Operational Purple Teaming for Defenders
This hands-on training, tailored for blue teamers, delivers a unique and immersive experience in defensive security through live attack simulations. Participants will confront a simulated adversary, APT 0x00, within a realistic corporate network environment, enhancing skills in threat detection and incident response. Designed for cybersecurity professionals, threat hunters, incident responders, SOC analysts, and IT experts with an interest in cyber defense, this training bridges red and blue teams in collaborative exercises that enhance organizational resilience against real-world cyber threats. Over two days, participants will progress through escalating stages of simulated attacks, starting with fundamental detection strategies and advancing to complex attack techniques, including webshells, credential dumping, and lateral movement. Through guided threat hunting and detection engineering exercises, participants will develop and apply detection rules to locate and neutralize adversarial activity. Purple team sessions enable collaborative learning between offensive and defensive sides, fostering an understanding of both red and blue strategies. Leveraging tools like Elastic SIEM, Sysmon, Velociraptor, and Vectr, students will gain hands-on experience in telemetry collection, incident response, and threat identification. By the end of the training, participants will be able to create and implement custom detection queries, develop proactive threat-hunting strategies, and strengthen collaboration between red and blue teams to enhance their organizations’ overall security posture.
Participants are dropped into a simulated corporate network environment, which they must defend from a threat actor over the course of the training. The attacker is simulated by a red team specialist, who will share valuable insights about the threat actor techniques used in the attack and how commonly they are seen in the wild. Together with a blue team instructor, you will learn how to hunt for these techniques, build detections that can help defend your organization, and eradicate the attacker. Examples of the techniques we will learn how to hunt for:
- Webshells.
- Process Injection.
- Credential dumping from LSASS.
- Lateral Movement via Service Execution.
- In-memory C# assembly execution.
- Persistence.
- Kerberoasting.
- AD Enumeration via BloodHound.
- Resource-Based Constrained Delegation attacks.
- LAPS abuse.
- Headless RDP.
The first day focuses on threat hunting and detection engineering. APT 0x00 kicks off a campaign to breach the corporate Active Directory environment. The attacker relies on a mix of Metasploit (https://www.metasploit.com) and the Sliver Command and Control framework (https://github.com/BishopFox/sliver) to infiltrate the environment. Participants will learn how to collect telemetry on specific techniques and build detections. The red team instructor will provide insights from the red team side during regular purple team meetings. This input feeds the detection engineering process, in which new detection rules are created in collaboration with the training participants. The blue team will use defensive security tools such as the Elastic Stack with Elastic Security (EDR) (https://www.elastic.co), with additional log sources from Sysmon (https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon) and Velociraptor (https://github.com/Velocidex/velociraptor) for incident response. Day two adds a live incident response component to the training. APT 0x00 becomes more advanced and initiates a new campaign against the lab environment overnight. Students join the blue team side during the aftermath of the attack, retrace the attacker's steps, and learn to eradicate the attacker from the environment.
Day 1 Schedule
The red team instructor simulates APT 0x00 and provides technical insights into the attacker techniques. The blue team instructor provides insight into detection. The goal of this day is to learn how to detect specific attack techniques. Topics covered include:
- Introduction to the lab environment.
  - Machines.
  - Networks.
  - Elastic (SIEM) with security detection rules and additional log sources:
    - Sysmon.
    - PowerShell logs.
    - Application logs.
  - Elastic Agent with Security in detection mode (free EDR).
  - Velociraptor for artifact collection and live incident response.
  - Testing the VPN connection.
- Preparation and introduction to the exercise.
- Introduction to red, blue & purple teaming.
- Purple Teaming: attacker techniques, threat hunting & detection engineering:
  - Establishing a foothold in the lab via exploitation.
  - BloodHound and Active Directory attacks.
  - Process Injection.
  - In-memory C# assembly execution.
  - Credential dumping.
  - Persistence.
  - Lateral movement via service execution.
  - DCSync.
  - …
- Lessons learned.
Day 2 Schedule
The red team instructor simulates a more advanced version of APT 0x00 and provides technical insights into the attacker techniques. During the day, students are guided by the blue team instructor to reconstruct the timeline of two pre-executed attacks. The goal of this day is to identify and eradicate the attacker based on the knowledge gained on day 1.
- Preparation and introduction to the exercise.
- Anomaly detection in the lab environment.
- Investigating alerts and IoCs to discover the underlying techniques.
- Purple Teaming: more advanced attacker techniques, threat hunting & detection engineering:
  - Establishing a foothold in the lab via exploitation of a different vulnerability.
  - Resource-Based Constrained Delegation attacks.
  - Phishing.
  - Kerberoasting.
  - Lateral movement via WinRM.
  - LAPS abuse.
  - Headless RDP.
  - …
- Live response to the ongoing attack.
- Eradication of the threat actor from the environment.
- Lessons learned.
Key Takeaways
We hope after this training you will be able to:
- Better understand attacker techniques.
- Build custom threat hunt queries and detection rules to identify attackers hiding in the shadows.
- Trigger more interaction between red and blue teamers in your organization.
- Identify how red and blue can work together to identify and close the gaps in your defense, improving detection and response capability.
- Better understand how both sides operate.
Hardware Requirements
Students can participate from their own OS, provided it supports a WireGuard VPN client and has a web browser. It is recommended to use a Linux virtual machine with a desktop environment for the training. A custom Ubuntu Desktop VM with the necessary tools pre-installed will also be made available.