{"id":31816850,"url":"https://github.com/splunk/attack_range_cloud","last_synced_at":"2025-10-11T09:59:01.186Z","repository":{"id":47689679,"uuid":"283379777","full_name":"splunk/attack_range_cloud","owner":"splunk","description":"Attack Range to test detection against nativel serverless cloud services and environments","archived":false,"fork":false,"pushed_at":"2021-09-08T00:39:06.000Z","size":753,"stargazers_count":33,"open_issues_count":8,"forks_count":10,"subscribers_count":22,"default_branch":"master","last_synced_at":"2024-04-15T02:58:36.996Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/splunk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-07-29T02:38:39.000Z","updated_at":"2023-10-27T14:17:08.000Z","dependencies_parsed_at":"2022-08-30T07:41:28.497Z","dependency_job_id":null,"html_url":"https://github.com/splunk/attack_range_cloud","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/splunk/attack_range_cloud","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fattack_range_cloud","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fattack_range_cloud/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fattack_range_cloud/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fattack_range_cloud/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/splunk","download_url":"https://codeload.github.com/splunk/attack_range_cloud/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fattack_range_cloud/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279006751,"owners_count":26084185,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-11T02:00:06.511Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-11T09:58:36.964Z","updated_at":"2025-10-11T09:59:01.179Z","avatar_url":"https://github.com/splunk.png","language":"Python","readme":"# Splunk Cloud Attack Range βš”οΈ\n\n## Purpose πŸ›‘\nThe Cloud Attack Range is a detection development platform, which solves three main challenges in detection engineering. First, the user is able to build quickly a small lab infrastructure as close as possible to a cloud environment. Second, the Attack Range performs attack simulation using different engines such as [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) in order to generate real attack data.\n## Building πŸ‘·β€β™‚οΈ\n\nCloud Attack Range can be built is currently:\n\n- **cloud-only**, Specifically simulate attacks against AWS\n\n\n## Architecture 🏯\nThe Cloud Attack Range consists of:\n- pre-configured Splunk server with AWS Cloudtrail logs and Kubernetes logs\n- pre-configured Phantom server\n- AWS Elastic Kubernetes Service with a Wordpress app and [Splunk Connect for Kubernetes](https://github.com/splunk/splunk-connect-for-kubernetes)\n\n- integrated [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) cloud attacks\n\n![Architecture](docs/cloud_attack_range_architecture.png)\n\n### Logging\nThe following log sources are collected from the machines:\n- Cloudtrail logs (```index=aws```)\n- Kubernetes logs (```index=kubernetes```)\n- Kubernetes metrics (```index=kubernetes-metrics```)\n- AWS Elastic Kubernetes Service logs (```index=aws sourcetype=aws:cloudwatchlogs```)\n\n## Running πŸƒβ€β™€οΈ\nFollow [Getting Started](https://github.com/splunk/attack_range_cloud/wiki/Configure-Cloud-Attack-Range) to configure Cloud Attack Range. \nCloud Attack Range supports different actions:\n- Build Cloud Attack Range\n- Perform Cloud Attack Simulation\n- Destroy Cloud Attack Range\n- Stop Cloud Attack Range\n- Resume Cloud Attack Range\n\n### Cloud Attack Range Commands\n- Configure your Cloud Attack Range .conf\n```\n- [x] python cloud_attack_range.py configure\n```\n\n### Cloud Attack Range Commands\n- Build Cloud Attack Range\n```\n- [x] python cloud_attack_range.py build\n\n```\n\n### Perform Cloud Attack Simulation\n[Work in Progress]\n- Perform Cloud Attack Simulation by Mitre technique\n```\npython cloud_attack_range.py simulate -st T1136.003\n```\n\n### Destroy Cloud Attack Range\n- Destroy Cloud Attack Range\n```\npython cloud_attack_range.py destroy\n```\n\n### Stop Cloud Attack Range\n- Stop Cloud Attack Range\n```\npython cloud_attack_range.py stop\n```\n\n### Resume Cloud Attack Range\n- Resume Cloud Attack Range\n```\npython cloud_attack_range.py resume\n```\n\n## Features πŸ’\n- [Splunk Server](https://github.com/splunk/attack_range/wiki/Splunk-Server)\n * Preconfigured with multiple TAs for field extractions\n * Out of the box Splunk detections with Enterprise Security Content Update ([ESCU](https://splunkbase.splunk.com/app/3449/)) App\n * Preinstalled Machine Learning Toolkit ([MLTK](https://splunkbase.splunk.com/app/2890/))\n * Splunk UI available through port 8000 with user admin\n * ssh connection over configured ssh key\n\n- [Splunk Enterprise Security](https://splunkbase.splunk.com/app/263/)\n * [Splunk Enterprise Security](https://splunkbase.splunk.com/app/263/) is a premium security solution requiring a paid license.\n * Enable or disable [Splunk Enterprise Security](https://splunkbase.splunk.com/app/263/) in [cloud_attack_range.conf](cloud_attack_range.conf)\n * Purchase a license, download it and store it in the apps folder to use it.\n\n- [Splunk Phantom](https://www.splunk.com/en_us/software/splunk-security-orchestration-and-automation.html)\n * [Splunk Phantom](https://www.splunk.com/en_us/software/splunk-security-orchestration-and-automation.html) is a Security Orchestration and Automation platform\n * For a free development license (100 actions per day) register [here](https://my.phantom.us/login/?next=/)\n * Enable or disable [Splunk Phantom](https://www.splunk.com/en_us/software/splunk-security-orchestration-and-automation.html) in [cloud_attack_range.conf](cloud_attack_range.conf)\n\n- [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)\n * Attack Simulation with [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)\n * Uses Attack TTPs from [Cloud ATT\u0026CK Mitre IDs](https://attack.mitre.org/matrices/enterprise/cloud/)\n\n\n## Support πŸ“ž\nPlease use the [GitHub issue tracker](https://github.com/splunk/attack_range_cloud/issues) to submit bugs or request features.\n\nIf you have questions or need support, you can:\n\n* Post a question to [Splunk Answers](http://answers.splunk.com)\n* Join the [#security-research](https://splunk-usergroups.slack.com/archives/C1S5BEF38) room in the [Splunk Slack channel](http://splunk-usergroups.slack.com)\n* If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can also open a support case on the https://www.splunk.com/ support portal\n\n\n## Author\n* [Patrick Bareiß](https://twitter.com/bareiss_patrick)\n* [Bhavin Patel](https://twitter.com/hackpsy)\n* [Jose Hernandez](https://twitter.com/d1vious)\n\n\n\n## License\n\nCopyright 2020 Splunk Inc.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsplunk%2Fattack_range_cloud","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsplunk%2Fattack_range_cloud","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsplunk%2Fattack_range_cloud/lists"}