Splunk Attack Range 2.0

by Suresh Ramasubbu


Splunk recently released “Splunk attack range project 2.0” which provides the open-source project for simulating attacks (could be in either cloud or local) development environments that can be easily implemented in Splunk estate and simulate the attacks.

Attack range project solves 3 main challenges in detection engineering.

  • User can quickly build small lab environment as close as possible to a production environment
  • It can perform the attack simulations using different engines such as Atomic Red Team or Caldera
  • It is built as a CLI, it integrates seamlessly into any continuous integration/continuous delivery (CI/CD) pipeline to automate the detection rule testing process

Logical diagram for this architecture:

New features introduced as part of v2.0 are as follows:

  • Updated Docker install – Implemented containerized dockers, Ansible and Terraform for easy deployment
  • PurpleSharp integration – Open-source simulator tool written in C#. Implemented multi-step attack simulations integrated with PurpleSharp
  • Nginx plus – Incorporates Nginx web proxy configured out-of-the-box with Splunk logging for log 4j vulnerability
  • Linux sysmon – Implemented simulator for Linux Sysmon
  • Splunk SOAR out-of-the-box support – Implemented for Splunk app, Win RM app, DNS app and Maxmind app
  • Pre-populated Active Directory using BadBlood – Targeted for set of PowerShell scripts that fill active directory with a structure
  • Prelude support, replacing Caldera – Replaces Caldera with Prelude and thus provides users with clear UI to run simulations
  • Red Team Tools pre-installed out-of-the-box – Includes Mimikatz, PowerSploit, UACMe, SharpGPOAbuse

Installation of attack 2.0 simulation can be found here.

Installation scripts can be found here.

Future releases:

Although Attack range 2.0 have covered wider range of simulators covering majority of the use cases, Splunk still working on v3.0 that helps Splunk customers in broader picture for the use cases such as Aurora, Sysmon, Zeek, Active Directory etc.

My opinion:

One is aware that Splunk environments totally rely on real-time data from security/authentication systems logs to detect attacks, however I don’t believe this is an effective proactive measure in terms of SOC monitoring.

I believe that it would be better to have a detection simulation system to implement within security/authentication systems, sending the logs to Splunk to identify whether the security use cases are covered.

Splunk Attack v1.0 have released versions with such simulators covering security use cases. However systems like Nginx, Linux Sysmon etc were not covered.

However, one can say that Splunk Attack 2.0 offers more capabilities for simulating attacks, especially the Splunk SOAR app, helping the Security engineer simulate attacks and mitigate security use cases.

By Suresh Ramasubbu