A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
The Splunk Attack Range is an open-source project maintained by the Splunk Threat Research Team. It builds instrumented cloud and local environments, simulates attacks, and forwards the data into a Splunk instance. This environment can then be used to develop and test the effectiveness of detections.
The Attack Range is a detection development platform, which solves three main challenges in detection engineering:
The Attack Range Documentation can be found here.
Attack Range in AWS:
docker pull splunk/attack_range
docker run -it splunk/attack_range
aws configure
python attack_range.py configure
To install directly on Linux or macOS, follow these instructions.
The deployment of Attack Range consists of:
These components can be added, removed or configured using attack_range.yml.
The following log sources are collected from the machines:
(index = win)
(index = win)
(index = win)
(index = win)
(index = unix)
(index = proxy)
(index = main)
(index = attack)
Attack Range supports different actions:
python attack_range.py configure
python attack_range.py build
python attack_range.py packer --image_name windows-2016
python attack_range.py show
python attack_range.py simulate -e ART -te T1003.001 -t ar-win-ar-ar-0
python attack_range.py simulate -e PurpleSharp -te T1003.001 -t ar-win-ar-ar-0
python attack_range.py destroy
python attack_range.py stop
python attack_range.py resume
python attack_range.py dump --file_name attack_data/dump.log --search 'index=win' --earliest 2h
python attack_range.py replay --file_name attack_data/dump.log --source test --sourcetype test
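A batch wrapper around the actions above, added here as an example and not part of the Attack Range project: it runs one simulation per ATT&CK technique id and dumps that technique's events into its own file, so each file can later be fed to replay on its own. It assumes attack_range.py is already configured and built in the current directory; the target name, index, output directory and time window default to the values shown above and can be overridden through environment variables.

```shell
#!/bin/sh
# Detection-testing loop for the Attack Range CLI (added example, POSIX sh).
# Assumes: attack_range.py is in the current directory and a range is built.
set -eu

TARGET="${AR_TARGET:-ar-win-ar-ar-0}"   # Windows target name used in the README
OUT_DIR="${AR_OUT_DIR:-attack_data}"    # where per-technique dumps are written
EARLIEST="${AR_EARLIEST:-1h}"           # search window passed to dump

# Wrapper around the CLI. When DRY_RUN is set the command is printed instead
# of executed, which also lets the loop be checked without a deployed range.
ar() { ${DRY_RUN:+echo} python attack_range.py "$@"; }

# Accept Txxxx or Txxxx.yyy so a mistyped id is caught before anything runs.
valid_technique() { printf '%s' "$1" | grep -Eq '^T[0-9]{4}(\.[0-9]{3})?$'; }

# Simulate one technique against the target, then dump the data it produced
# into a file named after the technique (one behaviour per file for replay).
simulate_and_dump() { # $1 engine, $2 technique id, $3 index to dump
    ar simulate -e "$1" -te "$2" -t "$TARGET"
    ar dump --file_name "$OUT_DIR/$2.log" --search "index=$3" --earliest "$EARLIEST"
}

# $1 engine (ART or PurpleSharp), $2 index to dump, remaining args = technique ids.
# Invalid ids are reported and skipped so one typo does not abort the whole batch.
run_batch() {
    engine=$1; index=$2; shift 2
    for tech in "$@"; do
        if valid_technique "$tech"; then
            simulate_and_dump "$engine" "$tech" "$index"
        else
            echo "skipping invalid technique id: $tech" >&2
        fi
    done
}

# Only run when explicitly asked, e.g.:  ./batch.sh --run T1003.001 T1059.001
if [ "${1:-}" = "--run" ]; then
    shift
    run_batch ART win "$@"
fi
```

Tearing the range down afterwards (destroy or stop) is left to the operator, since a batch is usually followed by detection work in Splunk against the dumped data.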
Windows Domain Controller & Windows Server & Windows 10 Client
Please use the GitHub issue tracker to submit bugs or request features.
If you have questions or need support, you can:
We welcome feedback and contributions from the community! Please see our contribution guidelines for more information on how to get involved.