Splunk Attack Range

Purpose

The Attack Range solves two main challenges in the development of detections. First, it allows the user to quickly build a small lab infrastructure as close as possible to your production environment. This lab infrastructure contains a Windows Domain Controller, Windows Workstation, and Linux server, which comes pre-configured with multiple security tools and logging configuration. The infrastructure comes with a Splunk server collecting multiple log sources from the different servers.

Second, this framework allows the user to perform attack simulations using different engines. Therefore, the user can repeatedly replicate and generate data as close to “ground truth” as possible, in a format that allows the creation of detections, investigations, knowledge objects, and playbooks in Splunk.

Architecture

Attack Range can be used in two different ways:

• local using vagrant and virtualbox
• in the cloud using Terraform and AWS

In order to make Attack Range work on almost every laptop, the local version using Vagrant and Virtualbox consists of a subset of the full-blown cloud infrastructure in AWS using Terraform. The local version consists of a Splunk single instance and a Windows 10 workstation pre-configured with best-practice logging configuration according to Splunk. The cloud infrastructure in AWS using Terraform consists of a Windows 10 workstation, a Windows 2016 server, and a Splunk server. More information can be found in the wiki.

Features 💍

• Splunk Server
  • Indexing of Microsoft Event Logs, PowerShell Logs, Sysmon Logs, DNS Logs, …
  • Preconfigured with multiple TAs for field extractions
  • Out of the box Splunk detections with Enterprise Security Content Update (ESCU) App
  • Preinstalled Machine Learning Toolkit (MLTK)
  • pre-indexed BOTS datasets
  • Splunk UI available through port 8000 with user admin
  • ssh connection over configured ssh key
• Splunk Enterprise Security
  • Splunk Enterprise Security is a premium security solution requiring a paid license.
  • Enable or disable Splunk Enterprise Security in attack_range.conf
  • Purchase a license, download it and store it in the apps folder to use it.
• Splunk Phantom
  • Splunk Phantom is a Security Orchestration and Automation platform
  • For a free development license (100 actions per day) register here
  • Enable or disable Splunk Phantom in attack_range.conf
• Windows Domain Controller & Window Server & Windows 10 Client
  • Can be enabled, disabled and configured over attack_range.conf
  • Collecting of Microsoft Event Logs, PowerShell Logs, Sysmon Logs, DNS Logs, …
  • Sysmon log collection with customizable Sysmon configuration
  • RDP connection over port 3389 with user Administrator
• Atomic Red Team
  • Attack Simulation with Atomic Red Team
  • Will be automatically installed on target during first execution of simulate
  • Atomic Red Team already uses the new Mitre sub-techniques
• Caldera
  • Adversary Emulation with Caldera
  • Installed on the Splunk Server and available over port 8888 with user admin
  • Preinstalled Caldera agents on windows machines
• Kali Linux
  • Preconfigured Kali Linux machine for penetration testing
  • ssh connection over configured ssh key

Install && Use

Copyright (C) 2021 splunk