Adversary Emulation

Infrastructure refers to the underlying physical or virtual components that support the operations of an organization. This can include hardware such as servers, storage devices, and networking equipment, as well as software such as operating systems, databases, and applications.

Here are some of the PURPLE team techniques for the Infrastructure category along with their descriptions, based on the MITRE ATT&CK framework:

1. Account Manipulation: This technique involves modifying account settings to gain unauthorized access to a system or network.

2. Adversary Emulation: In this technique, the purple team emulates the tactics, techniques, and procedures (TTPs) of real-world attackers to test an organization’s detection and response capabilities.

3. Application Deployment Software: The purple team uses application deployment software to deploy and test software applications in a simulated environment, allowing them to identify any vulnerabilities or weaknesses.

4. Command and Control (C2): The purple team tests an organization’s ability to detect and respond to command and control channels used by attackers to control compromised systems or exfiltrate data.

5. Data Exfiltration: The purple team simulates data exfiltration techniques used by attackers to steal sensitive information from an organization’s network, allowing them to identify any gaps in detection and response.

6. Defense Evasion: In this technique, the purple team tests an organization’s ability to detect and respond to advanced techniques used by attackers to evade detection, such as using code obfuscation or polymorphic malware.

7. Endpoint Protection: The purple team tests an organization’s endpoint protection tools and technologies to ensure they are effective in detecting and preventing malicious activity on endpoints.

8. Exploit Development: This technique involves developing custom exploits or modifying existing ones to test an organization’s ability to detect and respond to known vulnerabilities.

9. Log Collection: The purple team collects logs from various systems and applications to identify potential security issues and assess an organization’s ability to detect and respond to attacks.

10. Network Mapping: The purple team maps an organization’s network to identify vulnerabilities, such as open ports or misconfigured devices, and to simulate a real-world attacker’s reconnaissance activities.

11. Network Traffic Analysis: In this technique, the purple team analyzes network traffic to identify potential security issues, such as unusual network activity or data exfiltration.

12. Password Cracking: The purple team tests an organization’s password policies and procedures by attempting to crack passwords using various techniques, such as dictionary attacks or brute-force attacks.

13. Port Scanning: The purple team scans an organization’s network for open ports and services to identify potential vulnerabilities and assess an organization’s ability to detect and respond to attacks.

14. Privilege Escalation: This technique involves attempting to gain elevated privileges on a system or network by exploiting vulnerabilities or misconfigurations.

15. Vulnerability Scanning: The purple team scans an organization’s network for known vulnerabilities to identify potential weaknesses and assess an organization’s ability to detect and respond to attacks.

Here are some Purple Team techniques for Infrastructure categories along with their descriptions, as listed on the MITRE ATT&CK website:

1. Cloud Security Assessment: This technique involves evaluating the security posture of cloud services and applications, including testing for misconfigurations, weak authentication, and other vulnerabilities.

2. Firewall Rule Testing: This technique involves testing the effectiveness of firewall rules by attempting to bypass them or identifying gaps in coverage.

3. Penetration Testing: This technique involves attempting to exploit vulnerabilities in the infrastructure or applications to gain access to sensitive data or systems.

4. Red Team Infrastructure: This technique involves creating a simulated adversary environment to test the effectiveness of an organization’s security measures.

5. SCADA/ICS Security Assessment: This technique involves evaluating the security of SCADA/ICS systems, including testing for vulnerabilities and potential attack vectors.

6. Wireless Security Assessment: This technique involves evaluating the security of wireless networks and devices, including testing for unauthorized access, weak encryption, and other vulnerabilities.

7. Network Mapping: This technique involves mapping out an organization’s network infrastructure to identify potential attack vectors and areas of vulnerability.

8. Password Cracking: This technique involves attempting to crack passwords to gain unauthorized access to systems or applications.

9. Protocol Fuzzing: This technique involves testing the security of network protocols by sending malformed or unexpected data to identify potential vulnerabilities.

10. Software Exploitation: This technique involves attempting to exploit vulnerabilities in software applications to gain access to sensitive data or systems.

These are just some examples of Purple Team techniques for Infrastructure categories, and there may be others as well depending on the specific needs of the organization. It’s important to note that these techniques should only be used for authorized testing and assessment purposes.

