forked from splunk/attack_range
-
Notifications
You must be signed in to change notification settings - Fork 0
/
attack_range.conf.template
507 lines (369 loc) · 16.6 KB
/
attack_range.conf.template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
# This file contains possible settings you can use to configure Attack Range
[global]
log_path = attack_range.log
# Sets the log_path for the logging file
log_level = INFO
# Sets the log level for the logging
# Possible values: INFO, ERROR
attack_range_password = Pl3ase-k1Ll-me:p
# Master password for all administrative accounts
# default Pl3ase-k1Ll-me:p
provider = aws
# provider to deploy the Attack Range
# example_1: aws
# example_2: azure
# example_3: orca
tf_backend = local
# Specify terraform backend type
# Possible values: local, remote
[aws]
instance_type_ec2 = t3.2xlarge
# instance type for the aws ec2 instances
use_elastic_ips = 1
# define if you want to use AWS EIPs or not
tf_backend_name = threat_research_attack_range
# only needed when you specify a remote backend
# for AWS: need to be the name of the S3 bucket and DynamoDB table
[azure]
azure_subscription_id = xxx
# only for provider azure
# for instructions visit: https://docs.microsoft.com/en-us/azure/media-services/latest/how-to-set-azure-subscription?tabs=portal
instance_type_vms = Standard_D4_v4
# instance type for azure vms
tf_backend_ressource_group = resource_group
# only needed when you specify a remote backend
tf_backend_storage_account = attackrangestorage
# only needed when you specify a remote backend
tf_backend_container = tfstate
# only needed when you specify a remote backend
[orca]
# only for provider orca
splunk_instance_ip = 127.0.0.1
# Splunk IP set from orca
splunk_ssh_port = 2222
# Splunk ssh port from orca
splunk_rest_port = 8089
# Splunk rest port from orca
[range_settings]
key_name = attack-range-key-pair
# please configure your ssh key name on aws
# for instructions visit: https://github.com/splunk/attack_range/wiki/Ubuntu-18.04-Installation
ip_whitelist = 0.0.0.0/0
# Blocks from which Attack Range machines can be reached.
# This allow comma-separated blocks
# ip_whitelist = 0.0.0.0/0,35.153.82.195/32
private_key_path = ~/.ssh/id_rsa
# Specify the path to your private SSH key
# required for both AWS and Azure
public_key_path = ~/.ssh/id_rsa.pub
# Only for Azure needed
region = us-west-2
# Specify the region in which you want to build the attack range
# for aws cloud: please ensure that aws_cli has the same region specified
# example aws: us-west-2
# example azure: West Europe
range_name = default
# Specify a unique name for the assets in a region
# Setting this allows you to deploy additional ranges with the same key_name
# An example would be for user1 and user2 testing in seperate environments
# or user1 testing multiple use cases.
# we suggest to use multiple attack_range.conf files when you deploy multiple
# attack ranges.
[splunk_settings]
splunk_url = https://download.splunk.com/products/splunk/releases/8.2.5/linux/splunk-8.2.5-77015bc7a462-Linux-x86_64.tgz
# Specify the download URL of Splunk Enterprise
splunk_binary = splunk-8.2.5-77015bc7a462-Linux-x86_64.tgz
# Specify the name of the Splunk Enterprise executable
s3_bucket_url = https://attack-range-appbinaries.s3-us-west-2.amazonaws.com
# Specify the S3 bucket url from which you want to download the Splunk Apps
splunk_windows_ta = splunk-add-on-for-microsoft-windows_840.tgz
# Specify the Splunk Windows TA
#splunk_sysmon_ta = splunk-add-on-for-microsoft-sysmon_1062.tgz
splunk_sysmon_ta = splunk-add-on-for-sysmon_200.tgz
# Specify the Splunk Sysmon TA
splunk_sysmon_linux_ta = add-on-for-linux-sysmon_104.tgz
