
Purple Team - Attack mapping

Columns: Index | Attack name | Attack Description | Response Expectation | Detected
(The Detected column is empty in the source.)

1. Responder + ntlmrelay
   Attack description: We will listen on the local network for NTLM hashes and relay them to create SOCKS proxy connections to hosts on the networks.
   Response expectation: NTLM relay could get picked up by IDS/IPS appliances in the networks (if any).

2. Nmap scans
   Attack description: We will run nmap scans on the networks.
   Response expectation: Nmap signatures should get picked up by firewall or IDS/IPS appliances.

3. PowerShell cradles
   Attack description: We will use the crackmapexec tool to get target hosts to download a PowerShell cradle and execute Metasploit shellcode.
   Response expectation: Cradle web downloads, PowerShell execution or shellcode should get detected by endpoint protection systems.

4. PsExec
   Attack description: We will try to get command execution on hosts using psexec with valid credentials.
   Response expectation: Unless needed by sysadmins, psexec execution should get detected/blocked by network security appliances.

5. Dump LSASS
   Attack description: We will use crackmapexec and other tools to dump LSASS from hosts.
   Response expectation: CME signature and/or dumping of LSASS should get detected/blocked by endpoint protection.

6. Host privilege escalation checks
   Attack description: We will run tools on hosts to enumerate privilege escalation possibilities on the host.
   Response expectation: Tools will be slightly obfuscated but could get picked up by endpoint protection systems.

7. Data exfiltration
   Attack description: We will try to exfiltrate data to outside the PH network perimeter via web/SMB/other.
   Response expectation: Exfiltration activity should get detected/blocked by firewall/network perimeter appliances.

8. New local admin
   Attack description: We will create a local user on one host and add it to the Administrators group.
   Response expectation: User creation and promotion to local admin should get flagged by endpoint logs at the SIEM.

9. New domain admin
   Attack description: We will create a domain user and add it to the Domain Admins group.
   Response expectation: User creation might go unnoticed, but adding to the DA group should get flagged.
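Rows 8 and 9 expect the SIEM to flag account creation followed by promotion to a privileged group. The script below is an added example of that correlation logic and is not part of the original mapping document. It uses the standard Windows Security event IDs 4720 (user account created) and 4732/4728/4756 (member added to a security-enabled local/global/universal group); the hosts, account names and event records are constructed samples, and the simplified field names are an assumption, not the exact Windows event schema.

```python
"""Added example: SIEM-style detection for the 'new local admin' and
'new domain admin' rows of the purple team attack mapping.

Correlates Windows Security event 4720 (user account created) with
4732 / 4728 / 4756 (member added to a security-enabled local / global /
universal group). Any addition to a privileged group alerts; an addition
of an account created shortly before is tagged as a separate rule so the
'new account promoted' case stands out. A bare 4720 never alerts on its
own, matching the note that user creation alone might go unnoticed.
"""
from datetime import datetime, timedelta

# Group names are compared case-insensitively. Constructed list; extend
# to the environment's own tier-0 groups as needed.
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}
DOMAIN_TIER_GROUPS = {"domain admins", "enterprise admins"}  # alert as critical
GROUP_ADD_EVENT_IDS = {4732: "local", 4728: "global", 4756: "universal"}
USER_CREATED_EVENT_ID = 4720


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample events with hypothetical hosts and accounts.
# Field names are simplified from the real Windows Security event schema.
SAMPLE_EVENTS = [
    {"time": _t("2024-05-01T10:00:00"), "event_id": 4720, "host": "WS01",
     "subject": "WS01\\jdoe", "target": "WS01\\svc_backup"},
    {"time": _t("2024-05-01T10:02:00"), "event_id": 4732, "host": "WS01",
     "subject": "WS01\\jdoe", "member": "WS01\\svc_backup",
     "group": "Administrators"},
    {"time": _t("2024-05-01T11:00:00"), "event_id": 4720, "host": "DC01",
     "subject": "CORP\\helpdesk1", "target": "CORP\\helpdesk2"},
    {"time": _t("2024-05-01T11:30:00"), "event_id": 4728, "host": "DC01",
     "subject": "CORP\\helpdesk1", "member": "CORP\\helpdesk2",
     "group": "Domain Admins"},
    # Existing account (no 4720 seen) added to local Administrators.
    {"time": _t("2024-05-01T12:00:00"), "event_id": 4732, "host": "WS02",
     "subject": "CORP\\it-admin", "member": "CORP\\it-admin",
     "group": "Administrators"},
    # Addition to a non-privileged group: no alert.
    {"time": _t("2024-05-01T12:10:00"), "event_id": 4728, "host": "DC01",
     "subject": "CORP\\helpdesk1", "member": "CORP\\alice", "group": "Sales"},
    # Creation without any group change: no alert from this rule.
    {"time": _t("2024-05-01T13:00:00"), "event_id": 4720, "host": "DC01",
     "subject": "CORP\\helpdesk1", "target": "CORP\\tempuser"},
]


def detect_privileged_group_additions(events, recent_seconds=3600):
    """Return one alert per addition of a member to a privileged group.

    rule     : 'new-account-to-privileged-group' when the member's 4720 was
               seen within `recent_seconds` before the addition, otherwise
               'privileged-group-addition'.
    severity : 'critical' for domain-tier groups, 'high' for the rest.
    """
    recent = timedelta(seconds=recent_seconds)
    created_at = {}  # lowercased account name -> time of its 4720 event
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["event_id"]
        if eid == USER_CREATED_EVENT_ID:
            created_at[ev["target"].lower()] = ev["time"]
            continue
        if eid not in GROUP_ADD_EVENT_IDS:
            continue
        group = ev["group"].lower()
        if group not in PRIVILEGED_GROUPS:
            continue
        creation = created_at.get(ev["member"].lower())
        is_new = creation is not None and ev["time"] - creation <= recent
        alerts.append({
            "time": ev["time"].isoformat(),
            "host": ev["host"],
            "rule": ("new-account-to-privileged-group" if is_new
                     else "privileged-group-addition"),
            "severity": "critical" if group in DOMAIN_TIER_GROUPS else "high",
            "actor": ev["subject"],
            "account": ev["member"],
            "group": ev["group"],
            "scope": GROUP_ADD_EVENT_IDS[eid],
        })
    return alerts


if __name__ == "__main__":
    for a in detect_privileged_group_additions(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["rule"], a["host"],
              a["account"], "->", a["group"], f"({a['scope']} group)")
```

On the constructed sample this yields three alerts: the fresh local account on WS01 (high), the fresh domain account placed in Domain Admins (critical), and the pre-existing account added to local Administrators on WS02 (high). The `recent_seconds` window is what separates "new account promoted" from a routine addition; tuning it too short turns a row 8/9 test into an ordinary group-change alert, so the exercise should confirm which rule actually fired, not just that something did.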
