Deployment Environments

Invoke-AtomicRedTeam can be run inside isolated execution environments such as Docker containers, Kubernetes clusters, or Windows Sandbox.

1. Docker Deployment

You can run tests inside isolated containers using the official Dockerfile, which supports multiple architectures and both Windows and Linux containers.

Build and Run Locally

Build the image using the provided Dockerfile located inside the docker/ folder:

docker build -t invoke-atomicredteam:latest docker/ -f docker/Dockerfile

Launch the container interactively. This starts a PowerShell session with the module pre-loaded and the test definitions available in the default search path:

docker run -it invoke-atomicredteam:latest pwsh

Image Internals

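The image installs required packages (build-essential, at, curl, nmap, ssh, etc.) to satisfy standard test dependencies, installs the execution framework, and creates the PowerShell profile. The installer is fetched from the repository's master branch at build time, so the image contents depend on when it was built: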

FROM mcr.microsoft.com/powershell:latest
SHELL ["pwsh", "-Command"]
RUN IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); \
    Install-AtomicRedTeam -getAtomics
RUN New-Item $PROFILE -Force
COPY ./setup.ps1 .
RUN ./setup.ps1

2. Kubernetes Orchestration

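Deploy the execution container to a Kubernetes namespace using the provided deployment manifest (kubernetes/k8s-deployment.yaml). The manifest targets Linux nodes, keeps the container alive with a long sleep so that tests can be started with kubectl exec, and runs it with privileged: true. A privileged container has broad access to the node it runs on, so use a cluster set aside for testing: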

apiVersion: apps/v1
kind: Deployment
metadata:
  name: atomicred
  namespace: atomic-red
  labels:
    app: atomicred
spec:
  replicas: 1
  selector:
    matchLabels:
      app: atomicred
  template:
    metadata:
      labels:
        app: atomicred
    spec:
      containers:
        - name: atomicred
          image: redcanary/invoke-atomicredteam
          imagePullPolicy: "IfNotPresent"
          command: ["sleep", "3560d"]
          securityContext:
            privileged: true
      nodeSelector:
        kubernetes.io/os: linux

Apply the manifest to your cluster:

kubectl apply -f kubernetes/k8s-deployment.yaml

Run commands inside the pod's container with kubectl exec:

kubectl exec -it deployment/atomicred -n atomic-red -- pwsh -Command "Invoke-AtomicTest T1003 -ShowDetailsBrief"
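
A pre-apply guard for the manifest above, as an added example that is not part of the project: it refuses to run kubectl apply unless the current kubectl context is on an allow-list of lab clusters, and it prints isolation-weakening settings such as privileged: true before applying. The script name guard.sh, the LAB_CONTEXTS variable and the context names in it are assumptions.

```shell
#!/bin/sh
# Added example: pre-apply guard for kubernetes/k8s-deployment.yaml.
# LAB_CONTEXTS is an assumption: a space-separated list of kubectl context
# names that point at disposable lab clusters (the defaults are hypothetical).
LAB_CONTEXTS="${LAB_CONTEXTS:-kind-atomic-lab minikube}"

# Succeeds only if the given context name is on the allow-list (exact match).
is_lab_context() {
    for c in $LAB_CONTEXTS; do
        [ "$c" = "$1" ] && return 0
    done
    return 1
}

# Prints one line per isolation-weakening setting found in a manifest file.
# Line-based match, adequate for a flat manifest like the one above;
# it is not a YAML parser.
risky_settings() {
    grep -nE '^[[:space:]]*(privileged|hostNetwork|hostPID|hostIPC|allowPrivilegeEscalation):[[:space:]]*true[[:space:]]*$' "$1" |
        sed -E 's/^([0-9]+):[[:space:]]*/line \1: /'
}

# Applies the manifest only when the current context is a lab cluster,
# reporting risky settings on stderr first.
guarded_apply() {
    manifest="$1"
    ctx="$(kubectl config current-context)" || return 2
    if ! is_lab_context "$ctx"; then
        echo "refusing: context '$ctx' is not in LAB_CONTEXTS" >&2
        return 1
    fi
    findings="$(risky_settings "$manifest")"
    if [ -n "$findings" ]; then
        printf 'isolation-weakening settings in %s:\n%s\n' "$manifest" "$findings" >&2
    fi
    kubectl apply -f "$manifest"
}

# Runs only when invoked as: ./guard.sh --apply kubernetes/k8s-deployment.yaml
if [ "${1:-}" = "--apply" ]; then
    guarded_apply "$2"
fi
```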

3. Windows Sandbox Environment

For quick testing on a local Windows host without making permanent configuration changes, use the Windows Sandbox configuration file (sandbox/art.wsb):

  1. Double-click art.wsb to spin up an isolated, temporary instance of Windows Sandbox.
  2. The sandbox automatically runs the logon command to download and run the bootstrap script setupsandbox.ps1:

    Set-ExecutionPolicy Bypass -Scope Process -Force;
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
    # Fetches and installs the module with definitions inside sandbox workspace
    Install-AtomicRedTeam -getAtomics -Force;

  3. An isolated PowerShell session with loaded variables will launch. You can now execute and observe attack commands safely without leaving residual artifacts on your host system.

Common Pitfalls

  • Isolation Limits: When running inside containerized environments, certain low-level actions (such as kernel-level operations, driver loading, or system reboots) will not function as expected because containers share the host kernel. Use virtualization-based environments (like virtual machines or Windows Sandbox) for tests that require deep operating system modifications.
  • Missing Tooling: Minimal container images lack administrative binaries that exist on standard operating systems. Use -GetPrereqs inside the deployment container to install required tools prior to testing.

To view execution guidelines, refer to the Usage Guide. To configure persistent environment paths, see Configuration.