#Specify the Splunk Sysmon for Linux TA
splunk_cim_app = splunk-common-information-model-cim_500.tgz
# Specify the Splunk CIM App
splunk_aws_ta = splunk-add-on-for-amazon-web-services-aws_520.tgz
# Specify the Splunk AWS TA
splunk_escu_app = DA-ESS-ContentUpdate-latest.tar.gz
# Specify the Splunk ESCU App
splunk_asx_app = Splunk_ASX-latest.tar.gz
# Specify the Splunk ASX App
splunk_python_app = python-for-scientific-computing-for-linux-64-bit_302.tgz
# Specify the Splunk python for scientific computing dependency that is needed by the MLTK app
splunk_mltk_app = splunk-machine-learning-toolkit_531.tgz
# Specify the Splunk MLTK App
splunk_stream_app = splunk-app-for-stream_802.tgz
# Specify the Splunk Stream App
splunk_ta_wire_data = splunk-add-on-for-stream-wire-data_802.tgz
# Specify the Splunk TA wire data
splunk_ta_stream = splunk-add-on-for-stream-forwarders_802.tgz
# Specify the Splunk TA stream
splunk_security_essentials_app = splunk-security-essentials_350.tgz
# Specify the Splunk SSE App
splunk_zeek_ta = splunk-add-on-for-zeek-aka-bro_400.tgz
# Specify the Splunk Zeek TA
splunk_kinesis_ta = splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz
# Specify the Splunk Kinesis TA
splunk_office_365_ta = splunk-add-on-for-microsoft-office-365_300.tgz
# Specify the Office 365 TA
splunk_linux_ta = splunk-add-on-for-unix-and-linux_840.tgz
splunk_nginx_ta = splunk-add-on-for-nginx_310.tgz
punchard_custom_visualization = punchcard-custom-visualization_150.tgz
status_indicator_custom_visualization = status-indicator-custom-visualization_150.tgz
splunk_attack_range_dashboard = splunk_attack_range_reporting-1.0.7.tar.gz
timeline_custom_visualization = splunk-timeline-custom-visualization_161.tgz
ta_for_zeek = ta-for-zeek_105.tgz
splunk_bots_dataset = 0
# A comma separated list of values indicating which of the open-source Boss
# of the SOC (BOTS) datasets to install.
# 0 - Do not install any Boss of the SOC datasets (default)
# 1 - full BOTSv1 dataset index=botsv1
# 1a - attack-only BOTSv1 dataset index=botsv1 (recommended over full BOTSv1)
# 2 - full BOTSv2 dataset index=botsv2
# 2a - attack-only BOTSv2 dataset index=botsv2 (recommended over full BOTSv2)
# 3 - full BOTSv3 dataset index=botsv3 (there is no 'attack-only for BOTSv3)
#
# Examples:
#
# splunk_bots_dataset = 1a
# This setting works nicely with the 'Boss of the SOC (BOTS) Investigation
# Workshop for Splunk'
# https://splunkbase.splunk.com/app/3985/
#
# splunk_bots_dataset = 1a,2a,3
# This is the recommended setting to get the most BOTS data while incurring
# least storage and download times
#
# For BOTSv1 and BOTSv2 the 'attack-only' versions of the datasets are
# preferable. They contain all the malicious activity with none of the
# bulky background noise. You cannot select both 1 and 1a, nor 2 and 2a.
# doing so will result in an error during Attack Range Build.
#
# Note that specifying any of these datasets will cause the Attack Range build
# process to download large files and store them in your Attack Range Splunk
# instance. Slow network links combined with some of the larger BOTS datasets
# will add significant time to your Attack Range build. A summary of the
# datasets and their sizes can be found here:
# https://github.com/splunk/securitydatasets
#
# Note the Attack Range build process does not currently install the Splunk
# apps and add-ons for the BOTS data. You may view the list of apps and
# add-ons that are associated with each dataset here:
# https://github.com/splunk/securitydatasets
#
# For more information please see: https://github.com/splunk/securitydatasets
#
# Questions or comments? Please email the BOTS team: [email protected]
#
[dsp]
