Executes Atomic Red Team tests mapped to MITRE ATT&CK techniques, performs coverage gap analysis across the ATT&CK matrix, and runs detection validation loops to measure blue team visibility. Covers Invoke-AtomicRedTeam PowerShell execution, ATT&CK Navigator layer generation for heatmaps, Sigma rule correlation, and continuous atomic testing pipelines. Activates for requests involving purple team exercises, atomic test execution, ATT&CK coverage assessment, detection engineering validation, or adversary emulation testing.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionperforming-purple-team-atomic-testingExecute the skills CLI command in your project's root directory to begin installation:
Fetches performing-purple-team-atomic-testing from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-purple-team-atomic-testing. Access via /performing-purple-team-atomic-testing in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
1
total installs
1
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
1
installs
1
this week
8.6K
stars
| name | performing-purple-team-atomic-testing |
| description | 'Executes Atomic Red Team tests mapped to MITRE ATT&CK techniques, performs coverage gap analysis across the ATT&CK matrix, and runs detection validation loops to measure blue team visibility. Covers Invoke-AtomicRedTeam PowerShell execution, ATT&CK Navigator layer generation for heatmaps, Sigma rule correlation, and continuous atomic testing pipelines. Activates for requests involving purple team exercises, atomic test execution, ATT&CK coverage assessment, detection engineering validation, or adversary emulation testing. ' |
| domain | cybersecurity |
| subdomain | purple-team |
| tags | - purple-team - atomic-red-team - mitre-attack - detection-engineering - adversary-emulation |
| version | 1.0.0 |
| author | mukul975 |
| license | Apache-2.0 |
| nist_ai_rmf | - MEASURE-2.7 - MAP-5.1 - MANAGE-2.4 |
| atlas_techniques | - AML.T0070 - AML.T0066 - AML.T0082 |
| d3fend_techniques | - Executable Denylisting - Execution Isolation - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis |
| nist_csf | - ID.RA-01 - DE.AE-07 - GV.OV-02 |
Do not use for full-scope red team engagements requiring custom implants or live adversary simulation beyond atomic tests; use Caldera, SCYTHE, or Cobalt Strike for advanced adversary emulation.
DISCLAIMER: Atomic Red Team tests execute real attack techniques. Run only on systems you own or have explicit written authorization to test. Many tests modify system state, create artifacts, or trigger security alerts. Always execute cleanup commands after testing. Never run atomic tests in production without risk acceptance from stakeholders.
mitreattack-python, pyyaml, and requests for automation scriptsSet up the execution framework and download the atomics library:
# Install the PowerShell execution module
Install-Module -Name invoke-atomicredteam -Scope CurrentUser -Force
Install-Module -Name powershell-yaml -Scope CurrentUser -Force
# Import the module
Import-Module invoke-atomicredteam
# Install atomics to default location (C:\AtomicRedTeam\atomics)
IEX (IEX (New-Object System.Net.WebClient).DownloadString(
'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1'
)); Install-AtomicRedTeam -getAtomics -Force
# Verify installation - list available techniques
$atomicsPath = "C:\AtomicRedTeam\atomics"
$techniques = Get-ChildItem $atomicsPath -Directory | Where-Object { $_.Name -match '^T\d{4}' }
Write-Host "Available techniques: $($techniques.Count)"
# Configure execution logging
$env:ARTLOG = "C:\AtomicRedTeam\logs"
if (-not (Test-Path $env:ARTLOG)) { New-Item -Path $env:ARTLOG -ItemType Directory }
Inventory available tests and select targets based on threat intelligence or gap analysis:
# List all tests for a specific technique
Invoke-AtomicTest T1059.001 -ShowDetailsBrief
# Show full details including attack commands and cleanup
Invoke-AtomicTest T1059.001 -ShowDetails
# List tests for a tactic (e.g., Persistence)
$persistenceTechniques = @(
"T1547.001", # Boot or Logon Autostart - Registry Run Keys
"T1053.005", # Scheduled Task
"T1136.001", # Create Account - Local Account
"T1543.003", # Create or Modify System Process - Windows Service
"T1546.001", # Event Triggered Execution - Change Default File Association
"T1574.001", # Hijack Execution Flow - DLL Search Order Hijacking
"T1197" # BITS Jobs
)
foreach ($tech in $persistenceTechniques) {
Write-Host "`n=== $tech ===" -ForegroundColor Cyan
try {
Invoke-AtomicTest $tech -ShowDetailsBrief
} catch {
Write-Host " No tests available" -ForegroundColor Yellow
}
}
