Purple Knight Frequently Asked Questions

  • What is Purple Knight?

    Purple Knight is an Active Directory and Azure AD security assessment tool used by thousands of organizations to quickly identify vulnerabilities in hybrid AD environments and receive prioritized, expert remediation guidance.

  • How much does Purple Knight cost?

    Purple Knight is free.

  • Why should we use Purple Knight?

    To lock down your hybrid Active Directory environment, you must think like an attacker. Purple Knight maps pre- and post-attack security indicators to the MITRE ATT&CK and ANSSI frameworks, offering an overall risk score along with the likelihood of compromise and specific remediation steps. Purple Knight also provides new security framework tags for the MITRE D3FEND model, a beta framework for network defense. You can use Purple Knight to proactively harden AD and Azure AD against new adversary tactics and techniques with built-in threat modeling that is constantly updated by a team of security experts.

  • Does running Purple Knight make changes to on-premises Active Directory?

    No, Purple Knight does not make changes to Active Directory. The tool requires the ability to run PowerShell scripts and uses LDAP queries over RPC for specific vulnerability scans.

  • How do I use Purple Knight to evaluate my Azure Active Directory environment?

    To run Purple Knight in your Azure AD environment, you need to create and update the app registration in Azure AD with a defined and consented set of application permissions for the Microsoft Graph. Jorge de Almeida Pinto, Semperis Senior Solutions Architect and Product Manager, created a PowerShell script that automates this step.

    To use the script, you’ll need two PowerShell modules—AzureAD and Az.Accounts—and the account creating the application registration must be a Global Admin. The script supports the following tasks:

    • Creates and updates the app registration in Azure AD so that Purple Knight 1.5 can scan for vulnerabilities in Azure AD
    • Deletes the app registration in Azure AD
    • Assigns the required Microsoft Graph application permissions and provides consent when creating or updating the app
    • Creates a client secret when creating or updating the app; by default the secret is valid for one hour (if needed, you can provide a custom lifetime in days for the client secret)
    • Deletes all client secrets from the app registration in Azure AD
    • Displays the tenant ID, the application ID, the assigned and consented permissions, and the client secret to be used in the Purple Knight executable file

    See the full list of functions and examples and download the Purple Knight 1.5 PowerShell script at the Semperis GitHub account.

  • Is Purple Knight a SaaS solution?

    Purple Knight is installed software.

  • Which Active Directory permissions are required to run Purple Knight?

    Purple Knight is designed to give a quick snapshot of your AD and Azure AD environment as an attacker would see it. Therefore, Purple Knight does not require any elevated or administrator permissions.

  • What does Semperis do with the information Purple Knight generates about our environment?

    Nothing! Purple Knight has no phone-home capabilities. The data and information that the tool generates are exclusively available to the organization running the tool and never available to Semperis.

  • Can Purple Knight feed information into security solutions such as our SIEM?

    No. Purple Knight provides a point-in-time scorecard of Active Directory vulnerabilities and overall security health. However, Semperis Directory Services Protector (DSP) can easily integrate with a SIEM to provide a single view of Active Directory security data (including the indicators tracked by Purple Knight).

  • What is the difference between Purple Knight and Semperis DSP?

    Purple Knight provides a point-in-time view and assessment of Active Directory and Azure AD risks. DSP provides a continual view of AD and Azure AD, including alerting, change tracking, automatic remediation, and support for hybrid AD environments.

  • How many security indicators does Purple Knight track?

    The Semperis Research Team continuously studies the ways cyber criminals are plotting to compromise organizations’ information systems—particularly by exploiting vulnerabilities in AD and Azure AD. Semperis uses this threat intelligence to constantly update the list of security indicators that Purple Knight tracks.

    For a complete list of indicators, review the Purple Knight Security Indicators.

  • Does Purple Knight look at anything beyond AD?

    Purple Knight is purpose-built for hybrid AD environments: It covers both on-premises AD and Azure AD environments.

  • What are the most common deficiencies Purple Knight finds?

    The average overall Purple Knight score is 61%, with Kerberos security averaging 43% and Group Policy security averaging 58%. Review the Purple Knight Security Indicators document for a complete view of indicators associated with each category.

  • How long does a Purple Knight scan take?

    The time needed to run a Purple Knight scan varies depending on the size and complexity of your Active Directory environment and the scans being run. Typically, a scan of one forest takes minutes, with additional time required for a Zerologon scan, which runs RPC to scan against all domain controllers.

  • What performance impact does Purple Knight have on our environment?

    Purple Knight has no performance impact on the environment. However, for larger domains (100K+ objects, 10+ domain controllers), users might experience long runtimes and high memory usage on the local machine running Purple Knight.

  • How does Purple Knight adjust to emerging threats, new weaknesses, and new attack tactics?

    The Semperis Research Team continuously studies the ways cyber criminals are plotting to compromise organizations’ information systems—particularly by exploiting vulnerabilities in Active Directory. Semperis uses this threat intelligence to constantly update the list of security indicators that Purple Knight tracks.

    For a complete list of indicators, review the Purple Knight Security Indicators.

  • How does Purple Knight compare to a Microsoft Risk Assessment Program?

    A Microsoft Risk Assessment Program (RAP) is an intense and long-term engagement, whereas Purple Knight provides immediate value. A RAP includes multiple tools, assessments, and personnel involvement and is available only with premier Microsoft pricing. Purple Knight is a free tool that provides quick snapshots of your current Active Directory state, along with actionable remediation guidance.

  • How does Purple Knight compare with other tools, such as BloodHound and PingCastle?

    Purple Knight provides more user-friendly, actionable reports and is easier to run than PingCastle. BloodHound does not search for exposures as Purple Knight does, but rather maps potential attack paths that users need to explore, prioritize, and address on their own. For information about using these tools together, see “BloodHound and Purple Knight: Better Together for Hardening Active Directory Security.”

  • What is a typical Purple Knight assessment score?

    The average initial Purple Knight overall score is 61%, with Kerberos Security averaging 43% and Group Policy Security averaging 58%. Review the Purple Knight Security Indicators document for a complete view of indicators associated with each category.

  • How often can I run a Purple Knight assessment?

    You can run Purple Knight as often as you like.

  • How do I use the results of my assessment?

    Purple Knight generates a detailed report that includes all scanned indicators, the pass/fail status of each indicator, its mapping to the MITRE ATT&CK Framework, and remediation recommendations. You can use this valuable information to gain insight and prioritize security improvements.