Purple Team Resources

6 minute read


The term Purple Team has stemmed from the overlap between Red and Blue Team operations whereby a Red Team may perform a Penetration Test, and the Blue Team may detect this penetration test and disrupt, degrade, or deny access to resources.


NIST Cybersecurity Framework used to support Blue Team Functions. Penetration Testing Execution Standard (PTES) used to support Red Team Functions. TTPs have been interpreted differently by various parties, and can also be applied within the standard context to the “Blue Team”; however, for the purpose of this analysis they’ll be confined to the “Red Team” or adversary.


PPT (People, Process and Technology) - Blue Team. Supports the NIST 5 Security Functions. TTP (Tactics, Techniques, Procedures) - Red Team. Covers the 5 domains of the Penetration Testing Execution Standard. Pyramid of Pain - Feedback Loop


Blue Team

PPT (People, Process and Technology)

This is defined as…

  • People: The ‘WHO’ of defending, who is available to ward off an adversary?
  • Process: The ‘HOW’ of defending, how will we prepare and defend against an adversary?
  • Technology: The ‘WHAT’ of defending, what systems do we need to support our defensive efforts?

and is used to support the following 5 NIST Cybersecurity Functions…

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Red Team

TTP (Tactics, Techniques, Procedures)

This is defined as… 1

  • Tactics: The employment and ordered arrangement of forces in relation to each other.
  • Techniques: Non-prescriptive ways or methods used to perform missions, functions, or tasks.
  • Procedures: Standard, detailed steps that prescribe how to perform specific tasks.

and is used to support the following 5 Penetration Testing Execution Standards…

  • Intelligence Gathering
  • Threat Modeling
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation

Purple Team Methodology

  • Blue detects/prevents TTPs, notifies Red who adapts TTPs.
  • Red bypasses PPTs, notifies Blue who adapts PPTs.
  • Both Red and Blue follow a Modus operandi which can change based on the opposing team.

The big picture? The Pyramid of Pain by David Bianco 2.

The relationship between the types of indicators you might use to detect an adversary’s activities and how much pain it will cause them when you are able to detect and respond at each of these levels.

In terms of Blue Team Technology:

Asset Management (Identify)


System Hardening (Protect)


Intrusion Detection and Prevention (Detect)

This section aims to provide an introduction to Sigma, Yara, Snort, Bro/Zeek and Suricata rules, how you can get started, and how these play an integral part in security as we know it today.


Sigma is created by Florian Roth and aims to be a vendor neutral, Generic Signature Format for SIEM Systems. A SIEM System is a Security Information and Event Management System which collates, aggregates, and normalises data from a variety of log sources within your environment.

In the context of a SIEM, Sigma is a way of describing useful log entries which can be used to detect an attack occurring within your environment. By using this you’re able to easily and automatically create queries for multiple different SIEMs which can then be used to setup alerting for anomalous system behavior.


Below is an example of a Sigma rule created by Florian Roth which looks for particular characters being passed in the command line to find Emotet execution.

title: Emotet Process Creation
id: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18
status: experimental
description: Detects all Emotet like process executions that are not covered by the more generic rules
author: Florian Roth
date: 2019/09/30
modified: 2019/10/16
	- https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/
	- https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/
	- https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/
	category: process_creation
	product: windows
			- '* -e* PAA*'
			- '*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*'  # $env:userprofile
			- '*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*'  # $env:userprofile
			- '*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*'  # $env:userprofile
			- '*IgAoACcAKgAnACkAOwAkA*'  # "('*');$
			- '*IAKAAnACoAJwApADsAJA*'  # "('*');$
			- '*iACgAJwAqACcAKQA7ACQA*'  # "('*');$
	condition: selection
	- CommandLine
	- ParentCommandLine
	- Unlikely
level: critical

Another example detects any files which have been downloaded through PowerShell.

title: Suspicious PowerShell Download
id: 65531a81-a694-4e31-ae04-f8ba5bc33759
status: experimental
description: Detects suspicious PowerShell download command
	- attack.execution
	- attack.t1086
author: Florian Roth
	product: windows
	service: powershell
			- '*System.Net.WebClient).DownloadString(*'
			- '*system.net.webclient).downloadfile(*'
	condition: keywords
	- PowerShell scripts that download content from the Internet
level: medium

Using Sigmac or an online utility such as Uncoder.io you can easily convert sigma rules to relevant queries for your SIEM and share common queries which can be used on multiple SIEM vendors.