# Get all atomic techniques from YAML files programmatically
$allAtomics = Get-ChildItem "$atomicsPath\T*\T*.yaml" -Recurse |
ForEach-Object {
$yaml = Get-Content $_.FullName -Raw | ConvertFrom-Yaml
[PSCustomObject]@{
TechniqueId = $yaml.attack_technique
TechniqueName = $yaml.display_name
TestCount = $yaml.atomic_tests.Count
Platforms = ($yaml.atomic_tests.supported_platforms | Sort-Object -Unique) -join ", "
}
}
$allAtomics | Sort-Object TechniqueId | Format-Table -AutoSize
Write-Host "Total techniques with tests: $($allAtomics.Count)"
Write-Host "Total individual tests: $(($allAtomics | Measure-Object -Property TestCount -Sum).Sum)"
Run tests with pre/post logging for detection validation:
# Execute a single test by technique ID (runs all tests for that technique)
Invoke-AtomicTest T1059.001
# Execute a specific test by number
Invoke-AtomicTest T1059.001 -TestNumbers 1
# Execute by test name
Invoke-AtomicTest T1059.001 -TestNames "Mimikatz - Cradled Invoke Expression"
# Execute by GUID
Invoke-AtomicTest T1059.001 -TestGuids "2e803f96-4e33-4c2c-b0c8-1c10cbb3945f"
# Execute with prerequisite check and installation
Invoke-AtomicTest T1059.001 -TestNumbers 1 -CheckPrereqs
Invoke-AtomicTest T1059.001 -TestNumbers 1 -GetPrereqs
Invoke-AtomicTest T1059.001 -TestNumbers 1
# Execute with timeout (seconds)
Invoke-AtomicTest T1003.001 -TimeoutSeconds 120
# Cleanup after testing
Invoke-AtomicTest T1059.001 -TestNumbers 1 -Cleanup
# Execute with full logging wrapper
function Invoke-AtomicWithLogging {
param(
[string]$TechniqueId,
[int[]]$TestNumbers,
[string]$LogPath = "C:\AtomicRedTeam\logs"
)
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$logFile = Join-Path $LogPath "${TechniqueId}_${timestamp}.json"
$result = @{
technique_id = $TechniqueId
test_numbers = $TestNumbers
start_time = (Get-Date).ToString("o")
hostname = $env:COMPUTERNAME
username = $env:USERNAME
results = @()
}
foreach ($testNum in $TestNumbers) {
$testResult = @{
test_number = $testNum
status = "unknown"
start_time = (Get-Date).ToString("o")
}
try {
# Show what will execute
$details = Invoke-AtomicTest $TechniqueId -TestNumbers $testNum -ShowDetails 2>&1
$testResult["details"] = $details | Out-String
# Execute the test
Invoke-AtomicTest $TechniqueId -TestNumbers $testNum -Confirm:$false
$testResult["status"] = "executed"
} catch {
$testResult["status"] = "failed"
$testResult["error"] = $_.Exception.Message
}
$testResult["end_time"] = (Get-Date).ToString("o")
$result.results += $testResult
# Wait for SIEM ingestion
Start-Sleep -Seconds 30
}
$result["end_time"] = (Get-Date).ToString("o")
$result | ConvertTo-Json -Depth 10 | Set-Content $logFile
Write-Host "Log written to: $logFile" -ForegroundColor Green
return $result
}
# Usage
Invoke-AtomicWithLogging -TechniqueId "T1059.001" -TestNumbers @(1, 2, 3)
Query your SIEM to confirm whether atomic tests generated alerts:
Splunk SPL Queries for Detection Validation:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-- T1059.001: PowerShell Execution
index=windows sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational"
EventCode=4104
| eval script_block=ScriptBlockText
| where len(script_block) > 500
| stats count by host, script_block
| sort -count
-- T1003.001: LSASS Memory Credential Dumping
index=windows sourcetype="WinEventLog:Security" EventCode=4663
ObjectName="*lsass*"
| stats count by host, SubjectUserName, ProcessName
| where count > 0
-- T1547.001: Registry Run Key Persistence
index=windows sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=13
TargetObject="*\\CurrentVersion\\Run*"
| stats count by host, Image, TargetObject, Details
-- T1053.005: Scheduled Task Creation
index=windows sourcetype="WinEventLog:Security" EventCode=4698
| stats count by host, SubjectUserName, TaskName, TaskContent
| sort -count
-- Generic: Hunt for Atomic Red Team artifacts
index=windows (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational"
OR sourcetype="WinEventLog:Security")
| search "*AtomicRedTeam*" OR "*atomic*" OR "*Invoke-AtomicTest*"
| stats count by sourcetype, EventCode, host
Elastic / KQL Queries:
━━━━━━━━━━━━━━━━━━━━━
-- PowerShell script block logging
event.code: "4104" and powershell.file.script_block_text: *
-- Sysmon process creation from AtomicRedTeam paths
event.code: "1" and process.executable: *AtomicRedTeam*
-- Registry modification (persistence)
event.code: "13" and registry.path: *CurrentVersion\\Run*
-- Credential access indicators
event.code: "10" and winlog.event_data.TargetImage: *lsass.exe*
Generate a coverage matrix comparing tested vs. detected techniques:
#!/usr/bin/env python3
"""ATT&CK coverage gap analysis - compares atomic test results against SIEM detections."""
