PurpleSharp
Defending enterprise networks against attackers continue to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building new and testing existing detection capabilities will be constrained.
PurpleSharp is an open-source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection engineering program. It leverages the MITRE ATT&CK Framework and executes different techniques across the attack life cycle: execution, persistence, privilege escalation, credential access, lateral movement, etc. It currently supports 37 unique ATT&CK techniques.
PurpleSharp was first presented at Derbycon IX. An updated version of PurpleSharp will be released on August 6th as part of BlackHat Arsenal 2020.
Goals / Use Cases
The attack telemetry produced by simulating techniques with PurpleSharp aids detection teams in:
- Building new detection analytics
- Testing existing detection analytics
- Validating detection resiliency
- Identifying gaps invisibility
- Identifying issues with event logging pipeline
Tutorial
Copyright (c) 2019, Mauricio Velazco
All rights reserved.
