Intro to Academy's Purple Modules

This module will introduce you to HTB Academy's Purple modules, which bridge the gap between Offensive and Defensive modules and provide a holistic view of both the attacking and defending perspectives on the covered topics. More specifically, the Purple modules will allow for in-depth forensic analysis through detailed logging, traffic and memory capturing, and an installed DFIR toolset within each target after completing the attack part of each section.

Created by MadhukarRaina
Co-Authors: dotguy, dbougioukas

Medium Purple

Summary

HTB Academy's Purple modules are crafted to bridge the gap between Offensive and Defensive methodologies, offering a comprehensive view of both attacker and defender perspectives. Each section of this module serves as a reference guide, empowering users to effectively access, configure, and manage critical logging and forensic mechanisms within the Purple module targets. These sections also provide step-by-step guidance on locating logs, traffic captures, memory dumps, configuration files, and utilizing pre-installed DFIR tools to facilitate comprehensive post-exploitation forensic analyses.

Disclaimer: Please note that the "Intro to Academy's Purple Modules" module is designed for individuals with a good understanding of both offensive and defensive security practices. This module assumes that participants are proficient in operating Windows and Linux systems and are familiar with common attack vectors and detection methodologies. As such, the DFIR toolset included, as well as the attacking and detecting techniques discussed, will not be covered in exhaustive detail. This module is intended for experienced professionals in the field, aiming to showcase how upcoming Purple modules should be approached and to highlight the capabilities of Purple module targets.


This module is broken into sections with accompanying hands-on exercises to gauge your understanding of the various topic areas.

You can start and stop the module anytime and pick up where you left off. There is no time limit or "grading", but you must complete all of the exercises to receive the maximum number of cubes and have this module marked as complete.

The module is classified as "medium" and assumes participants have a foundational understanding of how Windows and Linux systems operate, along with familiarity with common attack techniques and detection principles.

A firm grasp of the following modules can be considered prerequisites for successful completion of this module:

  • Intro to Academy
  • Intro to Network Traffic Analysis
  • Intermediate Network Traffic Analysis
  • Working with IDS/IPS
  • Windows Event Logs & Finding Evil
  • Understanding Log Sources & Investigating with Splunk
  • YARA & Sigma for SOC Analysts
  • Introduction to Malware Analysis
  • Introduction to Digital Forensics

Introduction

In this module, "Intro to Academy's Purple Modules", we will introduce you to HTB Academy's Purple modules, which bridge the gap between Offensive and Defensive modules and provide a holistic view of both the attacking and defending perspectives on the covered topics. More specifically, the Purple modules will allow for in-depth forensic analysis through detailed logging, traffic, and memory capturing, and a pre-installed DFIR toolset within each target after completing the attack part of each section.

It is crucial to note that forensic analysis requires the attack part to occur first, as this generates the logs and traffic that will be captured and analyzed. The same applies to memory dumps, which can be obtained after the attack.


Moreover, the spawned target must remain active to facilitate forensic analysis activities. Extending the target's lifetime may be necessary to ensure there is sufficient time to complete the forensic analysis.


The module is divided into two parts:

  1. Windows Purple Module Targets
  2. Linux Purple Module Targets

Each section of this module serves as a reference guide, empowering users to effectively access, configure, and manage critical logging and forensic mechanisms within the Purple module targets. These sections also provide step-by-step guidance on locating logs, traffic captures, memory dumps, configuration files, and utilizing pre-installed DFIR tools to facilitate comprehensive post-exploitation forensic analysis.


Benefits of Academy's Purple Modules

Purple modules are highly beneficial for both Blue Team and Red Team members. For Blue Team professionals, these modules offer exposure to Red Team tactics and enable them to learn how to emulate these techniques. Meanwhile, Red Team operators gain invaluable insights into the artifacts their attacks leave behind, allowing them to refine their methods and minimize detectable footprints with each iteration.

Purple Module Targets as Reusable Infrastructure

  • Blue Team Use Cases of Purple Module Targets:
    • Blue team professionals can transfer evidence from other compromised machines into Purple module targets for in-depth analysis, leveraging the built-in DFIR tools.
    • Blue team professionals can install vulnerable software of their choosing, simulate attacks on the software, and analyze the attack artifacts left behind, gaining practical insight into threat behaviors and identifying IOCs.
    • Blue team professionals can use the verbose logs and DFIR toolset of Purple module targets to develop and refine detection rules for identified IOCs.
    • Blue team professionals can use these targets to develop and validate threat hunting hypotheses by emulating attack chains and investigating the associated logs and system changes.
    • Blue team professionals can collect telemetry to reverse-engineer malware behavior in a controlled environment and design incident response playbooks.
  • Red Team Use Cases of Purple Module Targets:
    • Red team professionals can test custom-built or modified malware payloads to observe logs, process behavior, and other telemetry data. They can then use this data to refine methods and reduce detection opportunities.
  • Purple Team Use Cases of Purple Module Targets:
    • Both Blue and Red Teams can collaborate to simulate full attack-and-detect cycles, using the Purple module targets as the shared and controlled platform for learning and innovation.
