Operational Purple Teaming for Defenders
Cybersecurity Training through Attack Simulation
Training Description
This hands-on training connects red and blue in a series of live attack-defense exercises and demos. The group of participants will work as one team against a simulated threat actor, APT 0x00, with full disclosure of the attacker’s progress and technical insights on the executed techniques. The adversary’s capability and stealth will steadily improve over the course of the training.
Participants are dropped into a simulated corporate network environment, which they must defend from a threat actor over the course of the training. The attacker is simulated by a red team specialist, who will share valuable insights about the commonly used threat actor techniques applied in the attack. Together with a blue team instructor, you will learn how to hunt for these techniques, build detections that can help defend your organization, and eradicate the attacker. Examples of covered techniques we will learn how to hunt for:
Webshells.
Process Injection.
Credential dumping from LSASS.
Lateral Movement via Service Execution.
In-memory C# assembly execution.
Persistence.
Kerberoasting.
AD Enumeration via BloodHound.
Resource-Based Constrained Delegation Attacks.
Headless RDP.
Day 1
The first day focuses on threat hunting and detection engineering. APT 0x00 kicks off a campaign to breach the corporate Active Directory environment. The attacker relies on a mix of Metasploit and Sliver Command and Control to infiltrate the environment. Participants will learn how to collect telemetry on specific techniques and build detections.
The red team instructor will provide insights on the red team side during regular purple team meetings. This input enables the detection engineering process, where new detection rules are created in collaboration with the training participants. The blue team will use defensive security tools such as Elastic stack with security (EDR), with additional log sources from Sysmon and Velociraptor for incident response.
The red team instructor simulates APT 0x00 and provides technical insights into the attacker techniques. The blue team instructor provides insight into detection. The goal of this day is to learn how to detect specific attack techniques. Topics covered include:
Introduction to the lab environment.
Machines.
Networks.
Elastic (SIEM) with security detection rules and additional log sources:
Sysmon.
PowerShell logs.
Application logs.
Elastic Agent with Security in detection mode (Free EDR).
Velociraptor for artifact collection and live incident response.
Testing VPN connection.
Preparation and introduction to the exercise.
Introduction to red teaming.
Introduction to Command and Control.
Purple Teaming: Attacker techniques, threat hunting & detection engineering:
Establishing a foothold in the lab via exploitation.
BloodHound and active directory attacks.
Process Injection.
In-memory C# assembly execution.
Credential dumping.
Persistence.
Lateral movement.
…
Lessons learned.
Day 2
Day two adds a live incident response component to the training. APT 0x00 becomes more advanced and initiates a new campaign against the lab environment overnight. Students join the blue team side during the aftermath of the attack. Students retrace the attacker’s steps and learn to eradicate the attacker from the environment.
The red team instructor simulates a more advanced version of APT 0x00 and provides technical insights into the attacker techniques. During the day, students are guided by the blue team instructor to reconstruct the timeline of a pre-executed attack. The goal of this day is to identify and eradicate the attacker based on the knowledge gained on day 1.
Preparation and introduction to the exercise.
Anomaly detection in the lab environment.
Investigating alerts and IoCs to discover underlying techniques.
Purple Teaming: More advanced attacker techniques, threat hunting & detection engineering.
Live response to the ongoing attack.
Eradication of the threat actor in the environment.
Lessons learned.
Day 3
On the final day, the threat actor reaches its peak performance with maximum stealth. The threat actor adds a new Command and Control framework to the mix (Havoc) and focuses on more complex implementations of some of the previously identified attacker techniques. The attacker has a solid presence in the network. Access to the same defensive tooling (Elastic incl. Security, Velociraptor) will be granted to the students to identify and stop the attacks as the threat actor progresses through the environment. The defenders will have to use their knowledge from the previous two days to detect the attacker and eradicate its footholds. Can the adversary be stopped before it reaches its goals?
The red team instructor simulates the stealthiest version of APT 0x00 and provides technical insights into the attacker techniques. During the day, students are guided by the blue team instructor to track and stop the live, ongoing threat actor campaign. The goal of this day is to stop the threat actor before it reaches its goals.
Preparation and introduction to the exercise.
Identification and elimination of attacker footholds.
Identifying anomalies in the lab environment.
Investigating alerts and IoCs to discover underlying techniques.
Purple Teaming: More advanced attacker techniques, threat hunting & detection engineering.
Live response to the ongoing attack.
Eradication of the threat actor in the environment.
Lessons learned.
Throughout all days, the red team specialist discloses technical details about the executed techniques. The attack can also be followed via Vectr (https://docs.vectr.io) to make it easier to hunt for certain activities. All days culminate in a lessons-learned moment. Every day, there are B33R objectives where participants can earn some top-quality Belgian beers. During the evenings, participants have the option to continue playing around in the lab.
Target Audience
This technical training is intended for IT professionals who want to expand their knowledge on red teaming, threat hunting and detection engineering. Students will combat a live ongoing cyberattack and experience hands-on how a meaningful collaboration between offensive and defensive security teams can improve an organization’s defensive capabilities against real threat actors. The target audience includes:
Cyber Security Professionals
Threat Hunters
Incident Handlers
SOC Analysts
Detection Engineers
IT Professionals with an interest in technical cyber security
We cover a range of simple to more complex attack techniques. Both beginners and more advanced professionals will get the most out of the course.
Type
This is a 3-day technical training, which can be stretched into a 5-day course to accommodate the audience.
Requirements
Students should be able to participate from their own operating system, provided it supports a WireGuard VPN and has a web browser on board. It is recommended to use a Linux virtual machine with a desktop environment to participate in the training.
Organization:
One room, equipped with a projector and screen.
A stable internet connection for all students as our lab is in AWS.
Previously Hosted / Planned
Thomas More University Belgium (November-December 2024): Simplified version delivered during the "Hacking Advanced" courses for 3rd-year bachelor students, where students would join the red team in attacking a lab environment (2 days), the blue team in defending the environment (2 days) and battle each other on the final 2 days.
BruCON 0x10 (September 2024): Organized as the 3-day Operational Purple Teaming for Defenders training. Participants join only on the defensive side.
X33fCON (June 2024): Built on the experience from BruCON and Thomas More, the training was recreated to focus on the defensive side. Organized as the 3-day Operational Purple Teaming for Defenders training. Participants join only on the defensive side.
Thomas More University Belgium (November-December 2023): Simplified version delivered during the "Hacking Advanced" courses for 3rd-year bachelor students, where students would join the red team in attacking a lab environment (2 days), the blue team in defending the environment (2 days) and battle each other on the final 2 days.
Thomas More University Belgium (November-December 2022): Simplified version delivered during the "Hacking Advanced" courses for 3rd-year bachelor students, where students would join the red team in attacking a lab environment (2 days), the blue team in defending the environment (2 days) and battle each other on the final 2 days.
BruCON 0x0D (September 2022): Organized as Red <3 Blue: Attack-Defense Purple Team Training. Participants joined both the offensive and defensive side.
Internal audience at DXC Technology (March 2022): Participants joined both the offensive and defensive side.
Thomas More University Belgium (November-December 2021): Simplified version delivered during the "Hacking Advanced" courses for 3rd-year bachelor students, where students would join the red team in attacking a lab environment (2 days), the blue team in defending the environment (2 days) and battle each other on the final 2 days.
Thomas More University Belgium (November-December 2020): Simplified version delivered during the "Hacking Advanced" courses for 3rd-year bachelor students, where students would join the red team in attacking a lab environment (2 days), the blue team in defending the environment (2 days) and battle each other on the final 2 days.