Sherlocked Security – Purple Team Workshops

Bridge the Gap Between Offense and Defense with Collaborative Threat Simulations

1. Statement of Work (SOW)

Service Name: Purple Team Workshops
Client Type: Security Operations Centers (SOC), Enterprises, MSSPs, Government
Service Model: Hands-On, Collaborative Adversary-Defense Simulation
Compliance Coverage: MITRE ATT&CK, NIST CSF, ISO 27001, SOC 2

Testing Types:

Attack Simulation & Live Detection Tuning
Defender Playbook Validation
EDR / SIEM Rule Effectiveness Testing

2. Our Approach

[Threat Emulation Planning] → [Attack Simulation Execution] → [SOC Collaboration & Detection] → [Detection Gap Analysis] → [Playbook & Rule Enhancement] → [Report & Tuning Recommendations] → [Retesting]

3. Methodology

[Kickoff & Threat Scenario Selection] → [Initial SOC Maturity Review] → [Attack Chain Simulation] → [Alert & Log Validation] → [Playbook Testing] → [Detection Gap Fixes] → [Final Report]

4. Deliverables to the Client

Purple Team Exercise Report
Statement of Work (SOW)
Threat Scenarios & Mapping
MITRE ATT&CK Heatmap (Pre & Post)
Detection Engineering Recommendations
Logging & Visibility Audit
Detection Rule Validation Summary
Final Remediation Plan & Retest Outcomes

5. What We Need from You (Client Requirements)

Access to EDR/SIEM or SOC dashboards
Sample detection rules/playbooks
Point of contact from Security & Infra teams
Whitelisted IPs or agent approvals
Internal threat scenarios, if any (optional)
Log sources and architecture overview

6. Tools & Technology Stack

Atomic Red Team
Caldera / Prelude / Infection Monkey
MITRE ATT&CK Navigator
Splunk / ELK / Sentinel / QRadar
Sigma Rules + Custom Sigma Converters
EDR Platforms (CrowdStrike, Defender, SentinelOne, etc.)
Custom Tools / Scripts

7. Engagement Lifecycle

1. Intro Call → 2. Workshop Scope Finalization → 3. NDA + SOW → 4. Kickoff & Scenario Design → 5. Simulation & SOC Collaboration (2–3 Days) → 6. Draft Report → 7. Feedback Loop → 8. Final Delivery + Follow-up

8. Why Sherlocked Security?

Feature	Sherlocked Advantage
Collaborative Approach	Offense + Defense teams work in sync
MITRE ATT&CK Coverage	Real tactics used and mapped to detection gaps
EDR & SIEM Agnostic	Compatible with most enterprise tools
Heatmap-Based Reporting	Visualize detection coverage before/after
Custom Threat Scenarios	Industry-specific emulation and tuning
Defender Enablement	Playbook & alert enhancement focus

9. Real-World Case Studies

Visibility Gaps in a Global FinTech SOC

Issue: EDR failed to alert on lateral movement due to missing rules.
Outcome: Created Sigma rules to detect PsExec, RDP tunneling; improved mean-time-to-detect by 42%.

National Security Project – Insider Threat Simulation

Client: Defense-aligned Government Agency
Findings: Log gaps in PowerShell and WMI-based command tracking.
Result: Sysmon deployed enterprise-wide, custom detection logic implemented.

10. SOP – Standard Operating Procedure

Kickoff Call & NDA
Selection of Threat Scenarios
Tooling & Environment Access
Attack Chain Simulation
Logging & Detection Mapping
SIEM/EDR Rule Tuning
Validation of Alerts & Coverage
Report Delivery & Gap Summary
Follow-up Workshop (optional)
Final Improvements & Certificate

11. Purple Team Checklist

1. Threat Emulation Planning

Stakeholder kickoff and scenario scoping
Define crown jewels and critical assets
Map scenarios to MITRE ATT&CK techniques
Establish success/failure conditions
Confirm acceptable risk boundaries
Define rules of engagement (RoE)
Coordinate blue team observation (blind or collaborative)
Baseline current detection capabilities
Confirm log and alert retention windows

2. Initial Access Simulation

Phishing email with embedded link (T1566.002)
Phishing attachment with macro payload (T1566.001)
Drive-by compromise with JS dropper (T1189)
Rogue USB media drop (T1200)
Exploit public-facing application (T1190)
External remote services (VPN/RDP) brute-force (T1133)

