May 15, 2025

Purpling Your Ops

Written by Megan Nilsen

Purple Team Adversarial Detection & Countermeasures

Table of contents

Developing SKILLZ
Recommendation #1 – Build a Lab
Recommendation #2 – Review Industry Blog Posts
Recommendation #3 – Develop a Deep Understanding of MITRE
Recommendation #4 – Tools
Recommendation #5 – Experiment with Telemetry!
Conclusion

Purple Teaming is a field of cybersecurity that links together several different disciplines, including Detection Research and Engineering (DRE), Incident Response (IR), and Threat Hunting (TH), and has evolved to include fields like Threat Intelligence (TI) and Threat Emulation. Because of this, Purple Teaming is becoming more relevant to developing both individual skills and capabilities, and has become a key focal point for organizations to build a solid foundation for internal security programs.

This blog post will outline several different open-source tools, techniques for security practitioners interested in getting into Purple Teaming as well as recommendations on how individuals can power up offensive and defensive skillsets.

Developing SKILLZ

Our team is often asked how we started Purple Teaming and how to build the skills to enter our subsection of the cybersecurity industry. To keep things concise, here are our five recommendations for practitioners looking to start Purple Teaming.

Recommendation #1 – Build a Lab

It shouldn’t come as a surprise that building a lab comes as our top recommendation for building up your Purple Team knowledge.

However, the lab functionality required for Purple Teaming may require some additional set-up and infrastructure in order to support both red (offensive) and blue (defensive) capabilities.

Components

While many red team-focused labs are designed to focus on having a basic staging/attacking host and an associated victim host, our Purple Team lab needs to go a little further to do attack simulation and have defensive infrastructure in place to build a detection. The requirements for such a lab are as follows:

A basic AD structure
One (1) or two (2) domain-attached workstations
An attack host (e.g., Kali Linux or Ubuntu, whatever your preference is)
A built-out SIEM

Building out a full lab has been covered by many hugely talented security professionals who have done a great job at providing detailed guidance, such as this article. While we won’t go into detail on lab creation, we will talk about each of the bullet components above, some resources, and suggestions on things you can do to increase the value of your home lab and make it more purple.

Building AD Structure/Domain Workstations

There are many resources out there that enable you to automate building out an Active Directory environment to make the process faster and easier such as:

Marvel Lab
BadBlood
As well as a tool I haven’t had the chance to work with yet, PurpleLab.

However, if you’re familiar with lab building and you want to up your general skills, I highly recommend building your lab environment from scratch. While this has the disadvantage of being a slow process, you get valuable experience in administration and troubleshooting that you may miss using an automated lab building tool. A homebrew lab environment will also give you hands-on experience on audit configurations, building SACLs and DACLs, and troubleshooting issues with logging.

Attack Host

This is pretty self-explanatory, but having an attack host connected to your lab environment will allow you to use command line-based tools that don’t port over well to Windows operating systems. A separate attack host that is linux/unix based will also help identify attacks that originate from a remote network perspective in your logs. Using Kali Linux or an Ubuntu host preloaded with many critical attack tools (e.g., Impacket) are viable options.

Having a cloud-based server configured with C2 functionality is also an option for testing C2-related operations, but can also be done within the infrastructure of the lab from the perspective of the attack host.

SIEM Building

This is probably the most critical part of your Purple Team lab as it will enable you to build detections based on the attack scenarios executed within the environment.

As for the SIEM, there are several no-cost options that can be leveraged:

Splunk

The first is Splunk, which allows for a free six (6) month license that has an indexing capability of 10 GB a day. This tends to be more than enough for most typical lab environments. Splunk is easy to spin up and configure endpoint log collection agents on your victim, domain workstations, and domain controller hosts.

Elastic/Kibana

Next is Elastic, which offers a fully functional SIEM for free, including full search features and an EDR agent. The only downside of this SIEM is that configuration and set up for this particular security stack is a bit more complicated and does require more effort.

Wazuh

I personally haven’t played with this tool, but Wazuh offers an open source version of their SIEM/XDR services that can be installed and set up fairly quickly.

