PurpleSharp
Description
PurpleSharp is an open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection engineering program. PurpleSharp leverages the MITRE ATT&CK Framework and executes different techniques across the attack life cycle: execution, persistence, privilege escalation, credential access, lateral movement, etc
Purpose
PurpleSharp enables DetectionLab users to easily simulate adversary techniques to generate attack telemetry with the goal of:
- Build new detection analytics
- Enhance existing detection analytics
- Validate detection resiliency
Configuration Details
- The latest release of PurpleSharp is automatically downloaded by
install-redteam.ps1 - No configuration is necessary, the binary is all you need to simulate attacks.
Sample Usage
PurpleSharp supports several modes of simulation execution:
- Local: Execute techniques on a local host
- Remote: Execute techniques on a remote host
- Commandline: Execute techniques with command line parameters
- JSON: Execute techniques with a JSON file as input
A few examples below:
Execute 3 process injection techniques locally:
PurpleSharp.exe /t T1055.002,T1055.003,T1055.004
Execute the same process injection techniques on a remote host (network connectivity and administrative access required):
PurpleSharp.exe /rhost 192.168.1.1 /ruser admin /d lab.local /t T1055.002,T1055.003,T1055.004
Execute 3 simulation playbooks containing different techniques with a JSON file as input.
PurpleSharp.exe /pb variations.json
For more information and examples, visit the documentation and look at the demos.
Data Location
This tool is located in C:\Tools\PurpleSharp\
Logs are generated in the same folder as PurpleSharp.exe