Zion Boggan
repos/Security Portfolio/purple-team-lab/index.html
zionboggan.com ↗
Code Commits Tags
304 lines · html
History for this file →
1
<!doctype html>
2
<html lang="en">
3
<head>
4
<meta charset="utf-8">
5
<meta name="viewport" content="width=device-width, initial-scale=1.0">
6
<title>Purple-Team Lab | Zion Boggan</title>
7
<meta name="description" content="Adversary emulation that validates the detections instead of assuming they work.">
8
<link rel="icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'%3E%3Crect width='32' height='32' rx='6' fill='%230c0e12'/%3E%3Ctext x='16' y='22' font-family='monospace' font-size='15' fill='%236cc7b8' text-anchor='middle'%3Ezb%3C/text%3E%3C/svg%3E">
9
<style>
10
  :root{
11
    --bg:#0c0e12; --bg2:#0f1217; --panel:#14181f; --panel2:#171c24;
12
    --line:#222936; --line2:#2c3543;
13
    --ink:#e8eaed; --soft:#c3cad4; --muted:#8a94a3; --faint:#5d6675;
14
    --accent:#6cc7b8; --accent-dim:#274b47;
15
    --maxw:1020px;
16
  }
17
  *{box-sizing:border-box;}
18
  html{scroll-behavior:smooth;}
19
  body{margin:0;background:var(--bg);color:var(--ink);
20
    font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;
21
    font-size:16px;line-height:1.65;-webkit-font-smoothing:antialiased;}
22
  .mono{font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,monospace;}
23
  a{color:var(--accent);text-decoration:none;}
24
  a:hover{color:#8fe0d2;}
25
  .wrap{max-width:var(--maxw);margin:0 auto;padding:0 24px;}
26
27
  /* nav */
28
  nav{position:sticky;top:0;z-index:20;background:rgba(12,14,18,.82);
29
    backdrop-filter:blur(10px);border-bottom:1px solid var(--line);}
30
  nav .wrap{display:flex;align-items:center;justify-content:space-between;height:58px;}
31
  nav .brand{font-weight:600;letter-spacing:.2px;}
32
  nav .brand .dot{color:var(--accent);}
33
  nav .links{display:flex;gap:26px;font-size:13.5px;}
34
  nav .links a{color:var(--muted);}
35
  nav .links a:hover{color:var(--ink);}
36
  @media(max-width:680px){nav .links{display:none;}}
37
38
  /* hero */
39
  header.hero{padding:74px 0 54px;border-bottom:1px solid var(--line);
40
    background:radial-gradient(900px 380px at 78% -10%, #11201e 0%, transparent 60%);}
41
  .avail{font-size:12.5px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);
42
    display:flex;align-items:center;gap:9px;margin-bottom:20px;}
43
  .avail .pulse{width:7px;height:7px;border-radius:50%;background:var(--accent);
44
    box-shadow:0 0 0 0 rgba(108,199,184,.5);animation:p 2.4s infinite;}
45
  @keyframes p{0%{box-shadow:0 0 0 0 rgba(108,199,184,.45)}70%{box-shadow:0 0 0 8px rgba(108,199,184,0)}100%{box-shadow:0 0 0 0 rgba(108,199,184,0)}}
46
  h1{font-size:clamp(34px,6vw,52px);line-height:1.05;margin:0 0 8px;letter-spacing:-1px;font-weight:680;}
47
  .hero .sub{font-size:clamp(16px,2.4vw,20px);color:var(--soft);margin:0 0 24px;font-weight:500;}
48
  .hero .lede{max-width:660px;color:var(--soft);font-size:17px;margin:0 0 28px;}
49
  .hero .lede b{color:var(--ink);font-weight:600;}
50
  .cta{display:flex;flex-wrap:wrap;gap:12px;align-items:center;}
51
  .btn{display:inline-flex;align-items:center;gap:8px;padding:10px 18px;border-radius:8px;
52
    font-size:14.5px;font-weight:550;border:1px solid var(--line2);color:var(--ink);background:var(--panel);}
53
  .btn:hover{border-color:var(--accent-dim);background:var(--panel2);color:var(--ink);}
54
  .btn.primary{background:var(--accent);color:#06231f;border-color:var(--accent);font-weight:650;}
55
  .btn.primary:hover{background:#8fe0d2;color:#06231f;}
56
  .meta{margin-top:26px;display:flex;flex-wrap:wrap;gap:8px 22px;font-size:13px;color:var(--muted);}
57
  .meta .mono{color:var(--faint);}
58
59
  /* sections */
60
  section{padding:64px 0;border-bottom:1px solid var(--line);}
61
  .shead{display:flex;align-items:baseline;gap:14px;margin-bottom:30px;}
