
Lab 9: Purple Team Exercise — Detect What You Can't See

Difficulty: ⭐⭐⭐⭐ Expert | Duration: 3–4 hours | Chapter: 36 (Purple Team Operations)


Objectives

By the end of this lab you will have:

  1. Executed 10 ATT&CK techniques using Atomic Red Team on a Windows lab VM
  2. Hunted for artifacts from each technique in Windows Event Logs and Sysmon
  3. Written two Sigma rules for techniques that had no detection coverage
  4. Validated rules against collected log data
  5. Recorded results in a VECTR-format tracking sheet and calculated ATT&CK coverage

Prerequisites

  • Windows 10/11 or Windows Server 2019 VM (non-production)
  • PowerShell 5.1+ with script execution enabled
  • Sysmon 15+ deployed with SwiftOnSecurity config
  • A SIEM with Windows Event Log and Sysmon ingestion (Elastic, Splunk, or Sentinel free tier)
  • Do not run these tests against production systems

Part 1 — Environment Setup (30 min)

1.1 Deploy Sysmon

# Download Sysmon and SwiftOnSecurity config
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Sysmon.zip" -OutFile Sysmon.zip
Expand-Archive Sysmon.zip -DestinationPath .\sysmon

Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -OutFile sysmonconfig.xml

# Install
.\sysmon\Sysmon64.exe -accepteula -i sysmonconfig.xml
# Verify
Get-Service sysmon64 | Select-Object Status, DisplayName

1.2 Install Atomic Red Team

# Install module
Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
Install-Module -Name invoke-atomicredteam -Scope CurrentUser -Force -AllowClobber
Install-Module -Name powershell-yaml -Scope CurrentUser -Force

# Install the Atomic Red Team test repository (the installer script defines
# Install-AtomicRedTeam; -getAtomics downloads the atomics to C:\AtomicRedTeam)
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics

Import-Module Invoke-AtomicRedTeam
$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder" = "C:\AtomicRedTeam\atomics"}

# Verify
Invoke-AtomicTest T1059.001 -ShowDetailsBrief

1.3 Configure Log Collection

Ensure these Windows Event logs are being collected by your SIEM:

Log Source                      Event IDs Required
Security                        4624, 4625, 4648, 4656, 4662, 4663, 4688, 4698, 4769
Sysmon                          1, 2, 3, 7, 8, 10, 11, 12, 13 (Event 2 is needed for the timestomping check in C1)
PowerShell                      4103, 4104
System                          7045
Windows Defender/Operational    5001 (needed for the Defender check in C2)

# Enable PowerShell Script Block Logging
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $regPath -Force | Out-Null
Set-ItemProperty -Path $regPath -Name EnableScriptBlockLogging -Value 1

# Enable Command Line Auditing
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

Part 2 — Execute Atomic Tests (60 min)

Execute each test, record whether it succeeded, then wait 5 minutes before checking your SIEM. Record results in the tracking table at the end.

Safety First

Tests T1003.001 and T1558.003 are credential-access techniques. Run them only on the designated lab VM with no connectivity to a production domain, and ensure no production credentials exist on the machine.

Test Set A — Persistence

A1: Scheduled Task (T1053.005)

# Review what the test does
Invoke-AtomicTest T1053.005 -TestNumbers 1 -ShowDetails

# Install prerequisites
Invoke-AtomicTest T1053.005 -TestNumbers 1 -GetPrereqs

# Execute
Invoke-AtomicTest T1053.005 -TestNumbers 1

# After 5 min: check SIEM for Event ID 4698 (scheduled task created)
# Query (KQL):
# SecurityEvent | where EventID == 4698 | where TimeGenerated > ago(10m)
# | project TimeGenerated, Computer, TaskName, TaskContent

# Cleanup
Invoke-AtomicTest T1053.005 -TestNumbers 1 -Cleanup

A2: Registry Run Key (T1547.001)

Invoke-AtomicTest T1547.001 -TestNumbers 1 -GetPrereqs
Invoke-AtomicTest T1547.001 -TestNumbers 1

# Check Sysmon Event 13 (registry value set)
# Sysmon | where EventID == 13
# | where TargetObject contains "\\Run\\"
# | project TimeGenerated, Image, TargetObject, Details

Invoke-AtomicTest T1547.001 -TestNumbers 1 -Cleanup

Test Set B — Credential Access

B1: LSASS Memory Dump (T1003.001)

# Test 2 uses comsvcs.dll MiniDump (built-in Windows — no external tool)
Invoke-AtomicTest T1003.001 -TestNumbers 2 -GetPrereqs
Invoke-AtomicTest T1003.001 -TestNumbers 2

# Check Sysmon Event 10 (process access targeting lsass.exe).
# Note: this test's source process is rundll32.exe, which lives in System32, so
# excluding System32 sources would hide the very event you are hunting for.
# Project the access mask and call trace and triage known-good sources by hand instead.
# Sysmon | where EventID == 10
# | where TargetImage endswith "lsass.exe"
# | project TimeGenerated, SourceImage, GrantedAccess, CallTrace

Invoke-AtomicTest T1003.001 -TestNumbers 2 -Cleanup
Remove-Item C:\Windows\Temp\lsass.dmp -ErrorAction SilentlyContinue

B2: Kerberoasting (T1558.003)

# Requires a domain-joined VM (setspn writes to Active Directory) — skip if standalone
# Register a throwaway SPN on a lab service account so a roastable service ticket exists
setspn -S MSSQLSvc/db01.lab.local:1433 svc-sql
Invoke-AtomicTest T1558.003 -TestNumbers 1

# Check for Event 4769 with TicketEncryptionType 0x17 (RC4)
# SecurityEvent | where EventID == 4769
# | where TicketEncryptionType == "0x17"
# | where ServiceName !endswith "$"

Invoke-AtomicTest T1558.003 -TestNumbers 1 -Cleanup

Test Set C — Defense Evasion

C1: Timestomping (T1070.006)

Invoke-AtomicTest T1070.006 -TestNumbers 1 -GetPrereqs
Invoke-AtomicTest T1070.006 -TestNumbers 1

# Check Sysmon Event 2 (file creation time changed)
# Sysmon | where EventID == 2
# | where TimeGenerated > ago(10m)

Invoke-AtomicTest T1070.006 -TestNumbers 1 -Cleanup

C2: Disable Windows Defender (T1562.001)

Invoke-AtomicTest T1562.001 -TestNumbers 1 -GetPrereqs
Invoke-AtomicTest T1562.001 -TestNumbers 1

# Check Event 5001 (real-time protection disabled). It is written to the
# Microsoft-Windows-Windows Defender/Operational log, not the Security log, so
# query the generic Windows event table of your SIEM (Sentinel example):
# Event | where Source == "Microsoft-Windows-Windows Defender" | where EventID == 5001

# IMPORTANT: Re-enable after test
Set-MpPreference -DisableRealtimeMonitoring $false
Invoke-AtomicTest T1562.001 -TestNumbers 1 -Cleanup

Test Set D — Execution

D1: PowerShell Encoded Command (T1059.001)

Invoke-AtomicTest T1059.001 -TestNumbers 1 -GetPrereqs
Invoke-AtomicTest T1059.001 -TestNumbers 1

# Check Event 4104 (PowerShell Script Block) or Sysmon Event 1
# with CommandLine containing "-EncodedCommand" or "-enc"
# PowerShellEvent | where EventID == 4104
# | where ScriptBlockText contains "EncodedCommand"

Invoke-AtomicTest T1059.001 -TestNumbers 1 -Cleanup

D2: WMI Execution (T1047)

Invoke-AtomicTest T1047 -TestNumbers 1 -GetPrereqs
Invoke-AtomicTest T1047 -TestNumbers 1

# Check Sysmon Event 1 for wmiprvse.exe spawning child processes
# Sysmon | where EventID == 1
# | where ParentImage endswith "WmiPrvSE.exe"
# | where Image !in ("C:\\Windows\\System32\\conhost.exe")

Invoke-AtomicTest T1047 -TestNumbers 1 -Cleanup

Test Set E — Impact

E1: Shadow Copy Deletion (T1490)

# WARNING: This deletes shadow copies on the test VM — ensure no needed backups
Invoke-AtomicTest T1490 -TestNumbers 1 -GetPrereqs
Invoke-AtomicTest T1490 -TestNumbers 1

# Check Sysmon Event 1 for vssadmin/wbadmin/bcdedit
# Sysmon | where EventID == 1
# | where CommandLine has_any ("delete shadows", "delete catalog", "recoveryenabled no")

# No cleanup possible for deleted shadow copies

E2: File Encryption Simulation (T1486)

# Test uses a benign Python script encrypting test files in a temp folder
Invoke-AtomicTest T1486 -TestNumbers 1 -GetPrereqs
Invoke-AtomicTest T1486 -TestNumbers 1

# Check Sysmon Event 11 for rapid file creation with unusual extensions
# (the aggregate is named FileCount so it does not collide with the KQL count operator)
# Sysmon | where EventID == 11
# | summarize FileCount=count() by bin(TimeGenerated, 1m), Extension=tostring(split(TargetFilename,".")[-1])
# | where FileCount > 20

Invoke-AtomicTest T1486 -TestNumbers 1 -Cleanup
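The E2 burst check, expressed in Python and run over constructed Sysmon Event 11 (FileCreate) records so the one-minute binning and the "more than 20 files" threshold can be verified offline before they are written as a SIEM query. This is an added example, not part of the lab; the records and the `enc.exe` path are constructed.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

def file_extension(target: str) -> str:
    """Last '.'-separated segment of the file name, as split(TargetFilename,".")[-1] does."""
    name = target.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def count_by_minute_and_ext(events: List[Dict[str, str]]) -> Counter:
    """Equivalent of: summarize FileCount=count() by bin(UtcTime, 1m), Extension."""
    counts: Counter = Counter()
    for ev in events:
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        minute = ts.replace(second=0, microsecond=0)      # 1-minute bin
        counts[(minute, file_extension(ev["TargetFilename"]))] += 1
    return counts

def rapid_file_creation(events, threshold: int = 20) -> List[Tuple[datetime, str, int]]:
    """Bins whose creation count exceeds the threshold (the query's 'FileCount > 20')."""
    return sorted((minute, ext, n) for (minute, ext), n in count_by_minute_and_ext(events).items()
                  if n > threshold)

# Constructed records: 25 '.locked' files written within one minute by a simulated
# encryptor, plus ordinary writes that must stay below the threshold.
SAMPLE_EVENTS = [
    {"UtcTime": f"2026-03-17 14:02:{i:02d}.000", "Image": r"C:\Users\lab\enc.exe",
     "TargetFilename": rf"C:\Users\lab\Documents\report{i}.docx.locked"}
    for i in range(25)
] + [
    {"UtcTime": "2026-03-17 14:02:30.000", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\lab\Documents\notes.txt"},
    {"UtcTime": "2026-03-17 14:03:05.000", "Image": r"C:\Users\lab\enc.exe",
     "TargetFilename": r"C:\Users\lab\Documents\ransom_note.txt"},
]

if __name__ == "__main__":
    for minute, ext, n in rapid_file_creation(SAMPLE_EVENTS):
        print(f"{minute:%H:%M} .{ext}: {n} files created")
```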


Part 3 — Detection Hunting (45 min)

For each test you ran, query your SIEM to determine whether an alert was generated or evidence exists.

Universal hunting template (KQL):

// Adjust time range to your test window
let startTime = datetime('YYYY-MM-DD HH:MM:SS');
let endTime = startTime + 15m;

// Sysmon process creation
Sysmon
| where TimeGenerated between (startTime .. endTime)
| where EventID == 1
| project TimeGenerated, Computer, Image, CommandLine, ParentImage, User
| order by TimeGenerated asc

// Windows Security events
SecurityEvent
| where TimeGenerated between (startTime .. endTime)
| where EventID in (4624, 4625, 4648, 4656, 4698, 4769)
| project TimeGenerated, EventID, Activity, Account, Computer
| order by TimeGenerated asc


Part 4 — Write Detection Rules (45 min)

For any techniques with no detection coverage, write a Sigma rule.

Exercise 4.1 — Write a Sigma rule for T1490 (Shadow Copy Deletion)

Template to complete:

title: [YOUR TITLE]
id: [GENERATE UUID]
status: experimental
description: [DESCRIBE WHAT YOU ARE DETECTING]
references:
  - https://attack.mitre.org/techniques/T1490/
author: [YOUR NAME]
date: [TODAY]
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection_vssadmin:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: [FILL IN COMMAND LINE PATTERNS]
  selection_wbadmin:
    Image|endswith: '\wbadmin.exe'
    CommandLine|contains: [FILL IN]
  selection_bcdedit:
    Image|endswith: '\bcdedit.exe'
    CommandLine|contains: [FILL IN]
  condition: [FILL IN — union the three selections]
falsepositives:
  - [WHAT LEGITIMATE ACTIVITY COULD TRIGGER THIS?]
level: [critical/high/medium/low]

Reference answer (attempt before reading):

title: Ransomware Shadow Copy and Backup Deletion
id: 00000000-0000-4000-8000-000000000000   # placeholder: generate your own UUID (e.g. [guid]::NewGuid())
status: stable
description: Detects deletion of shadow copies and backup disabling used by ransomware
references:
  - https://attack.mitre.org/techniques/T1490/
author: Nexus SecOps Lab 9
date: 2026-03-17
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection_vssadmin:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains|all:
      - 'delete'
      - 'shadows'
  selection_wbadmin:
    Image|endswith: '\wbadmin.exe'
    CommandLine|contains|all:
      - 'delete'
      - 'catalog'
  selection_bcdedit:
    Image|endswith: '\bcdedit.exe'
    CommandLine|contains:
      - 'recoveryenabled no'
      - 'bootstatuspolicy ignoreallfailures'
  selection_wmic:
    Image|endswith: '\wmic.exe'
    CommandLine|contains|all:
      - 'shadowcopy'
      - 'delete'
  condition: 1 of selection_*
falsepositives:
  - Legitimate backup software managing shadow copies
  - System administrators performing maintenance (rare)
level: critical

Exercise 4.2 — Write a Sigma rule for T1547.001 (Registry Run Key)

Write the rule yourself, then validate it produces results against your test data.
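To validate a rule of this shape against collected events without a SIEM round-trip, here is an added example (not part of the lab and not Sigma project code): a minimal Python evaluator for the modifiers the T1490 reference rule uses (endswith, contains, contains|all and the condition 1 of selection_*), run over constructed process_creation events. Real conversion to your SIEM's query language should use pySigma or sigma-cli.

```python
from typing import Any, Dict, List

# Mirrors the detection block of the reference answer above (same fields and values).
T1490_DETECTION = {
    "selection_vssadmin": {"Image|endswith": "\\vssadmin.exe",
                           "CommandLine|contains|all": ["delete", "shadows"]},
    "selection_wbadmin": {"Image|endswith": "\\wbadmin.exe",
                          "CommandLine|contains|all": ["delete", "catalog"]},
    "selection_bcdedit": {"Image|endswith": "\\bcdedit.exe",
                          "CommandLine|contains": ["recoveryenabled no",
                                                   "bootstatuspolicy ignoreallfailures"]},
    "selection_wmic": {"Image|endswith": "\\wmic.exe",
                       "CommandLine|contains|all": ["shadowcopy", "delete"]},
}

def field_matches(event: Dict[str, str], key: str, want: Any) -> bool:
    """Evaluate one 'Field|modifier' entry; Sigma string matching is case-insensitive."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    wants = [str(w).lower() for w in (want if isinstance(want, list) else [want])]
    if mods == ["endswith"]:
        return any(value.endswith(w) for w in wants)
    if mods == ["contains"]:          # a list under plain 'contains' is an OR
        return any(w in value for w in wants)
    if mods == ["contains", "all"]:   # 'contains|all' requires every listed value
        return all(w in value for w in wants)
    raise ValueError(f"unsupported modifier chain: {key}")

def selection_matches(event: Dict[str, str], selection: Dict[str, Any]) -> bool:
    """Entries inside one selection are ANDed together."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def matched_selections(event: Dict[str, str], detection=T1490_DETECTION) -> List[str]:
    """Condition '1 of selection_*': the rule fires if this list is non-empty."""
    return [name for name, sel in detection.items()
            if name.startswith("selection_") and selection_matches(event, sel)]

# Constructed process_creation events (Sysmon Event 1 field names), not real log data.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},               # benign: no 'delete'
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},           # also what a legitimate backup tool may run (false-positive candidate)
]
```

Call `matched_selections(event)` on each exported record; the fourth sample shows why the reference answer lists backup software under falsepositives.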


Part 5 — Results Tracking (15 min)

Complete the purple team tracking table:

Technique    Name                 Executed       Alert Fired    Rule Written        Coverage
T1053.005    Scheduled Task       ☐ Yes ☐ No     ☐ Yes ☐ No     ☐ N/A ☐ Written     ______
T1547.001    Registry Run Key     ☐ Yes ☐ No     ☐ Yes ☐ No     ☐ N/A ☐ Written     ______
T1003.001    LSASS Dump           ☐ Yes ☐ No     ☐ Yes ☐ No     ☐ N/A ☐ Written     ______
T1558.003    Kerberoasting        ☐ Yes ☐ No     ☐ Yes ☐ No     ☐ N/A ☐ Written     ______
T1070.006    Timestomping         ☐ Yes ☐ No     ☐ Yes ☐ No     ☐ N/A ☐ Written     ______
T1562.001    Disable Defender     ☐ Yes ☐ No     ☐ Yes ☐ No     ☐ N/A ☐ Written     ______
T1059.001    PowerShell Encoded   ☐ Yes ☐ No     ☐ Yes ☐ No     ☐ N/A ☐ Written     ______
T1047        WMI Execution        ☐ Yes ☐ No     ☐ Yes ☐ No     ☐ N/A ☐ Written     ______
T1490        Shadow Copy Del.     ☐ Yes ☐ No     ☐ Yes ☐ No     ☐ N/A ☐ Written     ______
T1486        File Encryption      ☐ Yes ☐ No     ☐ Yes ☐ No     ☐ N/A ☐ Written     ______

Coverage Score:

Detection Coverage = (Techniques Detected / Techniques Executed) × 100


Graded Questions

  1. (2 pts) Which two techniques in the test set are most commonly not detected by default Windows logging, and why?

  2. (3 pts) Your T1003.001 test was not detected despite Sysmon Event 10 being present in the logs. What are three possible reasons the SIEM did not alert?

  3. (2 pts) Explain the difference between "Detected" and "Detected Post-Hoc" as VECTR outcome states. Why does the distinction matter for SOC operations?

  4. (3 pts) You find that your Sigma rule for T1490 generates 5 false positives per week from a legitimate backup tool. Describe the process for tuning the rule without losing detection capability.

  5. (2 pts) A new analyst asks why purple team exercises are more valuable than traditional red team engagements. Write a 3-sentence response explaining the feedback loop advantage.

  6. (3 pts) Calculate the ATT&CK coverage percentage for the "Defense Evasion" tactic based on your test results. What additional atomics would you run to improve coverage?


Cleanup Checklist

# Remove all atomic artifacts
Get-ScheduledTask | Where-Object {$_.TaskName -like "*atomic*"} | Unregister-ScheduledTask -Confirm:$false

# Re-enable Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $false
Start-Service WinDefend

# Remove temp files
Remove-Item C:\Windows\Temp\lsass.dmp -ErrorAction SilentlyContinue
Remove-Item C:\AtomicRedTeam\ExecART -Recurse -ErrorAction SilentlyContinue

# Clear test Run entries (Run persistence is stored as values under the Run key,
# so remove the values with Remove-ItemProperty rather than deleting the key)
$runKey = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
(Get-Item $runKey).Property | Where-Object { $_ -like "*atomic*" } |
    ForEach-Object { Remove-ItemProperty -Path $runKey -Name $_ -ErrorAction SilentlyContinue }

# Verify Sysmon still running
Get-Service sysmon64 | Select-Object Status