
PurpleSharp is not available inside the tools directory

Open RahulIngenious opened this issue 1 year ago • 5 comments

Hi @iknowjason ,

As per the lab (Microsoft Sentinel lab with AD, deployed with terraform. Adds logging best practices with Sysmon.) demonstration, the PurpleSharp tool is supposed to be available in the tools directory of the host. However, when I ran the query or checked it manually I couldn't find it. Could you please look into this?

Also, I would like to know, once this issue is resolved and after running this PurpleSharp adversary emulation tool, would I be able to see the alerts in Defender for Endpoint for the same? PS: I have installed Defender for Endpoint on both hosts.

[screenshot: PurpleSharp]

RahulIngenious avatar Feb 15 '24 14:02 RahulIngenious

Hi @RahulIngenious

Yes, I will look into this and help get it resolved for you. It might be that the PurpleSharp download link has changed. I will verify.

What do you mean by "as per the lab (Microsoft Sentinel lab with AD, deployed with terraform)"? You mean the generator Python script that creates this lab scenario? Or something outside of the PurpleCloud tool?

Jason

iknowjason avatar Feb 15 '24 14:02 iknowjason

@iknowjason - Yes, the generator python script that creates this lab scenario

RahulIngenious avatar Feb 15 '24 15:02 RahulIngenious

@RahulIngenious

I just tested on a new lab and PurpleSharp downloads. In your case it could have been any kind of issue, like a temporary networking issue. I'm attaching three images of what you can check on your end.

Why don't you just download PurpleSharp onto your system, since it apparently didn't download? The bootstrap script shows the command. I will copy and paste it here. Open up a PowerShell admin session and type this:

Invoke-WebRequest -Uri "https://github.com/mvelazc0/PurpleSharp/releases/download/v1.3/PurpleSharp_x64.exe" -OutFile "C:\tools\PurpleSharp.exe"

iknowjason avatar Feb 15 '24 16:02 iknowjason
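The one-liner above is what the bootstrap script runs. As an added example (not part of the PurpleCloud bootstrap script or the original comment), the function below wraps the same download in the checks a user would want when it silently fails: it creates C:\tools if the bootstrap never got that far, skips the download when the file is already there, reports a failed Invoke-WebRequest instead of continuing, and rejects a zero-byte result. The URL and output path are the ones quoted above; the `$ExpectedSha256` parameter is an assumed placeholder, to be filled in from the release page if you want the hash compared.

```powershell
# Added example, not the bootstrap script itself. Checks that PurpleSharp is present
# in C:\tools, downloads it with the same command the bootstrap uses if not, and
# sanity-checks the result. Run from an admin PowerShell session.
function Ensure-PurpleSharp {
    param(
        [string]$Uri = "https://github.com/mvelazc0/PurpleSharp/releases/download/v1.3/PurpleSharp_x64.exe",
        [string]$OutFile = "C:\tools\PurpleSharp.exe",
        # Placeholder (assumption): paste the SHA256 from the release page to enable the hash check.
        [string]$ExpectedSha256 = "<fill in from the release page>"
    )

    # The bootstrap normally creates C:\tools; recreate it if it is missing.
    $dir = Split-Path -Parent $OutFile
    if (-not (Test-Path $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }

    if (Test-Path $OutFile) {
        Write-Host "Already present: $OutFile"
    } else {
        Write-Host "Downloading $Uri"
        try {
            Invoke-WebRequest -Uri $Uri -OutFile $OutFile -UseBasicParsing -ErrorAction Stop
        } catch {
            # A transient network problem (the cause suggested above) ends up here.
            Write-Warning "Download failed: $($_.Exception.Message)"
            return $false
        }
    }

    # A zero-byte file means the request returned nothing useful.
    $item = Get-Item $OutFile
    if ($item.Length -eq 0) {
        Write-Warning "Zero-byte file at $OutFile"
        return $false
    }

    # Print the hash so it can be compared with the release page; enforce it only
    # when a real value was supplied instead of the placeholder.
    $hash = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    Write-Host "SHA256: $hash ($($item.Length) bytes)"
    if ($ExpectedSha256 -notlike "<*" -and $hash -ne $ExpectedSha256.ToUpper()) {
        Write-Warning "SHA256 mismatch for $OutFile"
        return $false
    }
    return $true
}

# Usage: returns $true when the binary is present and passed the checks.
Ensure-PurpleSharp
```

If the function returns `$false` after a failed download, the warning text is the error Invoke-WebRequest saw, which is usually more informative than the silent gap in the tools directory that started this issue.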

Take a look at the user_data logfile and see what you see here. It should show something like this. It might give a clue as to why it didn't work for you.

[screenshot: pc1]

This is what it looks like on my end, PurpleSharp automatically downloaded.

[screenshot: pc2]

If it didn't download, just run that PowerShell command in the comment above and it will download.

[screenshot: pc3]

iknowjason avatar Feb 15 '24 16:02 iknowjason

@RahulIngenious

After you run PurpleSharp it should be able to generate alerts. As for Windows Defender endpoint, I can't troubleshoot your system on that.

iknowjason avatar Feb 15 '24 16:02 iknowjason