Attack Range is a tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk.
It solves two main challenges in development of detections. First, it allows the user to quickly build a small lab infrastructure as close as possible to your production environment. This lab infrastructure contains a Windows Domain Controller, Windows Workstation and Linux server, which comes pre-configured with multiple security tools and logging configuration. The infrastructure comes with a Splunk server collecting multiple log sources from the different servers.
Second, this framework allows the user to perform attack simulation using different engines. Therefore, the user can repeatedly replicate and generate data as close to “ground truth” as possible, in a format that allows the creation of detections, investigations, knowledge objects, and playbooks in Splunk.
Architecture
It can be used in two different ways:
In order to make it work on almost every laptop, the local version using Vagrant and Virtualbox consists of a subset of the full-blown cloud infrastructure in AWS using Terraform.
The local version consists of a Splunk single instance and a Windows 10 workstation pre-configured with best practice logging configuration according to Splunk. The cloud infrastructure in AWS using Terraform consists of a Windows 10 workstation, a Windows 2016 server and a Splunk server. More information can be found in the wiki.
Also Read – Fileintel : A Modular Python Application To Pull Intelligence About Malicious Files
Running
It supports different actions:
Build
python attack_range.py -m terraform -a build
python attack_range.py -m vagrant -a build
Perform Attack Simulation
python attack_range.py -m terraform -a simulate -st T1117,T1003 -t attack-range_windows_2016_dc
python attack_range.py -m vagrant -a simulate -st T1117,T1003 -t win10
Destroy
python attack_range.py -m terraform -a destroy
python attack_range.py -m vagrant -a destroy
Stop Attack Range
python attack_range.py -m terraform -a stop
python attack_range.py -m vagrant -a stop
Resume Attack Range
python attack_range.py -m terraform -a resume
python attack_range.py -m vagrant -a resume
Credit: Jose Hernandez
The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…
Introduction In digital investigations, images often hold more information than meets the eye. With the…
The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…
What is a Port? A port in networking acts like a gateway that directs data…
The ls command is fundamental for anyone working with Linux. It’s used to display the files and…
The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…