62
  .shead .idx{font-size:13px;color:var(--accent);letter-spacing:1px;}
63
  .shead h2{font-size:14px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:0;font-weight:600;}
64
  .shead .rule{flex:1;height:1px;background:var(--line);}
65
66
  /* flagship */
67
  .flag{background:linear-gradient(180deg,var(--panel) 0%,var(--bg2) 100%);
68
    border:1px solid var(--line2);border-radius:14px;overflow:hidden;}
69
  .flag .top{padding:30px 32px 8px;}
70
  .flag .tag{font-size:12px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);margin-bottom:12px;}
71
  .flag h3{font-size:27px;margin:0 0 6px;letter-spacing:-.4px;}
72
  .flag h3 .v{font-size:13px;color:var(--muted);font-weight:500;margin-left:8px;letter-spacing:0;}
73
  .flag .grid{display:grid;grid-template-columns:1.25fr 1fr;gap:30px;padding:14px 32px 30px;}
74
  .flag p{color:var(--soft);margin:0 0 16px;}
75
  .flag .stats{display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-top:6px;}
76
  .stat{background:var(--bg);border:1px solid var(--line);border-radius:9px;padding:13px 15px;}
77
  .stat .n{font-size:21px;font-weight:680;color:var(--ink);}
78
  .stat .k{font-size:12px;color:var(--muted);margin-top:2px;}
79
  .spec{background:var(--bg);border:1px solid var(--line);border-radius:10px;padding:18px 18px;}
80
  .spec .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:10px;}
81
  .spec ul{margin:0;padding:0;list-style:none;font-size:13.5px;}
82
  .spec li{padding:6px 0;border-top:1px solid var(--line);color:var(--soft);display:flex;justify-content:space-between;gap:14px;}
83
  .spec li:first-child{border-top:none;}
84
  .spec li span{color:var(--muted);}
85
  .flag .foot{padding:0 32px 28px;display:flex;gap:18px;flex-wrap:wrap;font-size:14px;}
86
  @media(max-width:720px){.flag .grid{grid-template-columns:1fr;}}
87
88
  /* lab cards */
89
  .cards{display:grid;grid-template-columns:1fr 1fr;gap:20px;}
90
  @media(max-width:680px){.cards{grid-template-columns:1fr;}}
91
  .card{border:1px solid var(--line);border-radius:12px;overflow:hidden;background:var(--panel);
92
    display:flex;flex-direction:column;transition:border-color .15s,transform .15s;}
93
  .card:hover{border-color:var(--accent-dim);transform:translateY(-2px);}
94
  .card .thumb{height:172px;overflow:hidden;border-bottom:1px solid var(--line);background:#fff;}
95
  .card .thumb img{width:100%;height:100%;object-fit:cover;object-position:top left;display:block;}
96
  .card .body{padding:18px 20px 20px;display:flex;flex-direction:column;flex:1;}
97
  .card h3{margin:0 0 9px;font-size:17px;}
98
  .card p{margin:0 0 14px;font-size:14px;color:var(--soft);flex:1;}
99
  .tags{display:flex;flex-wrap:wrap;gap:6px;margin-bottom:14px;}
100
  .tags span{font-size:11.5px;color:var(--muted);background:var(--bg);border:1px solid var(--line);
101
    border-radius:5px;padding:3px 8px;}
102
  .card .lnk{font-size:13.5px;font-family:ui-monospace,Menlo,monospace;}
103
  .card .lnk::after{content:" โ†’";}
104
105
  /* research */
106
  .rlede{color:var(--soft);max-width:680px;margin:-6px 0 26px;}
107
  .research{display:flex;flex-direction:column;gap:0;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
108
  .ritem{display:grid;grid-template-columns:120px 1fr auto;gap:18px;align-items:center;
109
    padding:18px 22px;border-top:1px solid var(--line);}
110
  .ritem:first-child{border-top:none;}
111
  .ritem:hover{background:var(--panel);}
112
  .ritem .cls{font-size:11px;letter-spacing:.5px;text-transform:uppercase;color:var(--accent);}
113
  .ritem h3{margin:0 0 3px;font-size:16px;}
114
  .ritem p{margin:0;font-size:13.5px;color:var(--muted);}
115
  .ritem .go{font-family:ui-monospace,Menlo,monospace;font-size:13px;white-space:nowrap;}
116
  @media(max-width:680px){.ritem{grid-template-columns:1fr;gap:6px;}.ritem .go{margin-top:4px;}}
