Awesome
Attack Range Local Has been Deprecated and Archived in Favor of https://github.com/splunk/attack_range
Thank you to all of our users for their feedback, bug reports, and contributions to the project. As of May 8, 2023, Attack Range Local has been deprecated and archived.
But I Still Want to Run a Local Attack Range!
Great News! https://github.com/splunk/attack_range now supports deploying Attack Range Locally (just like this repo used to). It's a one-stop-shop for all of your simulation needs. That repo brings the functionality of Attack Range Local and Attack Range Cloud into the Attack Range Repo. It is actively maintained and in use by the Splunk Threat Research Team on a daily basis.
Splunk Attack Range Local (Do Not Use for New Projects)βοΈ
Purpose π‘
The Attack Range is a detection development platform, which solves three main challenges in detection engineering. First, the user is able to build quickly a small lab infrastructure as close as possible to a production environment. Second, the Attack Range performs attack simulation using different engines such as Atomic Red Team or Caldera in order to generate real attack data. Third, it integrates seamlessly into any Continuous Integration / Continuous Delivery (CI/CD) pipeline to automate the detection rule testing process.
Building π·ββοΈ
Attack Range can be built in three different ways:
- locally with vagrant and virtualbox
- cloud using terraform and AWS or Azure, see attack_range
- cloud-only see attack_range_cloud
Installation π
For Ubuntu 18.04
For MacOS
Architecture π―
The virtualized deployment of Attack Range consists of:
- Windows Domain Controller
- Windows Server
- Windows Workstation
- A Kali Machine
- Splunk Server
- Phantom Server
- Caldera Server
Which can be added/removed/configured using attack_range_local.conf. More machines such as Phantom, Linux server, Linux client, MacOS clients are currently under development.
Logging
The following log sources are collected from the machines:
- Windows Event Logs (
index = win) - Sysmon Logs (
index = win) - Powershell Logs (
index = win) - Network Logs with Splunk Stream (
index = main) - Attack Simulation Logs from Atomic Red Team and Caldera (
index = attack)
Running πββοΈ
Attack Range supports different actions:
- Build Attack Range
- Perform Attack Simulation
- Destroy Attack Range
- Stop Attack Range
- Resume Attack Range
- Dump Attack Data
Build Attack Range Local
- Build Attack Range Local
python attack_range_local.py -a build
Perform Attack Simulation
- Perform Attack Simulation
python attack_range_local.py -a simulate -st T1003.001 -t attack-range-windows-domain-controller
Show Attack Range Status
- Show Attack Range Status
python attack_range_local.py -lm
Destroy Attack Range Local
- Destroy Attack Range Local
python attack_range_local.py -a destroy
Stop Attack Range Local
- Stop Attack Range Local
python attack_range_local.py -a stop
Resume Attack Range Local
- Resume Attack Range Local
python attack_range_local.py -a resume
Dump Attack Data
- Dump Attack Range Data
python attack_range_local.py -a dump -dn dump_data_folder
Features π
-
- Indexing of Microsoft Event Logs, PowerShell Logs, Sysmon Logs, DNS Logs, ...
- Preconfigured with multiple TAs for field extractions
- Out of the box Splunk detections with Enterprise Security Content Update (ESCU) App
- Preinstalled Machine Learning Toolkit (MLTK)
- Splunk UI available through port 8000 with user admin
- ssh connection over configured ssh key
-
Bring Your Own Splunk Server
- Send events to your own Splunk Server instance
- Allows integration of automated attacks into your own detection engineering lifecycle
-
- Splunk Enterprise Security is a premium security solution requiring a paid license.
- Enable or disable Splunk Enterprise Security in attack_range_local.conf
- Purchase a license, download it and store it in the apps folder to use it.
-
- Splunk Phantom is a Security Orchestration and Automation platform
- For a free development license (100 actions per day) register here
- Enable or disable Splunk Phantom in attack_range_local.conf
-
Windows Domain Controller & Window Server & Windows 10 Client
- Can be enabled, disabled and configured over attack_range_local.conf
- Collecting of Microsoft Event Logs, PowerShell Logs, Sysmon Logs, DNS Logs, ...
- Sysmon log collection with customizable Sysmon configuration
- RDP connection over port 3389 with user Administrator
-
- Attack Simulation with Atomic Red Team
- Will be automatically installed on target during first execution of simulate
- Atomic Red Team already uses the new Mitre sub-techniques
-
- Adversary Emulation with Caldera
- Installed on the Splunk Server and available over port 8888 with user admin
- Preinstalled Caldera agents on windows machines
-
- Preconfigured Kali Linux machine for penetration testing
- ssh connection over configured ssh key
Support π
Please use the GitHub issue tracker to submit bugs or request features.
If you have questions or need support, you can:
- Post a question to Splunk Answers
- Join the #security-research room in the Splunk Slack channel
- If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can also open a support case on the https://www.splunk.com/ support portal
Contributing π₯°
We welcome feedback and contributions from the community! Please see our contribution guidelines for more information on how to get involved.
Author
Contributors
- Bhavin Patel
- Rod Soto
- Russ Nolen
- Phil Royer
- Joseph Zadeh
- Rico Valdez
- Dimitris Lambrou
- Dave Herrald
- Kai Seidenschnur
License
Copyright 2020 Splunk Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.