Command line Cheat Sheet

Warning

Using command line parameters to execute simulations with PurpleSharp does not leverage all available features. If you are looking to customize the simulations with more flexibility, you should use JSON playbooks.

• Execute the T1059.001 technique on local host:

PurpleSharp.exe /t T1059.001

• Execute 3 techniques on local host:

PurpleSharp.exe /t T1055.002,T1055.003,T1055.004

PurpleSharp.exe /t "T1055.002, T1055.003, T1055.004"

Note

When using a space between techniques, make sure to add double quotes.

• Execute 3 techniques on local host adding a sleep time of 5 seconds between technique:

PurpleSharp.exe /t "T1055.002, T1055.003, T1055.004" /pbsleep 5

• Execute the T1059.001 technique on a remote host:

PurpleSharp.exe /rhost win10-1 /ruser psharp /d hacklabz /t T1059.001

PurpleSharp.exe /rhost 192.168.1.10 /ruser psharp /d hacklabz /t T1059.001

• Execute 3 chained techniques on a remote host and wait 30 seconds between each technique:

PurpleSharp.exe /rhost win10-1 /ruser psharp /d hacklabz /t T1059.001,T1059.002,T1059.003 /pbsleep 30

PurpleSharp.exe /rhost 192.168.1.10 /ruser psharp /d hacklabz /t T1059.001,T1059.002,T1059.003 /pbsleep 30

• Execute a techniques on a remote host using custom Scout and Simulator paths:

PurpleSharp.exe /rhost win10-1 /ruser psharp /d hacklabz /t T1059.001 /scoutpath C:\PSEXSVC.exe /simpath \AppData\Local\Temp\invoice.exe

• Obtain the Windows Event Subscription settings from a remote host:

PurpleSharp.exe /rhost win10-1 /ruser psharp /d hacklabz /scout wef