Splunk Attack Range

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk.

The Attack Range solves two main challenges in development of detection. First, it allows the user to quickly build a small lab infrastructure as close as possible to your production environment. This lab infrastructure contains a Windows Domain Controller, Windows Server, Windows Workstation and a Kali Machine, which comes pre-configured with multiple security tools and logging configuration. The infrastructure comes with a Splunk server collecting multiple log sources from the different servers.

Second, this framework allows the user to perform attack simulation using different engines. Therefore, the user can repeatedly replicate and generate data as close to "ground truth" as possible, in a format that allows the creation of detection, investigations, knowledge objects, and playbooks in Splunk. 

Demo

tv A short demo (< 6 min) which shows the basic functions of the attack range. It builds a testing environment using terraform, walks through the data collected by Splunk. Then attacks it using MITRE ATT&CK Technique T1003 and finally showcases how ESCU searches are used to detect the attack.

Deployment

Attack Range can be built in three different ways:

  • local using vagrant and virtualbox
  • in the cloud using terraform and AWS
  • cloud optimized using terraform, packer and AWS

Architecture

Attack Range consists of:

  • Windows Domain Controller
  • Windows Server
  • Windows Workstation
  • A Kali Machine
  • Splunk Server
  • Phantom Server

Which can be added/removed/configured using attack_range.conf. More machines such as Phantom, Linux server, Linux client, MacOS clients are currently under development.

Configuration

Running

Attack Range supports different actions:

  • Build Attack Range
  • Perform Attack Simulation
  • Search with Attack Range
  • Destroy Attack Range
  • Stop Attack Range
  • Resume Attack Range

Build Attack Range

  • Build Attack Range
python attack_range.py -m terraform/vagrant/packer -a build

Perform Attack Simulation

  • Perform Attack Simulation
python attack_range.py -m terraform/vagrant/packer -a simulate -st T1117,T1003 -t attack-range-windows-domain-controller

Search with Attack Range

  • Run a savedsearch and return the results
python attack_range.py -m terraform/vagrant/packer -a search -sn search_name

Destroy Attack Range

  • Destroy Attack Range
python attack_range.py -m terraform/vagrant/packer -a destroy

Stop Attack Range

  • Stop Attack Range
python attack_range.py -m terraform/vagrant/packer -a stop

Resume Attack Range

  • Resume Attack Range
python attack_range.py -m terraform/vagrant/packer -a resume

Features

Planned features

  • Linux Server
  • Linux Client
  • macOS Client

Support

Please use the GitHub issue tracker to submit bugs or request features.

If you have questions or need support, you can:

Author

Contributors

Contributing

We welcome feedback and contributions from the community! Please see our contribution guidelines for more information on how to get involved.

March 13, 2020
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013
GET A FREE EDITION!
Join our newsletter and receive for FREE, our premium edition “Brute Force and Supply Chain Attacks”
x