117
  .progs{margin-top:22px;}
118
  .progs .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:11px;}
119
  .progs .row{display:flex;flex-wrap:wrap;gap:7px;}
120
  .progs .row span{font-size:12.5px;color:var(--soft);background:var(--panel);border:1px solid var(--line);
121
    border-radius:6px;padding:4px 10px;}
122
123
  /* credentials */
124
  .cred{display:grid;grid-template-columns:1.1fr 1fr;gap:28px;}
125
  @media(max-width:680px){.cred{grid-template-columns:1fr;}}
126
  .cred p{color:var(--soft);margin:0 0 14px;}
127
  .cred .role{font-size:14px;color:var(--muted);}
128
  .cred .role b{color:var(--ink);font-weight:600;}
129
  .certs{list-style:none;margin:0;padding:0;}
130
  .certs li{padding:9px 0;border-top:1px solid var(--line);font-size:14px;color:var(--soft);
131
    display:flex;gap:10px;align-items:baseline;}
132
  .certs li:first-child{border-top:none;}
133
  .certs li .c{color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:12px;}
134
135
  footer{padding:46px 0 64px;}
136
  footer .row{display:flex;flex-wrap:wrap;justify-content:space-between;gap:18px;align-items:center;}
137
  footer .links a{color:var(--soft);margin-right:20px;font-size:14px;}
138
  footer .note{color:var(--faint);font-size:12.5px;max-width:520px;}
139
140
  /* detail pages */
141
  .detail-hero{padding:40px 0 28px;}
142
  .back{display:inline-block;font-size:13px;color:var(--muted);margin-bottom:22px;font-family:ui-monospace,Menlo,monospace;}
143
  .back:hover{color:var(--ink);}
144
  .kicker{font-size:12px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin-bottom:13px;font-family:ui-monospace,Menlo,monospace;}
145
  .detail-hero h1{font-size:clamp(28px,5vw,42px);margin:0 0 12px;letter-spacing:-.6px;}
146
  .detail-hero .tagline{font-size:clamp(16px,2.2vw,19px);color:var(--soft);max-width:780px;margin:0 0 18px;}
147
  .facts{display:grid;grid-template-columns:repeat(auto-fit,minmax(148px,1fr));gap:12px;margin-top:24px;}
148
  figure{margin:0;}
149
  .shot{border:1px solid var(--line2);border-radius:12px;overflow:hidden;background:#fff;margin:30px 0 6px;}
150
  .shot img,.shot video{display:block;width:100%;height:auto;}
151
  figcaption{font-size:13px;color:var(--muted);margin:11px 2px 0;}
152
  .content{padding:6px 0 0;}
153
  .content h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:44px 0 16px;font-weight:600;border-top:1px solid var(--line);padding-top:30px;}
154
  .content h2.first{border-top:none;padding-top:6px;margin-top:18px;}
155
  .content p{color:var(--soft);margin:0 0 16px;}
156
  .content ul,.content ol{color:var(--soft);margin:0 0 16px;padding-left:22px;}
157
  .content li{margin:6px 0;}
158
  .content strong{color:var(--ink);font-weight:600;}
159
  .content code{font-family:ui-monospace,Menlo,monospace;font-size:13px;background:var(--panel2);border:1px solid var(--line);border-radius:4px;padding:1px 5px;color:var(--soft);}
160
  .content pre{background:var(--bg2);border:1px solid var(--line2);border-radius:10px;padding:15px 18px;overflow-x:auto;margin:0 0 18px;}
161
  .content pre code{background:none;border:none;padding:0;font-size:12.5px;color:var(--soft);line-height:1.62;}
162
  .content table{width:100%;border-collapse:collapse;margin:2px 0 20px;font-size:13.5px;}
163
  .content th{text-align:left;color:var(--muted);font-weight:600;border-bottom:1px solid var(--line2);padding:9px 12px;font-size:11px;letter-spacing:.6px;text-transform:uppercase;}
164
  .content td{color:var(--soft);border-bottom:1px solid var(--line);padding:9px 12px;vertical-align:top;}
165
  .content td code{font-size:12px;}
166
  .gallery{margin-top:8px;}
167
  .repo-line{margin:42px 0 0;color:var(--faint);font-size:12.5px;font-family:ui-monospace,Menlo,monospace;}
168
</style>
169
<link rel="canonical" href="https://zionboggan.com/purple-team-lab/">