Techniques used by red teams to gather information about the target organization, such as identifying hosts, services, applications, and users. This can include passive techniques such as scanning public information sources or more active techniques such as social engineering.

Here are some Purple Team techniques for the Reconnaissance category with their descriptions, based on the MITRE ATT&CK framework:

1. T1590 – Network Survey: This technique involves conducting a survey of an organization’s network, identifying live hosts and open ports to gather intelligence about the target network.

2. T1592 – Active Scanning: This technique involves actively scanning a network to identify hosts, services, and vulnerabilities. The goal is to identify and assess potential attack vectors that an adversary could exploit.

3. T1593 – Passive Scanning: This technique involves passively monitoring network traffic to gather intelligence about the target network. The goal is to identify potential attack vectors without alerting the target network’s defenders.

4. T1594 – Satellite Imagery: This technique involves using satellite imagery to gather information about a target’s physical infrastructure, such as building layouts, parking lots, and other physical security measures.

5. T1595 – Search Open Websites/Domains: This technique involves searching open websites and domains for information about a target organization. This information can include employee names, email addresses, and other valuable information.

6. T1596 – Webscraping: This technique involves using automated tools to collect data from websites and other online sources. The goal is to gather intelligence about the target organization that can be used to facilitate attacks.

7. T1597 – Active Directory Enumeration: This technique involves querying Active Directory (AD) to gather information about the target network, such as user and group accounts, computers, and network shares. The goal is to identify potential attack vectors within the AD environment.

8. T1598 – Social Media Profiles: This technique involves gathering information about a target organization from social media platforms, such as LinkedIn, Twitter, and Facebook. This information can include employee names, job titles, and other valuable information.

9. T1599 – Automated Targeted Social Media Collection: This technique involves using automated tools to collect data from social media platforms based on specific keywords or topics related to the target organization. The goal is to gather intelligence about the target organization that can be used to facilitate attacks.

These are just a few examples of Purple Team techniques for the Reconnaissance category. It’s important to note that different organizations may have unique needs and challenges, so techniques should be tailored to meet those specific requirements.

Techniques used to gain a foothold into the target network, such as exploiting vulnerabilities or using social engineering to trick users into running malicious code.

Here are some examples of PURPLE team techniques for the Initial Access category along with their descriptions, based on information from the MITRE ATT&CK framework:

1. Phishing (T1566): Using social engineering tactics to send fraudulent emails, messages, or websites to individuals in order to trick them into divulging sensitive information or downloading malicious software.

2. Drive-by Compromise (T1189): Infecting a website with malicious code that can exploit vulnerabilities in a visitor’s browser to download and execute malware on their system.

3. Malicious USB Drop (T1204): Planting a USB drive or other removable storage device in a target location, hoping that an unsuspecting individual will insert it into their computer, thereby installing malware.

4. Supply Chain Compromise (T1195): Attacking a target organization through a trusted third-party supplier or vendor that has access to their systems, network, or data.

5. Watering Hole (T1567): Compromising a legitimate website that is frequented by the target individuals, in order to distribute malware and gain access to their systems.

6. Spearphishing Attachment (T1193): Using customized or tailored phishing emails with malicious attachments to gain initial access to a target network or system.

7. Spearphishing Link (T1192): Using customized or tailored phishing emails with links to malicious websites to gain initial access to a target network or system.

8. External Remote Services (T1133): Targeting public-facing systems or services, such as web servers or VPNs, that can be accessed from the internet in order to gain initial access.

9. Trusted Relationship (T1199): Leveraging a pre-existing relationship or access privileges within a target organization to gain initial access, such as through stolen credentials or insider threat activity.

These are just a few examples of PURPLE team techniques for the Initial Access category, and there are many more techniques that could be employed depending on the specific scenario and objectives of the exercise.

Techniques used to run commands or scripts on the target network, such as launching malware or creating backdoors.

Here are some PURPLE team techniques for the Execution category and their descriptions, based on the MITRE ATT&CK framework:

1. PowerShell: PowerShell is a powerful command-line tool in Windows that is commonly used for system administration tasks. Adversaries can abuse PowerShell to execute commands or scripts on a compromised system, bypassing traditional security measures.

