Free Active Directory security assessment

Uncover your AD security vulnerabilities

Version: Purple Knight 1.4 Community


Frequently Asked Questions

What is Purple Knight?

Purple Knight is an Active Directory security assessment tool used by thousands of organizations to quickly identify vulnerabilities in hybrid AD environments and receive prioritized, expert remediation guidance.

How much does Purple Knight cost?

Purple Knight is free.

Why should we use Purple Knight?

To lock down Active Directory, you must think like an attacker. Purple Knight maps pre- and post-attack security indicators to the MITRE ATT&CK framework, offering an overall risk score along with the likelihood of compromise and specific remediation steps. You can proactively harden your Active Directory against new adversary tactics and techniques with built-in threat modeling, which is constantly updated by a team of security experts.

Does running Purple Knight make changes to Active Directory?

No, Purple Knight does not make changes to Active Directory. The tool requires the ability to run PowerShell scripts, and it uses LDAP queries and, for specific vulnerability scans, RPC calls; all of these are read-only against the directory.

Is Purple Knight a SaaS solution?

Purple Knight is installed software.

Which Active Directory permissions are required to run Purple Knight?

Purple Knight is designed to give a quick snapshot of your Active Directory environment as an attacker would see it. Therefore, Purple Knight does not require any elevated or administrator permissions.

What does Semperis do with the information Purple Knight generates about our environment?

Nothing! Purple Knight has no phone-home capabilities. The data and information that the tool generates are exclusively available to the organization running the tool and never available to Semperis.

Can Purple Knight feed information into security solutions such as our SIEM?

No, Purple Knight provides a point-in-time scorecard of Active Directory vulnerabilities and overall security health. However, Semperis Directory Services Protector (DSP) can easily integrate with a SIEM to provide a single view of Active Directory security data (including the indicators tracked by Purple Knight).

What is the difference between Purple Knight and Semperis DSP?

Purple Knight provides a point-in-time view and assessment of Active Directory risks. DSP provides a continual view of Active Directory, including alerting, change tracking, automatic remediation, and support for hybrid AD environments.

How many security indicators does Purple Knight track?

The Semperis Research Team continuously studies the ways cyber criminals are plotting to compromise organizations’ information systems—particularly by exploiting vulnerabilities in Active Directory. Semperis uses this threat intelligence to constantly update the list of security indicators that Purple Knight tracks.

For a complete list of indicators, review the Purple Knight Security Indicators document.

Does Purple Knight look at anything beyond AD?

No. Purple Knight is purpose-built for hybrid AD environments.

What are the most common deficiencies Purple Knight finds?

The average overall Purple Knight score is 61%, with Kerberos security averaging 43% and Group Policy security averaging 58%. Review the Purple Knight Security Indicators document for a complete view of indicators associated with each category.

How long does a Purple Knight scan take?

The time needed to run a Purple Knight scan varies depending on the size and complexity of your Active Directory environment and the scans being run. Typically, a scan of one forest takes minutes, with additional time required for a Zerologon scan, which runs RPC to scan against all domain controllers.

What performance impact does Purple Knight have on our environment?

Purple Knight has no performance impact on the environment. However, for larger domains (100K+ objects, 10+ domain controllers), users might experience long runtimes and high memory usage on the local machine running Purple Knight.

How does Purple Knight adjust to emerging threats, new weaknesses, and new attack tactics?

The Semperis Research Team continuously studies the ways cyber criminals are plotting to compromise organizations’ information systems—particularly by exploiting vulnerabilities in Active Directory. Semperis uses this threat intelligence to constantly update the list of security indicators that Purple Knight tracks.

For a complete list of indicators, review the Purple Knight Security Indicators document.

How does Purple Knight compare to a Microsoft Risk Assessment Program?

A Microsoft Risk Assessment Program (RAP) is an intense and long-term engagement, whereas Purple Knight provides immediate value. A RAP includes multiple tools, assessments, and personnel involvements and is available only with premier Microsoft pricing. Purple Knight is a free tool that provides quick snapshots of your current Active Directory state, along with actionable remediation guidance.

How does Purple Knight compare with other tools, such as BloodHound and PingCastle?

Purple Knight provides more user-friendly, actionable reports and is easier to run than PingCastle. BloodHound does not search for exposures as Purple Knight does, but rather maps potential attack paths that users need to explore, prioritize, and address on their own. For information about using these tools together, see “BloodHound and Purple Knight: Better Together for Hardening Active Directory Security.”

What is a typical Purple Knight assessment score?

The average initial Purple Knight overall score is 61%, with Kerberos Security averaging 43% and Group Policy Security averaging 58%. Review the Purple Knight Security Indicators document for a complete view of indicators associated with each category.

How often can I run a Purple Knight assessment?

You can run Purple Knight as often as you like.

How do I use the results of my assessment?

Purple Knight generates a detailed report that includes all scanned indicators, the pass/fail status of each indicator, its mapping to the MITRE ATT&CK Framework, and remediation recommendations. You can use this valuable information to gain insight and prioritize security improvements.