Performs purple team exercises by coordinating red team adversary emulation with blue team detection validation using MITRE ATT&CK-mapped attack scenarios, real-time detection testing, and collaborative gap remediation. Use when SOC teams need to validate detection capabilities, improve analyst skills, and close detection gaps through structured offensive-defensive collaboration.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionperforming-purple-team-exerciseExecute the skills CLI command in your project's root directory to begin installation:
Fetches performing-purple-team-exercise from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-purple-team-exercise. Access via /performing-purple-team-exercise in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | performing-purple-team-exercise |
| description | 'Performs purple team exercises by coordinating red team adversary emulation with blue team detection validation using MITRE ATT&CK-mapped attack scenarios, real-time detection testing, and collaborative gap remediation. Use when SOC teams need to validate detection capabilities, improve analyst skills, and close detection gaps through structured offensive-defensive collaboration. ' |
| domain | cybersecurity |
| subdomain | soc-operations |
| tags | - soc - purple-team - red-team - blue-team - mitre-attack - adversary-emulation - detection-validation |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| d3fend_techniques | - File Metadata Consistency Validation - Application Protocol Command Analysis - Identifier Analysis - Content Format Conversion - Message Analysis |
| nist_csf | - DE.CM-01 - DE.AE-02 - RS.MA-01 - DE.AE-06 |
Use this skill when:
Do not use for unannounced red team engagements — purple team exercises require explicit coordination between offensive and defensive teams with real-time collaboration.
Document exercise parameters:
purple_team_exercise:
exercise_id: PT-2024-Q1
date: 2024-03-20
duration: 8 hours (09:00-17:00 UTC)
scope:
environment: Production (Finance VLAN, 10.0.5.0/24)
systems_in_scope:
- WORKSTATION-TEST01 (10.0.5.100) — Test endpoint
- DC-TEST (10.0.5.200) — Test domain controller
- FILESERVER-TEST (10.0.5.201) — Test file server
systems_excluded:
- All production domain controllers
- Customer-facing systems
objectives:
- Validate 15 detection rules mapped to FIN7 TTPs
- Test SOC analyst response to real attack indicators
- Identify detection gaps for credential access and lateral movement
- Measure detection latency for each technique
threat_scenario: FIN7 campaign targeting financial data via spearphishing
authorization: Approved by CISO, Change Request CR-2024-0567
communication: #purple-team-2024q1 Slack channel
Create technique-by-technique test matrix:
| # | ATT&CK ID | Technique | Test Tool | Expected Detection | Blue Team Metric |
|---|---|---|---|---|---|
| 1 | T1566.001 | Spearphishing Attachment | Manual email | Email gateway alert | Detection Y/N, latency |
| 2 | T1204.002 | User Execution | Macro document | Sysmon process creation | Detection Y/N, latency |
| 3 | T1059.001 | PowerShell | Atomic RT #1-3 | PowerShell execution alert | Detection Y/N, latency |
| 4 | T1053.005 | Scheduled Task | Atomic RT | Scheduled task creation alert | Detection Y/N, latency |
| 5 | T1547.001 | Registry Run Keys | Atomic RT | Registry modification alert | Detection Y/N, latency |
| 6 | T1003.001 | LSASS Memory | Mimikatz | Credential dumping alert | Detection Y/N, latency |
