Join us at the Blue Team Summit! Register Here

Purple Teaming: Attack Emulation, Reporting, and Detection Identification with Carrie Roberts

Course Authored by .

Purple Teaming Attack Emulation, Reporting, and Detection Identification with Carrie Roberts

This class will provide an overview of the MITRE ATT&CK framework and give you in-depth, hands-on knowledge of how to execute scripted attack emulations that exercise many of the techniques defined in the MITRE ATT&CK Framework.

Course Length: 16 Hours

Includes a Certificate of Completion



Enroll Now

Next scheduled date: WWHF Deadwood 2025 - Link at bottom.

Description

This class will provide an overview of the MITRE ATT&CK framework and give you in-depth, hands-on knowledge of how to execute scripted attack emulations that exercise many of the techniques defined in the MITRE ATT&CK Framework.

The primary source for the attack emulation scripts will be the free and open-source Atomic Red Team library. You will be provided with hands-on lab instructions for emulating a variety of attacks and creating visualizations using the MITRE ATT&CK Navigator. At the end of this class, you will have the knowledge and tools to begin executing simulated attacks within your own test environment, allowing you to create and validate detections in a script-able and consistent way. You will also be exposed to methods for tracking this work, including reporting on improvements over time. Lastly, you will learn about many open-source detection libraries and look at tools for correlating those detections to your emulated attacks.

Major course topics include:

  • MITRE ATT&CK and the ATT&CK Navigator
  • Atomic Red Team library of scripted cyber attacks
  • MITRE CALDERA Command-and-Control style attack emulation tool
  • VECTR Purple Team reporting and attack automation
  • SnapAttack detection library

Minor topics include MITRE AT&CK Evaluations, MITRE Adversary Emulation Library, and the MITRE ATT&CK Powered Browser Extension.

Whether you are a student of information security or a seasoned network defender there is something to learn from getting involved in the Attack Emulation space and this course will help you do that.

Note: We do not write detections in this class.

System Requirements
  • Student Requirements
    • General familiarity with the Windows and Linux operating systems.
  • What a Student Should Bring
    • A web browser and solid internet access.
    • Note: Hands-on labs with be completed from Virtual Machines hosted in the cloud which you will be able to access from your web browser. All operating systems including iOS and Android are acceptable.

Syllabus

Intro

    • Attack Emulation Tools Introduction

    • The Value of Attack Emulation

MITRE ATT&CK Framework and Tools

    • MITRE ATT&CK Framework and Tools Overview

    • MITRE ATT&CK Framework

    • MITRE ATT&CK Navigator

        • Lab: MITRE ATT&CK Navigator

        • Lab: Navigator and Combining Layers

        • Lab: MITRE ATT&CK Navigator and Atomic Red Team

    • MITRE ATT&CK Powered Suit Browser Extension

    • MITRE CALDERA

    • MITRE ATT&CK Evaluations

    • MITRE Adversary Emulation Library

    • MITRE ATT&CK Wrap-Up

Atomic Red Team

    • Atomic Red Team Intro

    • Install Atomic Red Team

        • Lab: Install Atomic Red Team

        • Lab: Import the Atomic Red Team Module

        • Lab: List Atomic Tests

    • Invoke-AtomicRedTeam Execution Framework

        • Lab: Check or Get Prerequisites for Atomic Test

        • Lab: Execute Atomic Tests

        • Lab: Specify Custom Input Arguments

        • Lab: Cleanup After Atomic Test Execution

    • Invoke-AtomicRedTeam Execution Logging

        • Lab: Execution Logging

    • Execute Atomic Tests Remotely

        • Lab: Execute Atomic Tests Remotely (Windows → Linux)

    • Execute Atomic Tests on Linux

        • Lab: Execute Atomic Tests on Linux

    • Chain Execution of Atomics

        • Lab: Chain Execution of Atomics

    • Define Your Own Atomic Test

        • Lab: Define Your Own Atomic Test

    • Adversary Emulation and Continuous Atomic Execution

        • Lab: Full Adversary Emulation with Invoke-AtomicRedTeam

    • Atomic Red Team Wrap-Up

VECTR

    • VECTR Intro

        • Lab: Getting Started with VECTR

        • Lab: Create Assessments and Campaigns in your own Database

    • VECTR and Atomic Red Team

        • Lab: Import Atomic Red Team Tests into VECTR

        • Lab: Import Atomic Red Team Logs into VECTR

    • VECTR Execution Automation

        • Lab: Execution Automation & Logging

    • VECTR Wrap-Up

SNAPATTACK

    • SnapAttack Intro

    • SnapAttack and Atomic Red Team

        • Lab: Detection Identification

Course Wrap-Up

    • Purple Teaming Course Wrap-Up

FAQ

Key Takeaways
General understanding of MITRE ATT&CK framework and tools
In-Depth knowledge of Atomic Red Team and tools for executing this library of attacks
Understanding of how Attack Emulation can help you build and validate your detections
Purple team reporting methodologies
Who Should Take This Course
Anyone interested in hands-on learning about cyber-attacks including tools to emulate and report on them should take this course.

Defenders and Blue Teamers
Students interested in Information Security
Penetration Testers and Red Teamers
General Security Practitioners
Audience Skill Level
Entry level through advanced information security skills.
Applicable Business Skills
Understanding of attacker tactics and techniques using MITRE ATT&CK
In-Depth knowledge of Atomic Red Team and tools for executing this library of attacks
Ability to portray attack readiness to management using the MITRE ATT&CK navigator and the VECTR reporting tool
Access to detection libraries through the SnapAttack threat intelligence platform.
Will I have access to the lab environment after class?
Yes. You will be given credits within the MetaCTF portal to run the lab VMs. You control when and how you use those credits. You can use them during class or any time thereafter. You can also purchase additional credits as needed.
Will we be writing detections in this class?
No, but we will be learning about open-source libraries of detections and correlating those to the emulated attacks in the Atomic Red Team library.
Is this course more offensive or defensive focused?
This case is presented from a defender’s perspective. However, we do learn a lot about attacker tactics and techniques through the MITRE ATT&CK framework and the Atomic Red Team library of scripted attacks.
Can we use Atomic Red Team to replace our red team or pentest team?
No, but it can ease the workload of such teams. Atomic Red Team does a really good job of making continuous validation of detections possible through automation, but only for those attacks that are automatable. These automations free up time for the red team to work on the more important and engaging aspects of cyber security that require a human in the loop.

About the Instructor

Pixel splash background
Carrie Roberts
Carrie Roberts
"Teacher and Mentor"
Bio

Carrie Roberts is a programmer, turned pentester, turned red teamer, turned blueish purple. She is currently on the Red Team at Walmart. She loves to learn and give back to the community. She is one of the primary Atomic Red Team project maintainers and developers and has developed many of her own open-source tools. She holds master’s Degrees in both Computer Science and Information Security Engineering.

This class is being taught at Wild West Hackin’ Fest – Deadwood 2025.

For more information about our conferences, visit Wild West Hackin’ Fest!

REGISTER HERE

Clicking on the button above will take you to our registration page

Related products

Shopping Cart

No products in the cart.