The Splunk Attack Range is an open-source project maintained by the Splunk Threat Research Team. It builds instrumented cloud (AWS, Azure) and local (VirtualBox) environments, simulates attacks, and forwards the data into a Splunk instance. This environment can then be used to develop and test the effectiveness of detections.
The Attack Range is a detection development platform, which solves three main challenges in detection engineering:
- The user is able to quickly build a small lab infrastructure as close as possible to a production environment.
- The Attack Range performs attack simulation using different engines such as Atomic Red Team or Caldera in order to generate real attack data.
- It integrates seamlessly into any Continuous Integration / Continuous Delivery (CI/CD) pipeline to automate the detection rule testing process.
The Attack Range Documentation can be found here.
Attack Range in AWS:
```bash
docker pull splunk/attack_range
docker run -it splunk/attack_range
aws configure
python attack_range.py configure
```
To install directly on Linux or macOS, follow these instructions.
The deployment of Attack Range consists of:
- Windows Domain Controller
- Windows Server
- Windows Workstation
- A Kali Machine
- Splunk Server
- Splunk SOAR Server
- Nginx Server
- Linux Server
- Zeek Server
- Snort Server
These machines can be added, removed, or configured using attack_range.yml.
The following log sources are collected from the machines:
- Windows Event Logs (`index = win`)
- Sysmon Logs (`index = win`)
- Powershell Logs (`index = win`)
- Aurora EDR (`index = win`)
- Sysmon for Linux Logs (`index = unix`)
- Nginx logs (`index = proxy`)
- Network Logs with Splunk Stream (`index = main`)
- Attack Simulation Logs from Atomic Red Team and Caldera (`index = attack`)
- Zeek Logs (`index = zeek`)
- Snort Logs (`index = snort`)
- Cisco Secure Endpoint Logs (`index = cisco_secure_endpoint`)
- CrowdStrike Falcon Logs (`index = crowdstrike_falcon`)
- Carbon Black Logs (`index = carbon_black_cloud`)
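A detection that stays silent after a simulation may simply have had no data to search. The following added example (not part of the Attack Range code base) uses the index mapping above to build a per-index event count search and to report which enabled log sources produced nothing; the function names, the shortened source label "Attack Simulation Logs" and the sample result rows are constructed for illustration.

```python
# Index per log source, copied from the list above.
SOURCE_INDEX = {
    "Windows Event Logs": "win", "Sysmon Logs": "win",
    "Powershell Logs": "win", "Aurora EDR": "win",
    "Sysmon for Linux Logs": "unix", "Nginx logs": "proxy",
    "Network Logs with Splunk Stream": "main",
    "Attack Simulation Logs": "attack",
    "Zeek Logs": "zeek", "Snort Logs": "snort",
    "Cisco Secure Endpoint Logs": "cisco_secure_endpoint",
    "CrowdStrike Falcon Logs": "crowdstrike_falcon",
    "Carbon Black Logs": "carbon_black_cloud",
}

def coverage_search(sources, earliest="-2h"):
    """SPL that counts events per index for the enabled log sources."""
    indexes = sorted({SOURCE_INDEX[s] for s in sources})
    clause = " OR ".join(f"index={i}" for i in indexes)
    return f"| tstats count where ({clause}) earliest={earliest} by index"

def silent_indexes(sources, rows):
    """Map each index with zero events to the log sources that feed it.

    rows are the search results as dicts, e.g. {"index": "win", "count": "12"}.
    An index missing from the results counts as zero. Several sources share
    index=win, so a non-zero count there does not prove that every one of
    them is reporting; it only proves that at least one is.
    """
    counts = {r["index"]: int(r["count"]) for r in rows}
    silent = {}
    for source in sources:
        index = SOURCE_INDEX[source]
        if counts.get(index, 0) == 0:
            silent.setdefault(index, []).append(source)
    return silent

if __name__ == "__main__":
    enabled = ["Sysmon Logs", "Powershell Logs",
               "Attack Simulation Logs", "Zeek Logs"]
    # Constructed result rows: zeek is absent, attack is present but empty.
    sample = [{"index": "win", "count": "5120"},
              {"index": "attack", "count": "0"}]
    print(coverage_search(enabled))
    print(silent_indexes(enabled, sample))
```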
Attack Range supports different actions:
```bash
python attack_range.py configure
python attack_range.py build
python attack_range.py show
python attack_range.py simulate -e ART -te T1003.001 -t ar-win-ar-ar-0
python attack_range.py simulate -e PurpleSharp -te T1003.001 -t ar-win-ar-ar-0
python attack_range.py destroy
python attack_range.py stop
python attack_range.py resume
python attack_range.py dump --file_name attack_data/dump.log --search 'index=win' --earliest 2h
python attack_range.py replay --file_name attack_data/dump.log --source test --sourcetype test
```
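For the CI/CD use case, the actions above can be chained so that the lab is always torn down, even when a step fails. This is an added example, not code from the Attack Range project; the function names are hypothetical, and it assumes that attack_range.py exits with a non-zero code on failure and is run from the repository directory.

```python
import subprocess
import sys

def attack_range(*args, runner=subprocess.run):
    """Run one attack_range.py action and return its exit code."""
    return runner([sys.executable, "attack_range.py", *args]).returncode

def detection_test_run(technique, target, dump_file, runner=subprocess.run):
    """build -> simulate -> dump, then destroy no matter what happened.

    Returns (action, exit code) pairs in the order they ran.
    """
    steps = [
        ("build",),
        ("simulate", "-e", "ART", "-te", technique, "-t", target),
        ("dump", "--file_name", dump_file,
         "--search", "index=win", "--earliest", "2h"),
    ]
    results = []
    try:
        for step in steps:
            code = attack_range(*step, runner=runner)
            results.append((step[0], code))
            if code != 0:
                break  # each later step depends on the one before it
    finally:
        # The lab exposes RDP (3389) and the Splunk UI (8000); never leave it
        # running after a failed job.
        results.append(("destroy", attack_range("destroy", runner=runner)))
    return results

class _DryRun:
    """Constructed stand-in for subprocess.run: prints instead of executing."""
    returncode = 0

    def __call__(self, cmd):
        print("would run:", " ".join(cmd[1:]))
        return self

if __name__ == "__main__":
    print(detection_test_run("T1003.001", "ar-win-ar-ar-0",
                             "attack_data/dump.log", runner=_DryRun()))
```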
- Splunk Server
  - Indexing of Microsoft Event Logs, PowerShell Logs, Sysmon Logs, DNS Logs, ...
  - Preconfigured with multiple TAs for field extractions
  - Out of the box Splunk detections with Enterprise Security Content Update (ESCU) App
  - Preinstalled Machine Learning Toolkit (MLTK)
  - Pre-indexed BOTS datasets
  - Splunk UI available through port 8000 with user admin
  - SSH connection over configured SSH key
- Splunk Enterprise Security
  - Splunk Enterprise Security is a premium security solution requiring a paid license.
  - Enable or disable Splunk Enterprise Security in attack_range.yml
  - Purchase a license, download it and store it in the apps folder to use it.
- Splunk SOAR
  - Splunk SOAR is a Security Orchestration and Automation platform
  - For a free development license (100 actions per day) register here
  - Enable or disable Splunk SOAR in attack_range.yml
- Windows Domain Controller & Windows Server & Windows 10 Client
  - Can be enabled, disabled and configured over attack_range.yml
  - Collection of Microsoft Event Logs, PowerShell Logs, Sysmon Logs, DNS Logs, ...
  - Sysmon log collection with customizable Sysmon configuration
  - RDP connection over port 3389 with user Administrator
- Atomic Red Team
  - Attack Simulation with Atomic Red Team
  - Will be automatically installed on target during first execution of simulate
  - Atomic Red Team already uses the new MITRE sub-techniques
- PurpleSharp
  - Native adversary simulation support with PurpleSharp
  - Will be automatically downloaded on target during first execution of simulate
  - Supports two parameters: `-st` for comma-separated ATT&CK techniques and `-sp` for a simulation playbook
- Kali Linux
  - Preconfigured Kali Linux machine for penetration testing
  - SSH connection over configured SSH key
- Caldera
  - Attack Simulation with Caldera
  - Can be enabled, disabled and configured over attack_range.yml
Please use the GitHub issue tracker to submit bugs or request features.
If you have questions or need support, you can:
- Join the #security-research room in the Splunk Slack channel
- Post a question to Splunk Answers
- If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can also open a support case on the https://www.splunk.com/ support portal
We welcome feedback and contributions from the community! Please see our contribution guidelines for more information on how to get involved.
- Bhavin Patel
- Rod Soto
- Russ Nolen
- Phil Royer
- Joseph Zadeh
- Rico Valdez
- Dimitris Lambrou
- Dave Herrald
- Ignacio Bermudez Corrales
- Peter Gael
- Josef Kuepker
- Shannon Davis
- Mauricio Velazco
- Teoderick Contreras
- Lou Stella
- Christian Cloutier
- Eric McGinnis
- Micheal Haag
- Gowthamaraj Rajendran
- Christopher Caldwell
- Zachary Christensen