2. WMI: Windows Management Instrumentation (WMI) is a framework for managing Windows systems through scripting. Adversaries can use WMI to execute commands or scripts on a compromised system, again bypassing traditional security measures.

3. Scheduled Tasks: Scheduled tasks are scripts or commands that are set to execute at specific times on a Windows system. Adversaries can use scheduled tasks to execute commands or scripts on a compromised system, often with elevated privileges.

4. Service Execution: Adversaries can use services, which are programs that run in the background on a Windows system, to execute commands or scripts on a compromised system. They can use existing services or create new ones to execute their code.

5. Registry Run Keys / Startup Folder: Adversaries can add their code to the registry run keys or the startup folder in Windows to execute their code every time the system boots up. This technique allows them to maintain persistence on a compromised system.

6. Component Object Model Hijacking: Component Object Model (COM) is a Microsoft technology that allows software components to communicate with each other. Adversaries can hijack COM objects to execute their code on a compromised system, bypassing traditional security measures.

7. Dll Search Order Hijacking: Adversaries can hijack the dynamic link library (DLL) search order on a Windows system to execute their code. This technique allows them to execute their code whenever an application tries to load a specific DLL.

8. Hooking: Adversaries can use hooking techniques to intercept function calls in Windows applications and execute their code instead. This technique allows them to bypass traditional security measures, such as antivirus software.

9. Scripting: Adversaries can use scripting languages, such as Python or JavaScript, to execute commands or scripts on a compromised system. This technique allows them to bypass traditional security measures, as many antivirus programs do not detect or block scripting languages.

10. User Execution: Adversaries can trick users into executing their code by sending phishing emails, disguising their code as legitimate software, or using other social engineering techniques. This technique relies on human error rather than technical vulnerabilities, making it difficult to detect and prevent.

Techniques used to maintain access to the target network over an extended period, such as setting up scheduled tasks or installing rootkits.

Here are some PURPLE team techniques for the Persistence category along with their descriptions:

1. Service Registry Permissions Weakness (T1060): The PURPLE team can exploit weak permissions on Windows service registry keys to gain persistent access to a system. They can also modify registry keys to establish persistence.

2. Scheduled Task (T1053): The PURPLE team can create a scheduled task that runs on a recurring basis to maintain persistence on a system. They can use this technique to execute a malicious payload or to run a legitimate utility in a malicious way.

3. Boot or Logon Autostart Execution (T1547): The PURPLE team can modify the Windows Registry to execute their own code or a malicious payload at boot or logon, thereby establishing persistence. They can also use legitimate Windows startup programs in a malicious way to achieve persistence.

4. Component Object Model Hijacking (T1122): The PURPLE team can hijack a Component Object Model (COM) object to achieve persistence. They can modify the COM object’s settings to point to a malicious payload, which will execute every time the COM object is launched.

5. Group Policy Modification (T1484): The PURPLE team can modify Group Policy settings to establish persistence on a system. They can change Group Policy settings to execute a malicious payload or to run a legitimate utility in a malicious way.

6. Trusted Developer Utilities Abuse (T1127): The PURPLE team can abuse trusted developer utilities to maintain persistence on a system. They can use these utilities to execute a malicious payload or to run a legitimate utility in a malicious way.

7. Registry Run Keys / Startup Folder (T1547.001): The PURPLE team can modify the Registry Run keys or the Startup folder to execute a malicious payload at boot or logon, thereby establishing persistence.

8. New Service (T1050): The PURPLE team can create a new service on a system to establish persistence. They can use this service to execute a malicious payload or to run a legitimate utility in a malicious way.

9. Modify Existing Service (T1031): The PURPLE team can modify an existing service on a system to establish persistence. They can change the service’s executable path to point to a malicious payload, which will execute every time the service is launched.

10. Component Object Model and Distributed COM (T1175): The PURPLE team can abuse the Component Object Model and Distributed COM to achieve persistence. They can modify the COM object’s settings to point to a malicious payload, which will execute every time the COM object is launched.

Note: These techniques are intended to be used by PURPLE teams during controlled, authorized testing scenarios to identify security weaknesses and improve defenses. It is important to always obtain proper authorization and follow ethical guidelines when performing security testing.

