Purple Teaming
Discord: https://discord.gg/CqV6aJXMkA
Telegram: https://t.me/Hadess_security
Purple Team Cheat Sheet: SMB Attacks and Detection
SMB Attack Commands
Attack Type | Command | Description |
---|---|---|
Enumerating Shares | | Lists SMB shares on the target. |
Null Session | | Connects to the target with a null session. |
Brute Force | | Brute-forces SMB credentials. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent |
4648 | A logon was attempted using explicit credentials. | `SecurityEvent |
5145 | A network share object was checked to see whether client can be granted desired access. | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Extracts timeline from forensic images. |
| Sorts events in the plaso file and outputs to CSV. |
| Generates a body file from an image. |
KQL Rule: Suspicious SMB Login
EQL Rule: Excessive SMB Failures
KQL Rule: Unusual SMB Traffic
Purple Team Cheat Sheet: FTP Attacks and Detection
FTP Attack Commands
Attack Type | Command | Description |
---|---|---|
Anonymous Login | | Attempts anonymous login to FTP server. |
Brute Force | | Brute-forces FTP credentials. |
File Upload | | Uploads a file to the FTP server. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4625 | An account failed to log on. | `SecurityEvent |
4648 | A logon was attempted using explicit credentials. | `SecurityEvent |
5156 | The Windows Filtering Platform has permitted a connection. | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures FTP traffic on port 21. |
| Processes pcap file with Plaso for timeline analysis. |
| Searches for FTP-related strings in a forensic image. |
KQL Rule: Suspicious FTP Login Attempts
EQL Rule: FTP Brute Force Detection
KQL Rule: Unusual FTP File Uploads
Attack Techniques and Commands
Attack Technique | Command | Description |
---|---|---|
LLMNR Poisoning | | Uses Responder to poison LLMNR requests. |
AS-REP Roasting | | Extracts AS-REP hashes for users without pre-authentication. |
ForceChangePassword | | Forces a password change for a domain user. |
GenericWrite | | Modifies permissions for a domain object. |
Password Spraying | | Attempts to log in with a common password. |
RunForrestRun.exe | | Executes RunForrestRun for lateral movement. |
Abusing Vulnerable GPO | | Creates a GPO to run a malicious task. |
Abusing MSSQL Service | | Executes a command via SQL Server. |
Abusing Domain Trusts | | Enumerates and abuses domain trusts. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4742 | A computer account was changed. | `SecurityEvent |
4624 | An account was successfully logged on. | `SecurityEvent |
4672 | Special privileges assigned to new logon. | `SecurityEvent |
4688 | A new process has been created. | `SecurityEvent |
5145 | A network share object was checked. | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures SMB traffic for analysis. |
| Scans for network artifacts in a memory dump. |
| Extracts timeline from forensic images. |
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: LLMNR Poisoning Detection
EQL Rule: AS-REP Roasting Activity
KQL Rule: Unusual Process Execution
Attack Techniques and Commands
Attack Technique | Command | Description |
---|---|---|
Service Permission | | Modifies service permissions. |
ForceChangePassword | | Forces a password change for a domain user. |
Abuse ACLs | | Modifies ACLs for domain objects. |
Abuse SQL Instance | | Executes commands via SQL Server instance. |
Abuse Service | | Creates a malicious service. |
Pass the Ticket | | Uses stolen Kerberos tickets for authentication. |
Golden Ticket | | Creates a Golden Ticket for domain persistence. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4672 | Special privileges assigned to new logon. | `SecurityEvent |
4688 | A new process has been created. | `SecurityEvent |
4728 | A member was added to a security-enabled global group. | `SecurityEvent |
4768 | Kerberos Authentication Ticket (TGT) was requested. | `SecurityEvent |
4769 | Kerberos Service Ticket (TGS) was requested. | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures Kerberos traffic for analysis. |
| Scans for network artifacts in a memory dump. |
| Extracts timeline from forensic images. |
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Service Creation
EQL Rule: Abnormal Kerberos Ticket Requests
KQL Rule: Suspicious ACL Modifications
Attack Techniques and Commands
Attack Technique | Command | Description |
---|---|---|
Always Elevated | | Modifies AD object to grant elevated privileges. |
Constrained Delegation | | Sets constrained delegation on a target computer. |
Unconstrained Delegation Print Bug | | Monitors for TGTs if unconstrained delegation is enabled. |
Cross Trust | | Enumerates trust relationships between domains. |
Abuse MSSQL Service | | Executes commands via SQL Server instance. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4672 | Special privileges assigned to new logon. | `SecurityEvent |
4768 | Kerberos Authentication Ticket (TGT) was requested. | `SecurityEvent |
4769 | Kerberos Service Ticket (TGS) was requested. | `SecurityEvent |
4624 | An account was successfully logged on. | `SecurityEvent |
5145 | A network share object was checked. | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures Kerberos traffic for analysis. |
| Scans for network artifacts in a memory dump. |
| Extracts timeline from forensic images. |
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Privilege Escalation
EQL Rule: Suspicious Delegation Use
KQL Rule: Abnormal SQL Server Command Execution
Attack Techniques and Commands
Attack Technique | Command | Description |
---|---|---|
Bypass AMSI | GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) | Disables AMSI in a PowerShell session. |
Always Elevated | | Modifies AD object to grant elevated privileges. |
Constrained Delegation | | Sets constrained delegation on a target computer. |
Pass the Ticket | | Uses stolen Kerberos tickets for authentication. |
Abuse SQL Instance | | Executes commands via SQL Server instance. |
Abuse GPO | | Creates a GPO to run a malicious task. |
DCSync Attack | | Extracts credentials from AD using DCSync. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4104 | PowerShell script block logging. | `SecurityEvent |
4672 | Special privileges assigned to new logon. | `SecurityEvent |
4768 | Kerberos Authentication Ticket (TGT) was requested. | `SecurityEvent |
4688 | A new process has been created. | `SecurityEvent |
5145 | A network share object was checked. | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures Kerberos traffic for analysis. |
| Scans for network artifacts in a memory dump. |
| Extracts timeline from forensic images. |
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: AMSI Bypass Detection
EQL Rule: Unusual Kerberos Ticket Requests
KQL Rule: Suspicious SQL Command Execution
Purple Team Cheat Sheet: Comprehensive Attack Scenario
Attack Techniques and Commands
Attack Technique | Command | Description |
---|---|---|
Nmap Scanning | | Scans the target for open ports and services. |
Gobuster Directory Scanning | | Enumerates directories on the web server. |
Gathering Usernames | | Collects usernames for further attacks. |
Password Spraying | | Attempts to log in with common passwords. |
Sending Phishing Emails | | Executes a phishing campaign. |
Cracking NTLMv2 Hash | | Cracks captured NTLMv2 hashes. |
PowerShell Remote Session | | Establishes a remote PowerShell session. |
Creating a Symlink | | Creates a symbolic link to escalate privileges. |
Using Check-File Command | | Checks for the presence of a specific file. |
Transferring Files with nc.exe | | Transfers files using nc.exe. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent |
4688 | A new process has been created. | `SecurityEvent |
5145 | A network share object was checked. | `SecurityEvent |
4720 | A user account was created. | `SecurityEvent |
1102 | The audit log was cleared. | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures HTTP traffic for analysis. |
| Scans for network artifacts in a memory dump. |
| Extracts timeline from forensic images. |
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Network Traffic
EQL Rule: Suspicious Process Creation
KQL Rule: Abnormal File Access
Purple Team Cheat Sheet: Web-Based Attack Scenario
Attack Techniques and Commands
Attack Technique | Command | Description |
---|---|---|
Nmap Scanning | | Scans the target for open ports and services. |
Web Enumeration with Wappalyzer | | Identifies technologies used on the web server. |
Analyzing .git Directory | | Analyzes the .git directory for sensitive information. |
Exploiting Ruby on Rails | | Exploits vulnerabilities in Ruby on Rails. |
Capturing Request in Burp | | Captures and modifies HTTP requests for exploitation. |
Getting a Reverse Shell | | Gains shell access on the target system. |
Cracking Password Hashes | | Cracks password hashes to gain credentials. |
Bypassing Two-Factor Authentication | | Bypasses 2FA using the .google_authenticator file. |
Synchronizing Time for Exploit | | Synchronizes system time for time-based exploits. |
Gaining Root Access with GTFOBins | | Uses GTFOBins for privilege escalation. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent |
4688 | A new process has been created. | `SecurityEvent |
5145 | A network share object was checked. | `SecurityEvent |
4720 | A user account was created. | `SecurityEvent |
1102 | The audit log was cleared. | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures HTTP traffic for analysis. |
| Scans for network artifacts in a memory dump. |
| Extracts timeline from forensic images. |
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Network Traffic
EQL Rule: Suspicious Process Creation
KQL Rule: Abnormal File Access
Purple Team Cheat Sheet: Recon to Exploitation Scenario
Attack Techniques and Commands
Stage | Technique | Command | Description |
---|---|---|---|
Recon | Nmap Scanning | | Scans the target for open ports and services. |
Recon | File Analysis | | Analyzes the executable file for type and content. |
Recon | SMB Enumeration | | Enumerates SMB shares on the target. |
Recon | SMB File Transfer | | Transfers files via SMB. |
Exploitation | Crafting Malicious Binary | | Creates a reverse shell executable. |
Exploitation | YML File Creation | | Creates a .yml file for the exploit. |
Exploitation | SMB File Transfer | | Uploads .yml file via SMB. |
Exploitation | Reverse Shell | | Listens for an incoming reverse shell connection. |
Exploitation | Redis Exploitation | | Exploits Redis to retrieve data. |
Exploitation | Password Decryption | | Decrypts a password using a provided script. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent |
4688 | A new process has been created. | `SecurityEvent |
5145 | A network share object was checked. | `SecurityEvent |
1102 | The audit log was cleared. | `SecurityEvent |
4768 | Kerberos Authentication Ticket (TGT) was requested. | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures SMB traffic for analysis. |
| Scans for network artifacts in a memory dump. |
| Extracts timeline from forensic images. |
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual SMB Traffic
EQL Rule: Suspicious Process Execution
KQL Rule: Abnormal File Access Patterns
Purple Team Cheat Sheet: Credential and Connection Scenario
Attack Techniques and Commands
Stage | Technique | Command | Description |
---|---|---|---|
Credential Dumping | Enumerating Credentials | | Enumerates credentials on WSO2. |
Credential Dumping | Using Mimikatz | | Dumps credentials using Mimikatz. |
Credential Decryption | Decrypting Credentials | | Decrypts credentials. |
Port Forwarding | Setting up Port Forwarding | | Sets up port forwarding. |
RDP Connection | Connecting via RDP with Remmina | | Connects via RDP using Remmina. |
RDP Connection | Using FreeRDP | | Connects via RDP using FreeRDP. |
Detection: Event Codes, KQL/EQL, Sysmon, and Wazuh Rules
Event Code | Description | KQL/EQL Rule | Sysmon/Wazuh Rule |
---|---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent \| where EventID == 4624` | |
4688 | A new process has been created. | `SecurityEvent \| where EventID == 4688` | |
5145 | A network share object was checked. | `SecurityEvent \| where EventID == 5145` | |
4672 | Special privileges assigned to new logon. | `SecurityEvent \| where EventID == 4672` | |
3389 (TCP port, not a Windows event ID) | RDP connection attempt. | `NetworkTraffic \| where DestinationPort == 3389` | |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures RDP traffic for analysis. |
| Scans for network artifacts in a memory dump. |
| Extracts timeline from forensic images. |
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Credential Access
EQL Rule: Suspicious RDP Activity
Sysmon/Wazuh Rule: Mimikatz Execution Detection
Purple Team Cheat Sheet: Credential and Exploitation Scenario
Attack Techniques and Commands
Stage | Technique | Command | Description |
---|---|---|---|
Credential Enumeration | Finding LAPS Group Members | | Identifies LAPS group members. |
Credential Access | Dumping Credentials with PowerSploit | | Dumps credentials using PowerSploit. |
Credential Access | Using Credentials for Access | | Uses dumped credentials for access. |
Credential Access | Getting AD Object with Credentials | | Retrieves AD objects using credentials. |
Local Admin Passwords | Retrieving Local Admin Passwords | | Retrieves local admin passwords. |
Port Forwarding | Setting up Port Forwarding with Meterpreter | | Sets up port forwarding using Meterpreter. |
Exploitation | Using MS17-010 Exploit | | Exploits MS17-010 for admin shell. |
Flag Retrieval | Retrieving Flags | | Retrieves flags from WS02 and WS04. |
Post-Exploitation | Running Mimikatz | | Runs Mimikatz on WS02 to dump credentials. |
Detection: Event Codes and KQL Rules
Event Code | Description | KQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent |
4688 | A new process has been created. | `SecurityEvent |
5145 | A network share object was checked. | `SecurityEvent |
4672 | Special privileges assigned to new logon. | `SecurityEvent |
7045 | A new service was installed. | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures SMB traffic for analysis. |
| Scans for network artifacts in a memory dump. |
| Extracts timeline from forensic images. |
Full Raw KQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Credential Access
KQL Rule: Suspicious Port Forwarding Activity
KQL Rule: Exploitation Attempts Detection
Purple Team Cheat Sheet: Phishing to Network Recon Scenario
Attack Techniques and Commands
Stage | Technique | Command | Description |
---|---|---|---|
Phishing | Creating Phishing HTA | | Generates a phishing HTA file. |
Web Server Setup | Hosting HTA on Apache2 | | Hosts the HTA file on Apache2 server. |
Listener Setup | Setting up Metasploit Listener | | Sets up a listener in Metasploit. |
Share Enumeration | Viewing Shares on Network | | Enumerates shared resources on the network. |
User Enumeration | Displaying Domain User Accounts | | Lists user accounts on the domain. |
User Information | Viewing User Info | | Displays information about a specific domain user. |
Group Enumeration | Viewing Domain Group Members | | Lists members of a specific domain group. |
Drive Enumeration | Listing Logical Drives | | Enumerates logical drives on the system. |
Network Recon | Pinging Servers for IP Addresses | | Pings servers to discover IP addresses. |
Flag Retrieval | Accessing the Flag | | Retrieves a flag from a specified location. |
KeePass Database | Found KeePass Database and Key File | | Identifies KeePass database and key file. |
Detection: Event Codes and KQL Rules
Event Code | Description | KQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent |
4688 | A new process has been created. | `SecurityEvent |
5145 | A network share object was checked. | `SecurityEvent |
4768 | Kerberos Authentication Ticket (TGT) was requested. | `SecurityEvent |
1102 | The audit log was cleared. | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures HTTP traffic for analysis. |
| Scans for network artifacts in a memory dump. |
| Extracts timeline from forensic images. |
Full Raw KQL Rules for Detecting Malicious Patterns
KQL Rule: Suspicious Web Server Activity
KQL Rule: Unusual Network Share Access
KQL Rule: Abnormal User Enumeration Activity
Attack Techniques and Commands
Stage | Technique | Command | Description |
---|---|---|---|
Credential Use | Using epugh_adm Credentials | | Uses credentials to access multiple systems. |
Lateral Movement | RDP with gopikrishna | | Uses RDP for lateral movement. |
Malware Execution | Running pOwnedshell.exe | | Executes malware with administrative privileges. |
Credential Dumping | Invoke Mimikatz from pOwnedshell | | Dumps credentials using Mimikatz. |
Credential Use | Pass-the-Hash with Mimikatz | | Uses pass-the-hash technique for authentication. |
Golden Ticket Attack | Perform DCSync | | Extracts krbtgt hash for Golden Ticket creation. |
Golden Ticket Attack | Generate Golden Ticket | | Creates a Golden Ticket for domain access. |
Golden Ticket Attack | Use Golden Ticket | | Uses the Golden Ticket for authentication. |
Detection: Event Codes and KQL Rules
Event Code | Description | KQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent |
4688 | A new process has been created. | `SecurityEvent |
5145 | A network share object was checked. | `SecurityEvent |
4768 | Kerberos Authentication Ticket (TGT) was requested. | `SecurityEvent |
4672 | Special privileges assigned to new logon. | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures RDP traffic for analysis. |
| Scans for network artifacts in a memory dump. |
| Extracts timeline from forensic images. |
Full Raw KQL Rules for Detecting Malicious Patterns
KQL Rule: Suspicious RDP Activity
KQL Rule: Abnormal Process Execution
KQL Rule: Golden Ticket Usage Detection
Purple Team Cheat Sheet: Golden Ticket Attack Scenario
Attack Technique and Command
Technique | Command | Description |
---|---|---|
Golden Ticket Attack | | Generates a Golden Ticket using Mimikatz. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4768 | Kerberos TGT Requested | `SecurityEvent |
4672 | Special Privileges Assigned to New Logon | `SecurityEvent |
4624 | Successful Account Logon | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Extracts timeline from forensic images. |
| Scans for network artifacts in a memory dump. |
| Captures Kerberos traffic for analysis. |
Full Raw KQL/EQL Rules for Detecting Golden Ticket Usage
KQL Rule: Unusual Kerberos Ticket Granting Ticket Requests
EQL Rule: Anomalous Kerberos Privilege Assignments
KQL Rule: Suspicious Logon Types
Purple Team Cheat Sheet: Silver Ticket Attack Scenario
Attack Technique and Command
Technique | Command | Description |
---|---|---|
Silver Ticket Attack | | Generates a Silver Ticket for a specific service using Mimikatz. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4769 | Kerberos Service Ticket (TGS) was requested | `SecurityEvent |
4672 | Special Privileges Assigned to New Logon | `SecurityEvent |
4624 | Successful Account Logon | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Extracts timeline from forensic images. |
| Scans for network artifacts in a memory dump. |
| Captures Kerberos traffic for analysis. |
Full Raw KQL/EQL Rules for Detecting Silver Ticket Usage
KQL Rule: Unusual Kerberos Service Ticket Requests
EQL Rule: Anomalous Kerberos Service Ticket Assignments
KQL Rule: Suspicious Logon Types
Purple Team Cheat Sheet: Kerberoasting Attack Scenario
Attack Technique and Command
Technique | Command | Description |
---|---|---|
Kerberoasting | | Uses GetUserSPNs.py to request service tickets for service accounts. |
Kerberoasting | | Uses Mimikatz to list and export service tickets. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4769 | Kerberos Service Ticket (TGS) was requested | `SecurityEvent |
4672 | Special Privileges Assigned to New Logon | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures Kerberos traffic for analysis. |
| Scans for network artifacts in a memory dump. |
| Extracts timeline from forensic images. |
Full Raw KQL/EQL Rules for Detecting Kerberoasting
KQL Rule: Unusual Kerberos Service Ticket Requests
EQL Rule: Anomalous Kerberos Service Ticket Activity
Purple Team Cheat Sheet: Pass the Ticket Attack Scenario
Attack Technique and Command
Technique | Command | Description |
---|---|---|
Pass the Ticket | | Uses Mimikatz to pass a Kerberos ticket for authentication. |
Pass the Ticket | | Uses PowerShell and Mimikatz to pass a Kerberos ticket. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4624 | An account was successfully logged on. | `SecurityEvent |
4672 | Special Privileges Assigned to New Logon | `SecurityEvent |
4768 | Kerberos Authentication Ticket (TGT) was requested | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures Kerberos traffic for analysis. |
| Scans for network artifacts in a memory dump. |
| Extracts timeline from forensic images. |
Full Raw KQL/EQL Rules for Detecting Pass the Ticket Usage
KQL Rule: Suspicious Kerberos Ticket Use
EQL Rule: Anomalous Kerberos Ticket Assignments
KQL Rule: Abnormal Kerberos TGT Requests
Purple Team Cheat Sheet: DCSync Attack Scenario
Attack Technique and Command
Technique | Command | Description |
---|---|---|
DCSync | | Uses Mimikatz to simulate the behavior of a Domain Controller and request account password data. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4662 | An operation was performed on an object | `SecurityEvent |
4672 | Special Privileges Assigned to New Logon | `SecurityEvent |
4768 | Kerberos Authentication Ticket (TGT) was requested | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures Kerberos traffic for analysis. |
| Scans for network artifacts in a memory dump. |
| Extracts timeline from forensic images. |
Full Raw KQL/EQL Rules for Detecting DCSync Usage
KQL Rule: Unusual Directory Service Access
EQL Rule: Anomalous Directory Replication Requests
KQL Rule: Suspicious Kerberos TGT Requests
Purple Team Cheat Sheet: AS-REP Roasting Attack Scenario
Attack Technique and Command
Technique | Command | Description |
---|---|---|
AS-REP Roasting | | Uses GetNPUsers.py to request AS-REP for users without pre-authentication. |
AS-REP Roasting | | Uses Rubeus to perform AS-REP roasting on the domain. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4768 | Kerberos Authentication Ticket (TGT) was requested | `SecurityEvent |
4769 | Kerberos Service Ticket (TGS) was requested | `SecurityEvent |
4771 | Kerberos pre-authentication failed | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures Kerberos traffic for analysis. |
| Scans for network artifacts in a memory dump. |
| Extracts timeline from forensic images. |
Full Raw KQL/EQL Rules for Detecting AS-REP Roasting
KQL Rule: Unusual Kerberos TGT Requests without Pre-Authentication
EQL Rule: Anomalous Kerberos Pre-Authentication Failures
KQL Rule: Suspicious Kerberos Service Ticket Requests
Purple Team Cheat Sheet: GenericWrite Attack Scenario
Attack Technique and Command
Technique | Command | Description |
---|---|---|
GenericWrite | | Uses PowerView to modify the ACL of a domain object, granting GenericWrite rights to an attacker. |
GenericWrite | | Adds an ACL entry to a domain object, granting full rights to an attacker. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
5136 | A directory service object was modified | `SecurityEvent |
4662 | An operation was performed on an object | `SecurityEvent |
4728 | A member was added to a security-enabled global group | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Extracts timeline from forensic images. |
| Scans for network artifacts in a memory dump. |
| Captures network traffic for analysis. |
Full Raw KQL/EQL Rules for Detecting GenericWrite Usage
KQL Rule: Unusual Directory Service Object Modifications
EQL Rule: Anomalous ACL Changes
KQL Rule: Suspicious Group Membership Changes
Purple Team Cheat Sheet: Domain Trust Attack Scenario
Attack Technique and Command
Technique | Command | Description |
---|---|---|
Domain Trust Exploitation | | Uses PowerView to enumerate domain trusts. |
Domain Trust Exploitation | | Enumerates domain trusts using PowerSploit. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4769 | Kerberos Service Ticket (TGS) was requested | `SecurityEvent |
4672 | Special Privileges Assigned to New Logon | `SecurityEvent |
4624 | Successful Account Logon | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Captures Kerberos traffic for analysis. |
| Scans for network artifacts in a memory dump. |
| Extracts timeline from forensic images. |
Full Raw KQL/EQL Rules for Detecting Domain Trust Abuse
KQL Rule: Unusual Kerberos Service Ticket Requests Across Domains
EQL Rule: Anomalous Domain Trust Activity
KQL Rule: Suspicious Cross-Domain Logon Types
Purple Team Cheat Sheet: SeBackupPrivilege, SeLoadDriverPrivilege, and ForceChangePassword Abuse
Attack Techniques and Commands
Technique | Command | Description |
---|---|---|
SeBackupPrivilege Abuse | | Uses PowerSploit to exploit SeBackupPrivilege on a target computer. |
SeLoadDriverPrivilege Module | | Uses a custom module to load a driver using SeLoadDriverPrivilege. |
ForceChangePassword Abuse | | Forces a password change for a domain user using PowerView. |
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule |
---|---|---|
4672 | Special Privileges Assigned to New Logon | `SecurityEvent |
4688 | A new process has been created | `SecurityEvent |
4728 | A member was added to a security-enabled global group | `SecurityEvent |
Forensics Commands and Codes
Command | Description |
---|---|
| Extracts timeline from forensic images. |
| Scans for network artifacts in a memory dump. |
| Captures network traffic for analysis. |
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Use of SeBackupPrivilege
EQL Rule: Suspicious Driver Loading Activity
KQL Rule: Abnormal Changes to User Passwords
Purple Team Cheat Sheet: DLL Sideloading Attack Scenario
Attack Technique and Command
Technique | Command | Description |
---|---|---|
DLL Sideloading | | Places a malicious DLL in a directory where a legitimate application will load it. |
Detection: Event Codes, KQL/EQL, Sysmon, and Wazuh Rules
Event Code | Description | KQL/EQL Rule | Sysmon/Wazuh Rule |
---|---|---|---|
4688 | A new process has been created | `SecurityEvent \| where EventID == 4688 and NewProcessName contains 'legitimate_application.exe'` | |
7 | Image loaded (Sysmon) | `Sysmon \| where EventID == 7 and ImageLoaded contains 'evil.dll'` | |
1 | Process creation (Sysmon) | `Sysmon \| where EventID == 1 and ParentImage contains 'legitimate_application.exe'` | |
Forensics Commands and Codes
Command | Description |
---|---|
| Extracts timeline from forensic images. |
| Lists loaded DLLs in a memory dump. |
| Captures network traffic for analysis. |
Full Raw KQL/EQL Rules for Detecting DLL Sideloading
KQL Rule: Suspicious DLL Load Patterns
EQL Rule: Anomalous DLL Loading Activity
Sysmon/Wazuh Rule: Malicious DLL Load Detection
Purple Team Cheat Sheet: Process Hollowing and Process Doppelgänging
Attack Techniques and Commands
Technique | Command | Description |
---|---|---|
Process Hollowing | | Uses a PowerShell script to perform process hollowing. |
Process Doppelgänging | | Executes Process Doppelgänging using a custom tool or script. |
Detection: Event Codes, KQL/EQL, Sysmon, and Wazuh Rules
Event Code | Description | KQL/EQL Rule | Sysmon/Wazuh Rule |
---|---|---|---|
4688 | A new process has been created | `SecurityEvent \| where EventID == 4688 and NewProcessName contains 'notepad.exe'` | |
1 | Process creation (Sysmon) | `Sysmon \| where EventID == 1 and ParentImage contains 'svchost.exe'` | |
7 | Image loaded (Sysmon) | `Sysmon \| where EventID == 7 and ImageLoaded contains 'malicious.dll'` | |
Forensics Commands and Codes
Command | Description |
---|---|
| Extracts timeline from forensic images. |
| Lists running processes in a memory dump. |
| Captures network traffic for analysis. |
Full Raw KQL/EQL Rules for Detecting Process Hollowing and Doppelgänging
KQL Rule: Suspicious Process Creation Patterns
EQL Rule: Anomalous Process Execution
Sysmon/Wazuh Rule: Malicious Image Load Detection
Purple Team Cheat Sheet: Abusing Delegation in Active Directory
Attack Techniques and Commands
Technique | Command | Description |
---|---|---|
Unconstrained Delegation Abuse | | Configures a computer for unconstrained delegation using PowerShell. |
Constrained Delegation Abuse | | Sets constrained delegation on a target computer to an attacker's account. |
Resource-Based Constrained Delegation Abuse | | Abuses resource-based constrained delegation by assigning a service account to the target computer. |
Detection: Event Codes, KQL/EQL, Sysmon, and Wazuh Rules
Event Code | Description | KQL/EQL Rule | Sysmon/Wazuh Rule |
---|---|---|---|
5136 | A directory service object was modified | `SecurityEvent \| where EventID == 5136 and ObjectClass == 'computer' and AttributeLDAPDisplayName == 'msDS-AllowedToDelegateTo'` | |
4742 | A computer account was changed | `SecurityEvent \| where EventID == 4742 and ObjectType == 'computer'` | |
4672 | Special Privileges Assigned to New Logon | `SecurityEvent \| where EventID == 4672` | |
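As an added example (not code from the cheat sheet or its author), a small Python evaluator for the one-line KQL-style rules in the delegation table above and in the DLL sideloading table earlier on the page, run over constructed Windows Security/Sysmon events. The rule strings and their operators (`==`, `contains`, `and`) are the page's own; the event record layout, field names and sample values are assumptions modelled on the Windows Security and Sysmon schemas.

```python
"""Minimal evaluator for the cheat sheet's KQL-style one-liners.

Added example: parses rules of the form
    Table | where Field == value and Field contains 'text'
and applies them to dict-shaped events. Only the operators the sheet's
rules use are supported; anything else raises ValueError.
"""
import re
from typing import Any, Dict, List, Tuple

# Rules copied verbatim from the delegation and DLL sideloading tables.
RULES = {
    "delegation_attribute_change":
        "SecurityEvent | where EventID == 5136 and ObjectClass == 'computer' "
        "and AttributeLDAPDisplayName == 'msDS-AllowedToDelegateTo'",
    "computer_account_changed":
        "SecurityEvent | where EventID == 4742 and ObjectType == 'computer'",
    "sideloaded_dll":
        "Sysmon | where EventID == 7 and ImageLoaded contains 'evil.dll'",
}

# One predicate: <field> <op> <'string' | integer>
_PRED = re.compile(r"^\s*(\w+)\s+(==|contains)\s+(?:'([^']*)'|(\d+))\s*$")


def parse_rule(rule: str) -> Tuple[str, List[Tuple[str, str, Any]]]:
    """Split 'Table | where A == x and B contains y' into (table, predicates)."""
    table, sep, where = rule.partition("|")
    where = where.strip()
    if not sep or not where.startswith("where "):
        raise ValueError(f"unsupported rule shape: {rule!r}")
    preds: List[Tuple[str, str, Any]] = []
    for clause in where[len("where "):].split(" and "):
        m = _PRED.match(clause)
        if not m:
            raise ValueError(f"unsupported predicate: {clause!r}")
        field, op, text, number = m.groups()
        preds.append((field, op, int(number) if number is not None else text))
    return table.strip(), preds


def matches(event: Dict[str, Any], preds: List[Tuple[str, str, Any]]) -> bool:
    """All predicates must hold. KQL '==' is case-sensitive, 'contains' is not."""
    for field, op, value in preds:
        actual = event.get(field)
        if actual is None:
            return False
        if op == "==" and actual != value:
            return False
        if op == "contains" and str(value).lower() not in str(actual).lower():
            return False
    return True


def run_rules(events: List[Dict[str, Any]]) -> Dict[str, List[Dict[str, Any]]]:
    """Return, per rule name, the events from the rule's table that match it."""
    hits: Dict[str, List[Dict[str, Any]]] = {name: [] for name in RULES}
    for name, rule in RULES.items():
        table, preds = parse_rule(rule)
        for ev in events:
            if ev.get("_table") == table and matches(ev, preds):
                hits[name].append(ev)
    return hits


# Constructed sample events (assumed field names; not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"_table": "SecurityEvent", "EventID": 5136, "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "msDS-AllowedToDelegateTo", "SubjectUserName": "jdoe"},
    {"_table": "SecurityEvent", "EventID": 5136, "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "SubjectUserName": "jdoe"},
    {"_table": "SecurityEvent", "EventID": 4742, "ObjectType": "computer",
     "TargetUserName": "WS02$"},
    {"_table": "Sysmon", "EventID": 7, "Image": "C:\\Program Files\\App\\app.exe",
     "ImageLoaded": "C:\\Program Files\\App\\evil.dll"},
    {"_table": "Sysmon", "EventID": 7, "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"},
]

if __name__ == "__main__":
    for name, evs in run_rules(SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)} hit(s)")
```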
Forensics Commands and Codes
Command | Description |
---|---|
| Extracts timeline from forensic images. |
| Scans for network artifacts in a memory dump. |
| Captures network traffic for analysis. |
Full Raw KQL/EQL Rules for Detecting Delegation Abuse
KQL Rule: Unusual Changes to Computer Objects
EQL Rule: Anomalous Computer Account Modifications
Sysmon/Wazuh Rule: Suspicious Computer Account Changes
Purple Team Cheat Sheet: Scheduling Tasks in Windows and Linux
Attack Techniques and Commands
Technique | Command | Description |
---|---|---|
Windows Task Scheduling | | Creates a scheduled task in Windows to execute a malicious file. |
Linux Cron Job Scheduling | `echo "* * * * * /path/to/malicious.sh" \| crontab -` | |
Detection: Event Codes, KQL/EQL, Sysmon, and Wazuh Rules
Event Code | Description | KQL/EQL Rule | Sysmon/Wazuh Rule |
---|---|---|---|
4698 |