What is a purple team lab?
A purple team lab is a heavily audited, well-monitored Windows environment whose logs are centralised in an Elastic stack. It lets the maintainer run offensive tools, catch the resulting executions in the telemetry, and hone detection skills against that Elastic install.
Extensive instructions and optional lab prerequisites can be found here: https://github.com/DefensiveOrigins/APT06202001
Build your own Purple Team lab in 4 hours (or less!)
- Implement Sysmon with the modular configuration
- Configure and launch meaningful audit policies
- Deploy the WEF / WEC model of event collection
- Install Winlogbeat to push logs to….
- The Hunting ELK (HELK) Docker-based Elastic install
- Catch some basic command line activity (process creation events with full command lines)
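The steps above, wired together as one PowerShell script. This is an added example written for this page, not code from the Defensive Origins lab or the linked repository. It assumes a lab domain `lab.local` with a collector `wec.lab.local` and a HELK host `helk.lab.local`, that the modular configuration is the default build from olafhartong's sysmon-modular repository (the raw URL below is an assumption), that HELK is listening for Winlogbeat on its Kafka port 9092 (also an assumption), and that Sysmon64.exe and the Winlogbeat release are already unpacked at the paths shown. In a real lab most of the registry and audit settings would be pushed by GPO rather than set per host; the script sets them locally so each step is visible.

```powershell
# Added example written for this page, not code from the Defensive Origins lab repo.
# Assumes a lab domain "lab.local", a collector "wec.lab.local" and a HELK host
# "helk.lab.local"; every hostname, path and URL is a placeholder to adjust.
#Requires -RunAsAdministrator
$SysmonDir = 'C:\Tools\Sysmon'                     # Sysmon64.exe already unpacked here (assumed)
$ConfigUrl = 'https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml'  # sysmon-modular default build (assumed URL)
$WecServer = 'http://wec.lab.local:5985/wsman/SubscriptionManager/WEC'
$HelkKafka = 'helk.lab.local:9092'                 # HELK's Kafka listener (assumed)

# 1. Sysmon with the modular configuration (run on every source host)
function Install-LabSysmon {
    New-Item -ItemType Directory -Path $SysmonDir -Force | Out-Null
    Invoke-WebRequest -Uri $ConfigUrl -OutFile "$SysmonDir\sysmonconfig.xml"
    & "$SysmonDir\Sysmon64.exe" -accepteula -i "$SysmonDir\sysmonconfig.xml"
    # make sure the forwarder (NETWORK SERVICE, S-1-5-20) can read the Sysmon channel
    wevtutil sl Microsoft-Windows-Sysmon/Operational "/ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-20)"
}

# 2. Audit policies that put full command lines into the Security log
function Enable-LabAuditPolicy {
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable
    # 4688 only carries the command line when this value is set
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
    # PowerShell script block logging (event 4104) catches encoded one-liners
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# 3a. WEF client side: point the source host at the collector (source-initiated)
function Enable-LabEventForwarding {
    winrm quickconfig -q
    $sm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    New-Item -Path $sm -Force | Out-Null
    Set-ItemProperty -Path $sm -Name '1' -Value "Server=$WecServer,Refresh=60" -Type String
    # the forwarding service runs as NETWORK SERVICE and needs to read the Security log
    Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE' -ErrorAction SilentlyContinue
    gpupdate /force
}

# 3b. WEC server side: the subscription that lands events in ForwardedEvents
function Register-LabWecSubscription {
    wecutil qc /q
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>LabSysmonAndSecurity</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0"><Select Path="Microsoft-Windows-Sysmon/Operational">*</Select></Query>
      <Query Id="1"><Select Path="Security">*[System[(EventID=4688 or EventID=4624 or EventID=4625)]]</Select></Query>
      <Query Id="2"><Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4104)]]</Select></Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@
    Set-Content -Path "$env:TEMP\lab-subscription.xml" -Value $xml
    wecutil cs "$env:TEMP\lab-subscription.xml"
}

# 4. Winlogbeat on the collector, shipping ForwardedEvents to HELK
function Install-LabWinlogbeat {
    $wlb = 'C:\Program Files\Winlogbeat'           # unpacked Winlogbeat release (assumed path)
    @"
winlogbeat.event_logs:
  - name: ForwardedEvents
    forwarded: true
output.kafka:
  hosts: ["$HelkKafka"]
  topic: "winlogbeat"
"@ | Set-Content -Path "$wlb\winlogbeat.yml"
    & "$wlb\install-service-winlogbeat.ps1"
    Start-Service winlogbeat
}

# 5. Catch basic command line activity straight from ForwardedEvents (same data HELK receives)
function Find-LabCommandLine {
    param([string[]]$Pattern = @('whoami', 'net user', 'net group', 'nltest', ' -enc', 'mimikatz'))
    Get-WinEvent -FilterHashtable @{ LogName='ForwardedEvents'; ProviderName='Microsoft-Windows-Sysmon'; Id=1 } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = @{}   # Sysmon EventData as name -> value, so fields are looked up by name, not index
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($Pattern | Where-Object { $d.CommandLine -like "*$_*" }) {
            [pscustomobject]@{ Time=$_.TimeCreated; Host=$_.MachineName; User=$d.User; Parent=$d.ParentImage; CommandLine=$d.CommandLine }
        }
      }
}

# Source hosts: Install-LabSysmon; Enable-LabAuditPolicy; Enable-LabEventForwarding
# Collector:    Register-LabWecSubscription; Install-LabWinlogbeat; then Find-LabCommandLine | Format-Table -AutoSize
```

`Find-LabCommandLine` is a quick sanity check on the collector that Sysmon process-creation events with command lines are actually arriving in ForwardedEvents before you start hunting in HELK; once Winlogbeat is shipping, the same events appear in Kibana. The subscription pulls all Sysmon events but only a handful of Security and PowerShell event IDs, which keeps the first build readable; widen the XPath filters once the pipeline is proven.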