Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/splunk/attack_range

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
https://github.com/splunk/attack_range

adversary attack-range attack-simulation detection lab simulation simulations

Last synced: 2 days ago
JSON representation

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk

Awesome Lists containing this project

README 

          


    

        

    

        

    

        

    

        




> ⚠️ **Important:** After careful consideration, we have decided to deprecate the local deployment in Attack Range due to ongoing challenges with VirtualBox and Vagrant. We will concentrate our development efforts on the cloud providers AWS, Azure, and GCP. For local cyber range needs, we recommend using [Ludus](https://docs.ludus.cloud/) along with the [Attack Range environment](https://docs.ludus.cloud/docs/environment-guides/splunk-attack-range) it offers.



# Splunk Attack Range βš”οΈ

![Attack Range Log](docs/attack_range.png)

The Splunk Attack Range is an open-source project maintained by the Splunk Threat Research Team. It builds instrumented cloud (AWS, Azure, GCP), simulates attacks, and forwards the data into a Splunk instance. This environment can then be used to develop and test the effectiveness of detections. 



## Purpose πŸ›‘

The Attack Range is a detection development platform, which solves three main challenges in detection engineering:

* The user is able to quickly build a small lab infrastructure as close as possible to a production environment.

* The Attack Range performs attack simulation using different engines such as Atomic Red Team or Caldera in order to generate real attack data. 

* It integrates seamlessly into any Continuous Integration / Continuous Delivery (CI/CD) pipeline to automate the detection rule testing process.  



## Docs

The Attack Range Documentation can be found [here](https://attack-range.readthedocs.io/en/latest/).



## Installation πŸ—



### [Using Docker](https://github.com/splunk/attack_range/wiki/Using-Docker)



Attack Range in AWS:



```

docker pull splunk/attack_range

docker run -it splunk/attack_range

aws configure

python attack_range.py configure

```



To install directly on Linux, or MacOS follow [these](https://attack-range.readthedocs.io/en/latest/Attack_Range_AWS.html#) instructions.



If deploying in AWS, you may need to press [this button](https://console.aws.amazon.com/servicequotas/home/services/vpc/quotas/L-2AFB9258) and request a quota increase to 16 security groups per network interface.



## Architecture 🏯

![Logical Diagram](docs/attack_range_architecture.png)



The deployment of Attack Range consists of:



- Windows Domain Controller

- Windows Server

- Windows Workstation

- A Kali Machine

- Splunk Server

- Splunk SOAR Server

- Nginx Server

- Linux Server

- Zeek Server

- Snort Server



Which can be added/removed/configured using [attack_range.yml](https://github.com/splunk/attack_range/blob/develop/attack_range.yml). 



## Logging

The following log sources are collected from the machines:



- Windows Event Logs (```index = win```)

- Sysmon Logs (```index = win```)

- Powershell Logs (```index = win```)

- Aurora EDR (```index = win```)

- Sysmon for Linux Logs (```index = unix```)

- Nginx logs (```index = proxy```)

- Network Logs with Splunk Stream (```index = main```)

- Attack Simulation Logs from Atomic Red Team and Caldera (```index = attack```)

- Zeek Logs (```index = zeek```)

- Snort Logs (```index = snort```)

- Cisco Secure Endpoint Logs (```index = cisco_secure_endpoint```)

- CrowdStrike Falcon Logs (```index = crowdstrike_falcon```)

- Carbon Black Logs (```index = carbon_black_cloud```)



## Running πŸƒβ€β™€οΈ

Attack Range supports different actions:



### Configure Attack Range

```

python attack_range.py configure

```



### Build Attack Range

```

python attack_range.py build

```



### Show Attack Range Infrastructure

```

python attack_range.py show

```



### Perform Attack Simulations with Atomic Red Team or PurpleSharp

```

python attack_range.py simulate -e ART -te T1003.001 -t ar-win-ar-ar-0



python attack_range.py simulate -e PurpleSharp -te T1003.001 -t ar-win-ar-ar-0

```



### Destroy Attack Range

```

python attack_range.py destroy

```



### Stop Attack Range

```

python attack_range.py stop

```



### Resume Attack Range

```

python attack_range.py resume

```



### Dump Log Data from Attack Range

```

python attack_range.py dump --file_name attack_data/dump.log --search 'index=win' --earliest 2h

```



### Replay Dumps into Attack Range Splunk Server

```

python attack_range.py replay --file_name attack_data/dump.log --source test --sourcetype test

```



## Features πŸ’

- [Splunk Server](https://github.com/splunk/attack_range/wiki/Splunk-Server)

  * Indexing of Microsoft Event Logs, PowerShell Logs, Sysmon Logs, DNS Logs, ...