170
<meta name="author" content="Zion Boggan">
171
<meta name="robots" content="index, follow, max-image-preview:large">
172
<meta property="og:type" content="article">
173
<meta property="og:site_name" content="Zion Boggan">
174
<meta property="og:title" content="Purple-Team Lab | Zion Boggan">
175
<meta property="og:description" content="Adversary emulation that validates the detections instead of assuming they work.">
176
<meta property="og:url" content="https://zionboggan.com/purple-team-lab/">
177
<meta property="og:image" content="https://zionboggan.com/assets/purple-team-lab/01-detections-fired.png">
178
<meta name="twitter:card" content="summary_large_image">
179
<meta name="twitter:title" content="Purple-Team Lab | Zion Boggan">
180
<meta name="twitter:description" content="Adversary emulation that validates the detections instead of assuming they work.">
181
<meta name="twitter:image" content="https://zionboggan.com/assets/purple-team-lab/01-detections-fired.png">
182
<script type="application/ld+json">{"@context":"https://schema.org","@type":"TechArticle","headline":"Purple-Team Lab","description":"Adversary emulation that validates the detections instead of assuming they work.","url":"https://zionboggan.com/purple-team-lab/","image":"https://zionboggan.com/assets/purple-team-lab/01-detections-fired.png","author":{"@type":"Person","name":"Zion Boggan","url":"https://zionboggan.com"},"publisher":{"@type":"Person","name":"Zion Boggan"}}</script>
183
</head>
184
<body>
185
<nav><div class="wrap">
186
  <a class="brand mono" href="/" style="color:var(--ink)">zion_boggan<span class="dot">.</span></a>
187
  <span class="links">
188
    <a href="/#oversight">Oversight</a>
189
    <a href="/#labs">Labs</a>
190
    <a href="/#research">Research</a>
191
    <a href="/#background">Background</a>
192
    <a href="/">Home</a>
193
  </span>
194
</div></nav>
195
<header class="hero detail-hero"><div class="wrap">
196
  <a class="back" href="/#labs">&larr; All work</a>
197
  <div class="kicker">ADVERSARY EMULATION</div>
198
  <h1>Purple-Team Lab</h1>
199
  <p class="tagline">Adversary emulation that validates the detections instead of assuming they work.</p>
200
  <div class="tags"><span>Atomic Red Team</span><span>Caldera</span><span>Wazuh FIM</span><span>MITRE ATT&amp;CK</span><span>Auditd</span><span>Detection-as-Code</span></div>
201
  <div class="facts"><div class="stat"><div class="n">4</div><div class="k">Custom Wazuh rules (100410-100413)</div></div><div class="stat"><div class="n">6</div><div class="k">ATT&amp;CK techniques validated</div></div><div class="stat"><div class="n">5</div><div class="k">Detections firing at alert severity</div></div><div class="stat"><div class="n">12</div><div class="k">Highest rule level (authorized_keys)</div></div><div class="stat"><div class="n">18</div><div class="k">Invalid SSH logins driving brute-force rule 5712</div></div><div class="stat"><div class="n">6</div><div class="k">FIM paths watched in real time</div></div></div>
202
  <div class="cta" style="margin-top:24px"></div>
203
</div></header>
204
<section><div class="wrap">
205
  <figure class="shot"><img loading="lazy" src="/assets/purple-team-lab/01-detections-fired.png" alt="Emulated techniques detected in Wazuh: custom rules 100410-100413 plus the brute-force rule firing on the purple-target agent, each ATT&amp;CK-tagged."></figure><figcaption>Emulated techniques detected in Wazuh: custom rules 100410-100413 plus the brute-force rule firing on the purple-target agent, each ATT&amp;CK-tagged.</figcaption>
206
  <div class="content">
207
  <h2>Custom Wazuh rules</h2>
208
