Skip to content

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk

License

Notifications You must be signed in to change notification settings

olafhartong/attack_range

 
 

Repository files navigation

Splunk Attack Range

Purpose

The Attack Range solves two main challenges in development of detections. First, it allows the user to quickly build a small lab infrastructure as close as possible to your production environment. This lab infrastructure contains a Windows Domain Controller, Windows Workstation and Linux server, which comes pre-configured with multiple security tools and logging configuration. The infrastructure comes with a Splunk server collecting multiple log sources from the different servers.

Second, this framework allows the user to perform attack simulation using different engines. Therefore, the user can repeatedly replicate and generate data as close to "ground truth" as possible, in a format that allows the creation of detections, investigations, knowledge objects, and playbooks in Splunk.

Architecture

Attack Range can be used in two different ways:

  • local using vagrant and virtualbox
  • in the cloud using terraform and AWS

In order to make Attack Range work on almost every laptop, the local version using Vagrant and Virtualbox consists of a subset of the full-blown cloud infrastructure in AWS using Terraform. The local version consists of a Splunk single instance and a Windows 10 workstation pre-configured with best practice logging configuration according to Splunk. The cloud infrastructure in AWS using Terraform consists of a Windows 10 workstation, a Windows 2016 server and a Splunk server. More information can be found in the wiki

Logical Diagram

Configuration

Running

Attack Range supports different actions:

  • Build Attack Range
  • Perform Attack Simulation
  • Search with Attack Range
  • Destroy Attack Range
  • Stop Attack Range
  • Resume Attack Range

Build Attack Range

  • Build Attack Range using Terraform
python attack_range.py -m terraform -a build
  • Build Attack Range using Vagrant
python attack_range.py -m vagrant -a build

Perform Attack Simulation

  • Perform Attack Simulation using Terraform
python attack_range.py -m terraform -a simulate -st T1117,T1003 -t attack-range_windows_2016_dc
  • Perform Attack Simulation using Vagrant
python attack_range.py -m vagrant -a simulate -st T1117,T1003 -t win10

Search with Attack Range

  • Run a savedsearch with Terraform and return the results:
python attack_range.py -m terraform -a search -sn search_name
  • Run a savedsearch with Vagrant and return the results:
python attack_range.py -m vagrant -a search -sn search_name

Destroy Attack Range

  • Destroy Attack Range using Terraform
python attack_range.py -m terraform -a destroy
  • Destroy Attack Range using Vagrant
python attack_range.py -m vagrant -a destroy

Stop Attack Range

  • Stop Attack Range using Terraform
python attack_range.py -m terraform -a stop
  • Stop Attack Range using Vagrant
python attack_range.py -m vagrant -a stop

Resume Attack Range

  • Resume Attack Range using Terraform
python attack_range.py -m terraform -a resume
  • Resume Attack Range using Vagrant
python attack_range.py -m vagrant -a resume

Support

Please use the GitHub issue tracker to submit bugs or request features.

If you have questions or need support, you can:

Author

Contributors

Contributing

We welcome feedback and contributions from the community! Please see our contribution guidelines for more information on how to get involved.

Acknowledgements

About

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 60.3%
  • Ruby 16.9%
  • HCL 15.3%
  • PowerShell 7.5%