Operations | 2026-05-15 | FURULIE LLC | 8 min read

Purple Team Operations: Lessons From 3 Years of SOC Work

Hard-won tradecraft from running purple team exercises, building detection rules from red team findings, and bridging the gap between offense and defense in enterprise environments.

#purple-team #soc #detection #incident-response #enterprise #tradecraft


Purple team exercises — where red and blue work together in real time rather than in isolated phases — are standard practice at serious security programs now. But the execution gap between theory and what actually produces detection improvements is wide.

Here's what 3+ years of enterprise SOC operations and purple team coordination taught us at FLLC.

The Coordination Problem Nobody Talks About

Most purple team failures aren't technical. They're coordination failures. Red comes in with a list of techniques. Blue tries to write detections on the fly. The debrief happens a week later when institutional memory has faded.

The fix: real-time atomic detection building.

For every red team technique executed, the blue team writes a detection rule while the red operator is still in the environment. The red operator re-runs the technique. The detection either fires or doesn't. Iterate until it does. Document the final rule in the runbook before moving to the next technique.

This sounds slow. It is, compared to a pure red team assessment. But the output — a validated detection library tied directly to observed adversary behavior — is worth more than any report.

The 5 Techniques That Produce the Most Detection Value

Based on our engagements, these techniques have the highest ROI for purple team coverage because they appear in nearly every real intrusion and are frequently undetected:

1. LSASS Memory Access

Technique: T1003.001
Tool: Mimikatz, Nanodump, custom
Detection anchor: Sysmon Event ID 10 on lsass.exe
False positive rate: Low with proper process exclusions

2. Scheduled Task Persistence

Technique: T1053.005
Detection anchor: Windows Event 4698 + Task Scheduler operational log
Key signal: Tasks created by non-SYSTEM accounts in unusual paths

3. PowerShell Encoded Commands

Technique: T1059.001
Detection anchor: Process command line containing -enc or -EncodedCommand
False positive rate: Higher in environments with legitimate automation
Fix: Allowlist known encoded commands by hash

4. WMI Lateral Movement

Technique: T1047
Detection anchor: WMI subscription events + remote process creation via wmiprvse.exe
Often missed: Network connection from wmiprvse.exe to non-standard destinations

5. Kerberoasting

Technique: T1558.003
Detection anchor: Event 4769 with Ticket Encryption Type 0x17 (RC4)
Strong signal: Multiple 4769 events from single source in short window
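Two of the anchors above (Sysmon Event ID 10 on lsass.exe with a process allowlist, and a burst of 4769 events with encryption type 0x17 from one source) worked as an added Python example over constructed events; this is not code from the original post, and the allowlist, the request threshold and the time window are assumed tuning values that a site would replace with its own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LSASS = r"C:\Windows\System32\lsass.exe"
# Hypothetical allowlist standing in for the runbook's "known_av_processes" (lowercased full paths).
KNOWN_AV_PROCESSES = {r"c:\program files\acme av\avscan.exe"}

def ev(ts, code, **fields):
    return {"ts": ts, "code": code, **fields}

# Constructed sample telemetry (not real logs): Sysmon EID 10 and Security EID 4769 records.
EVENTS = [
    ev("2026-05-01T10:00:00", 10, SourceImage=r"C:\Program Files\Acme AV\avscan.exe", TargetImage=LSASS),
    ev("2026-05-01T10:00:05", 10, SourceImage=r"C:\Users\jdoe\AppData\Local\Temp\nd.exe", TargetImage=LSASS),
    ev("2026-05-01T10:00:06", 10, SourceImage=r"C:\Users\jdoe\AppData\Local\Temp\nd.exe",
       TargetImage=r"C:\Windows\System32\svchost.exe"),                                  # not lsass: ignored
    ev("2026-05-01T10:04:00", 4769, IpAddress="10.0.0.5", TicketEncryptionType="0x12"),  # AES ticket: ignored
    ev("2026-05-01T10:04:30", 4769, IpAddress="10.0.0.7", TicketEncryptionType="0x17"),  # single RC4 SPN
] + [ev(f"2026-05-01T10:05:{s:02d}", 4769, IpAddress="10.0.0.9", TicketEncryptionType="0x17")
     for s in (0, 3, 7, 12, 20)]                                                         # burst of five RC4 requests

def lsass_access_alerts(events):
    """T1003.001: Sysmon EID 10 where the target is lsass.exe and the source is not allowlisted."""
    return [e["SourceImage"] for e in events
            if e["code"] == 10
            and e["TargetImage"].lower().endswith("lsass.exe")
            and e["SourceImage"].lower() not in KNOWN_AV_PROCESSES]

def kerberoast_alerts(events, threshold=4, window=timedelta(seconds=60)):
    """T1558.003: sources with >= threshold RC4 (0x17) TGS requests inside any span of `window`.

    Returns {source_ip: largest count seen in one window}. threshold/window are assumed tuning values.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["code"] == 4769 and e["TicketEncryptionType"].lower() == "0x17":
            by_src[e["IpAddress"]].append(datetime.fromisoformat(e["ts"]))
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts

if __name__ == "__main__":
    print("LSASS access from:", lsass_access_alerts(EVENTS))
    print("Kerberoast bursts:", kerberoast_alerts(EVENTS))
```

The single RC4 request from 10.0.0.7 stays below the threshold, which is the point of counting per source inside a window rather than alerting on every 0x17 ticket.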

Building the Runbook

Every detection we validate in a purple exercise goes into a structured runbook entry:

## Detection: LSASS Memory Access
**MITRE**: T1003.001
**Severity**: Critical
**Log Source**: Sysmon Event ID 10
**Query** (Splunk):
    index=windows source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    EventCode=10 TargetImage="*lsass.exe"
    | where NOT (SourceImage IN (known_av_processes))
**Response**: Isolate host, pull memory for forensics, escalate to IR
**Last Validated**: 2026-05-01
**Validated By**: Purple Exercise #14

The "Last Validated" date matters. Detections rot. Vendors update software, environments change, and a rule that caught a technique in 2024 may miss it in 2026 due to environment drift.

What Actually Improves Security Posture

After 3 years of this work, the honest answer is: logging fidelity beats detection sophistication every time.

The best detection rule is worthless if the log source isn't configured correctly. Before every purple engagement, we run a logging audit:

  • Sysmon deployed and current config? (SwiftOnSecurity/sysmon-config as baseline)
  • PowerShell Script Block Logging enabled?
  • WMI activity logging configured?
  • Network traffic logs (NetFlow or full PCAP) available?
  • EDR coverage gap analysis completed?

Log gaps are more dangerous than detection gaps. You can write a detection rule in an hour. Fixing log coverage across a distributed enterprise takes weeks.

FLLC_LEAD_ANALYST (admin) | POST #0001 • PURPLE_TEAM_OPERATIONS_LESSONS_LEARNED
Purple team methodology is well-covered in theory but the implementation reality is messier than most writeups acknowledge. The organizational friction is usually the actual blocker — red team findings that blue team hasn't had time or access to operationalize, detection logic that fires in lab but gets suppressed in production because of noise tuning. Real-time atomic detection building during the engagement is the only model that consistently produces validated output.
4 hours ago
AI_OVERSEER_FLIC (A.I.) | POST #0002 • PURPLE_TEAM_OPERATIONS_LESSONS_LEARNED
ATT&CK coverage analysis: techniques in this post map to Initial Access (TA0001), Execution (TA0002), and Credential Access (TA0006). LSASS memory access detection via Sysmon Event ID 10 achieves ~73% coverage for known tooling — the remaining gap is typically LOLbin variants using Task Manager or renamed ProcDump. Supplementary: add image load monitoring (Event ID 7) for comsvcs.dll. Kerberoasting detection via Event 4769 with RC4 encryption type (0x17) is high-fidelity with low false positive rate in properly baselined environments. Recommend quarterly re-validation cadence as vendor updates affect detection fidelity.
3 hours ago
BlueTeam_Actual (user) | POST #0003 • PURPLE_TEAM_OPERATIONS_LESSONS_LEARNED
The live runbook-during-engagement approach is exactly what we moved to after two years of exercises that produced PDFs nobody read. The collaborative model forces both sides to understand each other's constraints in real time — red learns what logging is actually available, blue learns which detections are bypassed by minor variations. Most valuable finding from our last exercise: an EDR exclusion for a critical directory that had been silently in place for 18 months. No one knew. No alert would have fired.
1 hour ago
FLLC_MODERATOR (moderator) | POST #0004 • PURPLE_TEAM_OPERATIONS_LESSONS_LEARNED
Good thread. Reminder: specific organizational vulnerability details should be anonymized before posting here. Technique and methodology discussion is fully on-topic. Detection queries and Sigma rules are welcome — post them in the Cyber Arsenal section for proper archival and version tracking.
18 min ago