import json
import os
import yaml
from pathlib import Path
from datetime import datetime
def load_atomics_inventory(atomics_path):
"""Parse all atomic test YAML files to build technique inventory."""
inventory = {}
atomics_dir = Path(atomics_path)
for yaml_file in atomics_dir.glob("T*/T*.yaml"):
try:
with open(yaml_file, "r", encoding="utf-8") as f:
data = yaml.safe_load(f)
tech_id = data.get("attack_technique", "")
if not tech_id:
continue
tests = data.get("atomic_tests", [])
inventory[tech_id] = {
"name": data.get("display_name", "Unknown"),
"test_count": len(tests),
"platforms": list(set(
p for t in tests
for p in t.get("supported_platforms", [])
)),
"tests": [
{
"name": t.get("name", "Unnamed"),
"description": t.get("description", ""),
"platforms": t.get("supported_platforms", []),
"executor": t.get("executor", {}).get("name", "unknown"),
}
for t in tests
],
}
except Exception as e:
print(f"[WARN] Failed to parse {yaml_file}: {e}")
return inventory
def load_execution_logs(log_dir):
"""Load atomic test execution logs."""
executed = {}
log_path = Path(log_dir)
if not log_path.exists():
return executed
for log_file in log_path.glob("T*_*.json"):
try:
with open(log_file, "r") as f:
data = json.load(f)
tech_id = data.get("technique_id", "")
if tech_id:
if tech_id not in executed:
executed[tech_id] = {
"executions": [],
"last_executed": data.get("end_time", ""),
}
executed[tech_id]["executions"].append({
"timestamp": data.get("start_time", ""),
"results": data.get("results", []),
})
except Exception as e:
print(f"[WARN] Failed to parse {log_file}: {e}")
return executed
def load_detection_results(detection_file):
"""Load SIEM detection validation results (JSON export from SIEM queries)."""
if not os.path.exists(detection_file):
return {}
with open(detection_file, "r") as f:
data = json.load(f)
detections = {}
for entry in data:
tech_id = entry.get("technique_id", "")
if tech_id:
detections[tech_id] = {
"detected": entry.get("detected", False),
"alert_count": entry.get("alert_count", 0),
"rule_name": entry.get("rule_name", ""),
"confidence": entry.get("confidence", "unknown"),
"data_sources": entry.get("data_sources", []),
}
return detections
# MITRE ATT&CK tactic ordering for structured output
TACTIC_ORDER = [
"reconnaissance", "resource-development", "initial-access",
"execution", "persistence", "privilege-escalation",
"defense-evasion", "credential-access", "discovery",
"lateral-movement", "collection", "command-and-control",
"exfiltration", "impact",
]
# Tactic-to-technique mapping for common techniques (subset for illustration)
TACTIC_TECHNIQUE_MAP = {
"execution": [
"T1059", "T1059.001", "T1059.003", "T1059.004", "T1059.005",
"T1059.006", "T1059.007", "T1047", "T1053", "T1053.005",
"T1129", "T1203", "T1569", "T1569.002",
],
"persistence": [
"T1547", "T1547.001", "T1547.004", "T1547.009",
"T1053.005", "T1136", "T1136.001", "T1543", "T1543.003",
"T1546", "T1546.001", "T1546.003", "T1574", "T1574.001",
"T1197", "T1505", "T1505.003",
],
"credential-access": [
"T1003", "T1003.001", "T1003.002", "T1003.003",
"T1003.004", "T1003.005", "T1003.006",
"T1110", "T1110.001", "T1110.003",
"T1555", "T1555.003", "T1552", "T1552.001",
"T1558", "T1558.003",
],
"defense-evasion": [
"T1070", "T1070.001", "T1070.004",
"T1218", "T1218.001", "T1218.003", "T1218.005",
"T1218.010", "T1218.011",
"T1027", "T1140", "T1562", "T1562.001",
"T1036", "T1036.005",
],
"discovery": [
"T1082", "T1083", "T1087", "T1087.001", "T1087.002",
"T1016", "T1049", "T1057", "T1069", "T1069.001",
"T1069.002", "T1518", "T1518.001",
],
"lateral-movement": [
"T1021", "T1021.001", "T1021.002", "T1021.003",
"T1021.004", "T1021.006", "T1570",
],
"command-and-control": [
"T1071", "T1071.001", "T1071.004",
"T1105", "T1132", "T1573", "T1573.001",
"T1219", "T1090",
],
"exfiltration": [
"T1041", "T1048", "T1048.003", "T1567",
],
"impact": [
"T1485", "T1486", "T1489", "T1490", "T1491",
],
}
def generate_coverage_report(atomics_inventory, execution_logs, detection_results):
"""Generate comprehensive coverage gap analysis."""