<p>Four custom rules sit in the Wazuh <code>syscheck</code> group and key off real-time FIM events rather than syscall auditing. Each is ATT&amp;CK-tagged and assigned a level that reflects how it should be triaged: the <code>authorized_keys</code> rule is level 12 because an attacker who can append a key owns persistent access; the others are level 10. The full ruleset, verbatim, deployed to the manager as <code>rules/local_purple_rules.xml</code>:</p><pre><code>&lt;group name="linux,syscheck,purple-team-fim,"&gt;
209
210
  &lt;rule id="100410" level="10"&gt;
211
    &lt;if_group&gt;syscheck&lt;/if_group&gt;
212
    &lt;field name="file" type="pcre2"&gt;^/etc/cron&lt;/field&gt;
213
    &lt;description&gt;Cron file created or modified: $(file) - possible scheduled-task persistence&lt;/description&gt;
214
    &lt;mitre&gt;
215
      &lt;id&gt;T1053.003&lt;/id&gt;
216
    &lt;/mitre&gt;
217
  &lt;/rule&gt;
218
219
  &lt;rule id="100411" level="10"&gt;
220
    &lt;if_group&gt;syscheck&lt;/if_group&gt;
221
    &lt;field name="file" type="pcre2"&gt;^/etc/systemd/system/.+\.service&lt;/field&gt;
222
    &lt;description&gt;Systemd unit created or modified: $(file) - possible service persistence&lt;/description&gt;
223
    &lt;mitre&gt;
224
      &lt;id&gt;T1543.002&lt;/id&gt;
225
    &lt;/mitre&gt;
226
  &lt;/rule&gt;
227
228
  &lt;rule id="100412" level="12"&gt;
229
    &lt;if_group&gt;syscheck&lt;/if_group&gt;
230
    &lt;field name="file" type="pcre2"&gt;\.ssh/authorized_keys$&lt;/field&gt;
231
    &lt;description&gt;SSH authorized_keys modified: $(file) - possible persistence via account manipulation&lt;/description&gt;
232
    &lt;mitre&gt;
233
      &lt;id&gt;T1098.004&lt;/id&gt;
234
    &lt;/mitre&gt;
235
  &lt;/rule&gt;
236
237
  &lt;rule id="100413" level="10"&gt;
238
    &lt;if_group&gt;syscheck&lt;/if_group&gt;
239
    &lt;field name="file" type="pcre2"&gt;^/usr/local/bin/&lt;/field&gt;
240
    &lt;description&gt;Binary placed in /usr/local/bin: $(file) - possible persistence or tooling drop&lt;/description&gt;
241
    &lt;mitre&gt;
242
      &lt;id&gt;T1543&lt;/id&gt;
243
    &lt;/mitre&gt;
244
  &lt;/rule&gt;
245
246
&lt;/group&gt;</code></pre><p>The rules depend on the agent's <code>syscheck</code> block watching those paths in real time. That FIM configuration is a one-liner deployed to the agent:</p><pre><code>&lt;directories realtime="yes" check_all="yes" report_changes="yes"&gt;/etc/cron.d,/etc/cron.daily,/etc/systemd/system,/root/.ssh,/home/zion/.ssh,/usr/local/bin&lt;/directories&gt;</code></pre>
247
<h2>Adversary emulation</h2>
248
<p>A single Atomic Red Team script runs the technique set against the <code>purple-target</code> VM &mdash; a dedicated Ubuntu 22.04 host rather than a container, because kernel-level telemetry needs a real kernel. It drops a cron job in <code>/etc/cron.d</code> (T1053.003), creates a systemd unit in <code>/etc/systemd/system</code> (T1543.002), appends an SSH key to <code>~/.ssh/authorized_keys</code> (T1098.004), plants an executable in <code>/usr/local/bin</code> (T1543), and fires 18 invalid SSH logins to trip the brute-force rule (T1110). The persistence actions, verbatim from the runner:</p><pre><code>echo '* * * * * root /usr/bin/id' | sudo tee /etc/cron.d/atomic-persist &gt;/dev/null
249
250
printf '[Unit]\nDescription=atomic test\n[Service]\nExecStart=/usr/bin/id\n[Install]\nWantedBy=multi-user.target\n' \
251
  | sudo tee /etc/systemd/system/atomic-evil.service &gt;/dev/null
252
253
mkdir -p "$HOME/.ssh"
254
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtomicRedTeamTestKeyDoNotUse attacker@evil' &gt;&gt; "$HOME/.ssh/authorized_keys"
255
256
printf '#!/bin/bash\nid\n' | sudo tee /usr/local/bin/definitely-not-malware &gt;/dev/null
257
sudo chmod +x /usr/local/bin/definitely-not-malware</code></pre><p>MITRE Caldera is provisioned via Docker Compose for graph-based emulation when an attack chain &mdash; rather than discrete atomics &mdash; is needed. It is built from upstream master and exposed on <code>:8888</code>:</p><pre><code>services:
