The Attack Range is a detection development platform which solves three main challenges in detection engineering:
1. The user is able to quickly build a small lab infrastructure as close as possible to a production environment.
2. The Attack Range performs attack simulation using different engines such as Atomic Red Team or Caldera in order to generate real attack data.
3. It integrates seamlessly into any Continuous Integration / Continuous Delivery (CI/CD) pipeline to automate the detection rule testing process.
A short demo (under 3 minutes) shows the basic functions of the Attack Range: it builds a testing environment using Terraform, walks through the data collected by Splunk, then attacks the environment using MITRE ATT&CK technique T1003, and finally shows how Splunk Security Content searches are used to detect the attack.
Attack Range can be built in three different ways:
- in the cloud, with Terraform plus AWS or Azure
- locally, with Vagrant and VirtualBox
- serverless, with Terraform and AWS services
Docker:
```bash
docker pull splunk/attack_range
docker run -it splunk/attack_range
```
Ubuntu (AWS):
```bash
source <(curl -s 'https://raw.githubusercontent.com/splunk/attack_range/develop/scripts/ubuntu_deploy.sh')
aws configure
python attack_range.py configure
```
macOS (AWS):
```bash
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/splunk/attack_range/develop/scripts/macos_deploy_aws.sh)" && cd attack_range && source venv/bin/activate
aws configure
python attack_range.py configure
```
macOS (Azure):
```bash
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/splunk/attack_range/develop/scripts/macos_deploy_azure.sh)" && cd attack_range && source venv/bin/activate
az login
python attack_range.py configure
```
The virtualized deployment of Attack Range consists of:
- Windows Domain Controller
- Windows Server
- Windows Workstation
- A Kali Machine
- Splunk Server
- Phantom Server
- Zeek Sensor
These machines can be added, removed and configured using attack_range.conf. More machines such as Phantom, a Linux server, a Linux client and macOS clients are currently under development.
An approximate cost estimate for running attack_range on AWS can be found here.
The following log sources are collected from the machines:
- Windows Event Logs (index = win)
- Sysmon Logs (index = win)
- PowerShell Logs (index = win)
- Network Logs with Splunk Stream (index = main)
- Attack Simulation Logs from Atomic Red Team and Caldera (index = attack)
Attack Range supports different actions:
- Configure Attack Range: `python attack_range.py configure`
- Build Attack Range: `python attack_range.py build`
- Show Attack Range: `python attack_range.py show`
- Perform Attack Simulation: `python attack_range.py simulate -st T1003.001 -t ar-win-dc-default-username-33048`
- Test with Attack Range: `python attack_range.py test -tf tests/T1003_001.yml,tests/T1003_002.yml`
- Destroy Attack Range: `python attack_range.py destroy`
- Stop Attack Range: `python attack_range.py stop`
- Resume Attack Range: `python attack_range.py resume`
- Dump Log Data from Attack Range: `python attack_range.py dump -dn data_dump`
- Replay previously saved dumps from Attack Range: `python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP]`
  - by default, all enabled dumps described in `attack_data/dumps.yml` are replayed
  - with the optional argument `--dump` you can specify which dump to replay: `python attack_range.py replay -dn data_dump --dump windows_sec_events`
Splunk Server
- Indexing of Microsoft Event Logs, PowerShell Logs, Sysmon Logs, DNS Logs, ...
- Preconfigured with multiple TAs for field extractions
- Out of the box Splunk detections with the Enterprise Security Content Update (ESCU) App
- Preinstalled Machine Learning Toolkit (MLTK)
- Pre-indexed BOTS datasets
- Splunk UI available through port 8000 with user admin
- SSH connection over the configured SSH key
Splunk Enterprise Security
- Splunk Enterprise Security is a premium security solution requiring a paid license.
- Enable or disable Splunk Enterprise Security in attack_range.conf
- Purchase a license, download it and store it in the apps folder to use it.
Splunk Phantom
- Splunk Phantom is a Security Orchestration and Automation platform
- For a free development license (100 actions per day) register here
- Enable or disable Splunk Phantom in attack_range.conf
Windows Domain Controller & Windows Server & Windows 10 Client
- Can be enabled, disabled and configured over attack_range.conf
- Collection of Microsoft Event Logs, PowerShell Logs, Sysmon Logs, DNS Logs, ...
- Sysmon log collection with customizable Sysmon configuration
- RDP connection over port 3389 with user Administrator
Atomic Red Team
- Attack Simulation with Atomic Red Team
- Will be automatically installed on the target during the first execution of simulate
- Atomic Red Team already uses the new MITRE sub-techniques
Caldera
- Adversary Emulation with Caldera
- Installed on the Splunk Server and available over port 8888 with user admin
- Preinstalled Caldera agents on Windows machines
Kali Linux
- Preconfigured Kali Linux machine for penetration testing
- SSH connection over the configured SSH key
Please use the GitHub issue tracker to submit bugs or request features.
If you have questions or need support, you can:
- Join the #security-research room in the Splunk Slack channel
- Post a question to Splunk Answers
- If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can also open a support case on the https://www.splunk.com/ support portal
We welcome feedback and contributions from the community! Please see our contribution guidelines for more information on how to get involved.
Contributors
- Bhavin Patel
- Rod Soto
- Russ Nolen
- Phil Royer
- Joseph Zadeh
- Rico Valdez
- Dimitris Lambrou
- Dave Herrald
- Ignacio Bermudez Corrales
- Peter Gael
- Josef Kuepker
- Shannon Davis
- Mauricio Velazco
- Teoderick Contreras
- Lou Stella