HackTool - PurpleSharp Execution

Rule name: HackTool - PurpleSharp Execution

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Resource Development: Develop Capabilities (T1587)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

Detects the execution of the PurpleSharp adversary simulation tool

Severity

Critical

Rule journey

Attack chain scenario

Initial access → Tool deployment → PurpleSharp execution → Simulated attack actions → Detection testing → Security control evasion

Impact

  • Simulated threats
  • Alert generation
  • Detection testing
  • Security evaluation

Rule Requirement

Prerequisites

  • Using Windows event viewer:

To enable detailed tracking of process activity:

  1. Log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC) by running gpmc.msc.
  2. Create a new Group Policy Object (GPO) or modify an existing one linked to the appropriate organizational unit.
  3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking, then enable both Audit Process Creation and Audit Process Termination by configuring the audit events and selecting the Success option.
  4. For improved process visibility, go to Administrative Templates > System > Audit Process Creation, enable the policy Include command line in process creation events, and apply the changes.
  5. Lastly, ensure the logging channel is active by creating the registry key "Microsoft-Windows-Security-Auditing/Operational" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ if it does not already exist.

  • Using Sysmon:

To set up Sysmon for process monitoring:

  1. Download Sysmon from Microsoft Sysinternals and open a Command Prompt with administrator privileges.
  2. Create or download a configuration file that includes process creation monitoring, and make sure it contains a <ProcessCreate> rule so that all process creation events are captured.
  3. Install Sysmon with that configuration using the command sysmon.exe -i [configfile.xml].
  4. If it doesn't already exist, create the registry key "Microsoft-Windows-Sysmon/Operational" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ to enable event logging.

Criteria

Action1: actionname = "Process started" AND ((PROCESSNAME contains "\purplesharp" OR ORIGINALFILENAME = "PurpleSharp.exe") OR COMMANDLINE contains "xyz123456.exe,PurpleSharp")
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
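The criteria above can be exercised offline before the rule is deployed. The following is an added example written for this page, not the vendor's rule engine and not PurpleSharp code: it normalizes two constructed record shapes (a Windows Security 4688 event and a Sysmon Event ID 1 event, with assumed field names) into the rule's PROCESSNAME / ORIGINALFILENAME / COMMANDLINE fields, applies the three indicators as alternatives gated on a process-start action, and projects the fields the select clause returns. Case-insensitive matching is an assumption.

```python
"""Apply the rule's process-start criteria to constructed Windows process events.

Added example (not the vendor's rule engine or PurpleSharp code). All event
records below are constructed; the 4688 and Sysmon field names are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    actionname: str
    hostname: str
    processname: str
    originalfilename: Optional[str]
    commandline: str
    username: str
    parentprocessname: str
    message: str


def from_security_4688(rec: Dict[str, str]) -> ProcessEvent:
    """Normalize a Windows Security 4688 record (assumed field names)."""
    return ProcessEvent(
        actionname="Process started",
        hostname=rec["Computer"],
        processname=rec["NewProcessName"],
        originalfilename=None,  # 4688 carries no OriginalFileName field
        commandline=rec.get("CommandLine", ""),
        username=rec["SubjectUserName"],
        parentprocessname=rec.get("ParentProcessName", ""),
        message="A new process has been created.",
    )


def from_sysmon_1(rec: Dict[str, str]) -> ProcessEvent:
    """Normalize a Sysmon Event ID 1 (ProcessCreate) record (assumed field names)."""
    return ProcessEvent(
        actionname="Process started",
        hostname=rec["Computer"],
        processname=rec["Image"],
        originalfilename=rec.get("OriginalFileName"),
        commandline=rec.get("CommandLine", ""),
        username=rec["User"],
        parentprocessname=rec.get("ParentImage", ""),
        message="Process Create",
    )


def matches_rule(ev: ProcessEvent) -> bool:
    """The three indicators are alternatives; all are gated on a process-start action.

    'contains' and '=' are treated case-insensitively here (assumption); the
    literals are the ones the rule's criteria list.
    """
    if ev.actionname != "Process started":
        return False
    by_path = "\\purplesharp" in ev.processname.lower()
    by_original_name = (ev.originalfilename or "").lower() == "purplesharp.exe"
    by_cmdline = "xyz123456.exe,purplesharp" in ev.commandline.lower()
    return by_path or by_original_name or by_cmdline


# The fields the rule's select clause returns (FILE_NAME omitted: not in the sample records).
SELECTED_FIELDS = ("hostname", "message", "commandline", "processname", "username", "parentprocessname")


def alert_fields(ev: ProcessEvent) -> Dict[str, str]:
    """Project the selected fields of a matching event."""
    return {name: getattr(ev, name) for name in SELECTED_FIELDS}


def run_rule(events: List[ProcessEvent]) -> List[Dict[str, str]]:
    """Evaluate the criteria over a batch of events and return the alert rows."""
    return [alert_fields(ev) for ev in events if matches_rule(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[ProcessEvent] = [
    # Sysmon: tool run from its own path, original file name intact -> path and name indicators hit.
    from_sysmon_1({"Computer": "ws01.corp.example", "Image": r"C:\Tools\PurpleSharp.exe",
                   "OriginalFileName": "PurpleSharp.exe", "CommandLine": r'"C:\Tools\PurpleSharp.exe"',
                   "User": r"CORP\redteam", "ParentImage": r"C:\Windows\System32\cmd.exe"}),
    # 4688: renamed binary, only the command-line marker from the rule remains.
    from_security_4688({"Computer": "ws02.corp.example", "NewProcessName": r"C:\Windows\Temp\updater.exe",
                        "CommandLine": "updater.exe xyz123456.exe,PurpleSharp",
                        "SubjectUserName": "alice", "ParentProcessName": r"C:\Windows\explorer.exe"}),
    # 4688: ordinary process, no indicator.
    from_security_4688({"Computer": "ws03.corp.example", "NewProcessName": r"C:\Windows\System32\notepad.exe",
                        "CommandLine": "notepad.exe notes.txt", "SubjectUserName": "bob"}),
    # Same image as the first event, but a termination record: the action gate rejects it.
    ProcessEvent(actionname="Process terminated", hostname="ws01.corp.example",
                 processname=r"C:\Tools\PurpleSharp.exe", originalfilename="PurpleSharp.exe",
                 commandline="", username=r"CORP\redteam", parentprocessname="",
                 message="A process has exited."),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["hostname"], hit["processname"], hit["commandline"])
```

Only the first two constructed events produce alert rows; the termination record shows why the process-start condition has to gate all three indicators rather than only the first two.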

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Resource Development: Develop Capabilities (T1587)

Security Standards

Enabling this rule helps you meet the requirements of the security standards listed below:

  • NIST SP 800-53: SI-4 – System Monitoring: Requires organizations to monitor systems to detect potential security events in real time.
    Triggering this rule helps detect the use of adversary simulation tools like PurpleSharp, indicating that monitoring controls are effectively identifying potential threat emulation activities.
  • NIST SP 800-53: AU-6 – Audit Review, Analysis, and Reporting: Mandates the analysis of audit logs to identify suspicious or unauthorized activity.
    Triggering this rule provides actionable audit data when PurpleSharp is executed, supporting the review and analysis of adversarial simulation attempts.
  • NIST SP 800-53: IR-5 – Incident Monitoring: Focuses on mechanisms for monitoring and detecting security incidents across the enterprise.
    Triggering this rule alerts incident response teams to test or unauthorized adversary simulations, helping ensure that monitoring processes are working as intended.
  • NIST SP 800-137: Continuous Monitoring (ISCM): Emphasizes the need for ongoing awareness of security threats and system vulnerabilities.
    Triggering this rule enables security teams to continuously assess detection capabilities against simulation tools, improving overall visibility and response readiness.
  • NIST SP 800-61: Computer Security Incident Handling Guide: Outlines best practices for identifying, managing, and mitigating security incidents.
    Triggering this rule helps validate incident detection procedures and ensures security teams are alerted to emulated attack behavior, facilitating timely investigation and handling.

Author

Florian Roth (Nextron Systems)

Future actions

Known False Positives

This rule will be triggered when security teams run PurpleSharp during authorized adversary simulation or red team exercises. It may also trigger alerts during scheduled testing of detection and response capabilities in controlled environments.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and terminate the malicious process.
  4. Validation: Confirm whether the execution was part of a sanctioned simulation or red team activity by cross-referencing internal testing schedules.
  5. Documentation: Record the incident details, including timestamp, source, and outcome, to improve detection rules and refine future adversary simulation exercises.
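Step 4 (validation against internal testing schedules) is the part of this workflow that is easiest to automate. The following is an added example written for this page, not the vendor's workflow: it takes the hostname, username and timestamp from an alert and checks them against a constructed list of announced exercise windows. Ticket ids, hostnames, accounts and timestamps are all constructed; a real deployment would read the schedule from the team's testing calendar. The alert is only treated as sanctioned when host, account and time all fall inside one window, so a partial match still routes to investigation.

```python
"""Cross-reference a PurpleSharp alert against sanctioned exercise windows.

Added example (not the vendor's workflow). Schedule entries, ticket ids,
hosts and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatch
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ExerciseWindow:
    ticket: str        # constructed reference to the approved exercise
    host_pattern: str  # fnmatch-style hostname pattern, e.g. "lab-*.corp.example"
    operator: str      # account the simulation was announced to run under
    start: datetime
    end: datetime


def _utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset and normalize it to UTC."""
    return datetime.fromisoformat(stamp).astimezone(timezone.utc)


def triage(alert: Dict[str, str], windows: List[ExerciseWindow]) -> Tuple[str, str]:
    """Return ("sanctioned", ticket) when host, account and time all fall inside one
    announced window; otherwise ("investigate", reason). Host-only or host+account
    matches are deliberately not enough to close the alert."""
    ts = _utc(alert["timestamp"])
    host = alert["hostname"].lower()
    user = alert["username"].lower()
    reasons = []
    for w in windows:
        if not fnmatch(host, w.host_pattern.lower()):
            continue
        if user != w.operator.lower():
            reasons.append(f"{w.ticket}: host matches but account {alert['username']} was not announced")
            continue
        if not (w.start <= ts <= w.end):
            reasons.append(f"{w.ticket}: host and account match but outside the approved window")
            continue
        return ("sanctioned", w.ticket)
    return ("investigate", "; ".join(reasons) or "no exercise window covers this host")


# Constructed schedule: one announced window on lab hosts, run by the red-team account.
SCHEDULE: List[ExerciseWindow] = [
    ExerciseWindow("RT-0001 (constructed)", "lab-*.corp.example", r"CORP\redteam",
                   _utc("2024-05-14T09:00:00+00:00"), _utc("2024-05-14T17:00:00+00:00")),
]

# Constructed alerts: the fields would come from the rule's select clause.
SAMPLE_ALERTS: List[Dict[str, str]] = [
    {"hostname": "lab-07.corp.example", "username": r"CORP\redteam", "timestamp": "2024-05-14T10:15:00+00:00"},
    {"hostname": "lab-07.corp.example", "username": r"CORP\redteam", "timestamp": "2024-05-14T23:40:00+00:00"},
    {"hostname": "lab-07.corp.example", "username": "alice", "timestamp": "2024-05-14T10:20:00+00:00"},
    {"hostname": "fin-db01.corp.example", "username": r"CORP\redteam", "timestamp": "2024-05-14T10:30:00+00:00"},
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        verdict, detail = triage(alert, SCHEDULE)
        print(alert["hostname"], alert["username"], verdict, detail)
```

Of the four constructed alerts only the first is sanctioned; the other three (outside the window, wrong account, host never in scope) each carry the reason that an analyst would record under the documentation step.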

Mitigation

Mitigation ID: M1056

Mitigation Name: Pre-compromise

Description: This technique is difficult to mitigate using preventive controls, as it involves behaviors that occur beyond the reach of typical enterprise defenses and security mechanisms.