258
  caldera:
259
    image: caldera:local
260
    build:
261
      context: https://github.com/mitre/caldera.git#master
262
    ports:
263
      - "8888:8888"
264
      - "8443:8443"
265
    environment:
266
      - CALDERA_CONF=local
267
    command: ["--insecure", "--build"]</code></pre>
268
<h2>Coverage matrix</h2>
269
<p>Every technique was executed on the endpoint and confirmed in the SIEM, mapped to ATT&amp;CK and assigned a level that reflects how it should be triaged. Five of six fire on detections written for this lab; the sixth is a baseline check that login telemetry is reaching the manager.</p><table><thead><tr><th>Technique</th><th>ATT&amp;CK</th><th>Atomic action</th><th>Telemetry</th><th>Rule</th><th>Level</th><th>Detected</th></tr></thead><tbody><tr><td>Brute Force</td><td>T1110</td><td>18 invalid SSH logins from one source</td><td>sshd auth log</td><td>5712 (built-in)</td><td>10</td><td>yes</td></tr><tr><td>Scheduled Task / Cron</td><td>T1053.003</td><td>write job to <code>/etc/cron.d/</code></td><td>FIM (real-time)</td><td>100410 (custom)</td><td>10</td><td>yes</td></tr><tr><td>Systemd Service</td><td>T1543.002</td><td>create unit in <code>/etc/systemd/system/</code></td><td>FIM (real-time)</td><td>100411 (custom)</td><td>10</td><td>yes</td></tr><tr><td>SSH Authorized Keys</td><td>T1098.004</td><td>append key to <code>~/.ssh/authorized_keys</code></td><td>FIM (real-time)</td><td>100412 (custom)</td><td>12</td><td>yes</td></tr><tr><td>Create / Modify System Process</td><td>T1543</td><td>drop binary in <code>/usr/local/bin/</code></td><td>FIM (real-time)</td><td>100413 (custom)</td><td>10</td><td>yes</td></tr><tr><td>Valid Accounts / Sudo</td><td>T1078 / T1548.003</td><td>login + sudo to root</td><td>sshd/PAM auth log</td><td>5501 / 5402 (built-in)</td><td>3</td><td>yes (baseline)</td></tr></tbody></table>
270
<h2>Why FIM, not auditd</h2>
271
<p>The persistence detections key off file integrity monitoring, not syscall auditing &mdash; and that is a deliberate choice, not a shortcut. FIM is Wazuh-native and works everywhere, including containers and hardened hosts where the kernel audit framework is not available to you. Auditd execve rules, by contrast, silently do nothing on a host that boots with audit disabled &mdash; which is the common case inside an LXC container, where the audit subsystem is namespaced away and rules load without error but never fire.</p><p>The auditd ruleset that would be layered on a host with working kernel auditing is included for completeness in <code>agent/auditd-purple.rules</code> &mdash; it watches execve, credential files, and the persistence directories &mdash; but the validated detections above do not depend on it:</p><pre><code>-a always,exit -F arch=b64 -S execve -S execveat -k exec
272
-a always,exit -F arch=b32 -S execve -S execveat -k exec
273
-w /etc/shadow -p r -k cred_access
274
-w /etc/passwd -p wa -k passwd_change
275
-w /etc/sudoers -p wa -k sudoers_change
276
-w /etc/cron.d -p wa -k cron_persist
277
-w /etc/systemd/system -p wa -k systemd_persist</code></pre><p>The honest consequence is a noted coverage gap: execve-based detections such as reverse-shell command lines (T1059.004) need that host syscall auditing the target kernel did not provide. The FIM-based persistence detections are independent of it, which is exactly why they survive the environments where auditd does not.</p>
278
<h2>Running it</h2>
279
<p>On the endpoint &mdash; an enrolled Wazuh agent with the FIM config from <code>agent/</code> applied &mdash; the entire technique set runs from one script. It logs each step with a timestamp and supports a <code>--cleanup</code> flag that removes the cron job, systemd unit, dropped binary, and the planted SSH key:</p><pre><code>sudo bash atomics/run_atomics.sh            # execute the technique set
