
DEATHCON-25-OPTE

Repository for the DEATHCon 2025 Workshop "Operationalizing Purple Teaming in the Enterprise".

DEATHCon 2025 — Operationalizing Purple Teaming in the Enterprise Workshop Exercises

Exercise goal: Turn TI into a threat emulation plan for a purple team campaign, then create and run test cases that you log in VECTR, using your own lab or the provided PurpleCloud fork.


0) Read me first!

  • Don’t run in production. Use a lab tenant/range/local VMs only.
  • Make sure to take and keep notes as you research threat actors and create the campaign plan.
  • Clean up cloud resources (terraform destroy, stratus cleanup --all) when you are done to avoid surprise costs.

1) Lab setup (pick one)


2) Pick a relevant threat actor


3) Collect threat intelligence (TI)

  • Find public reports/blogs on the actor/campaigns/tools.
  • Save links + key excerpts (remember to focus on behaviors, not just IOCs).
  • Note: What got them caught? What recurs? What’s hard for them to change?

4) Extract behaviors & map to ATT&CK, Insider Threat Matrix and/or SaaS Attack Matrix

  • Convert your notes into TTPs (technique + sub-technique). Call out any unmapped behaviors too.
  • Optional: build a small Navigator layer that you can add to your plan.
  • Identify threat actor technique dependencies for a realistic chain.
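One way to turn the TTP notes from this step into both a dependency-checked chain and the optional Navigator layer. This is an added example, not part of the workshop material: the `SAMPLE_TTPS` list, its `depends_on` field and the evidence strings are constructed for illustration, and the layer follows the ATT&CK Navigator layer file format (version 4.5).

```python
import json

# Constructed sample: TTPs extracted from TI notes. The technique IDs are real ATT&CK
# IDs used only as an illustration; "depends_on" lists the technique IDs that must be
# executed first for a realistic chain (a convention of this example, not the workshop's).
SAMPLE_TTPS = [
    {"id": "T1078.004", "name": "Valid Accounts: Cloud Accounts",
     "evidence": "actor signed in with a stolen token", "depends_on": []},
    {"id": "T1098.003", "name": "Account Manipulation: Additional Cloud Roles",
     "evidence": "privileged role added to the compromised account", "depends_on": ["T1078.004"]},
    {"id": "T1114.003", "name": "Email Collection: Email Forwarding Rule",
     "evidence": "mailbox forwarding rule created", "depends_on": ["T1078.004"]},
    {"id": "T1530", "name": "Data from Cloud Storage",
     "evidence": "bulk download from document storage", "depends_on": ["T1098.003"]},
]


def order_chain(ttps):
    """Return the TTPs in an execution order that satisfies every dependency.
    Raises ValueError if a dependency is unmapped or the dependencies form a cycle."""
    by_id = {t["id"]: t for t in ttps}
    ordered, done, remaining = [], set(), list(ttps)
    while remaining:
        progressed = False
        for t in list(remaining):
            missing = [d for d in t["depends_on"] if d not in by_id]
            if missing:
                raise ValueError(f"{t['id']} depends on unmapped technique(s) {missing}")
            if all(d in done for d in t["depends_on"]):
                ordered.append(t)
                done.add(t["id"])
                remaining.remove(t)
                progressed = True
        if not progressed:
            raise ValueError("circular dependency among " + ", ".join(t["id"] for t in remaining))
    return ordered


def build_layer(ttps, name="Threat Emulation Plan"):
    """Build an ATT&CK Navigator layer dict. Each technique is scored by its position
    in the chain, so the colour gradient shows execution order in the Navigator UI."""
    chain = order_chain(ttps)
    techniques = []
    for i, t in enumerate(chain, start=1):
        comment = f"step {i}: {t['evidence']}"
        if t["depends_on"]:
            comment += " (after " + ", ".join(t["depends_on"]) + ")"
        techniques.append({"techniqueID": t["id"], "score": i, "enabled": True,
                           "comment": comment})
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Techniques extracted from TI, ordered as a realistic chain",
        "techniques": techniques,
        "gradient": {"colors": ["#8ec843", "#ffe766", "#ff6666"],
                     "minValue": 1, "maxValue": len(chain)},
        "showTacticRowBackground": True,
        "selectTechniquesAcrossTactics": True,
    }


if __name__ == "__main__":
    # Write the layer file, then open it in Navigator via "Open Existing Layer".
    with open("emulation-plan-layer.json", "w") as fh:
        json.dump(build_layer(SAMPLE_TTPS), fh, indent=2)
```

Keep the `depends_on` discipline strict: a technique whose prerequisite is not in your list is either a gap in the TI or a behaviour you deliberately chose not to emulate, and either way it belongs in the "unmapped behaviors" note the step above asks for.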

5) Threat Emulation Plan (template)

Create a basic threat emulation using this or your own template.

Preferably use whatever documentation platform, wiki or note-taking app you use in your day-to-day operations. Include screenshots, links and tables wherever they are relevant in each section. This adds a lot to your plans and makes them much more readable.

# Threat Emulation Plan — <Actor>

## Why now
- Relevance to org / peers
- Hypothesis to prove

## Scope & assets
- Tenant/segments, datasets, endpoints/AVDs
- Users/identities (test users vs realistic Workday -> Entra ID accounts)

## People & approvals
- Lead, Operator(s)
- Stakeholders (SOC, platform owners, TI, SecOps mgmt)
- Change ticket ID(s), window(s), guardrails

## Schedule
- Plan window, execution window, tuning window

## TTPs to emulate
- ATT&CK and Insider Threat Matrix IDs + brief description of each
- Tooling: Atomic/Stratus/Manual/Mythic/Sliver (and why)

## Telemetry targets
- Data components & log sources (host/cloud/identity/email/network)

## Success criteria
- What counts as **alerted** / **prevented**
- Evidence to capture (IDs, artifacts, screenshots, ATTiRe formatted logs)

This is just a (very) basic template to show how you can start documenting campaigns and threat emulation plans. Start out basic, then expand and iterate as necessary as you do more purple team assessments.

6) Atomic Red Team

  • Install Invoke-Atomic and the atomics folder (see the official repo).
  • Basic CSV execution logging:
Invoke-AtomicTest T1016 -ExecutionLogPath 'C:\Temp\T1016.csv'
  • ATTiRe JSON execution logs for importing into VECTR:
Invoke-AtomicTest T1053.005 -LoggingModule "Attire-ExecutionLogger" -ExecutionLogPath ".\T1053.005.json"
  • Cleanup (when supported):
Invoke-AtomicTest <TechniqueID> -Cleanup

7) Run your selected emulations

  • Execute your selected TTPs, atomics and/or Stratus techniques (and optional C2).
  • Save artifacts, SIEM/EDR alert IDs, incident IDs and execution logs (CSV/ATTiRe JSON).
  • Keep a short operator log with timestamps for each step.

Preferably document directly in VECTR as you run each test case/emulation.
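A small parser for the ATTiRe JSON execution logs that section 6 has you produce, turning them into the timestamped operator log entries this step asks for and flagging tests that need a second look before they are recorded in VECTR. This is an added example, not part of the workshop or the Atomic Red Team project. The `SAMPLE_ATTIRE` document is constructed: its field names follow the public ATTiRe format as this example's author understands it, and host, user, IDs and timestamps are invented, so check the parser against a log from your own run before relying on it.

```python
import json
from datetime import datetime

# Constructed sample ATTiRe execution log, in the shape Invoke-AtomicTest writes with
# -LoggingModule "Attire-ExecutionLogger". Field names are assumed from the public
# ATTiRe format; host, user, IDs, timestamps and outputs are invented. The actual
# test commands are omitted on purpose.
SAMPLE_ATTIRE = r"""
{
  "attire-version": "1.1",
  "execution-data": {
    "execution-command": "Invoke-AtomicTest T1053.005 -LoggingModule Attire-ExecutionLogger",
    "execution-id": "00000000-0000-0000-0000-000000000001",
    "execution-source": "Invoke-Atomicredteam",
    "execution-category": {"name": "Atomic Red Team", "abbreviation": "ART"},
    "target": {"host": "lab-ws01", "ip": "10.0.0.21", "path": "C:\\AtomicRedTeam", "user": "LAB\\operator"},
    "time-start": "2025-11-01T10:00:00.000Z",
    "time-end": "2025-11-01T10:00:12.000Z"
  },
  "procedures": [
    {
      "procedure-name": "Scheduled Task Startup Script",
      "procedure-description": "Atomic test for T1053.005 (placeholder description)",
      "procedure-id": {"type": "guid", "id": "00000000-0000-0000-0000-0000000000aa"},
      "mitre-technique-id": "T1053.005",
      "order": 1,
      "steps": [
        {"order": 1, "time-start": "2025-11-01T10:00:01.000Z", "time-stop": "2025-11-01T10:00:03.000Z",
         "executor": "command_prompt", "command": "<atomic test command omitted>",
         "output": [{"content": "SUCCESS: The scheduled task has been created.", "level": "STDOUT", "type": "console"}]},
        {"order": 2, "time-start": "2025-11-01T10:00:04.000Z", "time-stop": "2025-11-01T10:00:05.000Z",
         "executor": "command_prompt", "command": "<cleanup command omitted>",
         "output": [{"content": "ERROR: The system cannot find the file specified.", "level": "STDERR", "type": "console"}]}
      ]
    }
  ]
}
"""


def _ts(value):
    """Parse an ATTiRe UTC timestamp ending in 'Z' into a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_attire(text):
    """Flatten an ATTiRe log into one record per procedure (one per atomic test).
    A record is 'needs-review' when any step wrote to STDERR, so the operator checks
    it before marking the matching VECTR test case as executed."""
    doc = json.loads(text)
    execution = doc["execution-data"]
    target = execution.get("target", {})
    records = []
    for proc in doc["procedures"]:
        steps = sorted(proc["steps"], key=lambda s: s["order"])
        stderr = [o["content"] for s in steps for o in s.get("output", [])
                  if o.get("level") == "STDERR" and o.get("content", "").strip()]
        records.append({
            "technique": proc["mitre-technique-id"],
            "procedure": proc["procedure-name"],
            "execution_id": execution["execution-id"],
            "host": target.get("host"),
            "user": target.get("user"),
            "start": _ts(steps[0]["time-start"]),
            "end": _ts(steps[-1]["time-stop"]),
            "step_count": len(steps),
            "status": "needs-review" if stderr else "executed",
            "stderr": stderr,
        })
    return records


def operator_log(records):
    """Render timestamped operator log lines, one per test plus one per STDERR message."""
    lines = []
    for r in records:
        secs = int((r["end"] - r["start"]).total_seconds())
        lines.append(f"{r['start'].isoformat()} {r['technique']} '{r['procedure']}' on {r['host']} "
                     f"as {r['user']}: {r['step_count']} steps, {secs}s, {r['status']} "
                     f"[execution {r['execution_id']}]")
        lines.extend(f"    stderr: {err}" for err in r["stderr"])
    return lines


if __name__ == "__main__":
    print("\n".join(operator_log(parse_attire(SAMPLE_ATTIRE))))
```

The `execution_id` carried into each line is what lets you tie the operator log, the imported ATTiRe file in VECTR and the SIEM/EDR alert IDs you collect back to the same run.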

8) VECTR

See the official documentation at https://docs.vectr.io/user/important-concepts/. These docs cover important VECTR concepts, terminology and the data structure. Docs: https://docs.vectr.io/, Data Import: https://docs.vectr.io/user/data-import/, including ATTiRe.

  • Configure your Environment.
  • Create a new Assessment.
  • Create a new Campaign.
  • Add or create new test cases for your chosen TTPs/atomics.
  • When you have populated VECTR with completed test cases, added blue team observations and proof, play around with the reporting and tracking.

Make sure to add your defense tools, sources, offensive tools and targets to your Environment. Keep in mind that these are specific to each Environment.