install_dsp = 0
# specify whether enable DSP output in Splunk or not
dsp_client_cert_path =
# specify the certificate path for the DSP client. A certificate must be generated using the following instructions:
# https://docs.splunk.com/Documentation/DSP/1.1.0/Data/Forwarder#Configure_your_forwarder_to_use_the_client_certificate
# specifically the path to the generated my_forwarder-keys.pem
dsp_node =
# specify a comma delimited list of DSP nodes to forward data to.
# Please verify that your attack_range network can connect to port 9997
[phantom_settings]
phantom_community_username = user
# Specify the username needed to login to my.phantom.us to download Phantom
# This must be changed to a real username
# You can register under my.phantom.us
phantom_community_password = password
# Specify the password used to login to my.phantom.us to download Phantom
# This must be changed to a real password
# You can register under my.phantom.us
phantom_api_token = FIXME
# Specify the API token used to setup communication from Splunk
# docs: https://docs.splunk.com/Documentation/PhantomApp/4.1.3/UserGuide/Configurephantomserver
phantom_byo_ip = 8.8.8.8
# Specify the IP to connect to your existing Phantom instance
phantom_app = phantom-app-for-splunk_4035.tgz
# Specify the Splunk App for Phantom
phantom_repo_url = https://repo.phantom.us/phantom/5.2/base/7/x86_64/phantom_repo-5.2.1.78411-1.x86_64.rpm
# Specify the Phantom install RPM
[windows_settings]
splunk_uf_win_url = https://download.splunk.com/products/universalforwarder/releases/8.2.5/windows/splunkforwarder-8.2.5-77015bc7a462-x64-release.msi
# Specify the download URL of the Splunk windows universal forwarder
win_sysmon_url = https://attack-range-appbinaries.s3-us-west-2.amazonaws.com/Sysmon.zip
# Specify the download URL of sysmon
win_sysmon_template = AttackRangeSysmon.xml
# Specify the sysmon template
# Possible Values: SysmonConfig-moti.xml, SysmonConfig-Neo23x0-server.xml, SysmonConfig-Neo23x0-workstations.xml, SysmonConfig-TSwift.xml, SysmonConfig-Verbose.xml, SysmonConfigCustom.xml
win_4688_cmd_line = 1
# Enables cmd line logging of Windows Security Events 4688
verbose_win_security_logging = 0
# Enable verbose windows security logging
[enterprise_security]
install_es = 0
# Specify whether install Splunk Enterprise Security or not.
# Splunk Enterprise Security is a Splunk Premium App, that's why it needs to be downloaded and stored into apps folder.
# After installing ES, Splunk is available under https://[ip]:8000
# possible values: 1, 0
splunk_es_app = splunk-enterprise-security_700.spl
# Spefify the name of the Splunk Enterprise Security file, which you saved into the apps folder.
[testing]
update_escu_app = 0
# update the ESCU app with a local security content version
security_content_path = ../security_content
# path to local security content project
[simulation]
engine = ART
# Specify the simulation engine to use
# You can specify this value either over the command line or in this configuration file. Command line is prioritized over configuration file.
art_run_techniques = T1003.001
# Specify the run technique of atomic_red_team
# You can specify this value either over the command line or in this configuration file. Command line is prioritized over configuration file.
art_repository = redcanaryco
# Specify the Atomic Red Team repository fork, which you want to use.
art_branch = master
# Specify new branch of the Atomic Red Team repository, which you want to use.
purplesharp_simulation_playbook = T1003.001.pb
# Specify the simulation playbook file executed by PurpleSharp. The default is located at ansible/roles/purplesharp/files
# You can specify this value either over the command line or in this configuration file. Command line is prioritized over configuration file.
install_red_team_tools = 0
# Specify whether to install multiple red team tools for simulating threats.
# The specific tools are: https://github.com/splunk/attack_range/wiki/Red-Team-Tools
prelude = 0
# Specify whether to install Prelude Operator headless on the Splunk server for simulations and agents on each machine
prelude_operator_url = https://download.prelude.org/latest?arch=x64&platform=linux&variant=zip&edition=headless
