
Operational Purple Teaming for Defenders

3-day in-person course

This hands-on training, tailored for blue teamers, delivers a unique and immersive experience in defensive security through live attack simulations. Participants will confront a simulated adversary, APT 0x00, within a realistic corporate network environment, enhancing skills in threat detection and incident response. Designed for cybersecurity professionals, threat hunters, incident responders, SOC analysts, and IT experts with an interest in cyber defense, this training bridges red and blue teams in collaborative exercises that enhance organizational resilience against real-world cyber threats.


Over three days, participants will progress through escalating stages of simulated attacks, starting with fundamental detection strategies and advancing to complex attack techniques, including webshells, credential dumping, and lateral movement. Through guided threat hunting and detection engineering exercises, participants will develop and apply detection rules to locate and neutralize adversarial activity. Purple team sessions enable collaborative learning between offensive and defensive roles, fostering an understanding of both red and blue strategies.


Leveraging tools like Elastic SIEM, Sysmon, Velociraptor, and Vectr, students will gain hands-on experience in telemetry collection, incident response, and stealthy threat identification. By the end of the training, participants will be able to create and implement custom detection queries, develop proactive threat-hunting strategies, and strengthen collaboration between red and blue teams to enhance their organizations' overall security posture.

Course Overview


This hands-on training connects red and blue in a series of live attack-defense exercises and demos. The group of participants will work as one team against a simulated threat actor, APT 0x00, with full disclosure of the attacker’s progress and technical insights on the executed techniques. The adversary’s capability and stealth will steadily improve over the course of the training.


The attacker is simulated by a red team specialist, who will share valuable insights about commonly used threat actor techniques used in the attack. Together with a blue team instructor, you will learn how to hunt for these techniques, build detections that can help defend your organization and eradicate the attacker. Examples of covered techniques we will learn how to hunt for:

  • Webshells.

  • Process Injection.

  • Credential dumping from LSASS.

  • Lateral Movement via Service Execution.

  • In-memory C# assembly execution.

  • Persistence.

  • Kerberoasting.

  • AD Enumeration via BloodHound.

  • Resource-Based Constrained Delegation Attacks.

  • LAPS abuse.

  • Headless RDP.


The first day focuses on threat hunting and detection engineering. APT 0x00 kicks off a campaign to breach the corporate Active Directory environment. The attacker relies on a mix of Metasploit (https://www.metasploit.com) and Sliver Command and Control (https://github.com/BishopFox/sliver) to infiltrate the environment. Participants will learn how to collect telemetry on specific techniques and build detections.


The red team instructor will provide insights on the red team side during regular purple team meetings. This input enables the detection engineering process, where new detection rules are created in collaboration with the training participants. The blue team will use defensive security tools such as Elastic stack with security (EDR) (https://www.elastic.co), with additional log sources from Sysmon (https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon).


Day two adds a live incident response component to the training. APT 0x00 becomes more advanced and initiates a new campaign against the lab environment overnight. Students join the blue team side during the aftermath of the attack. Students retrace the attacker’s steps using Velociraptor (https://github.com/Velocidex/velociraptor) for incident response.


On the final day, the threat actor reaches its peak performance with maximum stealth. The threat actor has added a new Command and Control framework to the mix (Havoc) and focuses on more complex implementations of some of the previously identified attacker techniques. The attacker has a solid presence in the network. Access to the same defensive tooling (Elastic incl. Security, Velociraptor) will be granted to the students to identify and stop the attacks as the threat actor progresses through the environment. The defenders will have to use their knowledge from the previous two days to detect the attacker and eradicate its footholds. Can the adversary be stopped before it reaches its goals?


Throughout all days, the red team specialist discloses technical details about the executed techniques. The attack can also be followed via Vectr (https://docs.vectr.io) to make it easier to hunt for certain activities. All days culminate in a lessons-learned moment. Every day, there are B33R objectives where participants can earn some top-quality Belgian beers.


During the evenings, participants have the option to continue playing around in the lab.


Agenda


Students will be guided by a Red Team and Blue Team instructor during the exercise. This training does NOT cover the latest attacker techniques but aims to provide a mix of stealthy and less-stealthy attack techniques and propose detection strategies to augment your organization’s defensive capability.


Day 1

The red team instructor simulates APT 0x00 and provides technical insights into the attacker techniques. The blue team instructor provides insight into detection. The goal of this day is to learn how to detect specific attack techniques. Topics covered include:

  • Introduction to the lab environment. 

    • Machines.

    • Networks. 

    • Elastic (SIEM) with security detection rules and additional log sources: 

      • Sysmon. 

      • PowerShell logs. 

      • Application logs. 

    • Elastic Agent with Security in detection mode (Free EDR). 

    • Velociraptor for artifact collection and live incident response. 

  • Testing VPN connection. 

  • Preparation and introduction to the exercise. 

  • Introduction to red, blue & purple teaming. 