| 7 | T1550.002 | Pass-the-Hash | Mimikatz | NTLM anomaly detection | Detection Y/N, latency |
| 8 | T1021.002 | SMB/PsExec | PsExec | PsExec service creation alert | Detection Y/N, latency |
| 9 | T1047 | WMI | wmic /node | WMI remote execution alert | Detection Y/N, latency |
| 10 | T1021.001 | RDP | xfreerdp | RDP lateral movement alert | Detection Y/N, latency |
| 11 | T1071.001 | Web C2 | Cobalt Strike | C2 beacon detection | Detection Y/N, latency |
| 12 | T1041 | Exfiltration C2 | Rclone | Data exfiltration alert | Detection Y/N, latency |
| 13 | T1490 | Inhibit Recovery | vssadmin | Shadow copy deletion alert | Detection Y/N, latency |
| 14 | T1486 | Data Encrypted | Test encryption | Mass encryption detection | Detection Y/N, latency |
| 15 | T1070.001 | Clear Logs | wevtutil | Log clearing detection | Detection Y/N, latency |
Run each technique with Atomic Red Team (or manual execution):
# Install Atomic Red Team
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics
# Test 1: T1059.001 — PowerShell Execution
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] Executing T1059.001 - PowerShell"
Invoke-AtomicTest T1059.001 -TestNumbers 1
# Notify blue team: "T1059.001 executed at $(Get-Date)"
# Test 2: T1053.005 — Scheduled Task Creation
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] Executing T1053.005 - Scheduled Task"
Invoke-AtomicTest T1053.005 -TestNumbers 1
# Test 3: T1547.001 — Registry Run Key
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] Executing T1547.001 - Registry Persistence"
Invoke-AtomicTest T1547.001 -TestNumbers 1,2
# Test 4: T1003.001 — Credential Dumping
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] Executing T1003.001 - LSASS Access"
Invoke-AtomicTest T1003.001 -TestNumbers 1,2
# Test 5: T1490 — Shadow Copy Deletion
Write-Host "[$(Get-Date -Format 'HH:mm:ss')] Executing T1490 - Inhibit Recovery"
Invoke-AtomicTest T1490 -TestNumbers 1
# Cleanup after each test
Invoke-AtomicTest T1059.001 -TestNumbers 1 -Cleanup
Invoke-AtomicTest T1053.005 -TestNumbers 1 -Cleanup
Invoke-AtomicTest T1547.001 -TestNumbers 1,2 -Cleanup
Blue team monitors SIEM during execution:
--- Real-time purple team monitoring dashboard
index=notable earliest=-1h
| where Computer IN ("WORKSTATION-TEST01", "DC-TEST", "FILESERVER-TEST")
OR src IN ("10.0.5.100", "10.0.5.200", "10.0.5.201")
| eval detection_latency = _time - orig_time
| eval latency_seconds = round(detection_latency, 0)
| sort _time
| table _time, rule_name, urgency, src, dest, user, latency_seconds
--- Check specific technique detection
index=sysmon Computer="WORKSTATION-TEST01" earliest=-15m
(EventCode=1 OR EventCode=3 OR EventCode=10 OR EventCode=11 OR EventCode=13)
| sort _time
| table _time, EventCode, Image, CommandLine, TargetFilename, TargetObject
Record results in real-time:
exercise_results = {
"exercise_id": "PT-2024-Q1",
"results": [
{
"technique": "T1059.001",
"name": "PowerShell Execution",
"execution_time": "09:15:00",
"detected": True,
"alert_name": "Suspicious PowerShell Encoded Command",
"detection_time": "09:15:47",
"latency_seconds": 47,
"notes": "Detected via Sysmon EventCode 1 with encoded command pattern"
},
{
"technique": "T1003.001",
"name": "LSASS Memory Access",
"execution_time": "10:30:00",
"detected": False,
"alert_name": None,
"detection_time": None,
"latency_seconds": None,
"notes": "GAP: No detection rule for LSASS access. Sysmon EventCode 10 present but no correlation rule."
