iknowjason / PurpleCloud

A little tool to play with Azure Identity - Azure Active Directory lab creation tool
https://www.purplecloud.network
MIT License
492 stars 85 forks

PurpleSharp is not available inside the tools directory #31

Open RahulIngenious opened 4 months ago

RahulIngenious commented 4 months ago

Hi @iknowjason ,

As per the lab (Microsoft Sentinel lab with AD, deployed with terraform. Adds logging best practices with Sysmon.) demonstration, the PurpleSharp tool is supposed to be available in the tools directory of the host. However, when I ran the query or checked it manually I couldn't find any. Could you please look into this?

Also, I would like to know: once this issue is resolved, after running this PurpleSharp adversary emulation tool, would I be able to see the alerts in Defender for Endpoint for the same? PS: I have installed Defender for Endpoint on both hosts.

[image: PurpleSharp]

iknowjason commented 4 months ago

Hi @RahulIngenious

Yes, I will look into this and help get it resolved for you. It might be that the PurpleSharp download link has changed. I will verify.

What do you mean by "as per the lab (Microsoft Sentinel lab with AD, deployed with terraform)"? Do you mean the generator python script that creates this lab scenario? Or something outside of the PurpleCloud tool?

Jason

RahulIngenious commented 4 months ago

@iknowjason - Yes, the generator python script that creates this lab scenario

iknowjason commented 4 months ago

@RahulIngenious

I just tested on a new lab and PurpleSharp downloads. In your case it could have been any kind of issue, like a temporary networking issue. I'm attaching three images of what you can check on your end.

Why don't you just download PurpleSharp onto your system, since it apparently didn't download? The bootstrap script shows the command. I will copy and paste it here. Open up a PowerShell admin session and type this:

Invoke-WebRequest -Uri "https://github.com/mvelazc0/PurpleSharp/releases/download/v1.3/PurpleSharp_x64.exe" -OutFile "C:\tools\PurpleSharp.exe"

iknowjason commented 4 months ago

Take a look at the user_data logfile and see what you see here. It should show something like this. It might give a clue as to why it didn't work for you.

[image: pc1]

This is what it looks like on my end, PurpleSharp automatically downloaded.

[image: pc2]

If it didn't download, just run that PowerShell in the comment above and it will download.

[image: pc3]

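
The two comments above (re-running the download command, and checking the user_data logfile for a clue) can be combined into one re-runnable step. The script below is an added example, not part of the PurpleCloud bootstrap script or PurpleSharp itself: it re-creates the tools directory if needed, skips the download when the binary is already there, records success or the exact failure message to a log, and records the SHA256 of what was downloaded. The tools directory C:\tools and the release URL come from the command in the thread; the log path C:\tools\purplesharp_download.log, the Write-Log helper and the expected-hash placeholder are assumptions for this example. Run it from an elevated PowerShell session on the lab host.

```powershell
# Added example (not the PurpleCloud bootstrap script's own code): idempotent
# re-run of the PurpleSharp download step with logging and an optional
# SHA256 check. Assumed values: the log path below and the placeholder hash.

$ToolsDir    = 'C:\tools'
$Destination = Join-Path $ToolsDir 'PurpleSharp.exe'
$Uri         = 'https://github.com/mvelazc0/PurpleSharp/releases/download/v1.3/PurpleSharp_x64.exe'
$LogFile     = Join-Path $ToolsDir 'purplesharp_download.log'   # assumed path
# Placeholder: replace with the SHA256 published for the release you pin.
$ExpectedSha256 = 'REPLACE_WITH_PUBLISHED_SHA256'

# Small helper (assumed, not from the bootstrap): append a timestamped line
# to the log and echo it, so a failed run leaves the reason behind.
function Write-Log {
    param([string]$Message)
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# 1. Make sure the tools directory exists (the bootstrap normally creates it).
if (-not (Test-Path $ToolsDir)) {
    New-Item -ItemType Directory -Path $ToolsDir | Out-Null
}

# 2. Skip the download if the binary is already present.
if (Test-Path $Destination) {
    Write-Log "PurpleSharp already present at $Destination"
} else {
    # Older Windows images may default to TLS 1.0/1.1, which GitHub rejects;
    # forcing TLS 1.2 rules out one possible cause of a silent user_data failure.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    try {
        Invoke-WebRequest -Uri $Uri -OutFile $Destination -UseBasicParsing -ErrorAction Stop
        Write-Log "Downloaded $Uri to $Destination"
    } catch {
        # The exception text is what you want to compare against the user_data log.
        Write-Log "Download failed: $($_.Exception.Message)"
        exit 1
    }
}

# 3. Record (and, if an expected hash is set, verify) what is on disk before
#    running it in the lab.
$actual = (Get-FileHash -Path $Destination -Algorithm SHA256).Hash
if ($ExpectedSha256 -ne 'REPLACE_WITH_PUBLISHED_SHA256') {
    if ($actual -ieq $ExpectedSha256) {
        Write-Log "SHA256 verified: $actual"
    } else {
        Write-Log "SHA256 MISMATCH: expected $ExpectedSha256, got $actual"
        exit 1
    }
} else {
    Write-Log "SHA256 (no expected hash set, not verified): $actual"
}
```

If the download still fails, the "Download failed:" line in the log carries the underlying exception (DNS, proxy, TLS, or HTTP status), which is the same detail the user_data logfile should show for the original bootstrap run.
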
iknowjason commented 4 months ago

@RahulIngenious

After you run PurpleSharp it should be able to generate alerts. As for Windows Defender endpoint, I can't troubleshoot your system on that.