/attack_range

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk

Primary LanguageJinjaApache License 2.0Apache-2.0

Splunk Attack Range ⚔️

Attack Range Log The Splunk Attack Range is an open-source project maintained by the Splunk Threat Research Team. It builds instrumented cloud (AWS, Azure) and local environments (Virtualbox), simulates attacks, and forwards the data into a Splunk instance. This environment can then be used to develop and test the effectiveness of detections.

Purpose 🛡

The Attack Range is a detection development platform, which solves three main challenges in detection engineering:

  • The user is able to quickly build a small lab infrastructure as close as possible to a production environment.
  • The Attack Range performs attack simulation using different engines such as Atomic Red Team or Caldera in order to generate real attack data.
  • It integrates seamlessly into any Continuous Integration / Continuous Delivery (CI/CD) pipeline to automate the detection rule testing process.

Docs

The Attack Range Documentation can be found here.

Installation 🏗

Attack Range in AWS:

docker pull splunk/attack_range
docker run -it splunk/attack_range
aws configure
python attack_range.py configure

To install directly on Linux, or MacOS follow these instructions.

Architecture 🏯

Logical Diagram

The deployment of Attack Range consists of:

  • Windows Domain Controller
  • Windows Server
  • Windows Workstation
  • A Kali Machine
  • Splunk Server
  • Splunk SOAR Server
  • Nginx Server
  • Linux Server
  • Zeek Server
  • Snort Server

Which can be added/removed/configured using attack_range.yml.

Logging

The following log sources are collected from the machines:

  • Windows Event Logs (index = win)
  • Sysmon Logs (index = win)
  • Powershell Logs (index = win)
  • Aurora EDR (index = win)
  • Sysmon for Linux Logs (index = unix)
  • Nginx logs (index = proxy)
  • Network Logs with Splunk Stream (index = main)
  • Attack Simulation Logs from Atomic Red Team and Caldera (index = attack)
  • Zeek Logs (index = zeek)
  • Snort Logs (index = snort)
  • Cisco Secure Endpoint Logs (index = cisco_secure_endpoint)
  • CrowdStrike Falcon Logs (index = crowdstrike_falcon)
  • Carbon Black Logs (index = carbon_black_cloud)

Running 🏃‍♀️

Attack Range supports different actions:

Configure Attack Range

python attack_range.py configure

Build Attack Range

python attack_range.py build

Show Attack Range Infrastructure

python attack_range.py show

Perform Attack Simulations with Atomic Red Team or PurpleSharp

python attack_range.py simulate -e ART -te T1003.001 -t ar-win-ar-ar-0

python attack_range.py simulate -e PurpleSharp -te T1003.001 -t ar-win-ar-ar-0

Destroy Attack Range

python attack_range.py destroy

Stop Attack Range

python attack_range.py stop

Resume Attack Range

python attack_range.py resume

Dump Log Data from Attack Range

python attack_range.py dump --file_name attack_data/dump.log --search 'index=win' --earliest 2h

Replay Dumps into Attack Range Splunk Server

python attack_range.py replay --file_name attack_data/dump.log --source test --sourcetype test

Features 💍

  • Splunk Server

    • Indexing of Microsoft Event Logs, PowerShell Logs, Sysmon Logs, DNS Logs, ...
    • Preconfigured with multiple TAs for field extractions
    • Out of the box Splunk detections with Enterprise Security Content Update (ESCU) App
    • Preinstalled Machine Learning Toolkit (MLTK)
    • pre-indexed BOTS datasets
    • Splunk UI available through port 8000 with user admin
    • ssh connection over configured ssh key
  • Splunk Enterprise Security

  • Splunk SOAR

  • Windows Domain Controller & Window Server & Windows 10 Client

    • Can be enabled, disabled and configured over attack_range.yml
    • Collecting of Microsoft Event Logs, PowerShell Logs, Sysmon Logs, DNS Logs, ...
    • Sysmon log collection with customizable Sysmon configuration
    • RDP connection over port 3389 with user Administrator
  • Atomic Red Team

    • Attack Simulation with Atomic Red Team
    • Will be automatically installed on target during first execution of simulate
    • Atomic Red Team already uses the new Mitre sub-techniques
  • PurpleSharp

    • Native adversary simulation support with PurpleSharp
    • Will be automatically downloaded on target during first execution of simulate
    • Supports two parameters -st for comma separated ATT&CK techniques and -sp for a simulation playbook
  • Kali Linux

    • Preconfigured Kali Linux machine for penetration testing
    • ssh connection over configured ssh key

Support 📞

Please use the GitHub issue tracker to submit bugs or request features.

If you have questions or need support, you can:

Contributing 🥰

We welcome feedback and contributions from the community! Please see our contribution guidelines for more information on how to get involved.

Author

Contributors