Techniques used to gain higher levels of access to the target network, such as exploiting weaknesses in access control mechanisms or stealing credentials.

Here is a list of PURPLE team techniques for the Privilege Escalation category, along with their descriptions:

1. Exploitation of Vulnerability (T1213): An attacker exploits a vulnerability in an operating system, application, or service to elevate privileges.

2. Exploitation of Remote Services (T1210): An attacker gains elevated privileges by exploiting a vulnerable remote service running on a system.

3. Access Token Manipulation (T1134): An attacker manipulates access tokens to gain elevated privileges, such as stealing a token from a logged-in user or creating a new token.

4. DLL Injection (T1055): An attacker injects a malicious DLL into a legitimate process running with elevated privileges, allowing them to execute code with the same level of access.

5. Process Injection (T1055): An attacker injects a malicious process into a legitimate process running with elevated privileges, allowing them to execute code with the same level of access.

6. Exploitation of Windows Admin Shares (T1077): An attacker exploits the default administrative shares on Windows systems (such as C$ or ADMIN$) to gain elevated privileges.

7. Registry Run Keys / Startup Folder (T1060): An attacker adds a malicious executable to the system’s Registry Run keys or Startup folder, causing it to execute with elevated privileges when the system boots up.

8. Scheduled Tasks (T1053): An attacker creates a scheduled task to execute a malicious executable with elevated privileges.

9. Password Cracking (T1110): An attacker uses various techniques to crack passwords, such as brute force or dictionary attacks, in order to gain access to accounts with elevated privileges.

10. Exploitation of Service Credentials (T1134): An attacker gains access to a service account’s credentials and uses them to elevate privileges.

11. Bypass User Account Control (T1088): An attacker uses techniques to bypass User Account Control (UAC) on Windows systems in order to execute code with elevated privileges.

12. Exploitation of Authentication Protocol (T1212): An attacker exploits vulnerabilities in authentication protocols, such as Kerberos, to gain elevated privileges.

Note: These techniques are just a few examples and not an exhaustive list of all techniques in the Privilege Escalation category. For more information, please refer to the MITRE ATT&CK framework.

Techniques used to avoid detection by security measures, such as using encryption or obfuscation to hide malicious code.

Here’s a list of PURPLE team techniques for Defense Evasion category along with their descriptions from the MITRE ATT&CK framework:

1. Obfuscated Files or Information (T1027) – Modify the code or data of an existing file to evade detection from security tools.

2. File Deletion (T1107) – Delete files that may be used to track or identify an attacker’s actions or the presence of malware.

3. Hidden Files and Directories (T1564.001) – Use hidden files or directories to conceal malicious activity or tools.

4. Timestomp (T1070.006) – Modify the timestamps of files to make them appear as if they were created or modified at a different time, potentially evading detection.

5. DLL Side-Loading (T1073.003) – Exploit the way Windows loads DLLs to run malicious code while evading detection.

6. Obfuscated Files or Information (T1027) – Use various techniques to obfuscate the code or data of an existing file, including encryption or compression.

7. Code Signing (T1116) – Sign malicious code with a valid digital certificate to make it appear legitimate and evade detection.

8. Hiding Artifacts (T1564.004) – Conceal artifacts of an attacker’s activity by hiding them in an unexpected location, such as in the registry or system file.

9. Masquerading (T1036) – Disguise malicious activity as legitimate traffic or application to evade detection by security tools.

10. Rootkit (T1014) – Install a rootkit to hide the presence of malware or an attacker’s actions, making it difficult to detect and remove.

These techniques are used by attackers to evade detection and bypass security controls. By emulating these techniques, Purple team can help identify and address gaps in the organization’s defenses.

Techniques used to obtain credentials for accessing target systems, such as using keyloggers or phishing attacks.

Here are some Purple Team techniques for the Credential Access category with their descriptions, as listed on the MITRE ATT&CK framework:

1. Kerberoasting: This technique involves extracting Kerberos tickets for service accounts that use the RC4 encryption type, and then cracking the password offline to obtain plaintext credentials.

2. Brute Force: Attackers can use brute force techniques to guess passwords for accounts with weak or commonly-used passwords, or by using password lists.

