The Attack Range solves two main challenges in development of detections. First, it allows the user to quickly build a small lab infrastructure as close as possible to your production environment. This lab infrastructure contains a Windows Domain Controller, Windows Workstation and Linux server, which comes pre-configured with multiple security tools and logging configuration. The infrastructure comes with a Splunk server collecting multiple log sources from the different servers.
Second, this framework allows the user to perform attack simulation using different engines. Therefore, the user can repeatedly replicate and generate data as close to "ground truth" as possible, in a format that allows the creation of detections, investigations, knowledge objects, and playbooks in Splunk.
Architecture
Attack Range can be used in two different ways:
- local using vagrant and virtualbox
- in the cloud using terraform and AWS
Configuration
Running
Attack Range supports different actions:
- Build Attack Range
- Perform Attack Simulation
- Destroy Attack Range
- Stop Attack Range
- Resume Attack Range
Build Attack Range
- Build Attack Range using Terraform
python attack_range.py -m terraform -a build
- Build Attack Range using Vagrant
python attack_range.py -m vagrant -a build
Perform Attack Simulation
- Perform Attack Simulation using Terraform
python attack_range.py -m terraform -a simulate -st T1117,T1003 -t attack-range_windows_2016_dc
- Perform Attack Simulation using Vagrant
python attack_range.py -m vagrant -a simulate -st T1117,T1003 -t win10
Destroy Attack Range
- Destroy Attack Range using Terraform
python attack_range.py -m terraform -a destroy
- Destroy Attack Range using Vagrant
python attack_range.py -m vagrant -a destroy
Stop Attack Range
- Stop Attack Range using Terraform
python attack_range.py -m terraform -a stop
- Stop Attack Range using Vagrant
python attack_range.py -m vagrant -a stop
Resume Attack Range
- Resume Attack Range using Terraform
python attack_range.py -m terraform -a resume
- Resume Attack Range using Vagrant
python attack_range.py -m vagrant -a resume
Support
Please use the GitHub issue tracker to submit bugs or request features.
If you have questions or need support, you can:
- Post a question to Splunk Answers
- Join the #security-research room in the Splunk Slack channel
- If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can also open a support case on the https://www.splunk.com/ support portal
Author
Contributors
- Rod Soto
- Bhavin Patel
- Patrick Bareiß
- Russ Nolen
- Phil Royer
Acknowledgements
- DetectionLab
- Atomic Red team
- Sysmon configuration