purpleteam creation

[mthcht]

Initial issue for addition, notes and updates

[mthcht]

• [x] modification of Simulation/Windows/System/search_for credentials_in_registry.ps1
• [x] modification of https://github.com/mthcht/Purpleteam/blob/948f023cd7e0145dac8ad00f10967f8088516711/Logging/enable_windows_eventid_logging.ps1
• [ ] Add scripts for each techniques in windows and linux
• [ ] create procedures folder
• [ ] Add documentation for each scripts in https://github.com/mthcht/Purpleteam/tree/main/Simulation/Windows
• [ ] create a main (GUI) script (probably python) to execute all the simulation scripts
• [ ] add documentation for https://github.com/mthcht/Purpleteam/tree/main/Logging
• [ ] add links to detection rules in https://github.com/mthcht/Purpleteam/tree/main/Detection and map each of them to the scripts for simulation

[mthcht]

• [ ] recompile createdump.exe from https://github.com/dotnet/dotnet/blob/main/src/runtime/src/coreclr/debug/createdump/, change the part https://github.com/dotnet/dotnet/blob/main/src/runtime/src/coreclr/debug/createdump/main.cpp#L185 so we can still use pid option with dotnet 7, add the new executable to _bin directory and modify script https://github.com/mthcht/Purpleteam/blob/main/Simulation/Windows/System/dump_lsass_with_dotnet_createdump.ps1 to download the executable from _bin if v5 or v6 are not found

[mthcht]

• [x] add in each script:

Start-Transcript -OutputDirectory $env:tmp\Logfile -UseMinimalHeader
#...
Stop-Transcript

[mthcht]

quick work in progress, note to remember:

• [x] https://github.com/mthcht/Purpleteam/blob/main/Simulation/Windows/System/delete_mru_history.ps1
• [ ] https://github.com/mthcht/Purpleteam/blob/main/Simulation/Windows/System/clear_remote_access_softwares.ps1
• [ ] https://github.com/mthcht/Purpleteam/blob/main/Simulation/Windows/System/clear_userassist_traces.ps1
• [ ] https://github.com/mthcht/Purpleteam/blob/main/Simulation/Windows/System/install_powershell_v2.ps1
• [ ] https://github.com/mthcht/Purpleteam/blob/main/Simulation/Windows/System/lolbin.ps1
• [ ] https://github.com/mthcht/Purpleteam/blob/main/Simulation/Windows/System/kill_splunk_and%20_block_9997_flow.ps1

[mthcht]

normalization: Start-Transcript -Path "$env:tmp\simulation_traces.log" -Append -Force -Verbose Stop-Transcript -Verbose $ProgressPreference = 'SilentlyContinue' Invoke-WebRequest * -UseBasicParsing -Verbose -UserAgent purpleteam [Error] (Red) [Info] (Cyan) [Warning] (Yellow) [Sucess] (Green) in catch: Write-Host -ForegroundColor Red "`n[Erorr] Exception: $_"

[mthcht]

• [ ] compile, test https://github.com/mthcht/Detection-Validation and create powershell script to automate this in windows scripts

[mthcht]

• [ ] create a powershell script to download, execute use /_bin/dnsmorph.exe to automatically make a list of phishing domains for a given domain and request inactive ones just to trigger detection