PlexTrac is a platform which can be used by internal security teams or consultancies to conduct purple team assessments but it can be used also as a pentest reporting tool since it contains a findings database and a unique report template. Pentest Laboratories Ltd have conducted a purple team assessment in order to assess the capabilities of PlexTrac platform.
Prior to the assessment a new client can be created with the associated contact details, client logo and information related to the assessment such as the scope and other details. Pentest Laboratories Ltd details have been used for the purpose of the engagement.
By default PlexTrac contains the MITRE ATT&CK methodology which their TTP’s (Tactics, Techniques and Procedures) can be incorporated into the assessment.
However for this specific engagement a custom methodology has been created since one of the techniques for that particular scenario is not included in the MITRE framework. Two tactics are going to be implemented (Defense Evasion & Credential Access) and have been selected from the available list.
The scope of the engagement was to assess the capability of the blue team to detect two techniques.
- Process Herpaderping
- OS Credential Dumping – LSASS Memory
Process Herpadeping is a defense evasion technique which bypasses EDR’s via modification of the contents of the file when the process object has been already created on the operating system. This technique is not mapped to MITRE framework therefore it has been added manually on the platform.
Threat actors often attempt to retrieve credentials from the LSASS process. This technique is mapped to MITRE framework as T1003.001 and the associated procedure within scope is: “Dump LSASS.exe Memory using Windows Task Manager“.
The tactics, techniques and procedures for the purple team exercise have been added into the Runbook – Purple Teaming which follows the custom methodology of Pentest Laboratories.
In summary the Purple Teaming RunBook will contain two tactics, two techniques and one procedure.
Engagements can be created from the Runbooks section by pressing the check purple button. The Runbook will be associated to the engagement.
The engagement required some further information such as the Client name in this case Pentest Laboratories, tags which could be custom or associated with MITRE TTP’s and description for any other relevant project information.
The engagement has been customized to fit the scope of the purple teaming which was to assess these two procedures as it can be seen from the engagement overview.
The execution of Process Herpaderping technique was trivial as there is a proof of concept publicly available. This technique has been analysed in detail in the Pentest Laboratories article.
From the perspective of blue teaming the technique has generated two Sysmon events.
- Event ID 1
- Event ID 25
The technique details including the outcome, relevant attachments, asset which the technique was executed and the procedure log details have been captured in PlexTrac in the Red Team tab.
Even though the technique was successful it has been logged in Sysmon therefore the detection outcome for the blue team was: Forensically Logged. Relevant attachments have been uploaded and the Sysmon logs have been imported into the Procedure Log component with a timestamp about the date and time. However this area it could have been used for activities of the blue team for evaluation of existing procedures and policies once a threat has been discovered.
The same procedure has been followed in PlexTrac and for the other technique of dumping the lsass via the task manager. The results of the engagement have been added into the online report as PlexTrac contains various fields similarly to other pentest reporting tools. Code samples, screenshots and videos of the assessment could be added as well.
The executed techniques can be viewed directly in the PlexTrac platform, including all the details that have been logged during the engagement, severity and date which provide the ability of managers and members to view the results of the assessment with all the technical details, screenshots and logs.
The results of the report could be exported into various formats as it can be seen below.
For this assessment the results have been exported into a word document. The template was very clean with a similar structure of pentest report templates with an Executive Summary, Findings Overview and Detailed Findings where the information was exported from the platform directly into the word document without breaking the template formatting.
Conclusion
Purple Team assessments require a collaboration platform which will have the necessary components and provide flexibility in terms of reporting and customization. PlexTrac have been developed with the mindset of organizing, storing and exporting the results of the engagement in a clean format. Managers can get visibility of the reports and the status of findings, consultancies can get a reporting tool for their engagements as the writeups database contains a high volume of issues and finally red and blue teams can get a platform which they could store results from purple team assessments. Conducting engagements with PlexTrac was definitely a unique experience and a product to be considered for red and blue teams.
For more information about PlexTrac capabilities visit their website and follow them on their social media:
- Website: https://plextrac.com/
- Twitter: https://twitter.com/PlexTracFTW
- LinkedIn: https://www.linkedin.com/company/plextrac/
- Facebook: https://www.facebook.com/plextrac