomic-red-team" ~/.claude/skills/mukul975-anthropic-cybersecurity-skills-performing-threat-emulation-with-atomic- && rm -rf "$T"
manifest:
skills/performing-threat-emulation-with-atomic-red-team/SKILL.md
source content
Performing Threat Emulation with Atomic Red Team
When to Use
- When conducting security assessments that call for emulating specific adversary techniques against your own environment
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Familiarity with threat intelligence concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with atomic-operator installed (`pip install atomic-operator`) and PyYAML for reading test definitions
- Appropriate authorization for any testing activities
Instructions
Use atomic-operator to execute Atomic Red Team tests and validate detection coverage against MITRE ATT&CK techniques. Atomic tests run real commands on the host that executes them (T1059.001, for example, launches PowerShell), so run them only in the lab environment and with the authorization listed under Prerequisites.

```python
from atomic_operator import AtomicOperator

operator = AtomicOperator()

# Run the atomic tests for one technique (T1059.001, PowerShell execution).
# `techniques` takes a list of ATT&CK IDs in current atomic-operator releases
# (older examples show a singular `technique=` string). `atomics_path` points
# at the atomics/ directory of a cloned atomic-red-team checkout.
# Pass cleanup=True in a second call to undo the changes a test made.
operator.run(
    techniques=["T1059.001"],
    atomics_path="./atomic-red-team/atomics",
    check_prereqs=True,  # verify each test's prerequisites before executing it
)
```
Key workflow:
- Clone the atomic-red-team repository for test definitions
- Select ATT&CK techniques matching your detection rules
- Execute atomic tests using atomic-operator
- Check SIEM/EDR for corresponding alerts
- Document detection gaps and update rules
Examples
```python
# Parse the atomic test YAML definitions for one technique. Run this from a
# clone of the atomic-red-team repository so the atomics/ directory exists.
import yaml

with open("atomics/T1059.001/T1059.001.yaml") as f:
    technique = yaml.safe_load(f)

# Each technique file holds a list of atomic_tests; print what each one is
# and which platforms it supports before deciding what to execute.
for test in technique.get("atomic_tests", []):
    print(f"Test: {test['name']}")
    print(f"  Platforms: {test.get('supported_platforms', [])}")
```
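The selection, correlation and gap-reporting steps of the key workflow above (pick tests for the target platform, check the SIEM/EDR for alerts that match the run, document what did not fire), as an added example that is not part of this skill or of atomic-operator. It runs offline: the test definitions are constructed to mirror the shape `yaml.safe_load()` returns for a technique file, and the run log and alert export are constructed as well. In a real run `EXECUTED` would be filled from atomic-operator's output and `ALERTS` from a SIEM query; the alert fields `rule`, `technique`, `host` and `seen` are assumptions about what such an export contains.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape yaml.safe_load() returns for one technique file
# under atomics/. Names, GUIDs and commands are made up and harmless; they are
# not real Atomic Red Team tests.
ATOMIC_TESTS = {
    "attack_technique": "T1059.001",
    "atomic_tests": [
        {"name": "List processes via PowerShell (constructed)",
         "auto_generated_guid": "11111111-1111-4111-8111-111111111111",
         "supported_platforms": ["windows"],
         "executor": {"name": "powershell", "elevation_required": False,
                      "command": "Get-Process | Select-Object -First 5"}},
        {"name": "Read HKLM service keys (constructed)",
         "auto_generated_guid": "22222222-2222-4222-8222-222222222222",
         "supported_platforms": ["windows"],
         "executor": {"name": "powershell", "elevation_required": True,
                      "command": "Get-ChildItem HKLM:\\SYSTEM\\CurrentControlSet\\Services"}},
        {"name": "Invoke pwsh on Linux (constructed)",
         "auto_generated_guid": "33333333-3333-4333-8333-333333333333",
         "supported_platforms": ["linux", "macos"],
         "executor": {"name": "sh", "elevation_required": False,
                      "command": "pwsh -Command Get-Date"}},
    ],
}


def select_tests(atomics: dict, target_platform: str, allow_elevated: bool = False) -> list[dict]:
    """Workflow step 2: keep tests that run on target_platform; skip
    elevation-required ones unless the operator explicitly opts in."""
    selected = []
    for test in atomics.get("atomic_tests", []):
        if target_platform not in test.get("supported_platforms", []):
            continue
        if test.get("executor", {}).get("elevation_required", False) and not allow_elevated:
            continue
        selected.append(test)
    return selected


@dataclass(frozen=True)
class ExecutedTest:
    """One atomic test as logged when it ran (constructed record)."""
    technique: str
    guid: str
    host: str
    started: datetime
    finished: datetime


@dataclass(frozen=True)
class Alert:
    """One SIEM/EDR alert tagged with the ATT&CK ID its rule maps to (constructed)."""
    rule: str
    technique: str
    host: str
    seen: datetime


def correlate(executed: list[ExecutedTest], alerts: list[Alert],
              grace: timedelta = timedelta(minutes=5)) -> dict[str, list[Alert]]:
    """Workflow step 4: attribute alerts to the test that plausibly caused them.
    An alert counts when host and technique match and it was seen between the
    test's start and its finish plus a grace period for SIEM ingestion delay;
    stale alerts and other hosts' alerts are excluded so they cannot mask a gap."""
    hits: dict[str, list[Alert]] = {}
    for run in executed:
        deadline = run.finished + grace
        hits[run.guid] = [a for a in alerts
                          if a.host == run.host and a.technique == run.technique
                          and run.started <= a.seen <= deadline]
    return hits


def detection_gaps(executed: list[ExecutedTest], hits: dict[str, list[Alert]]) -> list[ExecutedTest]:
    """Workflow step 5: tests with no attributable alert are the gaps to document."""
    return [run for run in executed if not hits.get(run.guid)]


# Constructed run log and alert export for lab host "lab-win01".
T0 = datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc)
EXECUTED = [
    ExecutedTest("T1059.001", "11111111-1111-4111-8111-111111111111", "lab-win01",
                 T0, T0 + timedelta(seconds=20)),
    ExecutedTest("T1059.001", "22222222-2222-4222-8222-222222222222", "lab-win01",
                 T0 + timedelta(minutes=1), T0 + timedelta(minutes=1, seconds=15)),
]
ALERTS = [
    Alert("PowerShell process enumeration", "T1059.001", "lab-win01", T0 + timedelta(seconds=8)),
    Alert("PowerShell started", "T1059.001", "lab-win01", T0 - timedelta(hours=2)),  # stale
    Alert("WMI child process", "T1047", "lab-win01", T0 + timedelta(minutes=1, seconds=5)),
    Alert("PowerShell started", "T1059.001", "lab-win02", T0 + timedelta(minutes=1, seconds=5)),
]

if __name__ == "__main__":
    hits = correlate(EXECUTED, ALERTS)
    for run in detection_gaps(EXECUTED, hits):
        print(f"GAP: {run.technique} test {run.guid} raised no alert on {run.host}")
```

The grace window is the main tuning knob: two tests of the same technique run back to back can have overlapping windows, so either space the tests out or add the executed command line to the match key when your SIEM exports it. The second constructed test shows the point of the exercise: it ran, nothing attributable fired, and that is the gap to document and to feed back into the detection rules.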