Executes purple team exercises that coordinate red team attack simulations with blue team detection validation, using MITRE ATT&CK-mapped scenarios and real-time testing. For SOC teams verifying detections and fixing gaps.
Slash command: /cybersecurity-skills-zh:performing-purple-team-exercise
Use this skill when:
Not for unannounced red team exercises: a purple team exercise requires real-time collaboration between the attacking and defending sides and must be explicitly coordinated.
Record the exercise parameters:

```yaml
purple_team_exercise:
  exercise_id: PT-2024-Q1
  date: 2024-03-20
  duration: 8 hours (09:00-17:00 UTC)
  scope:
    environment: Production (Finance VLAN, 10.0.5.0/24)
    systems_in_scope:
      - WORKSTATION-TEST01 (10.0.5.100) — 测试终端
      - DC-TEST (10.0.5.200) — 测试域控制器
      - FILESERVER-TEST (10.0.5.201) — 测试文件服务器
    systems_excluded:
      - 所有生产域控制器
      - 面向客户的系统
  objectives:
    - 验证 15 条映射到 FIN7 TTP 的检测规则
    - 测试 SOC 分析师对真实攻击指标的响应
    - 识别凭据访问和横向移动的检测缺口
    - 测量每种技术的检测延迟
  threat_scenario: FIN7 活动,以鱼叉式网络钓鱼为目标攻击财务数据
  authorization: 已获 CISO 批准,变更申请 CR-2024-0567
  # Quoted: an unquoted value starting with '#' would be parsed as a YAML comment
  communication: "#purple-team-2024q1 Slack 频道"
```
Create a per-technique test matrix:

| # | ATT&CK ID | Technique | Test tool | Expected detection | Blue team metrics |
|---|---|---|---|---|---|
| 1 | T1566.001 | Spearphishing attachment | Manual email | Email gateway alert | Detected Y/N, latency |
| 2 | T1204.002 | User execution | Macro document | Sysmon process creation | Detected Y/N, latency |
| 3 | T1059.001 | PowerShell | Atomic RT #1-3 | PowerShell execution alert | Detected Y/N, latency |
| 4 | T1053.005 | Scheduled task | Atomic RT | Scheduled task creation alert | Detected Y/N, latency |
| 5 | T1547.001 | Registry run key | Atomic RT | Registry modification alert | Detected Y/N, latency |
| 6 | T1003.001 | LSASS memory | Mimikatz | Credential dump alert | Detected Y/N, latency |
| 7 | T1550.002 | Pass the hash | Mimikatz | NTLM anomaly detection | Detected Y/N, latency |
| 8 | T1021.002 | SMB/PsExec | PsExec | PsExec service creation alert | Detected Y/N, latency |
| 9 | T1047 | WMI | wmic /node | WMI remote execution alert | Detected Y/N, latency |
| 10 | T1021.001 | RDP | xfreerdp | RDP lateral movement alert | Detected Y/N, latency |
| 11 | T1071.001 | Web C2 | Cobalt Strike | C2 beacon detection | Detected Y/N, latency |
| 12 | T1041 | C2 exfiltration | Rclone | Data exfiltration alert | Detected Y/N, latency |
| 13 | T1490 | Inhibit recovery | vssadmin | Shadow copy deletion alert | Detected Y/N, latency |
| 14 | T1486 | Data encryption | Test encryption tool | Mass encryption detection | Detected Y/N, latency |
| 15 | T1070.001 | Clear logs | wevtutil | Log clearing detection | Detected Y/N, latency |
Run each technique one at a time with Atomic Red Team (or manually):

```powershell
# Install Atomic Red Team
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics

# Test 1: T1059.001 (PowerShell execution)
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] Executing T1059.001 - PowerShell"
Invoke-AtomicTest T1059.001 -TestNumbers 1
# Notify the blue team: "T1059.001 executed at $(Get-Date)"

# Test 2: T1053.005 (scheduled task creation)
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] Executing T1053.005 - Scheduled Task"
Invoke-AtomicTest T1053.005 -TestNumbers 1

# Test 3: T1547.001 (registry run key)
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] Executing T1547.001 - Registry Persistence"
Invoke-AtomicTest T1547.001 -TestNumbers 1,2

# Test 4: T1003.001 (credential dumping)
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] Executing T1003.001 - LSASS Access"
Invoke-AtomicTest T1003.001 -TestNumbers 1,2

# Test 5: T1490 (shadow copy deletion)
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] Executing T1490 - Inhibit Recovery"
Invoke-AtomicTest T1490 -TestNumbers 1

# Clean up after each test
Invoke-AtomicTest T1059.001 -TestNumbers 1 -Cleanup
Invoke-AtomicTest T1053.005 -TestNumbers 1 -Cleanup
Invoke-AtomicTest T1547.001 -TestNumbers 1,2 -Cleanup
```
The blue team monitors the SIEM in real time while the tests run.

Purple team live monitoring dashboard:

```spl
index=notable earliest=-1h
| where Computer IN ("WORKSTATION-TEST01", "DC-TEST", "FILESERVER-TEST")
    OR src IN ("10.0.5.100", "10.0.5.200", "10.0.5.201")
| eval detection_latency = _time - orig_time
| eval latency_seconds = round(detection_latency, 0)
| sort _time
| table _time, rule_name, urgency, src, dest, user, latency_seconds
```

Check the telemetry behind a specific technique:

```spl
index=sysmon Computer="WORKSTATION-TEST01" earliest=-15m
    (EventCode=1 OR EventCode=3 OR EventCode=10 OR EventCode=11 OR EventCode=13)
| sort _time
| table _time, EventCode, Image, CommandLine, TargetFilename, TargetObject
```
Record results in real time:

```python
exercise_results = {
    "exercise_id": "PT-2024-Q1",
    "results": [
        {
            "technique": "T1059.001",
            "name": "PowerShell Execution",
            "execution_time": "09:15:00",
            "detected": True,
            "alert_name": "Suspicious PowerShell Encoded Command",
            "detection_time": "09:15:47",
            "latency_seconds": 47,
            "notes": "通过 Sysmon EventCode 1 的编码命令模式检测到"
        },
        {
            "technique": "T1003.001",
            "name": "LSASS Memory Access",
            "execution_time": "10:30:00",
            "detected": False,
            "alert_name": None,
            "detection_time": None,
            "latency_seconds": None,
            "notes": "缺口:无 LSASS 访问检测规则。Sysmon EventCode 10 存在但无关联规则。"
        }
    ]
}
```
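Filling in `detected`, `detection_time` and `latency_seconds` by hand is error-prone, so the following added example (not part of the skill) correlates the red team's posted execution times with SIEM alerts automatically. The execution log, alert list and 15-minute window are constructed assumptions; alerts that fire before the execution time or on a different host are ignored, and a technique with no alert inside the window is recorded as a gap in the same result structure the skill uses.

```python
from datetime import datetime, timedelta

# Constructed sample data for illustration (not from the exercise above):
# red team execution announcements and the SIEM notable events seen by the blue team.
EXECUTION_LOG = [
    # (technique, name, target host, execution time as posted in the Slack channel)
    ("T1059.001", "PowerShell Execution", "WORKSTATION-TEST01", "2024-03-20 09:15:00"),
    ("T1547.001", "Registry Run Key", "WORKSTATION-TEST01", "2024-03-20 09:40:00"),
    ("T1003.001", "LSASS Memory Access", "WORKSTATION-TEST01", "2024-03-20 10:30:00"),
]
SIEM_ALERTS = [
    # (alert time, rule name, dest host, ATT&CK technique the rule is tagged with)
    ("2024-03-20 08:50:00", "Suspicious PowerShell Encoded Command", "WORKSTATION-TEST01", "T1059.001"),  # before execution
    ("2024-03-20 09:15:47", "Suspicious PowerShell Encoded Command", "WORKSTATION-TEST01", "T1059.001"),
    ("2024-03-20 09:41:10", "Registry Run Key Modification", "DC-TEST", "T1547.001"),            # wrong host
    ("2024-03-20 09:41:10", "Registry Run Key Modification", "WORKSTATION-TEST01", "T1547.001"),
]
WINDOW = timedelta(minutes=15)  # an alert later than this is treated as a gap, not a slow detection

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(execution_log, siem_alerts, window=WINDOW):
    """Pair each executed technique with the first matching alert on the same host raised
    inside the window after execution; everything else is recorded as a detection gap."""
    results = []
    for technique, name, host, executed_at in execution_log:
        executed = _ts(executed_at)
        hits = sorted(
            (_ts(t), rule) for t, rule, dest, tag in siem_alerts
            if tag == technique and dest == host and executed <= _ts(t) <= executed + window
        )
        entry = {"technique": technique, "name": name, "execution_time": executed.strftime("%H:%M:%S")}
        if hits:
            alert_time, rule = hits[0]  # earliest alert after execution defines the latency
            entry.update(detected=True, alert_name=rule, detection_time=alert_time.strftime("%H:%M:%S"),
                         latency_seconds=int((alert_time - executed).total_seconds()), notes="")
        else:
            entry.update(detected=False, alert_name=None, detection_time=None, latency_seconds=None,
                         notes=f"GAP: no {technique} alert on {host} within {window}")
        results.append(entry)
    return {"exercise_id": "PT-2024-Q1", "results": results}

def coverage(exercise):
    """Detection coverage as a whole-number percentage of executed techniques."""
    rs = exercise["results"]
    return round(100 * sum(r["detected"] for r in rs) / len(rs))
```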
For each detection gap, the blue team builds a detection rule on the spot.

Gap: T1003.001, no LSASS access detection. Rule built during the exercise:

```spl
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
    GrantedAccess IN ("0x1010", "0x1038", "0x1fffff", "0x40")
    NOT SourceImage IN ("*\\svchost.exe", "*\\csrss.exe", "*\\MsMpEng.exe")
| stats count by Computer, SourceImage, SourceUser, GrantedAccess
| where count > 0
```
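To check the rule's logic before relying on the SIEM, the following added example (not part of the skill) applies the same conditions to a handful of constructed Sysmon EventCode 10 records: target image lsass.exe, a GrantedAccess mask from the rule's list, and the rule's SourceImage exclusions, aggregated like the `stats count by` clause. The records, hosts and users are constructed; the mask list and exclusions are taken from the rule above.

```python
from collections import Counter

# Constructed Sysmon EventCode 10 (ProcessAccess) records for illustration; not real telemetry.
LSASS = r"C:\Windows\System32\lsass.exe"
SYSMON_EVENTS = [
    {"EventCode": 10, "Computer": "WORKSTATION-TEST01", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "SourceUser": r"NT AUTHORITY\SYSTEM", "TargetImage": LSASS, "GrantedAccess": "0x1000"},
    {"EventCode": 10, "Computer": "WORKSTATION-TEST01", "SourceImage": r"C:\Users\jdoe\Downloads\tool.exe",
     "SourceUser": r"FINANCE\jdoe", "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventCode": 10, "Computer": "WORKSTATION-TEST01", "SourceImage": r"C:\Users\jdoe\Downloads\tool.exe",
     "SourceUser": r"FINANCE\jdoe", "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventCode": 10, "Computer": "WORKSTATION-TEST01", "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "SourceUser": r"NT AUTHORITY\SYSTEM", "TargetImage": LSASS, "GrantedAccess": "0x1fffff"},
    {"EventCode": 10, "Computer": "DC-TEST", "SourceImage": r"C:\Windows\System32\WerFault.exe",
     "SourceUser": r"NT AUTHORITY\SYSTEM", "TargetImage": LSASS, "GrantedAccess": "0x1fffff"},
    {"EventCode": 1, "Computer": "WORKSTATION-TEST01", "Image": r"C:\Windows\System32\cmd.exe"},
]

SUSPICIOUS_ACCESS = {0x1010, 0x1038, 0x1fffff, 0x40}           # the masks listed in the SPL rule
EXCLUDED_SOURCES = {"svchost.exe", "csrss.exe", "msmpeng.exe"}  # the rule's SourceImage exclusions

def image_name(path):
    """Basename of a Windows image path, lower-cased (Sysmon preserves whatever case the process used)."""
    return path.rsplit("\\", 1)[-1].lower()

def matches_lsass_rule(event):
    """Python equivalent of the SPL search: EventCode 10 against lsass.exe with a listed
    GrantedAccess mask, ignoring the allow-listed system processes."""
    if event.get("EventCode") != 10:
        return False
    if image_name(event["TargetImage"]) != "lsass.exe":
        return False
    if image_name(event["SourceImage"]) in EXCLUDED_SOURCES:
        return False
    return int(event["GrantedAccess"], 16) in SUSPICIOUS_ACCESS

def lsass_access_stats(events):
    """Equivalent of `stats count by Computer, SourceImage, SourceUser, GrantedAccess`."""
    return Counter(
        (e["Computer"], e["SourceImage"], e["SourceUser"], e["GrantedAccess"])
        for e in events if matches_lsass_rule(e)
    )
```

Like the SPL rule, this compares exact mask values, so a process requesting a mask outside the set is not reported; tune the set and the exclusion list against the telemetry you actually observe during the re-test.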
Re-test once the rule is in place:
Red team: "Re-executed T1003.001 at 11:45"
Blue team: "Confirmed: alert 'LSASS Memory Access Detected' fired at 11:45:32 (latency 32 seconds)"
Result: gap remediated
```python
def generate_purple_team_report(results):
    total = len(results["results"])
    detected = sum(1 for r in results["results"] if r["detected"])
    gaps = sum(1 for r in results["results"] if not r["detected"])
    # Average over detected techniques only; max() guards against division by zero when nothing fired
    avg_latency = sum(r["latency_seconds"] for r in results["results"]
                      if r["latency_seconds"] is not None) / max(detected, 1)
    report = f"""
紫队演练报告 — {results['exercise_id']}
{'=' * 60}
摘要:
  已测试技术数: {total}
  已检测: {detected} ({detected/total*100:.0f}%)
  发现缺口: {gaps} ({gaps/total*100:.0f}%)
  平均检测延迟: {avg_latency:.0f} 秒
详细结果:
"""
    for r in results["results"]:
        status = "已检测" if r["detected"] else "缺口"
        # Compare against None so a genuine 0-second latency is not printed as N/A
        latency = f"{r['latency_seconds']}s" if r["latency_seconds"] is not None else "N/A"
        report += f"  [{status}] {r['technique']} — {r['name']} (延迟:{latency})\n"
        if not r["detected"]:
            report += f"    处置措施:{r['notes']}\n"
    return report
```
| Term | Definition |
|---|---|
| Purple Team | An exercise model in which the red team (attack) and blue team (defense) work together to validate and improve detection capability |
| Adversary Emulation | Structured simulation of a specific threat actor's TTPs to test defensive capability |
| Detection Validation | The process of confirming that a detection rule fires correctly when the target technique is executed |
| Detection Latency | The time between technique execution and SIEM alert generation, measured during purple team exercises |
| Gap Remediation | Immediately creating or tuning detection rules for techniques that went undetected during testing |
| Atomic Red Team | An open-source library of attack tests published by Red Canary, used to validate individual ATT&CK techniques one at a time |
```text
Purple Team Exercise Report — PT-2024-Q1
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Date: 2024-03-20 (09:00-17:00 UTC)
Scenario: FIN7 financial-sector campaign
Scope: Finance VLAN (10.0.5.0/24)

Results:
  Techniques tested: 15
  Detected: 11 (73%)
  Gaps found: 4 (27%)
  Gaps remediated same day: 3
  Average detection latency: 38 seconds

Detailed results:
  [PASS] T1566.001 Spearphishing Attachment — 12 s latency
  [PASS] T1204.002 User Execution (macro) — 8 s latency
  [PASS] T1059.001 PowerShell Execution — 47 s latency
  [PASS] T1053.005 Scheduled Task — 23 s latency
  [PASS] T1547.001 Registry Run Key — 31 s latency
  [FAIL] T1003.001 LSASS Memory Access — remediated during the exercise
  [FAIL] T1550.002 Pass the Hash — remediated during the exercise
  [PASS] T1021.002 PsExec — 15 s latency
  [PASS] T1047 WMI Remote Execution — 42 s latency
  [PASS] T1021.001 RDP Lateral Movement — 28 s latency
  [FAIL] T1071.001 Web C2 Beacon — remediated during the exercise
  [PASS] T1041 C2 Exfiltration — 67 s latency
  [PASS] T1490 Shadow Copy Deletion — 5 s latency
  [FAIL] T1486 Data Encrypted for Impact — not remediated; requires enhanced endpoint telemetry
  [PASS] T1070.001 Event Log Clearing — 11 s latency

Post-exercise coverage: 93% (14/15), up from the initial 73%
Outstanding gap: T1486 requires enhanced EDR file-monitoring capability
```
Install: npx claudepluginhub killvxk/cybersecurity-skills-zh
Coordinates purple team exercises with MITRE ATT&CK-mapped attack scenarios, real-time detection validation, and collaborative gap remediation for SOC teams.
Performs purple team exercises coordinating red team adversary emulation with blue team detection validation using MITRE ATT&CK scenarios for SOC detection testing and gap remediation.