Purple team

Every attack, beside its detection

The role layers are two halves of one loop. dotfiles-Kali runs the attack; dotfiles-Defense ships the Sigma rule that catches it. The pairing itself is the source of truth: it lives in htpx as ATT&CK-tagged red↔blue entries, and this table is generated straight from them.

Each row is a technique you can execute on demand from Kali and confirm firing in Defense — the purple loop closed in a single line. Filter by platform, and follow a badge to its ATT&CK page. See the three-layer architecture → for how the layers fit together.

71 paired attack ↔ detection concepts
16 platforms & data sources
43 ATT&CK techniques
8 ATT&CK tactics

On-prem AD / Windows 24

Attack Detection ATT&CK
AD CS ESC1 (request a cert as admin via arbitrary SAN) Detect AD CS SAN abuse (4886 ESC1/relay) T1649
AS-REP roast (no-preauth accounts) Detect AS-REP / Kerbrute probing (4771 0x18) T1558.004
Coerce DC auth (PetitPotam / printerbug) Detect coercion (5145 named-pipe access) T1187
DCShadow (register a rogue DC, push directory changes) Detect DCShadow (rogue DC registration, 4742 GC SPN) T1207
DCSync — dump domain hashes via replication Detect DCSync / NTDS replication (4662) T1003.006
Device-code phishing (steal M365/Entra tokens) Detect device-code phishing (Entra sign-in, deviceCode flow) T1528
DPAPI domain backup key (decrypt any user's secrets) Detect DPAPI backup-key theft (protected_storage pipe, 5145) T1555
Golden Ticket (forge a TGT from the krbtgt hash) Detect Golden Ticket (4769 with no preceding 4768) T1558.001
GPP cpassword (decrypt the SYSVOL AES key) Detect GPP cpassword hunt (5145 SYSVOL Groups.xml read) T1552.006
Kerberoast SPNs (request + crack offline) Detect Kerberoasting (4769 RC4 TGS) T1558.003
NTDS.dit dump on the DC (ntdsutil / VSS, offline) Detect NTDS theft via ntdsutil/VSS (4688 + 8222) T1003.003
NTLM relay (ntlmrelayx → SMB, no signing) Detect NTLM relay (4624 workstation mismatch) T1557.001
Pass-the-hash lateral movement (SMB / WinRM / psexec) Detect lateral movement (4624 type-3 fan-out) T1550.002
Password spray (kerbrute, low & slow) Detect password spray (4625 one source, many accounts) T1110.003
RDP session hijack (tscon as SYSTEM) Detect RDP session hijack (4688 tscon) T1563.002
Remote LSASS dump (NetExec lsassy) Detect LSASS access (4656 dump-shaped handle) T1003.001
Resource-based constrained delegation (RBCD) Detect RBCD abuse (5136 msDS-AllowedToActOnBehalfOfOtherIdentity write) T1098
Scheduled-task persistence (schtasks /create) Detect scheduled-task persistence (4698 task created) T1053.005
SeImpersonate → SYSTEM (PrintSpoofer / GodPotato) Detect Potato privesc (service account → SYSTEM shell, 4688) T1134.001
Shadow Credentials (certipy shadow auto) Detect Shadow Credentials (5136 msDS-KeyCredentialLink write) T1556
Silver Ticket (forge a TGS from a service account hash) Detect Silver Ticket (Kerberos service logon with no 4769) T1558.002
Unconstrained delegation — capture a DC TGT Detect unconstrained-deleg abuse (DC machine-account auth to a non-DC, 4624) T1558
WMI event-subscription persistence (permanent consumer) Detect WMI subscription persistence (Sysmon 20 consumer) T1546.003
WMI remote exec (impacket-wmiexec, no service dropped) Detect WMI exec (4688 WmiPrvSE child process) T1047

