Welcome back, aspiring cyberwarriors!
In the previous parts of this series, we explored several ways PowerShell can be used during security testing. We walked through custom scripts and practical approaches to system testing, showed how native Windows binaries can be abused in the Survival edition, and spent time on obfuscation techniques in the Evasion edition. Each of those topics focused on how attackers think and operate. Now it is time to look at another side of professional security testing, one that is valuable for organizations that want to improve rather than just pass audits.
In this article, we focus on two tools that help bridge the gap between red teams and blue teams: Nebula and Invoke-AtomicRedTeam. These tools are designed to simulate real-world attacker behavior in a controlled way, allowing defenders to observe and improve. This kind of testing helps organizations understand not only whether something can be done, but whether it would actually be noticed when it matters. When used correctly, they support close collaboration with the blue team, helping tune detection logic and reduce blind spots.
Invoke-AtomicRedTeam
Repository: https://github.com/redcanaryco/invoke-atomicredteam
Let’s start with Atomic Red Team. The Atomic Red Team project was developed by Red Canary to provide small, focused tests that map directly to real adversary techniques. Invoke-AtomicRedTeam is the PowerShell module that lets you execute those tests directly from a Windows system. Each test is tied to a technique from the MITRE ATT&CK framework, and all of them live in the so-called atomics folder. Inside this folder you will find a directory for each technique, named after its T-number. Each directory holds a YAML file that defines the technique’s atomic tests (what each one requires, which commands it runs, and how to clean up afterwards), along with a more readable Markdown rendering of the same content for humans.
Installation
There are several ways to install Invoke-AtomicRedTeam, but one of the quickest methods is provided directly in the official documentation. It is important to understand that this requires administrative privileges and that, in many cases, antivirus protection will interfere: the atomics folder contains files that security products flag, so the test machine needs either an AV exclusion for that folder or AV disabled entirely. Prefer the exclusion; if you switch protection off completely you also lose the chance to learn whether the AV itself would have caught a given test. Because of this, not every system is suitable for running these tests. The recommended approach is to use a dedicated testing machine that is connected to your SIEM and security monitoring stack. This allows you to observe alerts, logs, and detections without risking production systems.
Open PowerShell as an administrator and run the following command:
PS > IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
PS > Install-AtomicRedTeam -getAtomics -Force
The installation process can take some time, as it downloads the necessary files and prepares the testing environment.
Techniques
Once the installation is complete, you will have access to a wide range of MITRE ATT&CK techniques. Each technique usually contains several atomic tests, numbered from 1 upwards, and which of them apply depends on the operating system. Note the naming: T1003-3 means atomic test number 3 for technique T1003, which is not the same thing as the MITRE sub-technique T1003.003.
A full index of available techniques and their tests is maintained in the atomics folder of the Atomic Red Team repository (redcanaryco/atomic-red-team).
All of them can be explored in detail, and you can list the atomic tests for a technique with a simple command such as:
PS > Invoke-AtomicTest T1012 -ShowDetailsBrief

For deeper insight into what a specific atomic test does, including the exact commands it will run and its cleanup steps, you can request full details:
PS > Invoke-AtomicTest T1003-3 -ShowDetails

If a detection fails or no alert is triggered, you can hand over the exact commands and technique references so defenders can improve their rules and visibility.
Prerequisites
Some atomic tests require specific prerequisites. This may include certain software, configuration changes, or tools that must be present on the system. A common example is PDQ Deploy, which is a legitimate software deployment tool used by administrators to push updates and software across large Windows environments.
PDQ Deploy is powerful, and like many administrative tools, it can become dangerous in the wrong hands. It has been abused by ransomware groups such as LockBit to distribute malicious payloads across entire networks.

This is not unique to PDQ Deploy. Group Policy, endpoint management platforms, and even antivirus management consoles can be turned into attack tools once compromised. Certain AV management systems act like ready-made command-and-control servers, because taking them over lets an attacker disable protection and deploy malware at scale.
Attackers also sometimes rely on Safe Mode, where many security tools do not run. By forcing systems to reboot into Safe Mode through policy changes and executing scripts from trusted shares, they can bypass protections entirely. This is why early detection matters: catching an attacker before they reach this stage can save an organization from widespread damage.
Before running a test, you can check whether all prerequisites are met:
PS > Invoke-AtomicTest T1072-2 -CheckPrereqs
If something is missing, you can let the framework handle it:
PS > Invoke-AtomicTest T1072-2 -GetPrereqs

Testing
Once prerequisites are satisfied, testing can begin.
You can run every atomic test for a technique with a single command:
PS > Invoke-AtomicTest T1106
Or you can focus on a single atomic test:
PS > Invoke-AtomicTest T1106-2

It is generally better to run tests individually. This gives the blue team time to observe what happens, investigate alerts, and understand what was executed. Running everything at once may overwhelm defenders and reduce the value of the exercise. Most atomic tests also define cleanup commands; run them after each test so that artifacts left by one test (files, registry keys, scheduled tasks) do not contaminate the telemetry of the next one, and note the start and end time of each test so the defenders can search their SIEM for exactly that window.
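The following wrapper puts that workflow into code. It is an added example, not code from the original article or from the Invoke-AtomicRedTeam project: it runs one atomic test at a time, records the time window, counts local process-creation events (Security log Event ID 4688) inside that window as a quick sanity check that the test was visible at all, and then runs the test’s cleanup commands. It assumes the module is installed as shown above and that process-creation auditing is enabled on the test machine; the function name, the CSV path and the 30-second settle time are assumptions of this example.

```powershell
# Added example (not from the original article or the Invoke-AtomicRedTeam project).
# Runs atomic tests one at a time, brackets each with timestamps, pulls local
# evidence from that window, and cleans up before the next test.
# Assumptions: Invoke-AtomicRedTeam is installed; Security log auditing of
# process creation (Event ID 4688) is enabled; run from an elevated PowerShell.

Import-Module Invoke-AtomicRedTeam -ErrorAction Stop

function Invoke-PurpleAtomic {
    param(
        [Parameter(Mandatory)] [string] $Technique,    # e.g. 'T1106'
        [Parameter(Mandatory)] [int[]]  $TestNumbers,  # e.g. 2 or 1,2,3
        [string] $LogPath = (Join-Path $PWD 'atomic-execution-log.csv'),
        [int]    $SettleSeconds = 30                   # give EDR/SIEM pipelines time to catch up
    )

    foreach ($n in $TestNumbers) {
        # 1. Show whether prerequisites are present; the output tells you what is missing.
        Invoke-AtomicTest $Technique -TestNumbers $n -CheckPrereqs

        $start = Get-Date
        Write-Host "[$start] running $Technique-$n" -ForegroundColor Cyan

        # 2. Execute exactly one atomic test and append a record to the CSV execution log.
        #    The CSV (technique, test number, timestamps, user, host) is the hand-off to the blue team.
        Invoke-AtomicTest $Technique -TestNumbers $n -ExecutionLogPath $LogPath

        Start-Sleep -Seconds $SettleSeconds
        $end = Get-Date

        # 3. Local evidence for the window: 4688 = a new process was created.
        #    Zero here means the host itself has no record, so the SIEM cannot have one either.
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4688
            StartTime = $start
            EndTime   = $end
        } -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Test        = "$Technique-$n"
            Start       = $start
            End         = $end
            LocalEvents = @($events).Count
            LogPath     = $LogPath
        }

        # 4. Undo the test's changes so the next test starts from a clean host.
        Invoke-AtomicTest $Technique -TestNumbers $n -Cleanup
    }
}

# Usage: run test 2 of T1106, observe it, then clean up.
Invoke-PurpleAtomic -Technique 'T1106' -TestNumbers 2 | Format-Table -AutoSize
```

The settle time is deliberate: an EDR agent or log forwarder often needs tens of seconds before the event is searchable centrally, and comparing the local 4688 count with what the SIEM shows for the same window is the fastest way to tell a collection gap from a detection-logic gap.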
Nebula
Repository: https://github.com/MHaggis/NEBULA/tree/main
Nebula is another atomic testing framework, but it has a slightly different focus. While Atomic Red Team maps closely to MITRE ATT&CK techniques, Nebula is designed as an interactive testing environment for Windows execution and persistence methods. It is aimed at security researchers, red teamers, and blue teamers who want to understand how common techniques behave on real systems.
Nebula allows you to test WMI execution techniques, COM object abuse, persistence mechanisms, LOLBAS execution methods, and more advanced WMI scenarios.
Testing
Getting started with Nebula is straightforward.
After downloading the script from the repository, you simply open a PowerShell window with administrative privileges and run it:
PS > powershell.exe -ExecutionPolicy Bypass -File .\Nebula.ps1

Once launched, Nebula presents a menu of available tests. We will not go through every option in detail, but it quickly becomes clear how easy it is to simulate common attacks. Persistence tests include WMI subscriptions, scheduled tasks, registry keys, and other methods, usually targeting harmless executables like calc.exe.
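After a Nebula persistence test, the blue team wants to confirm that the artifacts it created are visible on the host and that they are removed before the next run. The script below is an added example, not code from the original article or from the Nebula project: it enumerates the three persistence locations named above (WMI event subscriptions, scheduled tasks, and Run/RunOnce registry keys) and reports any entry whose payload contains a marker string. The function name and the default marker `calc` (matching the harmless calc.exe payload the article describes) are assumptions of this example; it needs an elevated PowerShell to read the root/subscription namespace and HKLM.

```powershell
# Added example (not from the original article or the Nebula project).
# Enumerates persistence artifacts of the kinds Nebula creates and flags those
# whose payload matches a marker string. Run elevated on the test machine.
# Assumption: the test payload contains the marker (default 'calc', as in calc.exe).

function Get-PersistenceArtifacts {
    param(
        [string] $Marker = 'calc'   # substring expected in the test payload
    )

    # 1. WMI permanent event subscriptions: a consumer does nothing until a
    #    __FilterToConsumerBinding ties it to an __EventFilter, so report both.
    $ns        = 'root/subscription'
    $consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    foreach ($c in $consumers) {
        if ($c.CommandLineTemplate -match $Marker) {
            $escaped = [regex]::Escape($c.Name)
            [pscustomobject]@{
                Type    = 'WMI subscription'
                Name    = $c.Name
                Payload = $c.CommandLineTemplate
                Active  = [bool]($bindings | Where-Object { $_.Consumer -match $escaped })
            }
        }
    }

    # 2. Scheduled tasks whose action (program plus arguments) runs the marker.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $Marker) {
                [pscustomobject]@{
                    Type    = 'Scheduled task'
                    Name    = $task.TaskPath + $task.TaskName
                    Payload = $cmd
                    Active  = $task.State -ne 'Disabled'
                }
            }
        }
    }

    # 3. Autorun registry keys for the current user and the machine.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ... metadata
            if ("$($p.Value)" -match $Marker) {
                [pscustomobject]@{
                    Type    = 'Run key'
                    Name    = "$k\$($p.Name)"
                    Payload = $p.Value
                    Active  = $true
                }
            }
        }
    }
}

# Usage: list everything that points at the test payload.
Get-PersistenceArtifacts | Format-Table -AutoSize
```

Running this before and after a Nebula test gives a clean diff of what the tool left behind; an entry that appears here but produced no alert is a concrete detection gap to hand to the blue team, together with the exact command Nebula displayed.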

The LOLBAS execution section includes many techniques already covered in the PowerShell Survival series. Nebula shows not only the results but also the exact commands used, which is useful when sharing findings with the blue team.

COM objects deserve special mention here. Component Object Model objects are legitimate Windows components designed to allow software interaction. Attackers abuse them because they are trusted and often poorly monitored. By instantiating certain COM objects, attackers can execute code or bypass application controls in ways that look completely legitimate.

Report
After completing the tests, Nebula allows you to view and export detailed results directly from the main menu. These reports include execution status and relevant details, making it easy to document findings or review them with defenders.

Summary
Pentesting is not always about hacking for the sake of hacking. The real goal of security testing is to ensure that an organization is prepared for real adversaries. A cyberattack is rarely a question of if, but when. Software grows more complex every day, and new vulnerabilities appear constantly. While no system can be made perfectly secure, organizations that can detect and respond quickly will suffer far less damage.
Tools like Invoke-AtomicRedTeam and Nebula are only part of the bigger picture. They allow controlled testing of techniques that real attackers use, helping teams understand what is visible and where improvements are needed. A more comprehensive and professional approach is taught in our Red Team Operator training, where we work with full frameworks and real-world scenarios. There, we do not just study tools and techniques, but also the tactics and psychology behind real APT groups. Tools and exploits change, but human behavior and patterns tend to repeat.
Source: HackersArise
Source Link: https://hackers-arise.com/powershell-for-hackers-part-11-dropping-nukes/