Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building new and testing existing detection capabilities will be constrained. PurpleSharp is an open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection engineering program. PurpleSharp leverages the MITRE ATT&CK Framework and executes different techniques across the attack life cycle: execution, persistence, privilege escalation, credential access, lateral movement, etc.
5. ✘ Executes adversary techniques within Windows Active Directory environments
✘ Follows the MITRE ATT&CK Framework (50+ techniques supported)
✘ C# -> .NET or Win32 API
Goal:
✘ Generate attack telemetry that enables detection teams to build, test and enhance detection controls.
github.com/mvelazc0/PurpleSharp
www.purplesharp.com
11. Remote Simulation Deployment
✘ Leverages Windows native features: SMB, WMI and named pipes
✘ Requirements: network connectivity, administrative credentials
12. Remote Simulation Deployment
✘ 3 modules instrument the simulation: Orchestrator, Scout & Simulator
✘ They synchronize on simulation details over named pipes using serialized objects.
15. User Impersonation
✘ Scout starts the Simulator as a child process of explorer.exe using PPID spoofing (T1134.004)
✘ Simulation behavior runs under the context of the logged-on user
✘ Breaks the process relationship between the Scout and the Simulator
18. Technique Variations
✘ Execute the same technique in different variations
✘ Attempt to bypass detection
✘ Helps validate detection resilience
19. T1021.002 - Remote Services
#1: sc.exe to create a remote service
#2: CreateService to create a remote service
#3: ChangeServiceConfig to modify an existing service
Initial idea: github.com/Mr-Un1k0d3r/SCShell
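The three T1021.002 variations above leave different footprints, which is exactly what a resilience test exercises: #1 shows a sc.exe process on the source host plus a service install on the target, #2 shows only the target-side install, and #3 installs nothing and just rewrites an existing service's ImagePath. This added example (not PurpleSharp code) classifies constructed Sysmon and System log records by that footprint; the field names and event IDs (Sysmon 1, Sysmon 13, System 7045) are assumptions about how the telemetry was normalized.

```python
import re

# Matches "\\host create" or "\\host config" in a sc.exe command line (variation #1 goes over the wire).
SC_REMOTE = re.compile(r"\\\\[\w.-]+\s+(create|config)\b", re.IGNORECASE)
# Matches the ImagePath value under any service key (variation #3 edits an existing service's binary).
IMAGEPATH_KEY = re.compile(r"\\services\\[^\\]+\\imagepath$", re.IGNORECASE)

# Constructed sample telemetry, one record per variation plus benign sc.exe noise (not real PurpleSharp output).
SAMPLE_EVENTS = [
    {"host": "WS01", "source": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\sc.exe",
     "command_line": r"sc.exe \\SRV01 create updsvc binPath= C:\Windows\Temp\u.exe"},
    {"host": "SRV01", "source": "System", "event_id": 7045, "service_name": "updsvc",
     "service_file_name": r"C:\Windows\Temp\u.exe"},
    {"host": "SRV01", "source": "Sysmon", "event_id": 13, "image": r"C:\Windows\System32\services.exe",
     "target_object": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "details": r"C:\Windows\Temp\u.exe"},
    {"host": "WS01", "source": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\sc.exe",
     "command_line": "sc.exe query spooler"},
]


def classify(event):
    """Return the T1021.002 variation signal an event carries, or None."""
    src, eid = event.get("source"), event.get("event_id")
    if src == "Sysmon" and eid == 1 and event.get("image", "").lower().endswith("\\sc.exe"):
        if SC_REMOTE.search(event.get("command_line", "")):
            return "#1 sc.exe remote create/config (source host)"
    if src == "System" and eid == 7045:
        # Both #1 and #2 end in a service installation on the target; #2 spawns no sc.exe
        # anywhere, so this target-side event is the only place it shows up.
        return "#1/#2 service installed (target host)"
    if src == "Sysmon" and eid == 13 and IMAGEPATH_KEY.search(event.get("target_object", "")):
        # #3 installs nothing (no 7045); the SCM (services.exe) rewrites ImagePath of an existing service.
        return "#3 ImagePath modified on existing service (target host)"
    return None


def detect(events):
    """Return (host, variation, artefact) triples for every event that matched a variation."""
    hits = []
    for e in events:
        label = classify(e)
        if label:
            artefact = e.get("command_line") or e.get("service_file_name") or e.get("details")
            hits.append((e["host"], label, artefact))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(" | ".join(hit))
```

A detection that only keys on sc.exe command lines catches #1 and misses #2 and #3; covering the target-side install and the ImagePath write is what makes the rule hold up across variations.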
21. Active Directory ‘support’
✘ PurpleSharp is able to interact with AD and domain members in the context of the logged-on user
✘ LDAP support for random target selection: host_target_type & user_target_type