  • Purple Teaming: Attacker techniques, threat hunting & detection engineering: 

    • Establishing a foothold in the lab via exploitation. 

    • BloodHound and active directory attacks. 

    • Process Injection. 

    • In-memory C# assembly execution. 

    • Credential dumping.

    • Persistence. 

    • Lateral movement via service execution. 

    • DCSync.


Day 2

The red team instructor simulates a more advanced version of APT 0x00 and provides technical insights into the attacker techniques. During the day, students are guided by the blue team instructor to reconstruct the timeline of two pre-executed attacks. The goal of this day is to identify and eradicate the attacker based on knowledge from day 1.

  • Preparation and introduction to the exercise. 

  • Anomaly detection in the lab environment. 

  • Investigating alerts and IoCs to discover underlying techniques. 

  • Purple Teaming: More advanced attacker techniques, threat hunting & detection engineering:

    • Establishing a foothold in the lab via exploitation of a different vulnerability.

    • Resource-Based Constrained Delegation attacks. 

    • Phishing. 

    • Kerberoasting. 

    • Lateral Movement via WinRM.

    • LAPS abuse. 

    • Headless RDP.

    • … 

  • Live response to the ongoing attack. 

  • Eradication of the threat actor in the environment. 

  • Lessons learned. 


Day 3

The red team instructor simulates the stealthiest version of APT 0x00 and provides technical insights into the attacker techniques. During the day, students are guided by the blue team instructor to track and stop the live ongoing threat actor campaign. The goal of this day is to stop the threat actor before it reaches its goals.

  • Preparation and introduction to the exercise. 

  • Identification and elimination of attacker footholds. 

  • Identifying anomalies in the lab environment. 

  • Investigating alerts and IoCs to discover underlying techniques. 

  • Purple Teaming: More advanced attacker techniques, threat hunting & detection engineering.

  • Live response to the ongoing attack. 

  • Eradication of the threat actor in the environment. 

  • Lessons learned. 


Key Takeaways

We hope that after this training you will be able to:

  • Better understand and identify attacker techniques.

  • Build custom threat hunt queries and detection rules to identify attackers hiding in the shadows.

  • Implement decoy objects to proactively identify certain common attacks.

  • Identify how red and blue can work together to identify and close the gaps in your defense, improving detection and response capability.


Target Audience


This technical training is intended for IT professionals who want to expand their knowledge on red teaming, threat hunting and detection engineering. Students will combat a live ongoing cyberattack and experience hands-on how a meaningful collaboration between offensive and defensive security teams can improve an organization’s defensive capabilities against real threat actors. The target audience includes:

  • Cyber Security Professionals 

  • Threat Hunters 

  • Incident Handlers 

  • SOC Analysts 

  • Detection Engineers 

  • IT Professionals with an interest in technical cyber security


Training level


All. We cover a range of simple to more complex attack techniques. Both beginners and more advanced professionals will get the most out of the course.

Pre-requisites


Students should be able to participate from their own OS, provided it supports a WireGuard VPN client and has a web browser on board. It is recommended to use a Linux virtual machine with a desktop environment to participate in the training. A custom Ubuntu Desktop VM with the necessary tools pre-installed will also be available.

Trainer Bio


Dennis Van Elst is a red team operator, infosec lecturer and purple team advocate. At DXC, he actively promotes collaboration between the Strikeforce Red Team and internal Blue Teams, such as Threat Hunting, Digital Forensics, Incident Response and Threat Intel. This resulted in several internal workshops focusing on topics like defense evasion, active directory attacks and edge attacks, where the Red Team mimics various threat actor techniques and the Blue Team validates and improves detection.


At Thomas More Belgium, he teaches second-bachelor students the basics of Ethical Hacking & Penetration Testing. Third-bachelor students are pitted against each other in red team - blue team exercises, where one side of the class attacks a simulated corporate environment and the other side defends, using free and open-source software.


His view on information security is that the practical approach results in a better understanding of both the offensive and defensive perspective, ultimately improving both sides. The best way to completely understand a technical topic is by doing it!


LinkedIn: https://be.linkedin.com/in/dennis-van-elst

Twitter (X): @0xbad53c

GitHub: https://github.com/0xbad53c

Blog: https://red.0xbad53c.com

Thomas Eugène is the Incident Response Manager in the CSIRT of Zetes. He works to increase the maturity of the incident response process and prepare the organization to face future security challenges.


In the past, Thomas was part of the CERT.be Team, supporting and coordinating the incident response team, publishing, and providing advisories to improve security for Belgian citizens and companies.


After that, he joined DXC Technology as a threat hunter and incident responder. He actively hunted for new threats in large customer environments and supported the incident response cases. He also worked in the DXC Threat and Vulnerability Management team. This experience resulted in a good overview of the differences and the needs of both the offensive and the defensive side.


He is a strong believer in the importance of the collaboration between blue and red teams. He will deliver the training from the blue team's point of view.