3. Password Spraying: Password spraying involves using a single password (usually a commonly-used one) and trying it against many accounts, rather than trying many passwords against a single account.

4. Credential Dumping: This technique involves stealing password hashes or plaintext passwords from Windows operating systems, domain controllers, and domain members.

5. Mimikatz: Mimikatz is a post-exploitation tool that can extract plaintext passwords, Kerberos tickets, and other authentication tokens from memory on Windows systems.

6. Lateral Movement: Attackers can move laterally through a network to access additional systems and resources, using previously acquired credentials to authenticate.

7. Golden Ticket: This technique involves forging a Kerberos ticket-granting ticket (TGT) to bypass Kerberos authentication and gain access to domain resources.

8. Pass the Hash: Pass the Hash is a technique that involves stealing password hashes and using them to authenticate to other systems without having to crack the hash or obtain the plaintext password.

9. Domain Trusts: Attackers can exploit trusts between different domains or forests to gain access to resources in a trusted domain.

10. Remote Desktop Protocol (RDP) Hijacking: Attackers can hijack RDP sessions to gain access to systems and steal credentials.

These are just a few examples of Purple Team techniques in the Credential Access category. It’s important to note that these techniques are often used in combination with other techniques to achieve specific goals, and that Purple Teams may use a variety of tactics to test and improve the security posture of an organization.

Techniques used to move laterally within the target network, such as pivoting through compromised hosts or using stolen credentials.

Here are some examples of PURPLE team techniques for the Lateral Movement category and their descriptions, based on the MITRE ATT&CK framework:

1. Remote Services: A technique that involves using legitimate remote services such as SSH or RDP to remotely access and control systems on the network.
2. Exploitation of Remote Services: A technique that involves exploiting vulnerabilities in remote services to gain unauthorized access to systems on the network.
3. Replication Through Removable Media: A technique that involves using removable media such as USB drives to copy and execute malware on systems connected to the network.
4. Remote Desktop Protocol Hijacking: A technique that involves hijacking an active remote desktop session to gain unauthorized access to a system.
5. Pass the Ticket: A technique that involves stealing and using Kerberos tickets to impersonate users and move laterally across the network.
6. Remote File Copy: A technique that involves copying files from one system to another over the network using tools such as SMB or FTP.
7. Windows Admin Shares: A technique that involves accessing administrative shares on Windows systems to move laterally across the network.
8. PowerShell: A technique that involves using PowerShell to execute malicious code and move laterally across the network.
9. Scheduled Tasks: A technique that involves creating and modifying scheduled tasks on systems to execute malicious code and move laterally across the network.
10. Service Execution: A technique that involves executing malicious code as a service on a target system to maintain persistence and move laterally across the network.

Techniques used to gather data of interest, such as exfiltrating sensitive data or stealing intellectual property.

Here’s a list of some PURPLE team techniques for the Collection category, along with their brief descriptions based on the reference link provided:

1. Data Transfer to Cloud Account (T1537.002): In this technique, an attacker transfers stolen data to a cloud-based account for storage and later retrieval.

2. Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048): This technique involves using non-command-and-control (C2) protocols, such as HTTP or DNS, to exfiltrate data from a compromised network without encryption.

3. Exfiltration Over Physical Medium (T1052): An attacker can use physical media, such as a USB drive or a mobile device, to exfiltrate data from a compromised network.

4. Exfiltration Over Alternative Protocol (T1048.003): In this technique, an attacker exfiltrates data using an alternative protocol, such as SMTP, FTP, or IMAP, instead of the standard HTTP or HTTPS protocols.

5. Input Capture (T1056): This technique involves capturing user input, such as keystrokes or mouse clicks, to gather sensitive information, such as login credentials.

6. Screen Capture (T1113): An attacker can capture screenshots or record videos of the victim’s screen to gather sensitive information, such as passwords or account numbers.

7. Remote Data Staging (T1074.002): In this technique, an attacker stages stolen data on a compromised system before exfiltrating it to a remote server.

8. Remote File Copy (T1105): An attacker can use tools such as SCP, RCP, or SMB to copy files from a compromised system to a remote server.

