Atomic Red Team Improvements

Atomic Red Team Extension v2: Three-Step Workflow + Linux & macOS Support

Hey everyone,

We just shipped a major update to the Atomic Red Team extension. This is a breaking change to the request format, so read on if you’re using it today.

What changed

The old extension had a single Run Tests action that did everything: installed the Atomic Red Team framework, ran your tests, and (optionally) cleaned up. This made it opaque, slow, and impossible to run multiple test batches without reinstalling the entire framework each time.

The new version splits this into three explicit actions:

1. Prepare Host (prepare_host): Installs the ART framework and configures the host for testing. On Windows, this adds a scoped Defender exclusion for C:\AtomicRedTeam. On Linux/macOS, it installs PowerShell Core if needed and puts ART in /opt/AtomicRedTeam.

2. Run Tests (run_tests): Executes one or more MITRE ATT&CK technique IDs on a host that’s already been prepared. You can call this repeatedly without re-preparing.

3. Cleanup Host (cleanup_host): Removes the ART framework, the Defender exclusion (Windows), and the powershell-yaml module. Run this when you’re done testing.

Linux and macOS support

The extension is no longer Windows-only. You can now run Atomic Red Team tests on:

- Windows 7+ / Server 2012+ (uses built-in Windows PowerShell)

- Linux Ubuntu/Debian, RHEL/CentOS/Fedora, Rocky, Alma, Amazon Linux (PowerShell Core installed automatically if missing)

- macOS x64 and arm64 (PowerShell Core installed automatically via .pkg)

The sensor selector in the UI now shows sensors on all three platforms. The extension auto-detects the platform from the sensor ID and uses the correct scripts.

New request format

Before (old single action):


{
  "action": "run_tests",
  "data": {
    "sid": "<sensor_id>",
    "rules": ["T1003", "T1059.001"],
    "clean": true
  }
}

After (three-step workflow):

Step 1. Prepare the host:

{
  "action": "prepare_host",
  "data": {
    "sid": "<sensor_id>"
  }
}

Step 2. Run tests (can be called multiple times):

{
  "action": "run_tests",
  "data": {
    "sid": "<sensor_id>",
    "rules": ["T1003", "T1059.001"],
    "clean": true
  }
}

Step 3. Cleanup when done:

{
  "action": "cleanup_host",
  "data": {
    "sid": "<sensor_id>"
  }
}

Webhook events

Each step emits structured webhook events so you can track progress programmatically:

- prepare_started -> prepare_success / prepare_failed

- run_started -> test_result (one per technique) -> run_success / run_failed

- cleanup_started -> cleanup_success / cleanup_failed

All events include a job_id that stays consistent across the entire chain, plus sid, platform, and ident.
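The request bodies and the event chain above are enough to drive the workflow without the UI. The Python below is an added example, not code from the extension or from LimaCharlie: it builds the three request bodies, correlates incoming webhook payloads by job_id, and decides which action to send next. The payload field names event, technique and status, the constructed sensor/platform values, and the policy of always routing a failed prepare or run to cleanup_host (so the framework and the Windows Defender exclusion do not stay behind on the host) are this example's own assumptions; the post only guarantees job_id, sid, platform and ident, and how payloads reach your code is not shown.

```python
"""Drive the three-step Atomic Red Team extension workflow from its webhook events.

Added example, not code from the extension. Request shapes and event names come
from the announcement; the field names "event", "technique" and "status" are
assumptions, since the post only guarantees job_id, sid, platform and ident.
"""
import json
from dataclasses import dataclass, field
from typing import Optional

VALID_ACTIONS = ("prepare_host", "run_tests", "cleanup_host")


def build_request(action: str, sid: str, rules=None, clean: bool = True) -> dict:
    """Return the request body for one action, in the shape the post shows."""
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    data = {"sid": sid}
    if action == "run_tests":
        if not rules:
            raise ValueError("run_tests needs at least one ATT&CK technique ID")
        data["rules"] = list(rules)
        data["clean"] = clean  # mirrored from the post's example; its semantics are not described there
    return {"action": action, "data": data}


def make_event(name: str, job_id: str = "job-0001", **extra) -> str:
    """Build a constructed sample webhook payload (not captured from a real deployment)."""
    ev = {"event": name, "job_id": job_id, "sid": "sensor-linux-01",
          "platform": "linux", "ident": "atomic-red-team"}  # sample values, constructed
    ev.update(extra)
    return json.dumps(ev)


@dataclass
class JobTracker:
    """Correlate every event of one job_id and decide which request comes next."""
    job_id: Optional[str] = None
    phase: str = "idle"  # idle, preparing, prepared, running, cleaning, needs_cleanup, done, failed
    results: dict = field(default_factory=dict)  # technique ID -> status from test_result
    errors: list = field(default_factory=list)   # names of *_failed events seen

    def handle(self, payload: str) -> str:
        ev = json.loads(payload)
        missing = [k for k in ("event", "job_id", "sid", "platform", "ident") if k not in ev]
        if missing:
            raise ValueError(f"webhook event missing fields {missing}")
        if self.job_id is None:
            self.job_id = ev["job_id"]
        elif ev["job_id"] != self.job_id:
            # job_id is constant across one chain, so a mismatch is another job's event
            raise ValueError(f"event for job {ev['job_id']} delivered to tracker for {self.job_id}")
        name = ev["event"]
        if name == "prepare_started":
            self.phase = "preparing"
        elif name == "prepare_success":
            self.phase = "prepared"
        elif name == "run_started":
            self.phase = "running"
        elif name == "test_result":
            self.results[ev["technique"]] = ev["status"]
        elif name == "run_success":
            self.phase = "prepared"  # framework stays installed, so more batches may follow
        elif name == "cleanup_started":
            self.phase = "cleaning"
        elif name == "cleanup_success":
            self.phase = "done"
        elif name in ("prepare_failed", "run_failed"):
            # The framework and (on Windows) the Defender exclusion may still be on the
            # host, so route the job to cleanup_host rather than leaving it in place.
            self.errors.append(name)
            self.phase = "needs_cleanup"
        elif name == "cleanup_failed":
            self.errors.append(name)
            self.phase = "failed"  # needs manual attention: host may still be modified
        else:
            raise ValueError(f"unexpected event {name!r}")
        return self.phase

    def next_action(self, more_batches: bool) -> Optional[str]:
        """The request to send next, or None while a step is in flight or the job is over."""
        if self.phase == "idle":
            return "prepare_host"
        if self.phase == "needs_cleanup":
            return "cleanup_host"
        if self.phase == "prepared":
            return "run_tests" if more_batches else "cleanup_host"
        return None


def demo() -> JobTracker:
    """Replay a constructed happy-path chain: prepare, one batch of two techniques, cleanup."""
    chain = [
        make_event("prepare_started"), make_event("prepare_success"),
        make_event("run_started"),
        make_event("test_result", technique="T1003", status="passed"),
        make_event("test_result", technique="T1059.001", status="passed"),
        make_event("run_success"),
        make_event("cleanup_started"), make_event("cleanup_success"),
    ]
    tracker = JobTracker()
    for payload in chain:
        tracker.handle(payload)
    return tracker
```

Calling demo() replays a full chain and leaves the tracker in phase "done" with both technique results recorded; in real use, feed each delivered payload to handle() and send whatever build_request(tracker.next_action(...), sid, ...) returns. The tracker rejects payloads whose job_id differs from the one it first saw, which is the check you want when several sensors are being tested in parallel and their events arrive at the same endpoint.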

Other improvements

- Removed the UAC elevation hack: the LC sensor already runs as SYSTEM, so the old VBScript workaround was dead code.

- Removed programmatic Defender disable: Set-MpPreference -DisableRealtimeMonitoring silently fails on modern Windows due to Tamper Protection. We now use a scoped path exclusion instead, which is how the upstream ART project is designed to be used.

- Automatic upgrade: if you already have the old version installed, the extension will update within 24h; if you want it now, unsubscribe and resubscribe.

Quick how-to

1. Install or update the Atomic Red Team extension from the LimaCharlie marketplace.

2. In the extension UI, you’ll see three tabs: Prepare Host, Run Tests, and Cleanup Host.

3. Select a sensor (Windows, Linux, or macOS) and click Prepare Host. Wait for the prepare_success webhook event.

4. Switch to Run Tests, select the same sensor, pick your techniques from the dropdown, and run. You’ll get a test_result event for each technique.

5. When you’re done, click Cleanup Host to restore the endpoint.

If you have any questions or run into issues, let us know in this thread.