This document discusses PurpleSharp, a tool for simulating cyber attacks within Active Directory environments. PurpleSharp executes adversary techniques listed in MITRE ATT&CK and generates telemetry to help detection teams build, test, and improve detection controls. The document outlines how PurpleSharp can be deployed remotely, impersonate users, vary techniques, and focus on Active Directory. It also advertises a library of pre-made JSON playbooks that simulate AD discovery, lateral movement, and purple teaming with PurpleSharp.
6. #BHUSA @BLACKHATEVENTS
Adversary Simulation
■ A requirement to write detection analytics
■ Unit and functional testing for detection engineering
■ End-to-end validation of detection posture
8.
■ Executes adversary techniques within Windows AD environments
■ Follows MITRE ATT&CK (50+ techniques supported)
■ C# -> .NET, Win32 API
Goal: generate attack telemetry that enables detection teams to build, test and enhance detection controls.
github.com/mvelazc0/PurpleSharp
www.purplesharp.com
9.
Enter PurpleSharp
■ Flexible
■ Remote simulation deployment
■ User impersonation
■ Technique variations
■ Active Directory focus
12.
Remote Simulation Deployment
■ Leverages Windows native features: WMI, SMB & named pipes.
■ Requirements: network connectivity and administrative credentials
13.
Remote Simulation Deployment
■ 3 modules instrument the simulation: Orchestrator, Scout & Simulator
■ They synchronize on simulation details over named pipes using serialized objects.
■ Similar to PsExec, but using the Win32_Process WMI class
14.
User impersonation
First approach:
DuplicateTokenEx
CreateProcessWithTokenW
ImpersonateLoggedOnUser
15.
User impersonation
■ Scout starts the Simulator as a child process of explorer.exe using PPID spoofing (T1134.004)
■ Simulation behavior runs under the context of the logged-on user
■ Breaks the process relationship between the Scout and the Simulator
17.
Technique variations
■ Execute the same technique in different variations
■ Attempt to bypass detection
■ Helps validate detection resilience
CreateRemoteServiceCmdline
T1059.001 - PowerShell
18.
Technique variations
CreateRemoteServiceCmdline
T1021.002 - Remote Services
#1: sc.exe to create a remote service
#2: CreateService to create a remote service
#3: ChangeServiceConfig to modify an existing service*
*Initial idea: github.com/Mr-Un1k0d3r/SCShell
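The three variations above leave different telemetry, which is the point of validating detection resilience. The following added example (editor's code, not part of PurpleSharp) classifies constructed Sysmon and System log events into the three variations: sc.exe process creation (Sysmon EID 1), a new service installed by the SCM (System EID 7045), and an ImagePath value swap-and-restore on an existing service (Sysmon EID 13), which is the footprint the ChangeServiceConfig variation leaves instead of a 7045. Host names, service names and command lines are constructed sample values.

```python
"""Classify Windows events into the three T1021.002 remote-service variations."""
import re
from datetime import datetime

# Constructed sample events (not real telemetry). Sysmon EID 1 = process create,
# Sysmon EID 13 = registry value set, System EID 7045 = new service installed.
EVENTS = [
    {"ts": "2021-08-04T10:00:01", "channel": "Sysmon", "eid": 1,
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc.exe \\FILESRV01 create upd binPath= "cmd.exe /c whoami"'},
    {"ts": "2021-08-04T10:00:05", "channel": "System", "eid": 7045,
     "host": "FILESRV01", "service": "upd", "image_path": r"cmd.exe /c whoami"},
    {"ts": "2021-08-04T10:01:10", "channel": "Sysmon", "eid": 13, "host": "FILESRV01",
     "target": r"HKLM\System\CurrentControlSet\Services\XblAuthManager\ImagePath",
     "details": r"cmd.exe /c whoami"},
    {"ts": "2021-08-04T10:01:12", "channel": "Sysmon", "eid": 13, "host": "FILESRV01",
     "target": r"HKLM\System\CurrentControlSet\Services\XblAuthManager\ImagePath",
     "details": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"ts": "2021-08-04T10:02:00", "channel": "Sysmon", "eid": 1,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

SHELLS = re.compile(r"\b(cmd|powershell|pwsh|rundll32|regsvr32|mshta)\.exe\b", re.I)
IMAGEPATH_KEY = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.I)
REMOTE_SC_CREATE = re.compile(r"\\\\\S+\s+create\b", re.I)  # sc.exe \\host create ...
REVERT_WINDOW_S = 60  # swap-and-restore of ImagePath within this window is one action

def detect(events):
    """Return (variation, detail) tuples for events matching the three variations."""
    alerts = []
    pending = {}  # (host, service) -> timestamp of a shell-like ImagePath write
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["channel"] == "Sysmon" and ev["eid"] == 1:
            if ev["image"].lower().endswith(r"\sc.exe") and REMOTE_SC_CREATE.search(ev["cmdline"]):
                alerts.append(("variation1_sc_exe", ev["cmdline"]))
        elif ev["channel"] == "System" and ev["eid"] == 7045:
            if SHELLS.search(ev["image_path"]):  # new service whose binary is a shell
                alerts.append(("variation2_create_service", f"{ev['host']}:{ev['service']} -> {ev['image_path']}"))
        elif ev["channel"] == "Sysmon" and ev["eid"] == 13:
            m = IMAGEPATH_KEY.search(ev["target"])
            if not m:
                continue
            key, ts = (ev["host"], m.group(1)), datetime.fromisoformat(ev["ts"])
            if SHELLS.search(ev["details"]):  # existing service repointed at a shell
                pending[key] = ts
                alerts.append(("variation3_imagepath_swap", f"{key[0]}:{key[1]} -> {ev['details']}"))
            elif key in pending and (ts - pending.pop(key)).total_seconds() <= REVERT_WINDOW_S:
                alerts.append(("variation3_imagepath_restore", f"{key[0]}:{key[1]} restored to {ev['details']}"))
    return alerts

if __name__ == "__main__":
    for variation, detail in detect(EVENTS):
        print(variation, "|", detail)
```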
20.
Active Directory focus
■ Techniques targeting AD are the priority
■ Simulator is able to interact with AD and domain members in the context of the logged-on user
■ LDAP support for random target selection (no passwords required): host_target_type & user_target_type
23.
Active Directory Discovery
■ Playbook #1: AD Discovery with native tools
■ Playbook #2: AD Discovery with PowerShell.exe
■ Playbook #3: AD Discovery with LDAP queries
T1033 - System User Discovery
T1018 - Remote System Discovery
T1482 - Domain Trust Discovery
T1087.001 - Local Account Discovery
T1069.002 - Domain Group Discovery
T1087.002 - Domain Account Discovery
T1201 - Password Policy Discovery
24.
Lateral Movement
■ Playbook #1: Remote Service (T1021.002) & Scheduled Task (T1053)
Using Win32 Api CreateService and native binaries
■ Playbook #2: WMI (T1047) and WinRM (T1021.006)
Using the .NET libraries
■ Playbook #3: Remote Service (T1021.002)
Using Win32 Api ChangeServiceConfig
26.
Active Directory Purple Team Playbook
■ Library of ready-to-use JSON playbooks for PurpleSharp
■ github.com/mvelazc0/PurpleAD/