}
]
}
For each gap, the blue team builds detection rules immediately:
--- Gap: T1003.001 — No LSASS access detection
--- Build rule during exercise
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
GrantedAccess IN ("0x1010", "0x1038", "0x1fffff", "0x40")
NOT SourceImage IN ("*\\svchost.exe", "*\\csrss.exe", "*\\MsMpEng.exe")
| stats count by Computer, SourceImage, SourceUser, GrantedAccess
| where count > 0
After building, re-test:
Red Team: "Re-executing T1003.001 at 11:45"
Blue Team: "Confirmed — alert 'LSASS Memory Access Detected' fired at 11:45:32 (32s latency)"
Result: GAP CLOSED
def generate_purple_team_report(results):
total = len(results["results"])
detected = sum(1 for r in results["results"] if r["detected"])
gaps = sum(1 for r in results["results"] if not r["detected"])
avg_latency = sum(r["latency_seconds"] for r in results["results"]
if r["latency_seconds"]) / max(detected, 1)
report = f"""
PURPLE TEAM EXERCISE REPORT — {results['exercise_id']}
{'=' * 60}
SUMMARY:
Techniques Tested: {total}
Detected: {detected} ({detected/total*100:.0f}%)
Gaps Identified: {gaps} ({gaps/total*100:.0f}%)
Avg Detection Latency: {avg_latency:.0f} seconds
DETAILED RESULTS:
"""
for r in results["results"]:
status = "DETECTED" if r["detected"] else "GAP"
latency = f"{r['latency_seconds']}s" if r["latency_seconds"] else "N/A"
report += f" [{status}] {r['technique']} — {r['name']} (Latency: {latency})\n"
if not r["detected"]:
report += f" Action: {r['notes']}\n"
return report
| Term | Definition |
|---|---|
| Purple Team | Collaborative exercise where red (offensive) and blue (defensive) teams work together to validate and improve detection |
| Adversary Emulation | Structured simulation of specific threat actor TTPs for testing defensive capabilities |
| Detection Validation | Process of confirming that detection rules fire correctly when the targeted technique is executed |
| Detection Latency | Time between technique execution and SIEM alert generation — measured during purple team exercises |
| Gap Remediation | Immediate creation or tuning of detection rules for techniques that were not detected during testing |
| Atomic Red Team | Open-source library of small, focused tests for individual ATT&CK techniques |
PURPLE TEAM EXERCISE REPORT — PT-2024-Q1
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Date: 2024-03-20 (09:00-17:00 UTC)
Scenario: FIN7 Financial Sector Campaign
Scope: Finance VLAN (10.0.5.0/24)
RESULTS:
Techniques Tested: 15
Detected: 11 (73%)
Gaps Identified: 4 (27%)
Gaps Remediated Same Day: 3
Avg Detection Latency: 38 seconds
DETAILED RESULTS:
[PASS] T1566.001 Spearphishing Attachment — 12s latency
[PASS] T1204.002 User Execution (Macro) — 8s latency
[PASS] T1059.001 PowerShell Execution — 47s latency
[PASS] T1053.005 Scheduled Task — 23s latency
[PASS] T1547.001 Registry Run Keys — 31s latency
[FAIL] T1003.001 LSASS Memory Access — REMEDIATED during exercise
[FAIL] T1550.002 Pass-the-Hash — REMEDIATED during exercise
[PASS] T1021.002 PsExec — 15s latency
[PASS] T1047 WMI Remote Execution — 42s latency
[PASS] T1021.001 RDP Lateral Movement — 28s latency
[FAIL] T1071.001 Web C2 Beaconing — REMEDIATED during exercise
[PASS] T1041 Exfiltration over C2 — 67s latency
[PASS] T1490 Shadow Copy Deletion — 5s latency
[FAIL] T1486 Data Encryption for Impact — OPEN — requires endpoint telemetry
[PASS] T1070.001 Event Log Clearing — 11s latency
POST-EXERCISE COVERAGE: 93% (14/15) — up from 73% at start
REMAINING GAP: T1486 requires EDR file monitoring enhancement
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Useful defaults in performing-purple-team-exercise — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
I recommend performing-purple-team-exercise for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
performing-purple-team-exercise reduced setup friction for our internal harness; good balance of opinion and flexibility.
Registry listing for performing-purple-team-exercise matched our evaluation — installs cleanly and behaves as described in the markdown.
performing-purple-team-exercise reduced setup friction for our internal harness; good balance of opinion and flexibility.
Solid pick for teams standardizing on skills: performing-purple-team-exercise is focused, and the summary matches what you get after install.
Keeps context tight: performing-purple-team-exercise is the kind of skill you can hand to a new teammate without a long onboarding doc.
I recommend performing-purple-team-exercise for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
We added performing-purple-team-exercise from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Registry listing for performing-purple-team-exercise matched our evaluation — installs cleanly and behaves as described in the markdown.
showing 1-10 of 26