  * Preconfigured with multiple TAs for field extractions

  * Out of the box Splunk detections with Enterprise Security Content Update ([ESCU](https://splunkbase.splunk.com/app/3449/)) App

  * Preinstalled Machine Learning Toolkit ([MLTK](https://splunkbase.splunk.com/app/2890/))

  * pre-indexed BOTS datasets

  * Splunk UI available through port 8000 with user admin

  * ssh connection over configured ssh key



- [Splunk Enterprise Security](https://splunkbase.splunk.com/app/263/)

  * [Splunk Enterprise Security](https://splunkbase.splunk.com/app/263/) is a premium security solution requiring a paid license.

  * Enable or disable [Splunk Enterprise Security](https://splunkbase.splunk.com/app/263/) in [attack_range.yml](https://github.com/splunk/attack_range/blob/develop/attack_range.yml)

  * Purchase a license, download it and store it in the apps folder to use it.



- [Splunk SOAR](https://www.splunk.com/en_us/software/splunk-security-orchestration-and-automation.html)

  * [Splunk SOAR](https://www.splunk.com/en_us/software/splunk-security-orchestration-and-automation.html) is a Security Orchestration and Automation platform

  * For a free development license (100 actions per day) register [here](https://my.phantom.us/login/?next=/)

  * Enable or disable [Splunk SOAR](https://www.splunk.com/en_us/software/splunk-security-orchestration-and-automation.html) in [attack_range.yml](https://github.com/splunk/attack_range/blob/develop/attack_range.yml)



- [Windows Domain Controller & Window Server & Windows 10 Client](https://github.com/splunk/attack_range/wiki/Windows-Infrastructure)

  * Can be enabled, disabled and configured over [attack_range.yml](https://github.com/splunk/attack_range/blob/develop/attack_range.yml)

  * Collecting of Microsoft Event Logs, PowerShell Logs, Sysmon Logs, DNS Logs, ...

  * Sysmon log collection with customizable Sysmon configuration

  * RDP connection over port 3389 with user Administrator



- [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)

  * Attack Simulation with [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)

  * Will be automatically installed on target during first execution of simulate

  * Atomic Red Team already uses the new Mitre sub-techniques



- [PurpleSharp](https://github.com/mvelazc0/PurpleSharp)

  * Native adversary simulation support with [PurpleSharp](https://github.com/mvelazc0/PurpleSharp)

  * Will be automatically downloaded on target during first execution of simulate

  * Supports two parameters **-st** for comma separated ATT&CK techniques and **-sp** for a simulation playbook



- [Kali Linux](https://www.kali.org/)

  * Preconfigured Kali Linux machine for penetration testing

  * ssh connection over configured ssh key



- [Caldera](https://github.com/mitre/caldera)

  * Attack Simulation with [Caldera](https://github.com/mitre/caldera)

  * Can be enabled, disabled and configured over [attack_range.yml](https://github.com/splunk/attack_range/blob/develop/attack_range.yml)



## Support πŸ“ž

Please use the [GitHub issue tracker](https://github.com/splunk/attack_range/issues) to submit bugs or request features.



If you have questions or need support, you can:



* Join the [#security-research](https://splunk-usergroups.slack.com/archives/C1S5BEF38) room in the [Splunk Slack channel](http://splunk-usergroups.slack.com)

* Post a question to [Splunk Answers](http://answers.splunk.com)

* If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can also open a support case on the https://www.splunk.com/ support portal



## Contributing πŸ₯°

We welcome feedback and contributions from the community! Please see our [contribution guidelines](docs/CONTRIBUTING.md) for more information on how to get involved.



## Author

* [Jose Hernandez](https://twitter.com/_josehelps)

* [Patrick Bareiß](https://twitter.com/bareiss_patrick)



## Contributors

* [Bhavin Patel](https://twitter.com/hackpsy)

* [Rod Soto](https://twitter.com/rodsoto)

* Russ Nolen

* Phil Royer

* [Joseph Zadeh](https://twitter.com/JosephZadeh)

* Rico Valdez

* [Dimitris Lambrou](https://twitter.com/etz69)

* [Dave Herrald](https://twitter.com/daveherrald)

* Ignacio Bermudez Corrales

* Peter Gael

* Josef Kuepker

* Shannon Davis

* [Mauricio Velazco](https://twitter.com/mvelazco)

* [Teoderick Contreras](https://twitter.com/tccontre18)

* [Lou Stella](https://twitter.com/ljstella)

* [Christian Cloutier](https://github.com/ccl0utier)

* Eric McGinnis

* [Micheal Haag](https://twitter.com/M_haggis)

* Gowthamaraj Rajendran

* [Christopher Caldwell](https://github.com/cudgel)

* [Zachary Christensen](https://github.com/ZachTheSplunker)

* [JerinSaji0](https://github.com/JerinSaji0)