# Specify where to download Prelude Operator from
prelude_account_email =
# Email account login into a Prelude Operator UI
# required for connecting to redirector, can be found on the GUI under connect>deploy manual redirector> accountEmail.
[environment]
# specify your Attack Range environment by enabling (1) or disabling (0) machines
phantom_server = 0
# enable a phantom server
# possible values: 1, 0
phantom_byo = 0
# enable BYO Phantom
# possible values: 1, 0
windows_domain_controller = 1
# enable a windows domain controller
# possible values: 1, 0
windows_server = 0
# enable a windows server
# possible values: 1, 0
kali_machine = 0
# enable a kali linux machine
# possible values: 1, 0
windows_client = 0
# enable a windows client
# this is only possible for vagrant in the moment
# possible values: 1, 0
zeek_sensor = 0
# enable a zeek zeek_sensor
# possible values: 1, 0
osquery_machine = 0
# enable a osquery linux server
# possible values: 1, 0
sysmon_linux = 0
# enable a sysmon on linux server
# possible values: 1, 0
nginx_web_proxy = 0
# enable a nginx plus web proxy
# possible values: 1, 0
[splunk_server]
# customize the splunk server
splunk_server_private_ip = 10.0.1.12
# specify the splunk server's private ip
# Should be in subnet: 10.0.1.0/24
[phantom_server]
# customize the phantom server
phantom_server_private_ip = 10.0.1.13
# specify the phantom server's private ip
# Should be in subnet: 10.0.1.0/24
[windows_domain_controller]
# customize the windows domain controller
windows_domain_controller_private_ip = 10.0.1.14
# specify the windows domain controller's private ip
# should be in subnet: 10.0.1.0/24
windows_domain_controller_os = Windows_Server-2016-English-Full-Base-*
# specify the windows domain controller operating System
# currently only Windows_Server_2016 is supported
windows_domain_controller_zeek_capture = 0
#specify if you want to capture wire data from the Windows Domain Controller
# possible values: 1, 0
windows_domain_controller_run_badblood = 0
# specify if you want to install and run BadBlood on the Domain Controller
# possible values: 1, 0
[windows_server]
# customize the windows server
windows_server_private_ip = 10.0.1.15
# specify the windows server private ip
# should be in subnet: 10.0.1.0/24
windows_server_os = Windows_Server-2016-English-Full-Base-*
# specify the windows server operating System
# currently only Windows_Server_2016 is supported
windows_server_join_domain = 1
# specify if the windows server should join the windows domain
# possible values: 1, 0
windows_server_zeek_capture = 0
#specify if you want to capture wire data from the Windows server
# possible values: 1, 0
[kali_machine]
# customize the kali machine
kali_machine_private_ip = 10.0.1.16
# specify the kali machine private ip
# should be in subnet: 10.0.1.0/24
[windows_client]
# customize the windows client
windows_client_private_ip = 10.0.1.17
# specify the windows client private ip
# should be in subnet: 10.0.1.0/24
windows_client_os = import-ami-0e5a092cc20dbb992
# specify the windows server operating System
# specify the ami name
# instructions to upload your own Windows 10 ami: https://github.com/splunk/attack_range/wiki/Upload-Windows-10-AMI-to-AWS
windows_client_join_domain = 1
# specify if the windows client should join the windows domain
# possible values: 1, 0
windows_client_zeek_capture = 0
#specify if you want to capture wire data from the Windows client
# possible values: 1, 0
[zeek_sensor]
# customize the zeek sensor
splunk_uf_linux_deb_url = https://download.splunk.com/products/universalforwarder/releases/8.2.5/linux/splunkforwarder-8.2.5-77015bc7a462-linux-2.6-amd64.deb
# Specify the download URL of the Splunk Linux (debian based) universal forwarder
splunk_uf_binary = splunkforwarder-8.2.5-77015bc7a462-linux-2.6-amd64.deb
# Specify the name of the Splunk binary installer
zeek_sensor_private_ip = 10.0.1.18
# specify the zeek sensor private ip
# for mode terraform should be in subnet: 10.0.1.0/24
[osquery_machine]
# customize the osquery machine
osquery_linux_private_ip = 10.0.1.19
# specify the osquery linux server's private ip
# Should be in subnet: 10.0.1.0/24
osquery_custom_config_file = custom_osquery.conf
# customized osquery config file
osquery_custom_config_flag = custom_osquery.flags
# customized osquery config flag
[sysmon_linux]
# customize the sysmon on linux machine
sysmon_linux_private_ip = 10.0.1.20
# specify the osquery linux server's private ip
# should be in the subnet: 10.0.1.0/24
sysmon_linux_template = SysMonLinux-CatchAll.xml
# sysmon config file
[nginx_web_proxy]
# customize the nginx web proxy, can only proxy http port 80 traffic today
nginx_web_proxy_private_ip = 10.0.1.21
# specify the nginx_web_proxy machine private ip
# should be in subnet: 10.0.1.0/24
nginx_web_proxy_host = 10.0.1.20
# what machine to proxy web traffic to, defaults to sysmon_linux_private_ip
nginx_web_proxy_port = 8080
# what port to proxy web traffic to, defaults to 8080
[aurora_agent]
install_aurora_agent = 0
# specify whether enable installing the Nextron Aurora EDR Agent on Windows Hosts
aurora_agent_url = https://update1.nextron-systems.com/getupdate.php?product=aurora-agent-lite-win
# specify the URL where the aurora binary will be downloaded from.
aurora_agent_license = https://portal.nextron-systems.com/api/lite/license/2022-2/6beda56036fbe184dd0950fd24acfd59_a1f1081c9d6f0dc29aa0e5609fadf855.lic
# specify the license url that contains the license to use for the aurora agent.