Recently, we conducted another internal Purple Team Assessment. The goal of this type of exercise is to deliberately combine the expertise of attackers (Red Team) and defenders (Blue Team). The combination of Red and Blue results in the Purple Team approach.
During our Purple Team Assessment, multi-stage attacks were simulated in two lab environments (Microsoft and Elastic). These simulations reflected realistic attack scenarios, enabling us not only to strengthen knowledge and skills but also to test the effectiveness and functionality of the mechanisms used to detect and defend against cyberattacks.
Attack Scenario
As part of the Purple Team Assessment, a realistic attack path targeting an Active Directory environment was simulated:
- Identification of a valid user account through Username Enumeration
- Compromise of a user account using Password Spraying
- Analysis of the Active Directory structure and identification of weaknesses
- Compromise of a service account through Kerberoasting
- Privilege escalation on a local system by exploiting a service misconfiguration
- Extraction of Domain Administrator credentials from SAM and LSASS
- Lateral movement using Pass-the-Hash
- Compromise of the Domain Controller via DCSync
In addition, two independent tests commonly performed during penetration testing engagements were carried out. Both focused on frequently encountered misconfigurations in Active Directory environments:
- Exploitation of an ESC1 misconfiguration in Active Directory Certificate Services (AD CS) to obtain elevated privileges
- Takeover of a privileged user account through the abuse of Shadow Credentials
TERMS EXPLAINED
- Username Enumeration: The process of identifying valid usernames within an IT environment.
- Password Spraying: An attack technique in which a small number of commonly used passwords are tested against many user accounts.
- Kerberoasting: The extraction of encrypted service account data with the goal of recovering passwords offline.
- SAM (Security Account Manager): A Windows database that stores local user accounts and credential information.
- LSASS (Local Security Authority Subsystem Service): A Windows process responsible for authentication and credential management.
- Pass-the-Hash: The use of stolen password hash data without knowing the actual password.
- DCSync: An attack technique that allows credentials to be extracted directly from Active Directory.
- ESC1: A critical misconfiguration in Active Directory Certificate Services that can enable privilege escalation.
- Shadow Credentials: An attack technique that enables account takeover through the manipulation of certificate-based authentication credentials.
Why attackers and defenders deliberately work together
The participants in a Purple Team Assessment do not work against each other. Instead, they pursue a common objective: improving attack detection capabilities and accelerating incident response.
To achieve this, attacks were planned and executed by the Red Team in multiple phases. Following each phase, both teams jointly reviewed the findings. The Blue Team presented its detections and attempted to reproduce the attack activity, while the Red Team provided additional insights and corrections where necessary.
Turning findings into actionable improvements
The collaborative analysis and rapid feedback loops within a Purple Team Assessment create a deep understanding of the technical and strategic approaches used by both teams. This provides immediate value to all participants. As expected, not every simulated attack was detected immediately during the assessment. The identified gaps help the defenders (Blue Team) further optimize detection capabilities within the Security Operations Center (SOC).
Example: Shadow Credentials
Shadow Credentials represent an identity-based attack against Active Directory. During the Purple Team Assessment, it became apparent that Microsoft-native detection mechanisms already provided broad visibility into these activities. However, reliable detection within Elastic SIEM required the integration of additional audit logs. In particular, Domain Object Auditing was necessary to record changes to Active Directory objects and enable dependable detection of the attack.
At the same time, the assessment provided the attackers (Red Team) with a valuable shift in perspective: Which activities are actually visible within a SOC, and which can only be detected with significant effort – or potentially not at all? These lessons learned directly influence future Red Team engagements. Unlike traditional penetration tests, these engagements place a stronger emphasis on simulating realistic adversary behavior while actively avoiding detection.
Following an exercise of this kind, it is critical to incorporate the lessons learned into existing mechanisms and processes. As a result, initial improvements within the SOC have already been implemented. These include additional detection rules and refinements to our logging policy – enhancements that directly benefit our customers.
After the assessment is before the assessment
We are currently establishing Purple Team Assessments as a recurring event and a permanent component of our security strategy: continuous, realistic, and collaborative. The next assessment will focus on a larger lab environment, more sophisticated attack techniques, and an expanded attack scenario. True to the motto: after Purple Teaming is before Purple Teaming. And between assessments, both teams continue to refine and enhance their capabilities behind the scenes – always preparing to challenge each other even more in the next exercise.