Attack Simulation
The Attack Range supports multiple attack simulation engines.
Atomic Red Team
Atomic Red Team is a library of tests mapped to the Mitre ATT&CK framework.
It can be executed with the following command:
python attack_range.py simulate -e ART -te T1003.001 -t ar-win-ar-ar-0
This will execute all atomics for a given ATT&CK technique on the given target. The target need to match the name given from the python attack_range.py show
command.
Purple Sharp
PurpleSharp is an open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments.
It can be executed with the following command to specify a technique:
python attack_range.py simulate -e PurpleSharp -te T1003.001 -t ar-win-ar-ar-0
or you can execute a given playbook:
python attack_range.py simulate -e PurpleSharp -t ar-win-ar-ar-0 -p configs/purplesharp_playbook_T1003.pb
Prelude
Prelude Operator can be automatically configured and deployed with a Splunk Attack Range allowing a user to easily launch attacks via Operator on a running range using the pre-installed Penuma agents. To get started with Prelude follow these simple steps:
Install Prelude Operator on your local machine
Configure an attack range with Prelude (configure the accountEmail setting)
Build an attack range
Add a manual new redirector to Prelude Operator
For an overview on how Prelude works inside the attack range see the general architecture below:
A few things to note from this architecture:
A Headless Operator/Redirector is installed on the Splunk server, this means a user needs:
Operator installed in their local machine (can be downloaded here) to connect and manage it, see screenshot below.
Or talk through it via the API on TCP port
Pneuma is installed and supported on the Windows (server and domain controller) and Linux machines ONLY today
Pneuma connects back to the Headless Operator/Redirector via TCP port 2323
Prelude accountEmail
When an Splunk Attack Range is configured it will need to know the auto generated accountEmail
to connect to. This can be obtained via the Prelude Operator client via clicking on Connect -> Deploy Manual Redirectors, see screenshot below for an example.
Once an Attack Range has successfully been built with Prelude Operator the show
command will include a token and FQDN like below:
Access Prelude Operator UI via:
redirector FQDN > 18.225.27.90
Token: fbe9254b-5fb8-44d2-a02c-31e0a10f62c9
Add a manual redirector
This should then be inserted in the Deploy Manual Redirectors form on the locally installed Operator, click on Add
to be able to attack these hosts via Operator. If all worked well you should end up with a list of hosts and a purple “Your are connected” message above available like the screenshot below.
Kali Linux
Kali Linux is an open-source Debian-based Linux distribution geared towards various information security tasks such as Penetration Testing, Security Research, Computer Forensics, and Reverse Engineering. Attack Range AWS and local is able to build a Kali Linux instance.