Cloud IAM (Entra · AWS · GCP) 5

Attack Detection ATT&CK
AWS console takeover (Create/UpdateLoginProfile) Detect console takeover (CloudTrail Create/UpdateLoginProfile) T1098
AWS IAM access-key backdoor (CreateAccessKey on another user) Detect IAM access-key backdoor (CloudTrail CreateAccessKey) T1098.001
GCP service-account key creation (long-lived backdoor) Detect SA key creation (GCP audit, CreateServiceAccountKey) T1098.001
Illicit consent grant (malicious OAuth app) Detect illicit consent grant (Entra audit, Consent to application) T1528
Service-principal credential backdoor (add app secret) Detect SP credential backdoor (Entra audit, Add credentials) T1098.001

Okta 3

Attack Detection ATT&CK
Okta API token (long-lived tenant persistence) Detect API token creation (Okta System Log) T1098
Okta MFA reset → enroll attacker factor (account takeover) Detect MFA factor reset / deactivate (Okta System Log) T1556.006
Rogue IdP → federation backdoor (sign in as anyone) Detect IdP create / activate (Okta System Log) T1556

Google Workspace 3

Attack Detection ATT&CK
Google Workspace external mail forwarding (BEC exfil) Detect external mail forwarding (Google Workspace audit) T1114.003
Google Workspace malicious OAuth grant (consent phish) Detect illicit OAuth grant (Google Workspace token audit) T1528
Google Workspace super-admin grant (tenant persistence) Detect admin-role grant (Google Workspace admin audit) T1098.003

Kubernetes 3

Attack Detection ATT&CK
Bind to cluster-admin (RBAC privesc / persistence) Detect cluster-admin binding (K8s audit) T1098
kubectl exec into a running pod Detect pod exec / attach (K8s audit) T1609
Privileged pod → node escape (nsenter into PID 1) Detect privileged / host-namespace pod (K8s audit) T1610 T1611

GitHub Actions 3

Attack Detection ATT&CK
Deploy key / fine-grained PAT backdoor (durable repo access) Detect deploy-key / PAT credential backdoor (GitHub audit log) T1098
Disable/override branch protection (merge unreviewed code) Detect branch-protection tamper (GitHub audit log) T1562.001
Rogue self-hosted runner (capture jobs + secrets) Detect self-hosted runner registration (GitHub audit log) T1543

GitLab CI/CD 3

Attack Detection ATT&CK
Attach a rogue GitLab Runner (capture CI jobs + secrets) Detect rogue runner association (GitLab audit events) T1543
Project/deploy token backdoor (durable GitLab access) Detect access/deploy token backdoor (GitLab audit events) T1098
Remove protected-branch rules (merge unreviewed code) Detect protected-branch tamper (GitLab audit events) T1562.001

Jenkins 3

Attack Detection ATT&CK
Jenkins job/pipeline backdoor (run code on controller + agents) Detect job create/reconfigure (Jenkins audit log) T1072
Jenkins Script Console RCE (controller code exec + cred dump) Detect Script Console use (Jenkins audit log) T1059
Jenkins user API token (durable non-interactive access) Detect API token creation (Jenkins audit log) T1098

Harbor registry 3

Attack Detection ATT&CK
Backdoored image over a trusted tag (poison the registry) Detect image push over a trusted tag (Harbor audit log) T1525
Delete the trusted artifact (force re-pull + anti-forensics) Detect artifact deletion (Harbor audit log) T1070
Harbor robot account (durable registry credential) Detect robot-account creation (Harbor audit log) T1098

HashiCorp Vault 3

Attack Detection ATT&CK
Bulk KV secret read (exfil the vault) Detect bulk secret read (Vault audit log) T1555
Disable the Vault audit device (blind the SIEM) Detect audit-device disable (Vault audit log) T1562.001
Rogue AppRole (durable machine auth to Vault) Detect rogue AppRole / auth backdoor (Vault audit log) T1098