280
sudo bash atomics/run_atomics.sh --cleanup  # execute, then revert all artifacts</code></pre><p>The brute-force step loops 18 password-auth attempts against localhost with pubkey auth forced off, so each one lands in the sshd auth log as an invalid user:</p><pre><code>for i in $(seq 1 18); do
281
  ssh -o BatchMode=yes -o ConnectTimeout=2 -o StrictHostKeyChecking=no \
282
      -o PreferredAuthentications=password -o PubkeyAuthentication=no \
283
      "evil_user_${i}@127.0.0.1" true 2>/dev/null
284
done</code></pre><p>Then in the Wazuh dashboard, filter Threat Hunting &rarr; Events to confirm the hits:</p><pre><code>rule.id:(100410 or 100411 or 100412 or 100413 or 5712)</code></pre><p>Caldera, for graph-based emulation, is optional and comes up alongside:</p><pre><code>cd caldera &amp;&amp; docker compose up -d          # http://localhost:8888</code></pre>
285
<h2>Detection-as-code</h2>
286
<p>This lab is one half of a two-repo workflow. Detections are authored once as Sigma in a separate detection-as-code repository and compiled to each target SIEM; the Wazuh-native versions of the persistence rules proven here are the compiled output. The endpoint itself is the same instrumented host stood up in a companion SOC-automation lab, so the agent, indexer, and dashboard are not bespoke to this project &mdash; they are the standing detection stack this work validates against.</p><p>Keeping emulation and authoring in separate repos enforces the discipline: a rule does not get marked validated here until an atomic in <code>run_atomics.sh</code> has demonstrably triggered it on the live agent. The matrix is regenerated from real runs, and the screenshot in the repo is the evidence, not a mockup.</p>
287
<h2>What it proves</h2>
288
<p>Severity is the point as much as coverage is. The persistence detections fire at level 10&ndash;12 because they would page an analyst, while login and sudo events sit at level 3 as context, not alerts. A detection that fires at the wrong severity is as useless as one that does not fire at all.</p><ul><li><strong>Detections are tested, not assumed.</strong> Each custom rule has a corresponding atomic that demonstrably triggers it on the live agent &mdash; the matrix reflects an actual run, not an intended design.</li><li><strong>Gaps are noted honestly.</strong> Execve-based detections such as reverse-shell command lines (T1059.004) require host syscall auditing the target kernel did not provide; that limitation is documented rather than papered over, and the FIM persistence path is independent of it.</li><li><strong>Telemetry choice is justified.</strong> FIM was chosen over auditd specifically because it survives containers and hardened hosts where kernel auditing silently fails &mdash; a deliberate engineering decision with a stated tradeoff.</li><li><strong>It plugs into a real workflow.</strong> The rules proven here are the compiled output of a Sigma-first detection-as-code pipeline, validated against a standing Wazuh stack rather than a throwaway.</li></ul>
289
  </div>
290
291
  <p class="repo-line">Repository &middot; github.com/zionboggan/purple-team-lab</p>
292
</div></section>
293
<footer><div class="wrap row">
294
  <div class="links">
295
    <a href="/">Portfolio</a>
296
    <a href="https://www.linkedin.com/in/zion-boggan">LinkedIn</a>
297
    <a href="https://oversightprotocol.dev/">Oversight</a>
298
    <a href="mailto:zionboggan0@gmail.com">Email</a>
299
  </div>
300
  <div class="note">Built and deployed on a self-hosted Proxmox homelab. This page mirrors the
301
  project's documentation and results so the work is fully viewable here.</div>
302
</div></footer>
303
</body>
304
</html>