
A comprehensive cybersecurity lab for creating and testing detection rules, simulating attacks, and training analysts
PurpleLab is a cybersecurity laboratory that enables security professionals to easily deploy an entire testing environment for creating and validating detection rules, simulating realistic attack scenarios, and training security analysts.
The lab includes:
- Web Interface - Complete frontend for controlling all features
- VirtualBox Environment - Ready-to-use Windows Server 2019 with Sysmon and an OpenSearch log collector
- Flask Backend - Robust API and application logic
- PostgreSQL Database - Secure data storage
- OpenSearch Server - Advanced log analysis and search capabilities
Important: For a completely clean installation, follow ALL chapters of the installation procedure, from requirements to accounts configuration.
Security Notice: This lab has not been hardened and runs with basic credentials. Do not connect it to production networks; if it must be reachable beyond the lab, secure it with proper PKI and authentication first.
Minimum Hardware Resources:
- Storage: 200GB available space
- CPU: 8 cores minimum
- RAM: 13GB minimum
Software Requirements:
- Clean installation of Ubuntu Server 22.04 - Download Here
Note: Ubuntu Server 23.10 may cause issues with Python library installation.
VMware Workstation:
- Go to VM settings → Processors → Virtualization engine
- Enable "Virtualize Intel VT-x/EPT or AMD-V/RVI"
VirtualBox:
- Select VM → Right-click → Settings → System → Processor
- Check "Enable Nested VT-x/AMD-V"
Physical Machine (Host):
- Access BIOS/UEFI settings
- Enable hardware virtualization (VT-x/AMD-V)
- Save changes and restart
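Before running the installer it is worth confirming the host actually meets the minimums above (200GB, 8 cores, 13GB RAM) and that hardware virtualization is visible to the guest. The script below is an added example and not part of the PurpleLab project; the thresholds come from the requirements list, while the way they are checked (nproc, /proc/meminfo, df, the vmx/svm flags in /proc/cpuinfo, /etc/os-release) is my own choice of standard Ubuntu tooling.

```shell
#!/usr/bin/env bash
# Pre-flight check before running install.sh. Added example, not part of PurpleLab.
# Thresholds are the README minimums; the checks (nproc, /proc/meminfo, df,
# /proc/cpuinfo, /etc/os-release) are standard Ubuntu tools chosen for this example.

MIN_DISK_GB=200
MIN_CORES=8
MIN_RAM_GB=13

# meets_minimum NAME ACTUAL MINIMUM: prints a verdict line, returns 0 iff ACTUAL >= MINIMUM.
meets_minimum() {
  local name="$1" actual="$2" minimum="$3"
  if [ "$actual" -ge "$minimum" ] 2>/dev/null; then
    printf 'OK   %-8s %s (minimum %s)\n' "$name" "$actual" "$minimum"
    return 0
  fi
  printf 'FAIL %-8s %s (minimum %s)\n' "$name" "$actual" "$minimum"
  return 1
}

# has_virt_flags CPUINFO_TEXT: returns 0 if a "flags" line carries vmx (Intel VT-x) or svm (AMD-V).
# Inside a guest this flag only shows up when nested virtualization is enabled on the hypervisor.
has_virt_flags() {
  printf '%s\n' "$1" | grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)'
}

# is_supported_release OS_RELEASE_TEXT: 0 for the README's supported Ubuntu 22.04, 1 otherwise.
is_supported_release() {
  printf '%s\n' "$1" | grep -q '^VERSION_ID="22.04"'
}

run_preflight() {
  local status=0 cores ram_gb disk_gb
  cores=$(nproc)
  ram_gb=$(awk '/^MemTotal:/ {printf "%d", $2/1024/1024}' /proc/meminfo)
  disk_gb=$(df -BG --output=avail / | tail -n 1 | tr -dc '0-9')

  meets_minimum "cores"   "$cores"   "$MIN_CORES"   || status=1
  meets_minimum "ram_gb"  "$ram_gb"  "$MIN_RAM_GB"  || status=1
  meets_minimum "disk_gb" "$disk_gb" "$MIN_DISK_GB" || status=1

  if has_virt_flags "$(cat /proc/cpuinfo)"; then
    echo "OK   hardware virtualization flag present (vmx/svm)"
  else
    echo "FAIL no vmx/svm flag: enable VT-x/AMD-V (or nested virtualization) before installing"
    status=1
  fi

  if is_supported_release "$(cat /etc/os-release)"; then
    echo "OK   Ubuntu 22.04 detected"
  else
    echo "WARN not Ubuntu 22.04; the README reports Python library issues on 23.10"
  fi
  return "$status"
}

# Usage: bash preflight.sh --check
if [ "${1:-}" = "--check" ]; then
  run_preflight
fi
```

Run it as `bash preflight.sh --check` on the freshly installed Ubuntu host; a non-zero exit means at least one hard requirement failed, and the missing vmx/svm flag is the usual reason the VirtualBox step of install.sh later fails inside a nested VM.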
Download Repository:
git clone https://github.com/Krook9d/PurpleLab.git && mv PurpleLab/install.sh .
Execute the installation script:
sudo bash install.sh
The script will automatically:
- Install all components: OpenSearch, PostgreSQL, VirtualBox, and web interface
- Configure the Windows Server VM: Set up monitoring and security tools
- Generate credentials: Save all login information to admin.txt
A default admin account is automatically created and stored in ~/admin.txt with the format:
admin@local.com:password
- Access the application using your server's IP address
- Click the "Register" button
- Fill in the required fields:
  - First Name: Your first name
  - Last Name: Your last name
  - Analyst Level: Your analyst level (N1/N2/N3)
  - Avatar: Select an avatar (< 1MB)
  - Password: Must contain at least 8 characters, including uppercase, lowercase, a number, and a special character
Start the Flask server:
sudo python3 /home/$(logname)/app.py
The automatically configured VM includes:
- Windows Server 2019 with admin user oem/oem
- Sysmon with SwiftOnSecurity configuration for advanced logging
- Winlogbeat OSS 7.12.1 automatically sending logs to OpenSearch
- Atomic Red Team with full test suite for attack simulation
- Python environment and Chocolatey package manager
- PowerShell-YAML module for YAML file processing
- Pre-configured directories: samples, malware_upload, and upload folders
- Windows Defender exclusions for testing scenarios
The dashboard displays key performance indicators from OpenSearch:
- Event Count from Windows Server VM
- Unique IP Addresses detected in logs
- MITRE ATT&CK techniques and sub-techniques count
- Log Distribution from VM collection
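The same indicators can be pulled straight from OpenSearch, which is useful when the dashboard shows zero events and you need to tell a collection problem from a display problem. The script below is an added example, not PurpleLab code: it assumes Winlogbeat's default index pattern winlogbeat-*, the ECS field names Winlogbeat emits (@timestamp, destination.ip, winlog.channel, winlog.event_id), and placeholder URL and credentials that you replace with your lab's values.

```shell
#!/usr/bin/env bash
# KPI queries against the lab's OpenSearch, reproducing the dashboard's event count,
# unique IP and log distribution indicators as plain _search aggregations.
# Added example, not PurpleLab code. Index pattern, field names, URL and
# credentials are assumptions/placeholders, see the lead-in above.

OPENSEARCH_URL="${OPENSEARCH_URL:-https://localhost:9200}"   # placeholder
OPENSEARCH_AUTH="${OPENSEARCH_AUTH:-admin:CHANGE_ME}"        # placeholder
INDEX_PATTERN="${INDEX_PATTERN:-winlogbeat-*}"               # Winlogbeat default
SINCE="${SINCE:-now-24h}"

# kpi_query NAME: prints the request body for one KPI; returns 2 on an unknown name.
kpi_query() {
  local range
  range=$(printf '"query":{"range":{"@timestamp":{"gte":"%s"}}}' "$SINCE")
  case "$1" in
    event_count)
      # track_total_hits makes hits.total exact instead of capping at 10,000
      printf '{"size":0,%s,"track_total_hits":true}' "$range" ;;
    unique_ips)
      # cardinality is approximate (HyperLogLog++), acceptable for a dashboard KPI
      printf '{"size":0,%s,"aggs":{"unique_dst":{"cardinality":{"field":"destination.ip"}}}}' "$range" ;;
    log_distribution)
      printf '{"size":0,%s,"aggs":{"by_channel":{"terms":{"field":"winlog.channel","size":10},"aggs":{"by_event_id":{"terms":{"field":"winlog.event_id","size":10}}}}}}' "$range" ;;
    *)
      echo "unknown KPI: $1 (use event_count, unique_ips or log_distribution)" >&2
      return 2 ;;
  esac
}

# run_kpi NAME: sends the query. -k only because the lab runs on self-signed certificates.
run_kpi() {
  local body
  body=$(kpi_query "$1") || return $?
  curl -sk -u "$OPENSEARCH_AUTH" -H 'Content-Type: application/json' \
    "$OPENSEARCH_URL/$INDEX_PATTERN/_search" -d "$body"
}

# Usage: OPENSEARCH_AUTH=user:pass bash kpi.sh unique_ips
if [ $# -eq 1 ]; then
  run_kpi "$1"
fi
```

If event_count returns hits.total.value of 0 while the VM is running, check Winlogbeat on the Windows side before touching the dashboard; if the count is healthy but unique_ips is 0, the Sysmon network events (which populate destination.ip) are the thing to look at.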
Direct access to OpenSearch Dashboards for log analysis. Navigate to Discover to examine:
- Automatically collected VM logs from Windows Server sandbox
- Simulated log data and security events
- Real-time monitoring of system activities
- Sysmon events with detailed process and network information
Interactive MITRE ATT&CK framework interface for:
Technique Discovery:
- Search using technique IDs (e.g., "T1070")
- Browse sub-techniques and detailed information
- Access comprehensive technique documentation
Payload Execution:
- Execute Atomic Red Team payloads
- Simulate real attack scenarios
- Generate detection-worthy events
Database Management:
- Update MITRE ATT&CK database with latest data
- Maintain current threat intelligence
Reference: Atomic Red Team Tests
Comprehensive malware management platform with dual functionality:
- Search & Download: Enter malware types (e.g., "Trojan")
- Auto-Integration: Automatically uploads to Windows VM
- Batch Processing: Downloads the 10 latest samples from Malware Bazaar
- Execution Control: Run malware with single-click execution
- Custom Uploads: Upload your own executables and scripts
- Supported Formats: .exe, .dll, .bin, .py, .ps1
- Inventory Management: List and manage uploaded malware
Storage Location: /var/www/html/Downloaded/malware_upload/
Collaborative knowledge sharing platform:
- Query Sharing: Publish effective detection queries
- Rule Exchange: Share custom detection rules
- Community Benefit: Learn from other analysts' discoveries
Advanced Sigma rule management:
- Keyword Search: Find rules by technique IDs or keywords (e.g., "powershell")
- Rule Display: View complete Sigma rule details
- Format Conversion: Convert rules to Splunk or Lucene syntax
- Splunk Format: One-click conversion to Splunk queries
- Lucene Format: Transform to Elasticsearch-compatible syntax
Advanced rule lifecycle management system for connecting and managing security rules across multiple SIEM platforms:
- Splunk Integration: Configure connections to Splunk instances with SSL support
- OpenSearch Integration: Connect to OpenSearch clusters for rule synchronization
- Connection Testing: Validate configurations before deployment
- Status Monitoring: Real-time connector health and connectivity status
- Rule Synchronization: Automatically fetch detection rules from connected SIEM platforms
- Payload Association: Link PowerShell payloads to specific detection rules
- Custom Payload Creation: Build and edit PowerShell scripts for rule testing
- Rule Filtering: Filter rules by payload status and connector type
- Last Sync Tracking: Monitor synchronization timestamps and rule freshness
- Payload Execution: Run individual or batch payloads against associated rules
- Result Analysis: View detailed execution outputs and error messages
- Status Filtering: Filter results by triggered/not triggered/error states
- Time-based Filtering: Analyze executions over different time periods
- Batch Operations: Execute all payloads for displayed rules simultaneously
Comprehensive system monitoring dashboard:
- OpenSearch Dashboards - Web interface status
- Postgres - Database
- OpenSearch - Search engine status
- VirtualBox - Virtualization platform
- Flask Backend - Application server
- RAM Usage - Memory utilization
- Disk Usage - Storage consumption
- Status Monitoring - Current VM state
- IP Information - Network configuration
- Snapshot Control - Restore points management
Note: Snapshot restoration may show errors even when successful - verify by connecting to the VM.
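Because the restore's exit status is not trustworthy, the check has to come from somewhere else. The script below is an added example, not PurpleLab code, that complements the "connect to the VM" advice by asking VBoxManage which snapshot the VM is on and whether it is running; the VM name is a placeholder to replace with the name shown by `VBoxManage list vms`.

```shell
#!/usr/bin/env bash
# Restore a VirtualBox snapshot and verify it took effect from VBoxManage's own
# state report instead of the restore command's exit status.
# Added example, not PurpleLab code; VM_NAME is a placeholder.

VM_NAME="${VM_NAME:-PurpleLab-Windows}"   # placeholder, see 'VBoxManage list vms'

# vm_state INFO: extract VMState from 'VBoxManage showvminfo --machinereadable' output.
vm_state() {
  printf '%s\n' "$1" | sed -n 's/^VMState="\([^"]*\)"$/\1/p'
}

# current_snapshot INFO: extract the snapshot the VM currently sits on (empty if none).
current_snapshot() {
  printf '%s\n' "$1" | sed -n 's/^CurrentSnapshotName="\([^"]*\)"$/\1/p'
}

# verify_restore INFO SNAPSHOT: 0 when the VM is running from SNAPSHOT, 1 otherwise.
verify_restore() {
  [ "$(vm_state "$1")" = "running" ] && [ "$(current_snapshot "$1")" = "$2" ]
}

# restore_and_verify SNAPSHOT: power off, restore, start headless, then poll for up to 60 s.
restore_and_verify() {
  local snap="$1" tries=0 info
  VBoxManage controlvm "$VM_NAME" poweroff >/dev/null 2>&1 || true   # no-op if already off
  VBoxManage snapshot "$VM_NAME" restore "$snap" \
    || echo "restore reported an error; checking the actual state anyway" >&2
  VBoxManage startvm "$VM_NAME" --type headless >/dev/null
  while [ "$tries" -lt 30 ]; do
    info=$(VBoxManage showvminfo "$VM_NAME" --machinereadable)
    if verify_restore "$info" "$snap"; then
      echo "VM '$VM_NAME' is running from snapshot '$snap'"
      return 0
    fi
    sleep 2
    tries=$((tries + 1))
  done
  echo "VM did not reach state 'running' on snapshot '$snap'" >&2
  return 1
}

# Usage: VM_NAME="<vm>" bash restore_check.sh "<snapshot name>"
if [ $# -eq 1 ]; then
  restore_and_verify "$1"
fi
```

A clean exit here only proves the hypervisor's view; after a malware detonation, still log in to the guest and confirm the sample directories are back to their pre-run state before reusing the VM.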
Administrative control center for system configuration:
- LDAP Configuration: Centralized authentication setup
- API Key Generation: Secure API access management
- AlienVault OTX API Key: Configure threat intelligence integration for enhanced KPIs
- System Settings: Core configuration management
Login with administrator account: admin@local.com
Repository: TA-Purplelab-Splunk
- Atomic Red Team Integration: Execute tests directly from Splunk
- Threat Hunting Dashboard: Dedicated hunting interface
- Seamless Integration: Easy PurpleLab-Splunk connectivity
Repository: PurpleLab-Cortex-Analyzer
- Automated Uploads: Seamless executable transfer to PurpleLab
- Detonation Analysis: Automated malware execution and analysis
- TheHive Integration: Enhanced incident response workflows
For comprehensive API usage and integration details, see our complete documentation: