Executes Purple Team exercises coordinating red team attack simulations and blue team detection validation with MITRE ATT&CK mapped scenarios and real-time testing. For SOC teams verifying detections and fixing gaps.
npx claudepluginhub killvxk/cybersecurity-skills-zh
Use this skill when:
Performs purple team exercises coordinating red team adversary emulation with blue team detection validation using MITRE ATT&CK scenarios. Validates SOC detections, trains analysts, closes gaps.
Performs purple team exercises coordinating red team adversary emulation with blue team detection validation using MITRE ATT&CK scenarios for SOC detection testing and gap remediation.
Executes red team exercises simulating stealthy adversary attacks across full lifecycle from reconnaissance to exfiltration, testing detection and response. For red teaming, adversary emulation requests.
Not applicable to unannounced red team exercises: a purple team exercise requires real-time collaboration between the attacking and defending sides and must be explicitly coordinated.
Record the exercise parameters:

```yaml
purple_team_exercise:
  exercise_id: PT-2024-Q1
  date: 2024-03-20
  duration: 8 hours (09:00-17:00 UTC)
  scope:
    environment: Production (Finance VLAN, 10.0.5.0/24)
    systems_in_scope:
      - WORKSTATION-TEST01 (10.0.5.100) — 测试终端
      - DC-TEST (10.0.5.200) — 测试域控制器
      - FILESERVER-TEST (10.0.5.201) — 测试文件服务器
    systems_excluded:
      - 所有生产域控制器
      - 面向客户的系统
  objectives:
    - 验证 15 条映射到 FIN7 TTP 的检测规则
    - 测试 SOC 分析师对真实攻击指标的响应
    - 识别凭据访问和横向移动的检测缺口
    - 测量每种技术的检测延迟
  threat_scenario: FIN7 活动,以鱼叉式网络钓鱼为目标攻击财务数据
  authorization: 已获 CISO 批准,变更申请 CR-2024-0567
  communication: #purple-team-2024q1 Slack 频道
```
Create a per-technique test matrix:

| # | ATT&CK ID | Technique | Test tool | Expected detection | Blue team metric |
|---|---|---|---|---|---|
| 1 | T1566.001 | Spearphishing Attachment | Manual email | Email gateway alert | Detected Y/N, latency |
| 2 | T1204.002 | User Execution | Macro document | Sysmon process creation | Detected Y/N, latency |
| 3 | T1059.001 | PowerShell | Atomic RT #1-3 | PowerShell execution alert | Detected Y/N, latency |
| 4 | T1053.005 | Scheduled Task | Atomic RT | Scheduled task creation alert | Detected Y/N, latency |
| 5 | T1547.001 | Registry Run Keys | Atomic RT | Registry modification alert | Detected Y/N, latency |
| 6 | T1003.001 | LSASS Memory | Mimikatz | Credential dumping alert | Detected Y/N, latency |
| 7 | T1550.002 | Pass the Hash | Mimikatz | NTLM anomaly detection | Detected Y/N, latency |
| 8 | T1021.002 | SMB/PsExec | PsExec | PsExec service creation alert | Detected Y/N, latency |
| 9 | T1047 | WMI | wmic /node | WMI remote execution alert | Detected Y/N, latency |
| 10 | T1021.001 | RDP | xfreerdp | RDP lateral movement alert | Detected Y/N, latency |
| 11 | T1071.001 | Web C2 | Cobalt Strike | C2 beacon detection | Detected Y/N, latency |
| 12 | T1041 | Exfiltration over C2 | Rclone | Data exfiltration alert | Detected Y/N, latency |
| 13 | T1490 | Inhibit Recovery | vssadmin | Shadow copy deletion alert | Detected Y/N, latency |
| 14 | T1486 | Data Encryption | Test encryption tool | Bulk encryption detection | Detected Y/N, latency |
| 15 | T1070.001 | Clear Logs | wevtutil | Log clearing detection | Detected Y/N, latency |
Run each technique one at a time with Atomic Red Team (or manually):

```powershell
# Install Atomic Red Team
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics

# Test 1: T1059.001 - PowerShell execution
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] Executing T1059.001 - PowerShell"
Invoke-AtomicTest T1059.001 -TestNumbers 1
# Notify the blue team: "T1059.001 executed at $(Get-Date)"

# Test 2: T1053.005 - Scheduled task creation
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] Executing T1053.005 - Scheduled Task"
Invoke-AtomicTest T1053.005 -TestNumbers 1

# Test 3: T1547.001 - Registry Run key
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] Executing T1547.001 - Registry Persistence"
Invoke-AtomicTest T1547.001 -TestNumbers 1,2

# Test 4: T1003.001 - Credential dumping
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] Executing T1003.001 - LSASS Access"
Invoke-AtomicTest T1003.001 -TestNumbers 1,2

# Test 5: T1490 - Shadow copy deletion
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] Executing T1490 - Inhibit Recovery"
Invoke-AtomicTest T1490 -TestNumbers 1

# Clean up after each test (run the matching -Cleanup for every test executed)
Invoke-AtomicTest T1059.001 -TestNumbers 1 -Cleanup
Invoke-AtomicTest T1053.005 -TestNumbers 1 -Cleanup
Invoke-AtomicTest T1547.001 -TestNumbers 1,2 -Cleanup
Invoke-AtomicTest T1003.001 -TestNumbers 1,2 -Cleanup
Invoke-AtomicTest T1490 -TestNumbers 1 -Cleanup
```
The blue team monitors the SIEM in real time during execution:

```spl
--- Purple team real-time monitoring dashboard
index=notable earliest=-1h
| where Computer IN ("WORKSTATION-TEST01", "DC-TEST", "FILESERVER-TEST")
    OR src IN ("10.0.5.100", "10.0.5.200", "10.0.5.201")
| eval detection_latency = _time - orig_time
| eval latency_seconds = round(detection_latency, 0)
| sort _time
| table _time, rule_name, urgency, src, dest, user, latency_seconds

--- Check detection of a specific technique
index=sysmon Computer="WORKSTATION-TEST01" earliest=-15m
    (EventCode=1 OR EventCode=3 OR EventCode=10 OR EventCode=11 OR EventCode=13)
| sort _time
| table _time, EventCode, Image, CommandLine, TargetFilename, TargetObject
```
Record results in real time:

```python
exercise_results = {
    "exercise_id": "PT-2024-Q1",
    "results": [
        {
            "technique": "T1059.001",
            "name": "PowerShell Execution",
            "execution_time": "09:15:00",
            "detected": True,
            "alert_name": "Suspicious PowerShell Encoded Command",
            "detection_time": "09:15:47",
            "latency_seconds": 47,
            "notes": "通过 Sysmon EventCode 1 的编码命令模式检测到"
        },
        {
            "technique": "T1003.001",
            "name": "LSASS Memory Access",
            "execution_time": "10:30:00",
            "detected": False,
            "alert_name": None,
            "detection_time": None,
            "latency_seconds": None,
            "notes": "缺口:无 LSASS 访问检测规则。Sysmon EventCode 10 存在但无关联规则。"
        }
    ]
}
```
For each detection gap, the blue team builds a detection rule immediately:

```spl
--- Gap: T1003.001 - no LSASS access detection
--- Rule built during the exercise
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
    GrantedAccess IN ("0x1010", "0x1038", "0x1fffff", "0x40")
    NOT SourceImage IN ("*\\svchost.exe", "*\\csrss.exe", "*\\MsMpEng.exe")
| stats count by Computer, SourceImage, SourceUser, GrantedAccess
| where count > 0
```
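As an added example (not part of the original skill), the same T1003.001 rule expressed in Python so the blue team can unit-test its logic against Sysmon EventCode 10 records before deploying it to the SIEM; the access-mask list and process exclusions are the ones in the SPL above, and the event records are constructed samples, not real telemetry.

```python
import fnmatch
from collections import Counter

# Same criteria as the exercise's SPL rule: Sysmon EID 10 against lsass.exe,
# the access masks it lists, and its source-process exclusions (lower-cased).
SUSPICIOUS_ACCESS = {"0x1010", "0x1038", "0x1fffff", "0x40"}
EXCLUDED_SOURCES = ("*\\svchost.exe", "*\\csrss.exe", "*\\msmpeng.exe")

def matches_lsass_rule(event):
    """True when a Sysmon ProcessAccess event matches the LSASS access rule."""
    if event.get("EventCode") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not fnmatch.fnmatchcase(target, "*\\lsass.exe"):
        return False
    # Sysmon logs the mask as hex text; normalise case before comparing.
    if event.get("GrantedAccess", "").lower() not in SUSPICIOUS_ACCESS:
        return False
    source = event.get("SourceImage", "").lower()
    return not any(fnmatch.fnmatchcase(source, p) for p in EXCLUDED_SOURCES)

def count_by_source(events):
    """Emulates `stats count by Computer, SourceImage, SourceUser, GrantedAccess`."""
    return Counter(
        (e["Computer"], e["SourceImage"], e["SourceUser"], e["GrantedAccess"])
        for e in events if matches_lsass_rule(e)
    )

# Constructed sample events covering each branch of the rule.
SAMPLE_EVENTS = [
    {"EventCode": 10, "Computer": "WORKSTATION-TEST01", "SourceUser": "LAB\\tester",
     "SourceImage": "C:\\Temp\\purple-test.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventCode": 10, "Computer": "WORKSTATION-TEST01", "SourceUser": "NT AUTHORITY\\SYSTEM",
     "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventCode": 10, "Computer": "WORKSTATION-TEST01", "SourceUser": "LAB\\tester",
     "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventCode": 1, "Computer": "WORKSTATION-TEST01", "SourceUser": "LAB\\tester",
     "SourceImage": "C:\\Temp\\purple-test.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for key, count in count_by_source(SAMPLE_EVENTS).items():
        print(count, *key)
```

Only the first sample event should match: the Defender engine is excluded, the 0x1400 mask is not in the list, and the last record is not a ProcessAccess event.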
Re-test once the rule is built:

Red team: "Re-executing T1003.001 at 11:45"
Blue team: "Confirmed: alert 'LSASS Memory Access Detected' fired at 11:45:32 (32-second latency)"
Result: gap closed
```python
def generate_purple_team_report(results):
    """Summarise an exercise results dict (the exercise_results structure above) as text."""
    total = len(results["results"])
    detected = sum(1 for r in results["results"] if r["detected"])
    gaps = sum(1 for r in results["results"] if not r["detected"])
    # Average only over techniques that were detected; a 0-second latency still counts.
    avg_latency = sum(r["latency_seconds"] for r in results["results"]
                      if r["latency_seconds"] is not None) / max(detected, 1)
    total = max(total, 1)  # avoid division by zero on an empty results list
    report = f"""
紫队演练报告 — {results['exercise_id']}
{'=' * 60}
摘要:
  已测试技术数: {total}
  已检测: {detected} ({detected/total*100:.0f}%)
  发现缺口: {gaps} ({gaps/total*100:.0f}%)
  平均检测延迟: {avg_latency:.0f} 秒
详细结果:
"""
    for r in results["results"]:
        status = "已检测" if r["detected"] else "缺口"
        latency = f"{r['latency_seconds']}s" if r["latency_seconds"] is not None else "N/A"
        report += f"  [{status}] {r['technique']} — {r['name']} (延迟:{latency})\n"
        if not r["detected"]:
            report += f"    处置措施:{r['notes']}\n"
    return report
```
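As an added example (not the skill's own code), a scorer that derives latency from the execution and detection timestamps the results dict records, and that keeps track of a technique's re-test after a rule is built (as with T1003.001 above) so that both initial and post-exercise coverage are reported; the attempt log is constructed, with times in the same HH:MM:SS form the skill uses.

```python
from datetime import datetime

TIME_FMT = "%H:%M:%S"  # clock-time format used in the results dict

def latency_seconds(execution_time, detection_time):
    """Seconds from technique execution to alert; None when no alert fired (a gap)."""
    if detection_time is None:
        return None
    delta = (datetime.strptime(detection_time, TIME_FMT)
             - datetime.strptime(execution_time, TIME_FMT))
    return int(delta.total_seconds())

def score_exercise(attempts):
    """Coverage before and after in-exercise gap remediation.

    `attempts` is chronological and may hold several runs per technique: the
    first run, then re-tests after the blue team built a rule. Initial coverage
    counts first runs only; final coverage credits any detected run.
    """
    first, final = {}, {}
    for a in attempts:
        tech = a["technique"]
        lat = latency_seconds(a["execution_time"], a["detection_time"])
        first.setdefault(tech, lat)
        if lat is not None or tech not in final:
            final[tech] = lat  # a detected re-test overrides an earlier miss
    total = len(first)
    initial_hits = sum(v is not None for v in first.values())
    final_hits = sum(v is not None for v in final.values())
    latencies = [v for v in final.values() if v is not None]
    return {
        "total": total,
        "initial_coverage_pct": round(initial_hits / total * 100),
        "final_coverage_pct": round(final_hits / total * 100),
        "fixed_during_exercise": final_hits - initial_hits,
        "open_gaps": [t for t, v in final.items() if v is None],
        "avg_latency_seconds": round(sum(latencies) / len(latencies)) if latencies else None,
    }

# Constructed attempt log: T1003.001 is missed at 10:30, re-run after the rule
# is built and detected at 11:45:32; T1486 remains an open gap.
SAMPLE_ATTEMPTS = [
    {"technique": "T1059.001", "execution_time": "09:15:00", "detection_time": "09:15:47"},
    {"technique": "T1003.001", "execution_time": "10:30:00", "detection_time": None},
    {"technique": "T1003.001", "execution_time": "11:45:00", "detection_time": "11:45:32"},
    {"technique": "T1490", "execution_time": "13:00:00", "detection_time": "13:00:05"},
    {"technique": "T1486", "execution_time": "14:00:00", "detection_time": None},
]

if __name__ == "__main__":
    print(score_exercise(SAMPLE_ATTEMPTS))
```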
| Term | Definition |
|---|---|
| Purple Team | An exercise model in which the red team (offense) and blue team (defense) work together to validate and improve detection capability |
| Adversary Emulation | Structured simulation of a specific threat actor's TTPs, used to test defensive capability |
| Detection Validation | The process of confirming that detection rules fire correctly when the target technique is executed |
| Detection Latency | The time between technique execution and SIEM alert generation, measured during purple team exercises |
| Gap Remediation | Immediately creating or tuning detection rules for techniques that went undetected during testing |
| Atomic Red Team | Red Canary's open-source library of attack tests, used to validate individual ATT&CK techniques one at a time |
```text
Purple Team Exercise Report - PT-2024-Q1
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Date: 2024-03-20 (09:00-17:00 UTC)
Scenario: FIN7 financial-sector campaign
Scope: Finance VLAN (10.0.5.0/24)

Results:
  Techniques tested: 15
  Detected: 11 (73%)
  Gaps found: 4 (27%)
  Gaps fixed the same day: 3
  Average detection latency: 38 seconds

Detailed results:
  [PASS] T1566.001 Spearphishing Attachment - 12 s latency
  [PASS] T1204.002 User Execution (macro) - 8 s latency
  [PASS] T1059.001 PowerShell execution - 47 s latency
  [PASS] T1053.005 Scheduled Task - 23 s latency
  [PASS] T1547.001 Registry Run Keys - 31 s latency
  [FAIL] T1003.001 LSASS memory access - fixed during the exercise
  [FAIL] T1550.002 Pass the Hash - fixed during the exercise
  [PASS] T1021.002 PsExec - 15 s latency
  [PASS] T1047 WMI remote execution - 42 s latency
  [PASS] T1021.001 RDP lateral movement - 28 s latency
  [FAIL] T1071.001 Web C2 beacon - fixed during the exercise
  [PASS] T1041 Exfiltration over C2 - 67 s latency
  [PASS] T1490 Shadow copy deletion - 5 s latency
  [FAIL] T1486 Data Encrypted for Impact - not fixed; endpoint telemetry needs enhancement
  [PASS] T1070.001 Event log clearing - 11 s latency

Post-exercise coverage: 93% (14/15), up from the initial 73%
Open gap: T1486 requires enhanced EDR file-monitoring capability
```