Splunk Attack Range W/ Docker & AWS
“The Attack Range is a detection development platform, which solves three main challenges in detection engineering. First, the user is able to build quickly a small lab infrastructure as close as possible to a production environment. Second, the Attack Range performs attack simulation using different engines such as Atomic Red Team or Caldera in order to generate real attack data. Third, it integrates seamlessly into any Continuous Integration / Continuous Delivery (CI/CD) pipeline to automate the detection rule testing process.” — Splunk Attack Range GitHub.
What is the Attack Range?
In a nutshell, the Attack Range is a way to spin up an environment in which you emulate a threat actor (the Red side) and then work on detecting that activity from the newly generated telemetry in Splunk (the Blue side). Threats can be emulated in three ways:
- MITRE Caldera (GUI included, yay!)
- Atomic Red Team (CLI via Python on the Docker container, super easy to use)
- Kali Linux box (Provided in the lab)
Step 1 — Install Docker
I’m using Windows, so I’m going to download Docker Desktop: https://www.docker.com/products/docker-desktop
Step 2 — Download the Container and run it
Splunk provides a link to the container page here:
The Attack Range can also be run from a docker container. This minimizes the dependencies and packages you would…
Run the following command in an administrative PowerShell:
$ docker pull splunkresearch/attack_range
Once you’ve done that, the Docker ‘image’ should then show up on Docker Desktop:
You can now run the image as a container by clicking ‘Run’ next to it.
Step 3 — Configure AWS side
I’m not going to break down the steps for creating an AWS IAM user with programmatic access here; they can be found at:
In order for the attack_range to be built on AWS it requires a set of programmatic administrative credentials to AWS…
Once you’ve created the credentials, hop into the container’s shell by going to Docker Desktop and clicking the CLI icon next to the running container. Once you’re in, run:
# aws configure
This command walks you through adding the Access Key and Secret you created in the AWS IAM steps above.
Step 4 — Configure your range!
Read before beginning:
You need to subscribe to two operating system images on the AWS Marketplace. Go to the AWS Marketplace, search for and subscribe to these two:
- ‘CentOS 7 (x86_64) — with Updates HVM’
- ‘Kali Linux’
Running the command below (it has to be python3) with the ‘configure’ argument will take you through the configuration wizard.
NOTE: Set your master password to something memorable. The wizard will generate one, but it’s better to choose one yourself. This is the password used to log in to your CALDERA GUI and Splunk; your username will default to “admin”.
NOTE: You need to know your preferred AWS region. In the console, you can look in the top right for a region list; I opted for ‘eu-west-1’.
NOTE: I opted to deploy Windows DC, Windows Server and Kali, and left Zeek, Phantom and the Windows client out. Extra configuration is required for the Windows client and Phantom. Zeek gave me some errors, but I didn’t require Zeek for this lab.
# python3 attack_range.py configure
Once the wizard has finished, run the same command again, this time with the ‘build’ argument.
# python3 attack_range.py build
This command automatically provisions the lab for you. It takes around 20 minutes, so grab a brew! ☕
Step 5 — Enjoy! Here are some useful tips
Splunk is accessible at the Splunk server’s IP on port 8000.
The MITRE CALDERA GUI is accessible at the Splunk server’s IP on port 8888.
You can find instructions for running the Atomic Red Team tests in the Splunk Attack Range repo; an example is:
python attack_range.py simulate -st T1003.001 -t ar-win-dc-default-username-33048
Simply swap T1003.001 (the MITRE ATT&CK ID: technique T1003 with sub-technique .001) for any other ID in the Atomic Red Team library, and don’t forget to substitute “ar-win-dc-default-username-33048” with the name of the target machine in your lab.
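The Blue side of the T1003.001 atomic above, as an added example that is not from the original post or the Attack Range project: a Splunk search over Sysmon Event ID 10 (ProcessAccess) for processes opening handles to lsass.exe with access masks associated with memory reads, which is the telemetry that OS credential dumping leaves behind. It assumes Sysmon logs from the range arrive under the sourcetype named below, and that the access-mask list and the allowlist of system processes are starting points to tune in your own lab.

```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
    TargetImage="*lsass.exe"
    GrantedAccess IN ("0x1010", "0x1410", "0x1fffff")
| where NOT match(SourceImage, "(?i)(csrss|wininit|services|svchost|MsMpEng|WmiPrvSE)\\.exe$")
| stats count min(_time) AS first_seen max(_time) AS last_seen
        values(GrantedAccess) AS access_masks values(CallTrace) AS call_trace
    BY Computer SourceImage TargetImage
| convert ctime(first_seen) ctime(last_seen)
| sort -count
```

Run the atomic, then scope the time picker to the minutes around the simulation: the process that opened lsass.exe should appear as SourceImage, while the allowlisted Windows processes that legitimately touch lsass.exe are filtered out. The CallTrace values are kept because unbacked or unusual DLLs in the call stack help separate a dumping tool from a benign monitoring agent.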
To ‘stop’ the lab, run the command
python3 attack_range.py stop
To ‘destroy’ the lab, run the command
python3 attack_range.py destroy