{"id":13598522,"url":"https://github.com/splunk/attack_range","last_synced_at":"2026-02-09T14:11:24.010Z","repository":{"id":37431025,"uuid":"184844805","full_name":"splunk/attack_range","owner":"splunk","description":"A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk ","archived":false,"fork":false,"pushed_at":"2025-04-01T10:38:00.000Z","size":58239,"stargazers_count":2257,"open_issues_count":4,"forks_count":374,"subscribers_count":74,"default_branch":"develop","last_synced_at":"2025-04-01T11:32:00.414Z","etag":null,"topics":["adversary","attack-range","attack-simulation","detection","lab","simulation","simulations"],"latest_commit_sha":null,"homepage":"","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/splunk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-05-04T02:46:46.000Z","updated_at":"2025-04-01T10:38:05.000Z","dependencies_parsed_at":"2023-02-13T23:00:37.626Z","dependency_job_id":"b94d1687-5fe1-40bd-897d-dd5766822f41","html_url":"https://github.com/splunk/attack_range","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fattack_range","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fattack_range/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fattack_range/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fattack_range/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/splunk","download_url":"https://codeload.github.com/splunk/attack_range/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247364210,"owners_count":20927090,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adversary","attack-range","attack-simulation","detection","lab","simulation","simulations"],"created_at":"2024-08-01T17:00:53.323Z","updated_at":"2026-02-09T14:11:24.004Z","avatar_url":"https://github.com/splunk.png","language":"Jinja","readme":"# Splunk Attack Range v5\n![Attack Range Logo](docs/attack_range.png)\n\nThe Splunk Attack Range builds instrumented cloud environments (AWS, Azure, GCP), simulates attacks, and forwards data into Splunk for detection development and testing.\n\n![Attack Range Architecture](docs/attack_range_architecture.png)\n\n**What it does:**\n\n- **Build labs** — Deploy a small, production-like lab (Splunk, Windows/Linux servers, optional Kali, Zeek, etc.) via Terraform and Ansible.\n- **Simulate attacks** — Run Atomic Red Team (and other) techniques to generate real telemetry.\n- **Share access** — Use WireGuard VPN; generate additional client configs to share the range with others.\n\n---\n\n## Getting started\n\n**Preferred: Docker Compose**\n\n1. **Prerequisites:** [Docker](https://docs.docker.com/get-docker/) and [Docker Compose](https://docs.docker.com/compose/install/). Configure your cloud provider (AWS, Azure, or GCP) and mount credentials as below.\n\n2. **Clone and start:**\n\n   ```bash\n   git clone \u003crepo-url\u003e\n   cd attack_range_2\n   docker compose -f docker/docker-compose.yml up\n   ```\n\n3. **Use the app or API:**\n\n   - **Web app:** open [http://localhost:4321](http://localhost:4321) — build/destroy ranges, view status, run simulations, share access.\n   - **API:** [http://localhost:4000](http://localhost:4000) — REST API; interactive docs at [http://localhost:4000/openapi/swagger](http://localhost:4000/openapi/swagger).\n\n4. **Build a range (two steps):**\n\n   - In the app: pick a template (e.g. `aws/splunk_minimal_aws`) and start the build. When status is *Waiting for VPN*, download the WireGuard config, connect with WireGuard, then continue the build.\n   - Or via API: `POST /attack-range/build` with `{\"template\": \"aws/splunk_minimal_aws\"}`, poll `GET /attack-range/status/\u003cid\u003e`, use the returned WireGuard config, connect, then `POST /attack-range/build` with `{\"attack_range_id\": \"\u003cid\u003e\"}`.\n\n5. **CLI in Docker (optional):**\n\n   ```bash\n   docker compose --profile cli -f docker/docker-compose.yml run --rm attack_range build -t aws/splunk_minimal_aws\n   ```\n\n   Other actions: `destroy`, `simulate`, `share`. See [Detailed documentation](https://attack-range.readthedocs.io/en/latest/) for CLI usage and flags.\n\n---\n\n## Ways to run\n\n| Method | Use case |\n|-------|----------|\n| **Docker Compose** (recommended) | Run API + web app + optional CLI with one `docker compose`; no local Python/Ansible/Terraform. |\n| **Web app** | Build, destroy, simulate, and share via the UI at port 4321. |\n| **REST API** | Automate from scripts or CI; full OpenAPI docs at `/openapi/swagger`. |\n| **CLI** | `attack_range.py build | destroy | simulate | share` for terminal-based workflows. |\n\n---\n\n## Documentation\n\n- **Full docs (Read the Docs):** [https://attack-range.readthedocs.io/](https://attack-range.readthedocs.io/en/latest/)\n- Chapters: **Getting Started**, **Configuration**, **Networking**, **Sharing**, **Templates**, **Ansible Roles**\n\n---\n\n## Quick reference\n\n- **Configs:** Each range has a config in `config/\u003cattack_range_id\u003e.yml`. Templates live in `templates/{aws,azure,gcp}/`.\n- **Credentials:** Set up `~/.aws`, `~/.azure`, or `~/.config/gcloud` and mount them into the containers (see `docker/docker-compose.yml`).\n- **Support:** [GitHub issues](https://github.com/splunk/attack_range/issues) and [CONTRIBUTING](docs/CONTRIBUTING.md).\n\n---\n\n## Support \nPlease use the [GitHub issue tracker](https://github.com/splunk/attack_range/issues) to submit bugs or request features.\n\nIf you have questions or need support, you can:\n\n* Join the [#security-research](https://splunk-usergroups.slack.com/archives/C1S5BEF38) room in the [Splunk Slack channel](http://splunk-usergroups.slack.com)\n* Post a question to [Splunk Answers](http://answers.splunk.com)\n* If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can also open a support case on the https://www.splunk.com/ support portal\n\n---\n\n## Contributing \nWe welcome feedback and contributions from the community! Please see our [contribution guidelines](docs/CONTRIBUTING.md) for more information on how to get involved.\n\n---\n\n## Author\n* [Jose Hernandez](https://twitter.com/_josehelps)\n* [Patrick Bareiß](https://twitter.com/bareiss_patrick)\n\n## Contributors\n* [Bhavin Patel](https://twitter.com/hackpsy)\n* [Rod Soto](https://twitter.com/rodsoto)\n* Russ Nolen\n* Phil Royer\n* [Joseph Zadeh](https://twitter.com/JosephZadeh)\n* Rico Valdez\n* [Dimitris Lambrou](https://twitter.com/etz69)\n* [Dave Herrald](https://twitter.com/daveherrald)\n* Ignacio Bermudez Corrales\n* Peter Gael\n* Josef Kuepker\n* Shannon Davis\n* [Mauricio Velazco](https://twitter.com/mvelazco)\n* [Teoderick Contreras](https://twitter.com/tccontre18)\n* [Lou Stella](https://twitter.com/ljstella)\n* [Christian Cloutier](https://github.com/ccl0utier)\n* Eric McGinnis\n* [Micheal Haag](https://twitter.com/M_haggis)\n* Gowthamaraj Rajendran\n* [Christopher Caldwell](https://github.com/cudgel)\n* [Zachary Christensen](https://github.com/ZachTheSplunker)\n* [JerinSaji0](https://github.com/JerinSaji0)","funding_links":[],"categories":["Jinja","Hands-on Exercises","HTML","HTML (177)","Other Lists","Uncategorized","Pre-built Cyber Range Environments and Content","Blue Team"],"sub_categories":["Infra","🧪 LAB","Uncategorized","Volatility"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsplunk%2Fattack_range","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsplunk%2Fattack_range","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsplunk%2Fattack_range/lists"}