report = {
"generated_at": datetime.utcnow().isoformat() + "Z",
"summary": {},
"tactics": {},
"gaps": [],
"recommendations": [],
}
total_available = len(atomics_inventory)
total_executed = len(execution_logs)
total_detected = sum(1 for d in detection_results.values() if d.get("detected"))
report["summary"] = {
"total_techniques_with_atomics": total_available,
"total_techniques_executed": total_executed,
"total_techniques_detected": total_detected,
"execution_coverage_pct": round(
(total_executed / total_available * 100) if total_available else 0, 1
),
"detection_coverage_pct": round(
(total_detected / total_executed * 100) if total_executed else 0, 1
),
}
# Per-tactic analysis
for tactic, technique_ids in TACTIC_TECHNIQUE_MAP.items():
tactic_data = {
"techniques_available": 0,
"techniques_executed": 0,
"techniques_detected": 0,
"gaps": [],
}
for tech_id in technique_ids:
if tech_id in atomics_inventory:
tactic_data["techniques_available"] += 1
executed = tech_id in execution_logs
detected = detection_results.get(tech_id, {}).get("detected", False)
if executed:
tactic_data["techniques_executed"] += 1
if detected:
tactic_data["techniques_detected"] += 1
if executed and not detected:
gap = {
"technique_id": tech_id,
"technique_name": atomics_inventory[tech_id]["name"],
"tactic": tactic,
"status": "BLIND_SPOT",
"detail": "Test executed but no detection triggered",
}
tactic_data["gaps"].append(gap)
report["gaps"].append(gap)
elif not executed and tech_id in atomics_inventory:
gap = {
"technique_id": tech_id,
"technique_name": atomics_inventory[tech_id]["name"],
"tactic": tactic,
"status": "NOT_TESTED",
"detail": "Atomic test available but not yet executed",
}
tactic_data["gaps"].append(gap)
avail = tactic_data["techniques_available"]
tactic_data["coverage_pct"] = round(
(tactic_data["techniques_detected"] / avail * 100) if avail else 0, 1
)
report["tactics"][tactic] = tactic_data
# Generate prioritized recommendations
blind_spots = [g for g in report["gaps"] if g["status"] == "BLIND_SPOT"]
if blind_spots:
report["recommendations"].append({
"priority": "CRITICAL",
"action": f"Write detection rules for {len(blind_spots)} blind spot techniques",
"techniques": [g["technique_id"] for g in blind_spots],
})
low_coverage_tactics = [
t for t, d in report["tactics"].items() if d["coverage_pct"] < 30
]
if low_coverage_tactics:
report["recommendations"].append({
"priority": "HIGH",
"action": f"Expand testing in low-coverage tactics: {', '.join(low_coverage_tactics)}",
"detail": "These tactics have less than 30% detection coverage",
})
return report
def generate_navigator_layer(atomics_inventory, execution_logs, detection_results,
layer_name="Purple Team Coverage"):
"""Generate ATT&CK Navigator layer JSON for heatmap visualization."""