Terraform Cloud 3

Attack Detection ATT&CK
Rogue Terraform Cloud agent (capture runs + cloud creds) Detect rogue agent pool (Terraform Cloud audit trail) T1543
Terraform Cloud org/team token backdoor (durable API access) Detect org/team token creation (Terraform Cloud audit trail) T1098
Terraform Cloud variable injection (run code / exfil at apply) Detect workspace variable injection (Terraform Cloud audit trail) T1072

Snowflake 3

Attack Detection ATT&CK
Snowflake backdoor user + ACCOUNTADMIN grant Detect user creation / ACCOUNTADMIN grant (Snowflake QUERY_HISTORY) T1136.003
Snowflake data exfil via COPY INTO external stage Detect COPY INTO external unload (Snowflake QUERY_HISTORY) T1567.002
Snowflake network-policy tamper (open the IP allowlist) Detect network-policy change (Snowflake QUERY_HISTORY) T1562.007

Cloudflare edge 3

Attack Detection ATT&CK
Cloudflare API token backdoor (durable account access) Detect API token creation (Cloudflare audit log) T1098
Cloudflare WAF/firewall rule disable (open the edge) Detect WAF/firewall rule disable (Cloudflare audit log) T1562.001
Cloudflare Worker deploy (serverless edge code exec) Detect Worker deploy (Cloudflare audit log) T1648

npm registry 3

Attack Detection ATT&CK
npm malicious package publish (supply-chain implant) Detect package publish (npm audit log) T1195.002
npm publish-2FA disable (open the publish path) Detect publish-2FA disable (npm audit log) T1562.001
npm rogue maintainer add (durable publish rights) Detect maintainer add (npm audit log) T1098

PyPI registry 3

Attack Detection ATT&CK
PyPI malicious release upload (supply-chain implant) Detect token release upload (PyPI journal) T1195.002
PyPI rogue collaborator add (durable publish rights) Detect collaborator add (PyPI journal) T1098
PyPI rogue trusted publisher (credential-less publish backdoor) Detect trusted publisher add (PyPI journal) T1098

Slack 3

Attack Detection ATT&CK
Slack 2FA enforcement disable (weaken workspace auth) Detect 2FA enforcement disable (Slack audit log) T1562.001
Slack Connect external share (channel exfil) Detect external shared channel (Slack audit log) T1567
Slack malicious app install (durable data access) Detect app install (Slack audit log) T1098

What the blue side actually detects

The other half of the loop: the Sigma rules dotfiles-Defense ships, rolled up across the ATT&CK matrix. Every rule is drift-gated in CI and generates its own ATT&CK Navigator layer plus a COVERAGE.md report — this is that same roll-up, live.

65 Sigma detection rules
41 ATT&CK techniques
9 ATT&CK tactics
21 logsources

By ATT&CK tactic

Execution TA0002 10 /8t
Persistence TA0003 29 /11t
Privilege Escalation TA0004 6 /6t
Defense Evasion TA0005 10 /6t
Credential Access TA0006 12 /11t
Discovery TA0007 1 /2t
Lateral Movement TA0008 5 /4t
Collection TA0009 1 /1t
Exfiltration TA0010 2 /2t

Each bar is rules per tactic; the trailing /Nt is the distinct techniques covered. A rule spanning two tactics counts in both.

By logsource

cloud aws, azure, gcp 5
cloudflare cloudflare 3
credential_access windows 7
defense_evasion windows 1
discovery windows 1
github github 3
gitlab gitlab 3
google_workspace google_workspace 3
jenkins jenkins 3
kubernetes kubernetes 3
lateral_movement windows 3
npm npm 3
okta okta 3
persistence windows 2
privilege_escalation windows 4
pypi pypi 3
registry harbor 3
slack slack 3
snowflake snowflake 3
terraform terraform 3
vault vault 3

Techniques detected 41

The corpus is generated from the htpx entries/ by scripts/collect-corpus.mjs, and the coverage roll-up is generated from the dotfiles-Defense Sigma rules by scripts/collect-coverage.mjs (mirroring that repo's drift-gated gen-coverage.sh). Neither is hand-typed.