Attack playbooks
Purple team exercises need realistic attack scenarios. Playbooks provide structured techniques mapped to MITRE ATT&CK so that the same ground can be tested consistently across exercises.
Using playbooks well
The playbooks below are starting points, not finished products. Adapting them to a specific technology stack, user behaviour, and threat model is part of using them. Generic playbooks tested against a generic environment produce generic findings, which are usually less useful than the specific findings the practice is meant to produce.
Complexity is something to add gradually. Starting with the simplest techniques the existing detections are most likely to catch calibrates the exercise; adding sophistication once those pass turns each exercise into a meaningful test rather than a brochure for advanced capability.
The point of testing is the techniques relevant to threats an organisation faces, not full ATT&CK coverage for its own sake. A coverage map is a useful artefact, but a coverage percentage is a metric that decouples easily from defensive value.
Initial access
Phishing scenarios cover credential harvesting (a fake login page, tracking submissions), malware delivery (macro-enabled documents, testing EDR and email filtering), and link-based delivery (shortened URLs, testing web proxy and user awareness).
External vulnerability exploitation covers unpatched internet-facing services, weak authentication amenable to password spraying, and misconfigured services such as exposed admin panels.
Supply chain vectors cover compromised vendor accounts and malicious update paths.
Credential access and privilege escalation
Credential theft includes Mimikatz execution against LSASS, registry credential extraction from the SAM database, and browser password harvesting.
Privilege escalation includes kernel exploitation, service-misconfiguration abuse, token manipulation, and scheduled-task hijacking.
Lateral movement and persistence
Lateral movement covers pass-the-hash, RDP and PSRemoting, WMI and DCOM, and file share enumeration.
Persistence covers registry run keys, scheduled tasks, WMI event subscriptions, and service creation.
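A purple team runs a persistence playbook to learn which of these techniques the existing detections actually catch. The following is an added example (not code from the original page): two detection rules over constructed Sysmon-style JSON lines, one for registry Run-key writes and one for scheduled-task creation pointing at a user-writable path, followed by a coverage check against the techniques the playbook run was expected to trigger. The event shapes, paths and task names are constructed sample data.

```python
import json
import re

# Constructed Sysmon-like JSONL: EventID 13 = registry value set, EventID 1 = process create.
SAMPLE_LOG = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /tn Sync /sc onlogon /tr C:\\Users\\alice\\sync.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\SOFTWARE\\Vendor\\Settings\\Theme", "Details": "dark"}
"""

# Run and RunOnce keys under any hive (HKLM or a user SID under HKU).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Locations an unprivileged user can normally write to.
USER_WRITABLE = re.compile(r"\\Users\\|\\ProgramData\\|\\Temp\\", re.I)


def parse_events(log_text):
    """Decode one JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect_persistence(events):
    """Return (ATT&CK technique id, summary) for each event that matches a rule."""
    hits = []
    for e in events:
        if e.get("EventID") == 13 and RUN_KEY.search(e.get("TargetObject", "")):
            hits.append(("T1547.001", f"Run key write: {e['TargetObject']} -> {e['Details']}"))
        elif e.get("EventID") == 1 and e.get("Image", "").lower().endswith("schtasks.exe"):
            cmd = e.get("CommandLine", "")
            if "/create" in cmd.lower() and USER_WRITABLE.search(cmd):
                hits.append(("T1053.005", f"Scheduled task from user-writable path: {cmd}"))
    return hits


def coverage(hits, expected_techniques):
    """Map each technique the playbook exercised to whether a detection fired."""
    seen = {technique for technique, _ in hits}
    return {t: (t in seen) for t in expected_techniques}


if __name__ == "__main__":
    found = detect_persistence(parse_events(SAMPLE_LOG))
    for technique, summary in found:
        print(technique, summary)
    # The playbook also ran a WMI event subscription (T1546.003); no rule covers it, so it shows as a gap.
    print(coverage(found, ["T1547.001", "T1053.005", "T1546.003"]))
```

The benign notepad launch and the vendor settings key produce no hits, while the uncovered WMI subscription technique shows up as `False`, which is the calibration signal a purple team exercise is meant to surface.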
Data exfiltration simulation
Staging and collection cover large file transfers, compression of sensitive data, and access to sensitive shares.
Exfiltration covers HTTPS uploads, DNS tunnelling, and cloud storage abuse.