PurpleSharp is an open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection engineering program. PurpleSharp leverages the MITRE ATT&CK Framework and executes different techniques across the attack life cycle: execution, persistence, privilege escalation, credential access, lateral movement, etc.
PurpleSharp enables DetectionLab users to easily simulate adversary techniques to generate attack telemetry with the goal of:
install-redteam.ps1
PurpleSharp supports several modes of simulation execution:
A few examples below:
Execute 3 process injection techniques locally:
PurpleSharp.exe /t T1055.002,T1055.003,T1055.004
Execute the same process injection techniques on a remote host (network connectivity and administrative access required):
PurpleSharp.exe /rhost 192.168.1.1 /ruser admin /d lab.local /t T1055.002,T1055.003,T1055.004
Execute 3 simulation playbooks containing different techniques with a JSON file as input.
PurpleSharp.exe /pb variations.json
For more information and examples, visit the documentation and look at the demos.
This tool is located in C:\Tools\PurpleSharp\
Logs are generated in the same folder as PurpleSharp.exe
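The commands above run a simulation but leave the detection engineer to go and find the resulting telemetry by hand. The following PowerShell script is an added example, not part of PurpleSharp or DetectionLab: it runs the page's first local example (the three T1055 process injection sub-techniques) from the C:\Tools\PurpleSharp\ location stated above, records the start time, and then queries the Sysmon operational log for the events process injection is expected to produce (EID 1 ProcessCreate, EID 8 CreateRemoteThread, EID 10 ProcessAccess) within that window. It assumes Sysmon is installed and writing to Microsoft-Windows-Sysmon/Operational, and that the shell is elevated; the Sysmon event IDs are standard Sysmon values, not something the page states.

```powershell
# Added example (not PurpleSharp's or DetectionLab's own code): run one local
# PurpleSharp simulation, then pull the Sysmon telemetry it generated so the
# detection engineer can confirm the expected events actually arrived.
#
# Assumptions not stated on the page:
#   - Sysmon is installed and logging to Microsoft-Windows-Sysmon/Operational
#   - this shell is elevated (process injection techniques need it)

$PurpleSharp = 'C:\Tools\PurpleSharp\PurpleSharp.exe'   # location given on the page
$Techniques  = 'T1055.002,T1055.003,T1055.004'          # the page's first example

if (-not (Test-Path $PurpleSharp)) {
    throw "PurpleSharp.exe not found at $PurpleSharp"
}

# Record the start time before running, so the log query is bounded to this run.
$Start = Get-Date

# Same invocation as the page's first example; wait for it to finish.
# PurpleSharp's own log lands next to the exe, as the page notes.
$Proc = Start-Process -FilePath $PurpleSharp -ArgumentList "/t $Techniques" `
                      -Wait -PassThru -NoNewWindow
"PurpleSharp exited with code $($Proc.ExitCode)"

# Sysmon event IDs that process injection is expected to produce:
#   1 = ProcessCreate, 8 = CreateRemoteThread, 10 = ProcessAccess
# Get-WinEvent reports 'no events' as an error, so suppress it and handle $null.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1, 8, 10
    StartTime = $Start
} -ErrorAction SilentlyContinue

# Per-event-ID counts for the simulation window.
$Events | Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# For the injection-specific events, show source -> target image pairs.
# Sysmon's EventData is a list of <Data Name="..."> nodes; flatten it to a hashtable.
foreach ($E in ($Events | Where-Object { $_.Id -in 8, 10 })) {
    $Xml  = [xml]$E.ToXml()
    $Data = @{}
    foreach ($Node in $Xml.Event.EventData.Data) { $Data[$Node.Name] = $Node.'#text' }
    '{0}  EID {1}: {2} -> {3}' -f $E.TimeCreated, $E.Id, $Data['SourceImage'], $Data['TargetImage']
}

# The gap that matters to a detection program: the technique ran, but no
# injection telemetry reached the log in the expected window.
if (-not ($Events | Where-Object { $_.Id -in 8, 10 })) {
    Write-Warning ("No Sysmon EID 8/10 events since {0}. Check that the Sysmon " +
                   "configuration has CreateRemoteThread/ProcessAccess rules enabled.") -f $Start
}
```

The start-time bound is what makes the result meaningful: on a busy host the Sysmon log already contains plenty of EID 1 and EID 10 noise, and without it the count says nothing about this simulation. If the warning fires, the problem is on the logging side (Sysmon config or log forwarding), not in the detection rule that consumes the events.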