Purple Knight Frequently Asked Questions
Why should we use Purple Knight?
To lock down your hybrid Active Directory environment, you must think like an attacker. Purple Knight maps pre- and post-attack security indicators to the MITRE ATT&CK and ANSSI frameworks, offering an overall risk score along with the likelihood of compromise and specific remediation steps. Purple Knight also provides new security framework tags for the MITRE D3FEND model, a beta framework for network defense. You can use Purple Knight to proactively harden AD and Entra ID against new adversary tactics and techniques with built-in threat modeling that is constantly updated by a team of security experts.
How do I use Purple Knight to evaluate my Entra ID Active Directory environment?
To run Purple Knight in your Entra ID environment, you need to create and update the app registration in Entra ID with a defined and consented set of application permissions for the Microsoft Graph. Jorge de Almeida Pinto, Semperis Senior Solutions Architect and Product Manager, created a PowerShell script that automates this step.
To use the script, you’ll need two PowerShell modules—AzureAD and Az.Accounts—and the account creating the application registration must be a Global Admin. The script supports the following tasks:
- Creates and updates the app registration in Entra ID for Purple Knight 1.5 to be able to scan for vulnerabilities in Azure AD
- Deletes the app registration in Entra ID
- Assigns the required Microsoft Graph application permissions and provides consent when creating or updating the app
- Creates a client secret that by default is valid for one hour when creating or updating the app (if needed, you can specify a custom lifetime in days for the client secret)
- Deletes all client secrets from the app registration in Azure AD
- Displays the tenant ID, the application ID, the assigned and consented permissions, and the client secret to be used in the Purple Knight executable file
See the full list of functions and examples and download the Purple Knight 1.5 PowerShell script at the Semperis GitHub account.
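The steps the script automates, shown as an added illustration that is not the Semperis script itself: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications) instead of the AzureAD and Az.Accounts modules, the display name is hypothetical, and Directory.Read.All stands in for the permission set Purple Knight actually requires (take the real list from the Semperis script or documentation).

```powershell
# Added example, not the Semperis script. Registers an Entra ID application,
# declares one Microsoft Graph *application* permission, records admin consent,
# issues a client secret valid for one hour and prints the values a scanner needs.
# Run as Global Admin. ASSUMPTION: Directory.Read.All is a stand-in permission.

$appName     = 'PurpleKnight-Scanner'                   # hypothetical display name
$graphAppId  = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph app ID
$roleId      = '7ab1d382-f21e-4acd-a863-ba3e13f7da61'   # Directory.Read.All (Application role)
$secretHours = 1                                        # default lifetime; lengthen only if needed

# Delegated scopes needed by the admin running this, not by the scanner app.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

# 1. Create (or reuse) the app registration, declaring the Graph role it needs.
$app = Get-MgApplication -Filter "displayName eq '$appName'" | Select-Object -First 1
if (-not $app) {
    $app = New-MgApplication -DisplayName $appName -SignInAudience 'AzureADMyOrg' `
        -RequiredResourceAccess @(@{
            ResourceAppId  = $graphAppId
            ResourceAccess = @(@{ Id = $roleId; Type = 'Role' })   # 'Role' = application permission
        })
}

# 2. A service principal must exist in the tenant before consent can be recorded.
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'" | Select-Object -First 1
if (-not $sp) { $sp = New-MgServicePrincipal -AppId $app.AppId }

# 3. Admin consent for an application permission is an appRoleAssignment on the Graph SP.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.AppRoleId -eq $roleId -and $_.ResourceId -eq $graphSp.Id }
if (-not $granted) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $roleId | Out-Null
}

# 4. Short-lived client secret: one scan needs it once, so it expires after an hour.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "scan-$(Get-Date -Format 'yyyyMMdd-HHmm')"
    EndDateTime = (Get-Date).ToUniversalTime().AddHours($secretHours)
}

# 5. Values the scanner executable asks for. SecretText is returned only once; do not log it.
[pscustomobject]@{
    TenantId      = (Get-MgContext).TenantId
    ApplicationId = $app.AppId
    SecretExpires = $cred.EndDateTime
    ClientSecret  = $cred.SecretText
}
```

Re-running the block is safe: the registration, service principal and consent are reused if present, and only a fresh one-hour secret is added.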
Can Purple Knight feed information into security solutions such as our SIEM?
No, Purple Knight provides a point-in-time scorecard of Active Directory vulnerabilities and overall security health. However, Semperis Directory Services Protector (DSP) can easily integrate with a SIEM to provide a single view of Active Directory security data (including the indicators tracked by Purple Knight).
What is the difference between Purple Knight and Semperis DSP?
Purple Knight provides a point-in-time view and assessment of Active Directory and Entra ID risks. DSP provides a continual view of AD and Azure AD, including alerting, change tracking, automatic remediation, and support for hybrid AD environments.
How many security indicators does Purple Knight track?
The Semperis Research Team continuously studies the ways cyber criminals are plotting to compromise organizations’ information systems—particularly by exploiting vulnerabilities in AD and Entra ID. Semperis uses this threat intelligence to constantly update the list of security indicators that Purple Knight tracks.
For a complete list of indicators, review the Purple Knight Security Indicators.
What are the most common deficiencies Purple Knight finds?
The average overall Purple Knight score is 61%, with Kerberos security averaging 43% and Group Policy security averaging 58%. Review the Purple Knight Security Indicators document for a complete view of indicators associated with each category.
How long does a Purple Knight scan take?
The time needed to run a Purple Knight scan varies with the size and complexity of your Active Directory environment and with the scans selected. Typically, a scan of one forest takes minutes; a Zerologon scan adds time because it makes RPC calls against every domain controller.
How does Purple Knight adjust to emerging threats, new weaknesses, and new attack tactics?
The Semperis Research Team continuously studies the ways cyber criminals are plotting to compromise organizations’ information systems—particularly by exploiting vulnerabilities in Active Directory. Semperis uses this threat intelligence to constantly update the list of security indicators that Purple Knight tracks.
For a complete list of indicators, review the Purple Knight Security Indicators.
How does Purple Knight compare to a Microsoft Risk Assessment Program?
A Microsoft Risk Assessment Program (RAP) is an intense and long-term engagement, whereas Purple Knight provides immediate value. A RAP includes multiple tools, assessments, and personnel involvements and is available only with premier Microsoft pricing. Purple Knight is a free tool that provides quick snapshots of your current Active Directory state, along with actionable remediation guidance.
How does Purple Knight compare with other tools, such as BloodHound and PingCastle?
Purple Knight provides more user-friendly, actionable reports and is easier to run than PingCastle. BloodHound does not search for exposures as Purple Knight does, but rather maps potential attack paths that users need to explore, prioritize, and address on their own. For information about using these tools together, see “BloodHound and Purple Knight: Better Together for Hardening Active Directory Security.”
What is a typical Purple Knight assessment score?
The average initial Purple Knight overall score is 61%, with Kerberos Security averaging 43% and Group Policy Security averaging 58%. Review the Purple Knight Security Indicators document for a complete view of indicators associated with each category.
How do I use the results of my assessment?
Purple Knight generates a detailed report that includes all scanned indicators, the pass/fail status of each indicator, its mapping to the MITRE ATT&CK Framework, and remediation recommendations. You can use this valuable information to gain insight and prioritize security improvements.