Validate Your Security Detection Rules

3 min read, Jun 13, 2025

Security engineering isn’t finished when the rule deploys. It’s finished when you can fire a real-world technique at the endpoint, watch the alert pop, and see the evidence end-to-end — collection, enrichment, and triage.

In this guide you’ll learn how to do exactly that with three free tools:

  • Atomic Red Team — Generates small, self-contained adversary techniques mapped to MITRE ATT&CK.
  • Velociraptor — Executes those techniques remotely and captures detailed forensic output.
  • SOCFortress CoPilot — One-click launcher that chains everything together and tracks the results.

By the end you’ll have a repeatable “attack box” that anyone in the SOC can use to validate Wazuh (or any Sysmon-backed SIEM) rules in minutes.

Prerequisites

  • Windows 10/11 test VM (recommended)
  • PowerShell 5.1 or 7+
  • Velociraptor server and client
  • SOCFortress CoPilot
  • Wazuh / Graylog stack with Sysmon logs ingested

Why dedicate a test VM?

These techniques can change registry keys, create scheduled tasks, or drop binaries. Keep production endpoints clean and spin up a disposable “hack-sim” box instead.

Step 1 — Install Atomic Red Team

Open an elevated PowerShell prompt on the Windows test VM and run:

IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -Force

This creates C:\AtomicRedTeam and installs the Invoke-AtomicTest module.

Step 2 — Import the Velociraptor Artifact

  1. Copy Windows.AttackSimulation.AtomicRedTeam.yaml (https://raw.githubusercontent.com/socfortress/VELOCIRAPTOR-ATOMIC-RED-ARTIFACTS/refs/heads/main/Windows.AttackSimulation.AtomicRedTeam.yaml).
  2. In the Velociraptor GUI choose Artifacts → Add Artifact → Paste YAML → Save.
  3. You’ll now see Windows.AttackSimulation.AtomicRedTeam in your artifact list.

Two useful flags inside the YAML:

  • InstallAtomicRed — disable if you already ran the PowerShell installer.
  • CleanupExecutionArtifacts — disable when you want to see the persistence objects left behind.

Step 3 — Launch Your First Test in Velociraptor

  1. Select your Windows test client.
  2. Click Collect → Windows.AttackSimulation.AtomicRedTeam.
  3. Disable InstallAtomicRed and CleanupExecutionArtifacts.
  4. Find technique T1053.005 — Scheduled Task: Startup and enable the first test.
  5. Launch the collection.

When the job finishes, open Task Scheduler. You should see a task named T1053_005_OnStartup that runs cmd.exe /c calc.exe on every boot — exactly what an attacker (or Atomic Test) would do.

Step 4 — One-Click Execution from CoPilot

Manual clicks are fine for a demo, but analysts prefer a single button:

  1. In CoPilot go to Alerts → Atomic Red Team.
  2. Click T1053.005 and hit Simulate Attack.
  3. Pick your Windows Velociraptor-enrolled endpoint.
  4. Click Simulate.

CoPilot calls Velociraptor’s API, passes the artifact parameters, and tracks the run in an auditable record.

Step 5 — Verify the Alert in Wazuh / Graylog

Search for Sysmon Process-Create events where Image is schtasks.exe and the command line includes /create and T1053_005_OnStartup. You should see both the creation and, if you re-run with cleanup, the matching /delete operation. That confirms the full telemetry path — endpoint ➜ log shipper ➜ Wazuh rule ➜ alert — works as expected.
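To make the Step 5 search repeatable outside the SIEM UI, here is an added example (not part of the original post or of any SOCFortress tooling) that applies the same logic to Sysmon Process Create events in the JSON shape Wazuh produces for Windows events. The field names (win.system.eventID, win.eventdata.image, win.eventdata.commandLine) and the sample command lines are assumptions constructed for this example.

```python
from typing import Optional
import json

TASK_NAME = "T1053_005_OnStartup"

# Constructed sample log lines: Sysmon Event ID 1 records in the JSON shape Wazuh
# produces for Windows events. Field names and command lines are assumptions
# made for this example, not output captured from the lab described above.
SAMPLE_LOGS = "\n".join([
    json.dumps({"win": {"system": {"eventID": "1"}, "eventdata": {
        "image": "C:\\Windows\\System32\\schtasks.exe",
        "commandLine": 'schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"'}}}),
    json.dumps({"win": {"system": {"eventID": "1"}, "eventdata": {
        "image": "C:\\Windows\\System32\\cmd.exe",
        "commandLine": "cmd.exe /c calc.exe"}}}),  # task payload, not the schtasks call
    json.dumps({"win": {"system": {"eventID": "1"}, "eventdata": {
        "image": "C:\\Windows\\System32\\schtasks.exe",
        "commandLine": "schtasks /query /tn T1053_005_OnStartup"}}}),  # same task, no /create or /delete
    json.dumps({"win": {"system": {"eventID": "1"}, "eventdata": {
        "image": "C:\\Windows\\System32\\schtasks.exe",
        "commandLine": 'schtasks /delete /tn "T1053_005_OnStartup" /f'}}}),  # cleanup run
])

def parse_events(raw_lines: str) -> list:
    """Turn newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in raw_lines.splitlines() if line.strip()]

def classify(event: dict) -> Optional[str]:
    """Apply the Step 5 search to one event: return 'create', 'delete', or None."""
    win = event.get("win", {})
    if str(win.get("system", {}).get("eventID")) != "1":  # Sysmon Process Create only
        return None
    data = win.get("eventdata", {})
    image = data.get("image", "").lower()
    cmd = data.get("commandLine", "").lower()
    if not image.endswith("\\schtasks.exe") or TASK_NAME.lower() not in cmd:
        return None
    if "/create" in cmd:
        return "create"
    if "/delete" in cmd:
        return "delete"
    return None

def check_telemetry_path(raw_lines: str) -> dict:
    """Report whether the task creation (and, after cleanup, its deletion) reached the SIEM."""
    seen = {"create": False, "delete": False}
    for event in parse_events(raw_lines):
        verdict = classify(event)
        if verdict:
            seen[verdict] = True
    return seen

if __name__ == "__main__":
    print(check_telemetry_path(SAMPLE_LOGS))  # {'create': True, 'delete': True}
```

Point it at an export of the Sysmon events for the test window; a result with "create" False means the telemetry path is broken somewhere between the endpoint and the rule, not that the atomic failed.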

Conclusion

By weaving Atomic Red Team, Velociraptor, and CoPilot into a single workflow, you turn theory into evidence: every rule you write can be challenged, observed, and proven in minutes. This closes the loop between detection engineering and real-world behavior, eliminates blind spots before attackers find them, and gives your SOC an always-ready test bench that scales with every rule update. Treat this process as routine maintenance — run a handful of atomic tests after each change, keep a “green board” of passing simulations, and your Wazuh stack will evolve with the threat landscape instead of drifting behind it.

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).