9. Replication Through Removable Media (T1091): An attacker can use removable media, such as a USB drive or a CD, to replicate malware or steal data from a compromised system.

10. System Information Discovery (T1082): This technique involves collecting system information, such as OS version, hardware configuration, and installed software, to aid in later stages of the attack.

Note: The descriptions provided above are brief summaries. For more detailed information on these techniques, please refer to the reference link provided.

Techniques used to communicate with compromised hosts and manage the attack, such as setting up command and control servers or using encrypted channels.

Here is a list of some of the purple team techniques for the Command and Control category, along with their descriptions from the MITRE ATT&CK framework:

1. C2 Obfuscation – The adversary hides command and control traffic to avoid detection. Examples include the use of encryption, TOR, and other obfuscation techniques.

2. C2 Protocol Development – Adversaries develop new command and control protocols to evade detection by security solutions. This involves the creation of new network protocols or the modification of existing protocols.

3. C2 Redirector – Adversaries use redirectors to route command and control traffic through multiple hosts to evade detection. This technique may involve the use of compromised web servers or other publicly accessible infrastructure.

4. C2 Multi-Stage Channels – Adversaries use multi-stage command and control channels to evade detection. This involves the use of multiple communication channels or protocols to establish a persistent connection to a compromised system.

5. C2 Domain Fronting – Adversaries use legitimate web services to hide command and control traffic. This involves sending command and control traffic through a legitimate domain in order to evade detection.

6. C2 Exfiltration Over Alternative Protocol – Adversaries use alternative protocols to exfiltrate data to evade detection. This involves sending data over non-standard network protocols or using covert channels to avoid detection by security solutions.

7. C2 via Cloud Services – Adversaries use cloud services to evade detection. This involves using legitimate cloud services, such as Amazon Web Services (AWS), Google Cloud Platform, or Microsoft Azure, to host command and control infrastructure.

8. C2 Over Commonly Used Port – Adversaries use commonly used ports, such as Port 80 or 443, to send command and control traffic to evade detection. This involves sending traffic over ports that are commonly used for legitimate traffic.

9. C2 over Web Service – Adversaries use web services to send command and control traffic to evade detection. This involves sending traffic over web services, such as Google Drive, Dropbox, or OneDrive, to avoid detection.

10. C2 Exfiltration Over Web Service – Adversaries use web services to exfiltrate data to evade detection. This involves sending data over web services, such as Google Drive, Dropbox, or OneDrive, to avoid detection by security solutions.

Techniques used to exfiltrate stolen data or other assets, such as uploading data to remote servers or using removable media.

Here’s a list of PURPLE team techniques for Exfiltration category with their descriptions:

1. Data Compressed: The adversary compresses data to reduce its size, making it easier to exfiltrate over the network or store on disk.

2. Data Encrypted: The adversary encrypts data to prevent detection or interception during exfiltration. This may include using asymmetric or symmetric encryption.

3. Data Encoded: The adversary encodes data to evade detection during exfiltration. This may include using Base64 or other encoding schemes.

4. Data Fragmentation: The adversary splits data into smaller pieces to avoid detection during exfiltration. This may include using TCP or ICMP packets.

5. Data Obfuscation: The adversary obfuscates data by changing its format or structure, making it more difficult to identify during exfiltration.

6. Exfiltration Over Alternative Protocol: The adversary uses alternative protocols, such as DNS or HTTP, to exfiltrate data. This may be used to bypass network detection mechanisms.

7. Exfiltration Over C2 Channel: The adversary uses a command-and-control (C2) channel to exfiltrate data, making it more difficult to detect and block.

8. Exfiltration Over Other Network Medium: The adversary exfiltrates data using other network mediums, such as Bluetooth or USB, to bypass network detection mechanisms.

9. Exfiltration Over Physical Medium: The adversary physically exfiltrates data using removable storage or other means, bypassing network detection mechanisms.

10. Exfiltration Over Unencrypted/Unauthenticated Protocols: The adversary uses unencrypted or unauthenticated protocols, such as FTP or Telnet, to exfiltrate data, making it easier to intercept and identify.

These techniques are used by adversaries to exfiltrate data from target environments, and they can help the purple team identify weaknesses in defensive strategies and develop effective mitigation measures.