How to Run Atomic Red Team on Linux and Automate Attack Simulations with Velociraptor

Are your Linux detection rules truly working — or just sitting idle?

Atomic Red Team is an outstanding framework for simulating real-world adversary behaviors. While many security professionals focus on Windows endpoints, it’s equally crucial to validate detection coverage on Linux systems. In this post, we’ll cover how to install and run Atomic Red Team on Linux and show how to integrate it with Velociraptor and SOCFortress CoPilot to run simulations without needing to log in to the endpoint directly.

Installing PowerShell on Debian Linux

Atomic Red Team's execution framework, Invoke-AtomicRedTeam, is a PowerShell module. The individual Linux tests run in sh or bash, but the harness that selects, runs and logs them is PowerShell, so even on Linux the first step is getting PowerShell running on your system.

On my test machine (Debian), I installed PowerShell using Microsoft’s official packages. Here’s how:

Documentation: https://learn.microsoft.com/en-us/powershell/scripting/install/install-debian?view=powershell-7.5

###################################
# Prerequisites

# Update the list of packages
sudo apt-get update

# Install pre-requisite packages.
sudo apt-get install -y wget

# Download the PowerShell package file
wget https://github.com/PowerShell/PowerShell/releases/download/v7.5.1/powershell_7.5.1-1.deb_amd64.deb

###################################
# Install the PowerShell package
sudo dpkg -i powershell_7.5.1-1.deb_amd64.deb

# Resolve missing dependencies and finish the install (if necessary)
sudo apt-get install -f

# Delete the downloaded package file
rm powershell_7.5.1-1.deb_amd64.deb

# Start PowerShell
pwsh

Installing Atomic Red Team PowerShell Modules

Next, install the PowerShell modules Atomic Red Team relies on: the Invoke-AtomicRedTeam execution framework and powershell-yaml, which it uses to parse the YAML test definitions.

Inside your PowerShell session, run:

Install-Module -Name invoke-atomicredteam,powershell-yaml -Scope CurrentUser
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -Force

The second and third lines fetch Red Canary's installer script and execute it; as with any installer piped straight from the web, read the script first. On Linux it places a copy of the module under ~/AtomicRedTeam/invoke-atomicredteam by default and, because of -getAtomics, downloads the atomics (the YAML test definitions from the atomic-red-team repository) to ~/AtomicRedTeam/atomics, both for the user running the session. Keep that location in mind: Invoke-AtomicTest looks for atomics under the running user's home directory unless you tell it otherwise.

Cloning the Invoke-AtomicRedTeam Repository

The installer above put the module under the home directory of whichever user ran it. Because the Velociraptor client will later import the module as root, clone the execution framework into PowerShell's system-wide module path as well, so it can be imported by absolute path from any account (git must be installed, and the target directory is root-owned):

sudo apt-get install -y git
sudo git clone https://github.com/redcanaryco/invoke-atomicredteam.git /usr/local/share/powershell/Modules/Invoke-AtomicRedTeam

Note that this repository holds the execution framework, not the test definitions. The atomics come from the redcanaryco/atomic-red-team repository (that is what -getAtomics downloaded), and Invoke-AtomicTest looks for them under ~/AtomicRedTeam/atomics of the user running the test unless you pass -PathToAtomicsFolder. When tests will run as root, either run the installer as root too or point that parameter at the existing folder.

Running Atomic Red Team Tests on Linux

With everything installed, you can run an Atomic Red Team test directly from the shell by handing pwsh a short command string. Single-quote the module path inside the double-quoted -Command argument so bash passes it through unchanged; an execution-policy switch is unnecessary because PowerShell does not enforce execution policy on Linux.

Example:

pwsh -NonInteractive -Command "Import-Module '/usr/local/share/powershell/Modules/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam.psd1' -Force; Invoke-AtomicTest T1005 -TestNumbers 2 -GetPreReqs; Invoke-AtomicTest T1005 -TestNumbers 2 -ExecutionLogPath /tmp/ARTExec.csv"

The first Invoke-AtomicTest call, with -GetPreReqs, installs whatever the test declares as a prerequisite; the second executes it and appends one row per test (timestamp, technique, test number and name, host, user, exit code) to the CSV named by -ExecutionLogPath, which is the record you will later parse. Two more switches are worth knowing before you point this at an unfamiliar technique: -ShowDetails prints the test's description and commands without running anything, and -Cleanup runs the test's cleanup commands afterwards, which matters for persistence techniques that leave cron entries or files behind.

The Challenge with Manual Execution

Running tests manually works — but it’s not scalable. You’d need to log into each endpoint to execute commands, which doesn’t fit well in larger environments or with routine testing.

We need a better way.

Automating Atomic Red Team Tests with Velociraptor

Velociraptor is a fantastic open-source DFIR and hunting tool. It can:

  • Remotely execute commands
  • Collect results
  • Integrate with SIEM and SOAR platforms

Here’s how I integrated Atomic Red Team with Velociraptor:

  1. Velociraptor supports custom artifacts. I created an artifact that:
  • Imports Atomic Red Team modules
  • Executes the desired Atomic Red Team test
  • Stores results in a CSV for parsing

The artifact is published at:

https://raw.githubusercontent.com/socfortress/VELOCIRAPTOR-ATOMIC-RED-ARTIFACTS/refs/heads/main/Linux.AttackSimulation.AtmoticRedTeam.yaml
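An artifact of the kind described in those three bullets, written here as an illustration; it wraps the same pwsh sequence shown under "Running Atomic Red Team Tests on Linux" so the two sections share one example. It is added example code, not the SOCFortress artifact at the URL above. It assumes pwsh is on the client's PATH, the module is cloned to the system-wide module path used earlier, the atomics sit under /root/AtomicRedTeam/atomics (the module's per-user default once the client runs as root), and that the execution log carries a Technique column, which is what Invoke-AtomicRedTeam's default execution logger writes at the time of writing. The artifact name and parameter names are invented.

```yaml
# Added example artifact; not the SOCFortress artifact linked above.
# Assumptions: pwsh is on the client's PATH, the Invoke-AtomicRedTeam module is
# cloned to ModulePath, and the atomics folder at AtomicsPath is readable by the
# account the Velociraptor client runs as (root, per the systemd unit below).
# The artifact name and all parameter names are invented for this example.
name: Custom.Linux.AttackSimulation.AtomicRedTeam
description: |
  Runs one Atomic Red Team technique on a Linux endpoint through pwsh and
  returns the console output followed by the execution-log rows that
  Invoke-AtomicTest -ExecutionLogPath wrote for that technique.
type: CLIENT

# Only server users holding EXECVE may collect this. With the client running
# as root, that permission amounts to "run anything as root on every endpoint".
required_permissions:
  - EXECVE

precondition: SELECT OS FROM info() WHERE OS = 'linux'

parameters:
  - name: Technique
    description: ATT&CK technique ID, e.g. T1005
    default: T1005
  - name: TestNumbers
    description: Test number(s) within the technique, comma separated
    default: "2"
  - name: ModulePath
    default: /usr/local/share/powershell/Modules/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam.psd1
  - name: AtomicsPath
    description: Atomics folder; the module default is ~/AtomicRedTeam/atomics of the running user
    default: /root/AtomicRedTeam/atomics
  - name: LogPath
    default: /tmp/ARTExec.csv
  - name: Cleanup
    description: Run the test's cleanup commands after it executes
    type: bool
    default: Y

sources:
  - query: |
      -- Capture the parameter before the CSV's own Technique column shadows it.
      LET tech = Technique

      -- One pwsh invocation: fetch prerequisites, run the test, optionally clean up.
      LET base = format(format="Import-Module '%v' -Force; $t='%v'; $n=('%v' -split ','); $a='%v'; Invoke-AtomicTest $t -TestNumbers $n -PathToAtomicsFolder $a -GetPreReqs; Invoke-AtomicTest $t -TestNumbers $n -PathToAtomicsFolder $a -ExecutionLogPath '%v'",
                        args=[ModulePath, Technique, TestNumbers, AtomicsPath, LogPath])
      LET clean = if(condition=Cleanup,
                     then="; Invoke-AtomicTest $t -TestNumbers $n -PathToAtomicsFolder $a -Cleanup",
                     else="")
      LET cmd = base + clean

      -- length raises execve's per-row capture buffer so long test output is kept.
      LET run = SELECT Stdout, Stderr, ReturnCode
                FROM execve(argv=["pwsh", "-NonInteractive", "-Command", cmd], length=1000000)

      -- foreach makes the CSV read wait for pwsh to exit. chain emits the console
      -- row first (so Stderr is visible even when no log row was written), then
      -- the log rows; the log is appended to on every run, hence the filter.
      SELECT * FROM foreach(row=run, query={
          SELECT * FROM chain(
              a={ SELECT Stdout, Stderr, ReturnCode AS PwshExitCode FROM scope() },
              b={ SELECT * FROM parse_csv(filename=LogPath) WHERE Technique = tech })
      })
```

Load it on the server from the View Artifacts page, then collect it as in the steps below, setting Technique and TestNumbers. The first result row carries the pwsh console output and exit code, the following rows the execution-log entries for that technique; if the log rows are missing, the first row's Stderr shows why. Raise the collection timeout in the Resources step if -GetPreReqs has to download anything.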

  2. On the Velociraptor client, run the service as root so the tests are not blocked by file or process permissions (the trade-off is covered under Best Practices below):

sudo nano /etc/systemd/system/velociraptor_client.service
[Unit]
Description=Velociraptor client
After=syslog.target network.target

[Service]
Type=simple
Restart=always
RestartSec=120
LimitNOFILE=20000
Environment=LANG=en_US.UTF-8
User=root
ExecStart=/usr/local/bin/velociraptor_client --config /etc/velociraptor/client.config.yaml client --quiet

[Install]
WantedBy=multi-user.target

After editing the unit, reload systemd and restart the client so the change takes effect:

sudo systemctl daemon-reload
sudo systemctl restart velociraptor_client

Run the Artifact

  1. In Velociraptor's GUI:
  • Go to "Collect"
  • Choose the artifact you created
  • Specify the attack technique to run (e.g. T1005)
  • Launch the job

  2. Review the results. Velociraptor captures standard output, errors, and logs, so you can quickly verify:
  • Whether the Atomic test ran successfully
  • What commands were executed
  • What data was collected

Running Atomic Red Team Tests via CoPilot

Beyond Velociraptor, I integrated this pipeline with our CoPilot system. CoPilot can:

  • Trigger Velociraptor artifacts
  • Show test results in the same interface
  • Link Atomic Red Team IDs to documentation so analysts understand what each test does

This means our SOC team can launch simulations and validate detection logic — all without touching the endpoint directly.

Validating Results in Graylog

My SIEM pipeline includes Graylog, where logs from the Linux endpoint land after running Atomic Red Team simulations.

For example, running a cron-based persistence test triggered logs like:

Script executed from hidden payload
cron job created for evil.sh

Best Practices and Cautions

  • Don’t run Atomic Red Team on production systems. Spin up a dedicated dev/test Linux box to avoid unintended impacts.
  • Always review which techniques you plan to run — some simulations can be noisy or intrusive.
  • Confirm the Velociraptor client runs with sufficient permissions. Some Atomic Red Team tests, especially on Linux, need root, which is why the unit file above sets User=root. The flip side is that anyone allowed to collect an execve-based artifact on the server can then run arbitrary commands as root on every enrolled endpoint, so restrict the EXECVE and COLLECT_CLIENT permissions to the analysts who run simulations.
Original link: https://socfortress.medium.com/how-to-run-atomic-red-team-on-linux-and-automate-attack-simulations-with-velociraptor-d4b52b05721b?source=rss-36613248f635------2