QRadar

Like Splunk, QRadar (Cloud SaaS product recently acquired by Palo Alto) offers a fully featured community edition. However, QRadar, like the Elastic stack is a little more challenging to set up and typically does require more resources than Splunk to function correctly. It is still a great option for those who are looking to expand their SIEM knowledge and learn additional SIEM query languages.

A Quick Aside on SIEM Query Languages

Each SIEM has its own Query Language (QL) that you can use to build more complicated queries than what can typically be offered through a GUI log search function. Picking a specific QL (e.g., SPL, Splunk query language) can help you build skills and an understanding of the underlying logic that can often easily translate into new query languages. While it’s important to build deep knowledge in one language, it’s equally important to continue to expand your knowledge and have competency in more than one SIEM QL.

Recommendation #2 – Review Industry Blog Posts

The second recommendation is to read industry blog posts as frequently as possible.

Learning techniques from blog posts, replicating them in your home lab, and subsequently trying to build detections on the techniques is one of the best ways to gain a deeper understanding of the material.

Recommendation #3 – Develop a Deep Understanding of MITRE

The MITRE Attack Framework is a key tool for attackers and defenders alike, but it is especially important when studying and developing Purple Team skills due to the focus on attack vectors, analysis of attack flow, and the potential for gap analysis for mapping detections.

Recommendation #4 – Tools

In addition to building a lab, reading industry blog posts, and understanding the MITRE framework, there are also several tools that I’ve come across throughout my work and research that can be used to develop and improve your skills.

Caldera

MITRE Caldera is a platform specifically designed for automated adversary emulation, which makes it an awesome platform to leverage for Purple Teaming.

Atomic Red team

Red Canary’s Atomic Red Team is a library of tests that can be used to test your environment – and, spoiler alert, potentially test and build higher fidelity detections as well.

Vectr

Vectr is a little bit different than the first two tools in that its primary purpose is for reporting and testing blue and red team activities across attack scenarios.

Attack Navigator

Attack Navigator is another tool that is excellent for creating MITRE frameworks for detections that you may build throughout your labbing.

Recommendation #5 – Experiment with Telemetry!

We won’t go into detail on logging in this blog post, but exploring different types of telemetry in detail is critically important as you go through your Purple Teaming journey.

Windows Events

Windows event logging is one of the most common methods of telemetry accessible to security practitioners, and it contains valuable data that can be used to detect a large variety of attacks on Windows endpoints.

For more information on Windows event logging, take a look at our resources here and here!

Sysmon

Sysmon is another amazing point of telemetry that is often underutilized in organizations and in lab environments to build detections.

There are many configuration guides available for use, and Carlos Perez has also provided a wealth information available on YouTube.

Configuration Guides:

https://github.com/trustedsec/SysmonCommunityGuide
https://www.youtube.com/watch?v=kESndPO5Fig
https://github.com/SwiftOnSecurity/sysmon-config
https://github.com/olafhartong/sysmon-modular
https://github.com/ion-storm/sysmon-config
https://github.com/Neo23x0/sysmon-config

Syslog/Linux

Looking at different elements of Linux logging is also useful and often underdeveloped in DRE endeavors.

ETW Logging

ETW logging is a deeper level of logging that can be unlocked on Windows systems and provides the ability to log events by user-mode and kernel-model drivers. I recommend checking out some of the blog posts done by Jonathan Johnson and a few other security researchers who are digging deep into ETW logging and its value in detection building.

EDR Telemetry

EDR telemetry gets an honorable mention here, but it is important to note that most home labs do not include enterprise-level EDR tooling and the logs that come with it. It’s also important to note that while EDR logs are important, they are not a replacement for other forms of telemetry, nor is an EDR tool a replacement for a SIEM.

Conclusion

I hope this post was helpful, and as always, if your company is looking for Purple Team services, feel free to reach out to our Sales team to see how we can help you improve your security posture and bolster your defensive capabilities.

Solutions

Services

About Us