The Active Directory Purple Team Playbook
After obtaining an initial foothold, adversaries will most likely target or abuse Active Directory across the attack lifecycle to achieve operational success. It is essential for Blue Teams to design and deploy proper visibility and detection strategies for AD-based attacks, and executing Adversary Simulation/Purple Team exercises can help. This talk will introduce the Active Directory Purple Team Playbook, a library of documented playbooks that describe how to simulate different adversary techniques targeting Active Directory. The playbooks can help blue teams measure detection coverage and identify enhancement opportunities. After this talk, attendees will be able to run purple team exercises against development or production Active Directory environments using open source tools.

Presenter: Mauricio Velazco, Threat Research, Splunk
Follow: / mvelazco
View upcoming Summits: http://www.sans.org/u/DuS
Download the presentation slides (SANS account required) at http://www.sans.org/u/195g


