This repository contains a Purple Team simulation framework developed as part of a continuous cybersecurity learning practice. The core objective is to deeply understand Windows persistence mechanisms and the corresponding defensive strategies employed by modern Endpoint Detection and Response (EDR) solutions.
By engineering both the offensive component (Red Team) and the defensive scanner (Blue Team), this project demonstrates how attackers leverage Living-off-the-Land (LotL) techniques to evade static analysis, and how defenders must pivot to behavioral heuristics to secure enterprise environments.
| Technique ID | Name |
|---|---|
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| T1053.005 | Scheduled Task/Job |
| T1543.003 | Create or Modify System Process: Windows Service |
| T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| T1546.012 | Event Triggered Execution: Image File Execution Options Injection |
| T1027 | Obfuscated Files or Information |
The defensive script operates as an automated, behavioral EDR scanner designed for enterprise environments.
- Behavioral Heuristics Engine — Rather than relying on static string blacklists (which are trivially bypassed), the engine evaluates process command lines and persistence entries for obfuscation patterns such as ASCII array casting and stealth window flags, as well as abnormal API usage indicative of malicious intent.
- Comprehensive Persistence Surface Scanning — Audits all core persistence locations (Registry, Scheduled Tasks, Services, Startup Folder) alongside advanced APT vectors including WMI Event Subscriptions, BITS Jobs, and IFEO Debugger hijacks.
- SIEM Integration & Privacy Compliance — Generates structured, GDPR-compliant JSON telemetry for seamless ingestion into enterprise SIEM platforms, with automatic redaction of sensitive user data.
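As an added illustration of the persistence-surface sweep and the redacted JSON telemetry described above (this is example code written for this README, not the project's own Blue Team scanner), the script below walks the locations the list names and emits one record per entry. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run elevated so that HKLM, services, WMI subscriptions and all-user BITS jobs are visible; the `Hide-UserData`, `Get-PersistenceEntries` and `Add-Entry` names and the `Source` labels are this example's own.

```powershell
# Added example (not the project's own Blue Team scanner): enumerate the
# persistence locations listed above and emit redacted JSON for a SIEM.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run elevated so
# that HKLM, services, WMI subscriptions and all-user BITS jobs are visible.

function Hide-UserData {
    # Replace the account name in any user-profile path (C:\Users\<name>\...)
    param([string]$Text)
    return ($Text -replace '(?i)(\\Users\\)[^\\\s"'']+', '$1[REDACTED]')
}

function Get-PersistenceEntries {
    $entries = New-Object 'System.Collections.Generic.List[object]'

    function Add-Entry([string]$Source, [string]$Name, [string]$Command) {
        if ([string]::IsNullOrWhiteSpace($Command)) { return }
        $entries.Add([pscustomobject]@{
            Source    = $Source
            Name      = Hide-UserData $Name
            Command   = Hide-UserData $Command
            Collected = [DateTime]::UtcNow.ToString('o')
        })
    }

    # T1547.001: Run / RunOnce keys for the machine and the current user
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
            if ($p.Name -notlike 'PS*') { Add-Entry 'RegistryRun' "$key\$($p.Name)" $p.Value }
        }
    }

    # T1547.001: per-user and all-users Startup folders
    $startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                   "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Entry 'StartupFolder' $_.Name $_.FullName }
    }

    # T1053.005: every action of every scheduled task
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) { Add-Entry 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)" }
        }
    }

    # T1543.003: service binary paths
    Get-CimInstance -ClassName Win32_Service | ForEach-Object { Add-Entry 'Service' $_.Name $_.PathName }

    # T1546.003: WMI permanent event consumers that run commands or scripts
    Get-CimInstance -Namespace 'root\subscription' -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Entry 'WmiSubscription' $_.Name $_.CommandLineTemplate }
    Get-CimInstance -Namespace 'root\subscription' -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Entry 'WmiSubscription' $_.Name "$($_.ScriptFileName) $($_.ScriptText)" }

    # T1546.012: an IFEO Debugger value redirects the launch of the named image
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Add-Entry 'IfeoDebugger' $_.PSChildName $dbg }
    }

    # BITS jobs: the notification command line runs when the transfer completes
    Import-Module BitsTransfer -ErrorAction SilentlyContinue
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Entry 'BitsJob' $_.DisplayName "$($_.NotifyCmdLine)" }

    return $entries.ToArray()
}

# Usage: one JSON array, ready for a SIEM collector to ingest
ConvertTo-Json -InputObject @(Get-PersistenceEntries) -Depth 3
```

Every `Name` and `Command` field passes through `Hide-UserData` before it is serialized, so a Startup-folder path such as `C:\Users\alice\...` reaches the SIEM as `C:\Users\[REDACTED]\...`; the redaction is deliberately applied at collection time rather than left to the SIEM pipeline.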
The Red Team script completely abandons traditional disk-based script drops and cleartext commands in order to defeat the Blue Team scanner.
- Mathematical Obfuscation — The payload relies on decimal ASCII byte arrays (e.g., `[char[]]`) rather than string literals, rendering it invisible to regex-based static analysis engines.
- Fileless Execution — The persistence mechanism is contained entirely within memory-injected command-line arguments. No `.ps1` or `.vbs` helper files are written to disk.
- Kernel-Level File Locking — To defeat dynamic remediation, the payload uses native .NET classes (`[System.IO.File]::Open`) to apply a `FileShare.Read` lock at the operating-system level after dropping the artifact. When an EDR attempts to delete the payload, the Windows OS blocks the action with an access-denied sharing violation, ensuring payload survival.
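From the defender's side, the indicators named in the Blue Team and Red Team sections (char-array casting, long numeric byte runs, hidden window flags, encoded commands, `Invoke-Expression`, and a share-mode `[System.IO.File]::Open`) can be turned into a weighted scorer. The block below is an added example written for this README, not the project's own heuristics engine; the indicator set, its weights, the verdict thresholds, the `Get-CommandLineVerdict` name and the three sample command lines are all constructed here for illustration.

```powershell
# Added example (not the project's own scanner): score a command line or
# persistence entry against the behavioral indicators the README describes.
# The indicator set, its weights, the thresholds and the sample command lines
# are constructed here for illustration.

$script:Indicators = @(
    [pscustomobject]@{ Name = 'CharArrayCast';     Weight = 4; Pattern = '(?i)\[char(\[\])?\]\s*\(?\s*\d{1,3}\b' }
    [pscustomobject]@{ Name = 'NumericByteRun';    Weight = 3; Pattern = '(\d{1,3}\s*,\s*){8,}\d{1,3}' }
    [pscustomobject]@{ Name = 'HiddenWindow';      Weight = 2; Pattern = '(?i)-w(indowstyle)?\s+h(idden)?\b' }
    [pscustomobject]@{ Name = 'EncodedCommand';    Weight = 3; Pattern = '(?i)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}' }
    [pscustomobject]@{ Name = 'InvokeExpression';  Weight = 2; Pattern = '(?i)\b(iex|invoke-expression)\b' }
    [pscustomobject]@{ Name = 'FileOpenShareLock'; Weight = 3; Pattern = '(?i)System\.IO\.File\]::Open\b.*FileShare(\.|\]::)(Read|None)\b' }
)

function Get-CommandLineVerdict {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Every indicator that fires contributes its weight; no single string is decisive
    $hits  = @($script:Indicators | Where-Object { $CommandLine -match $_.Pattern })
    $score = 0
    foreach ($h in $hits) { $score += $h.Weight }

    $verdict = if ($score -ge 6) { 'Malicious' } elseif ($score -ge 3) { 'Suspicious' } else { 'Benign' }

    # Telemetry record: account names in profile paths are redacted before export
    [pscustomobject]@{
        Timestamp   = [DateTime]::UtcNow.ToString('o')
        CommandLine = $CommandLine -replace '(?i)(\\Users\\)[^\\\s"'']+', '$1[REDACTED]'
        Indicators  = ($hits | ForEach-Object { $_.Name }) -join ','
        Score       = $score
        Verdict     = $verdict
    }
}

# Constructed samples: a legitimate updater, a hidden-window PowerShell launch
# that rebuilds a harmless string from a byte array, and a share-mode file open
$samples = @(
    'C:\Program Files\Vendor\Updater.exe --check-updates',
    'powershell.exe -NoP -W Hidden -c "iex ([string][char[]](72,101,108,108,111,32,119,111,114,108,100))"',
    'powershell.exe -c "[System.IO.File]::Open(''C:\Users\alice\note.txt'',''Open'',''Read'',[System.IO.FileShare]::Read)"'
)
$samples | ForEach-Object { Get-CommandLineVerdict -CommandLine $_ } | ConvertTo-Json
```

Run as written, the first sample scores 0 (Benign), the second fires CharArrayCast, NumericByteRun, HiddenWindow and InvokeExpression for a score of 11 (Malicious), and the third fires only FileOpenShareLock for a score of 3 (Suspicious). The point of the weighting is that no individual pattern is a blacklist entry: a single `-WindowStyle Hidden` in a legitimate scheduled task stays below the Suspicious threshold, while the combination of indicators the Phase 3 payload needs pushes the score well past it.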
This project evolved through a simulated adversarial cycle between offense and defense:
- Phase 1 — Basic Persistence: Red Team utilized standard Registry Run keys and plain `.ps1` files. Blue Team detected these trivially by scanning for `.ps1` extensions and known IOC strings.
- Phase 2 — Obfuscation vs. Watchdog: Red Team pivoted to string concatenation and encoding to obscure payloads. Blue Team adapted by deploying an active Watchdog loop that deleted the final payload artifact on drop, regardless of how it was generated.
- Phase 3 — Behavioral Hunt vs. Kernel Lock: Blue Team upgraded to behavioral heuristics to catch obfuscation patterns. In response, Red Team developed the v6 architecture: ASCII byte arrays to bypass heuristic scanning, combined with OS-level kernel file locking to permanently block EDR remediation.
This project was developed strictly for academic research and defensive engineering validation. All code is intended exclusively for authorized Purple Team simulations, EDR testing, and educational purposes within isolated lab environments. Unauthorized use against systems you do not own or have explicit permission to test is illegal and unethical.