layer = {
"name": layer_name,
"versions": {
"attack": "15",
"navigator": "5.1",
"layer": "4.5",
},
"domain": "enterprise-attack",
"description": f"Purple team atomic testing coverage - Generated {datetime.utcnow().isoformat()}Z",
"filters": {"platforms": ["Windows", "Linux", "macOS"]},
"sorting": 0,
"layout": {
"layout": "side",
"aggregateFunction": "average",
"showID": True,
"showName": True,
},
"hideDisabled": False,
"techniques": [],
"gradient": {
"colors": ["#ff6666", "#ffeb3b", "#66bb6a"],
"minValue": 0,
"maxValue": 100,
},
"legendItems": [
{"label": "No Coverage (Blind Spot)", "color": "#ff6666"},
{"label": "Logged Only (Partial)", "color": "#ffeb3b"},
{"label": "Alert/Detection Active", "color": "#66bb6a"},
{"label": "Not Tested", "color": "#d3d3d3"},
],
"metadata": [],
"links": [],
"showTacticRowBackground": True,
"tacticRowBackground": "#dddddd",
"selectTechniquesAcrossTactics": True,
"selectSubtechniquesWithParent": False,
}
for tech_id, tech_data in atomics_inventory.items():
executed = tech_id in execution_logs
detection = detection_results.get(tech_id, {})
detected = detection.get("detected", False)
confidence = detection.get("confidence", "none")
if detected and confidence in ("high", "medium"):
score = 100
color = "#66bb6a" # Green - high confidence detection
comment = f"DETECTED - {detection.get('rule_name', 'Alert active')}"
elif detected:
score = 50
color = "#ffeb3b" # Yellow - logged/partial
comment = "PARTIAL - Detection exists but low confidence"
elif executed:
score = 0
color = "#ff6666" # Red - blind spot
comment = "BLIND SPOT - Test executed, no detection"
else:
score = 0
color = "#d3d3d3" # Gray - not tested
comment = f"NOT TESTED - {tech_data['test_count']} atomic tests available"
technique_entry = {
"techniqueID": tech_id,
"tactic": "",
"color": color,
"comment": comment,
"score": score,
"enabled": True,
"metadata": [
{"name": "tests_available", "value": str(tech_data["test_count"])},
{"name": "executed", "value": str(executed)},
{"name": "detected", "value": str(detected)},
],
"links": [],
"showSubtechniques": False,
}
layer["techniques"].append(technique_entry)
return layer
def print_coverage_report(report):
"""Print formatted coverage report to console."""
print("=" * 72)
print("PURPLE TEAM ATOMIC TESTING - COVERAGE GAP ANALYSIS")
print("=" * 72)
print(f"Generated: {report['generated_at']}")
print()
s = report["summary"]
print("EXECUTIVE SUMMARY")
print("-" * 40)
print(f" Techniques with atomics: {s['total_techniques_with_atomics']}")
print(f" Techniques executed: {s['total_techniques_executed']}")
print(f" Techniques detected: {s['total_techniques_detected']}")
print(f" Execution coverage: {s['execution_coverage_pct']}%")
print(f" Detection coverage: {s['detection_coverage_pct']}%")
print()
print("PER-TACTIC COVERAGE")
print("-" * 72)
print(f"{'Tactic':<25} {'Available':>9} {'Executed':>9} {'Detected':>9} {'Coverage':>9}")
print("-" * 72)
for tactic in TACTIC_ORDER:
if tactic in report["tactics"]:
t = report["tactics"][tactic]
bar = "#" * int(t["coverage_pct"] / 5) + "." * (20 - int(t["coverage_pct"] / 5))
print(
f" {tactic:<23} {t['techniques_available']:>9} "
f"{t['techniques_executed']:>9} {t['techniques_detected']:>9} "
f"{t['coverage_pct']:>8.1f}%"
)
print()
blind_spots = [g for g in report["gaps"] if g["status"] == "BLIND_SPOT"]
if blind_spots:
print("CRITICAL BLIND SPOTS (executed but not detected)")
print("-" * 72)
for gap in blind_spots:
print(f" [!] {gap['technique_id']} - {gap['technique_name']}")
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Keeps context tight: performing-purple-team-atomic-testing is the kind of skill you can hand to a new teammate without a long onboarding doc.
Solid pick for teams standardizing on skills: performing-purple-team-atomic-testing is focused, and the summary matches what you get after install.
I recommend performing-purple-team-atomic-testing for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
performing-purple-team-atomic-testing fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
We added performing-purple-team-atomic-testing from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Useful defaults in performing-purple-team-atomic-testing — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
performing-purple-team-atomic-testing has been reliable in day-to-day use. Documentation quality is above average for community skills.
performing-purple-team-atomic-testing is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Registry listing for performing-purple-team-atomic-testing matched our evaluation — installs cleanly and behaves as described in the markdown.
performing-purple-team-atomic-testing reduced setup friction for our internal harness; good balance of opinion and flexibility.
showing 1-10 of 49