For more information on writing Sigma Rules, refer to Florian Roth’s Blog Post


Yara is created by the team behind VirusTotal and aims to be a pattern matching swiss army knife, which can be used by malware analysts to categorise and identify malware samples based on patterns within text or binaries.


rule silent_banker : banker
		description = "This is just an example"
		threat_level = 3
		in_the_wild = true

		$a = {6A 40 68 00 30 00 00 6A 14 8D 91}
		$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}

		$a or $b or $c

For more information on writing Yara Rules, refer to the Yara Documentation


Snort is created by the team at Cisco Talos and is an Open Source Intrusion Prevention System (IPS) which is able to make decisions on whether to allow or drop network traffic in real time based on rules you create for it.

In the context of an Intrusion Prevention System, Snort sits as a Network Intrusion Detection and Prevention System which allows you to monitor network traffic in order to prevent among other things data leakage, exfiltration, and Command and Control (C2) Beacons.


This example matches on any DNS request or response containing the content “77616E6E61636F6F6B69652E6D696E2E707331”.

alert udp any any <> any 53 (msg: "Suspicious DNS request";content:"77616E6E61636F6F6B69652E6D696E2E707331"; nocase; sid:2000123;rev:1;)

These examples by the US-CERT are 3 different SNORT rules to detect the Open-Source RAT known as Quasar.

alert tcp $EXTERNAL_NET :1024 -> $HOME_NET any (msg:"Non-Std TCP Server Traffic contains '|40 00 00 00|' (Quasar RAT Initial Packet)"; sid:10000; rev:1; flow:established,from_server; dsize:68; content:"|40 00 00 00|"; depth:4; fast_pattern;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Client Header contains 'Host|3a 20|ip-api com', URI '/json/' (Quasar RAT)"; sid:10002; rev:1; flow:established,to_server; content:"Host|3a 20|ip-api|2e|com|0d 0a|"; http_header; fast_pattern:only; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.3|3b| rv|3a|48.0) Gecko/20100101 Firefox/48.0|0d 0a|"; http_header; content:"/json/"; http_uri; depth:6; urilen:6,norm; priority:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Client Header contains 'User-Agent|3a 20|Mozilla/5.0 (Macintosh|3b| Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A', TTL 65-128 (Quasar RAT)"; sid:10001; rev:1; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 (Macintosh|3b| Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A|0d 0a|"; http_header; fast_pattern:only; priority:2;)

For more information on writing Snort Rules, refer to the Snort Manual or Snort Infographic



For more information on writing Zeek Rules, refer to the Zeek Documentation


alert http $HOME_NET any -> $EXTERNAL_NET any  (msg: "Powershell Empire HTTP Request "; flow: established, to_server; content:".php"; http_uri;  pcre:"/session=[a-zA-Z0-9+/]{20,300}([a-zA-Z0-9+/]{1}[a-zA-Z0-9+/=]{1}|==)/ACi"; flowbits:set,empire; classtype:shellcode-detect; sid: 3016007; rev: 1; metadata:created_at 2018_09_03,by al0ne;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "Powershell Empire HTTP Response "; flow: established,to_client; content:"200"; http_stat_code; flowbits: isset,empire; content:"Cache-Control: no-cache, no-store, must-revalidate"; http_header; content: "Server: Microsoft-IIS/7.5"; http_header; distance: 0; classtype:shellcode-detect; sid: 3016008; rev: 1; metadata:created_at 2018_09_03,by al0ne;)

For more information on writing Suricata Rules, refer to the Suricata Documentation or look into some open source rules.

More information on how this differs to Snort can also be found in the Suricata Documentation

Live Triage and Forensics (Respond)


System Remediation and Lessons Learned (Recover)


In terms of Red Team Tactics:


In terms of Red Team Techniques:


In terms of Red Team Procedures:


Reference/Supporting Material

1 2