3. Execution Techniques

PowerShell script execution (T1059.001)
Command and Scripting Interpreter (cmd.exe, bash) (T1059)
Windows Management Instrumentation (WMI) (T1047)
Office macro-based execution (T1137)
DLL side-loading (T1574.002)
HTA file execution (T1218.005)

4. Persistence Mechanisms

Registry Run key persistence (T1547.001)
Scheduled Task creation (T1053.005)
New Service installation (T1543.003)
Startup folder shortcut drop (T1547.001)
Login scripts injection (T1037)
Windows services hijack (T1031)

5. Privilege Escalation

Bypass UAC (T1548.002)
Exploit vulnerable service (T1068)
Token manipulation (T1134)
Abuse admin tools (e.g., PsExec with SYSTEM privileges)
DLL hijacking with elevated path (T1574.001)
Unquoted service path exploitation (T1574.009)

6. Defense Evasion

Obfuscated PowerShell script (T1027.005)
Living off the land binaries (LOLBins) usage (T1218)
Disable or uninstall security tools (T1089)
Masquerade process or file names (T1036)
Encoded command execution (e.g., base64 payloads)
Clearing event logs (T1070.001)
Repackaging tools with custom signatures

7. Credential Access

LSASS memory dump (T1003.001)
Mimikatz usage (T1003)
SAM registry hive extraction (T1003.002)
Browser credential scraping (T1555.003)
Keylogger deployment (T1056.001)
Credential harvesting from phishing portals

8. Discovery & Enumeration

Network share discovery (T1135)
Active Directory enumeration (T1069.002)
Local user/group enumeration (T1087)
Running process and service listing (T1057)
Identify installed applications (T1518)
Cloud infrastructure metadata discovery (T1526)

9. Lateral Movement

Pass-the-Hash (T1550.002)
Remote desktop protocol (RDP) lateral move (T1021.001)
SMB relay attacks (T1557.001)
PsExec/WMI/WinRM usage (T1021)
Admin share exploitation (C$, ADMIN$)
Lateral movement using harvested SSH keys

10. Command & Control (C2)

Custom C2 channel setup (HTTP/S) (T1071.001)
DNS tunneling (T1071.004)
Legitimate services abuse (Slack, Telegram bots, etc.)
Beaconing interval detection testing
Domain fronting techniques (T1090.004)
Reconnect-on-failure and fallback C2 behavior

11. Data Collection

Compress sensitive files (T1560)
Archive collection from endpoints (T1119)
Screenshot capture (T1113)
Clipboard capture (T1115)
Keylogging logs collection (T1056.001)
Cloud sync or mapped drive target collection

12. Exfiltration Techniques

Exfil over C2 channel (T1041)
Encrypted file transfer (T1048.003)
Use of external USBs (T1052.001)
Cloud storage (Google Drive, Dropbox) abuse
Email-based exfiltration (T1567.002)
DNS exfiltration testing (T1048.001)

13. Impact Simulation (Optional)

File encryption mimicry (ransomware simulation) (T1486)
System reboot/logoff (T1529)
Defacement scenarios (T1491)
Application termination or corruption (T1489)
Business logic sabotage (industry-specific)

14. Logging & Visibility Audit

PowerShell logging enabled (Module, ScriptBlock, Transcription)
Sysmon coverage (Events 1, 3, 6, 7, 8, 10, 11, 13, etc.)
Process creation (4688), Logon events (4624/4625)
Registry and file access logging
DNS resolution logs
Audit policy GPO review

15. SIEM & EDR Rule Validation

Correlation rule triggers for each tactic
Sigma/KQL/SPL rule hit validation
Alert enrichment and classification (High/Med/Low)
True/False positive rate during simulation
Rule tuning opportunities noted
Timeline of alert visibility and response

16. Detection Gap Analysis

Missing or delayed alerts
Noisy alerts / false positives
Blind spots in lateral movement or privilege escalation
Lack of visibility into script-based attacks
Poor coverage on endpoint behavior anomalies
Alerts not tied to business context

17. SOC Response Evaluation

Alert triage time tracking
Escalation procedures tested
Playbook adherence check
Incident timeline reconstruction ability
Coordination between SOC and IR teams
Communication gaps or tooling delays

Purple Team Workshops