Splunk Attack Range ⚔️

The Splunk Attack Range is an open-source project maintained by the Splunk Threat Research Team. It builds instrumented cloud (AWS, Azure) and local environments (Virtualbox), simulates attacks, and forwards the data into a Splunk instance. This environment can then be used to develop and test the effectiveness of detections.

Purpose 🛡

The Attack Range is a detection development platform, which solves three main challenges in detection engineering:

• The user is able to quickly build a small lab infrastructure as close as possible to a production environment.
• The Attack Range performs attack simulation using different engines such as Atomic Red Team or Caldera in order to generate real attack data.
• It integrates seamlessly into any Continuous Integration / Continuous Delivery (CI/CD) pipeline to automate the detection rule testing process.

Docs

The Attack Range Documentation can be found here.

Installation 🏗

Using Docker

Attack Range in AWS:

docker pull splunk/attack_range
docker run -it splunk/attack_range
aws configure
python attack_range.py configure

To install directly on Linux, or MacOS follow these instructions.

Architecture 🏯

The deployment of Attack Range consists of:

• Windows Domain Controller
• Windows Server
• Windows Workstation
• A Kali Machine
• Splunk Server
• Splunk SOAR Server
• Nginx Server
• Linux Server
• Zeek Server
• Snort Server

Which can be added/removed/configured using attack_range.yml.

Logging

The following log sources are collected from the machines:

• Windows Event Logs (index = win)
• Sysmon Logs (index = win)
• Powershell Logs (index = win)
• Aurora EDR (index = win)
• Sysmon for Linux Logs (index = unix)
• Nginx logs (index = proxy)
• Network Logs with Splunk Stream (index = main)
• Attack Simulation Logs from Atomic Red Team and Caldera (index = attack)
• Zeek Logs (index = zeek)
• Snort Logs (index = snort)
• Cisco Secure Endpoint Logs (index = cisco_secure_endpoint)
• CrowdStrike Falcon Logs (index = crowdstrike_falcon)
• Carbon Black Logs (index = carbon_black_cloud)

Running 🏃‍♀️

Attack Range supports different actions:

Configure Attack Range

python attack_range.py configure

Build Attack Range

python attack_range.py build

Show Attack Range Infrastructure

python attack_range.py show

Perform Attack Simulations with Atomic Red Team or PurpleSharp

python attack_range.py simulate -e ART -te T1003.001 -t ar-win-ar-ar-0

python attack_range.py simulate -e PurpleSharp -te T1003.001 -t ar-win-ar-ar-0

Destroy Attack Range

python attack_range.py destroy

Stop Attack Range

python attack_range.py stop

Resume Attack Range

python attack_range.py resume

Dump Log Data from Attack Range

python attack_range.py dump --file_name attack_data/dump.log --search 'index=win' --earliest 2h

Replay Dumps into Attack Range Splunk Server

python attack_range.py replay --file_name attack_data/dump.log --source test --sourcetype test

Features 💍

• Splunk Server

  • Indexing of Microsoft Event Logs, PowerShell Logs, Sysmon Logs, DNS Logs, ...
  • Preconfigured with multiple TAs for field extractions
  • Out of the box Splunk detections with Enterprise Security Content Update (ESCU) App
  • Preinstalled Machine Learning Toolkit (MLTK)
  • pre-indexed BOTS datasets
  • Splunk UI available through port 8000 with user admin
  • ssh connection over configured ssh key

• Splunk Enterprise Security

  • Splunk Enterprise Security is a premium security solution requiring a paid license.
  • Enable or disable Splunk Enterprise Security in attack_range.yml
  • Purchase a license, download it and store it in the apps folder to use it.

• Splunk SOAR

  • Splunk SOAR is a Security Orchestration and Automation platform
  • For a free development license (100 actions per day) register here
  • Enable or disable Splunk SOAR in attack_range.yml

• Windows Domain Controller & Window Server & Windows 10 Client

  • Can be enabled, disabled and configured over attack_range.yml
  • Collecting of Microsoft Event Logs, PowerShell Logs, Sysmon Logs, DNS Logs, ...
  • Sysmon log collection with customizable Sysmon configuration
  • RDP connection over port 3389 with user Administrator

• Atomic Red Team

  • Attack Simulation with Atomic Red Team
  • Will be automatically installed on target during first execution of simulate
  • Atomic Red Team already uses the new Mitre sub-techniques

• PurpleSharp

  • Native adversary simulation support with PurpleSharp
  • Will be automatically downloaded on target during first execution of simulate
  • Supports two parameters -st for comma separated ATT&CK techniques and -sp for a simulation playbook

• Kali Linux

  • Preconfigured Kali Linux machine for penetration testing
  • ssh connection over configured ssh key

Support 📞

Please use the GitHub issue tracker to submit bugs or request features.

If you have questions or need support, you can:

• Join the #security-research room in the Splunk Slack channel
• Post a question to Splunk Answers
• If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can also open a support case on the https://www.splunk.com/ support portal

Contributing 🥰

We welcome feedback and contributions from the community! Please see our contribution guidelines for more information on how to get involved.

Author

• Jose Hernandez
• Patrick Bareiß

Contributors

• Bhavin Patel
• Rod Soto
• Russ Nolen
• Phil Royer
• Joseph Zadeh
• Rico Valdez
• Dimitris Lambrou
• Dave Herrald
• Ignacio Bermudez Corrales
• Peter Gael
• Josef Kuepker
• Shannon Davis
• Mauricio Velazco
• Teoderick Contreras
• Lou Stella
• Christian Cloutier
• Eric McGinnis
• Micheal Haag
• Gowthamaraj Rajendran
• Christopher Caldwell