Skip to content


Switch branches/tags

Splunk Attack Range ⚔️

Attack Range Log

Purpose 🛡

The Attack Range is a detection development platform, which solves three main challenges in detection engineering:

  • The user is able to quickly build a small lab infrastructure as close as possible to a production environment.
  • The Attack Range performs attack simulation using different engines such as Atomic Red Team or Prelude Operator in order to generate real attack data.
  • It integrates seamlessly into any Continuous Integration / Continuous Delivery (CI/CD) pipeline to automate the detection rule testing process.

Demo 📺

A demo (~12 min) which shows the basic functions of the attack range. It builds a testing environment using terraform, walks through the data collected by Splunk. Then attacks it using Atomic Red Team with MITRE ATT&CK Technique T1003.002, and Threat Actor simulation playbook using PurpleSharp. Finally showcases how Splunk Security Content searches are used to detect the attack.

Attack Range Demo

Installation 🏗

Using Docker

  1. docker pull splunk/attack_range
  2. docker run -it splunk/attack_range
  3. aws configure
  4. python configure

To install directly on Ubuntu, MacOS follow these instructions.

Architecture 🏯

Logical Diagram

The deployment of Attack Range consists of:

  • Windows Domain Controller
  • Windows Server
  • Windows Workstation
  • A Kali Machine
  • Splunk Server
  • Splunk SOAR Server
  • Nginx Server
  • Linux + Sysmon
  • Zeek Sensor

Which can be added/removed/configured using attack_range.conf.

An approximate cost estimate for running attack_range on AWS can be found here.


The following log sources are collected from the machines:

  • Windows Event (index = win)
  • Windows Powershell (index = win)
  • Sysmon for Windows EDR (index = win)
  • Aurora for Windows EDR (index = win)
  • Sysmon for Linux EDR (index = unix)
  • OSquery for Linux EDR (index = osquery)
  • Nginx Proxy (index = proxy)
  • Splunk Streams Network (index = main)
  • Zeek Network (index = main)
  • Attack Simulations from Atomic Red Team (index = attack)

Running 🏃‍♀️

Attack Range supports different actions:

Configure Attack Range

python configure

Build Attack Range

python build

Show Attack Range Infrastructure

python show

Perform Attack Simulations with Atomic Red Team or PurpleSharp

python simulate -e ART -st T1003.001 -t ar-win-dc-default-username-33048

python simulate -e PurpleSharp -st T1003.001 -t ar-win-dc-default-username-33048

python simulate -e PurpleSharp -sp AD_Discovery.json -t ar-win-dc-default-username-33048

Test with Attack Range

python test -tf tests/T1003_001.yml, tests/T1003_002.yml

Destroy Attack Range

python destroy

Stop Attack Range

python stop

Resume Attack Range

python resume

Dump Log Data from Attack Range

python dump -dn data_dump 

Replay Dumps into Attack Range Splunk Server

  • Replay previously saved dumps from Attack Range
python replay -dn data_dump -fn FILE_NAME --source SOURCE --sourcetype SOURCETYPE --index INDEX

Features 💍

  • Splunk Server

    • Indexing of Microsoft Event Logs, PowerShell Logs, Sysmon Logs, DNS Logs, ...
    • Preconfigured with multiple TAs for field extractions
    • Out of the box Splunk detections with Enterprise Security Content Update (ESCU) App
    • Preinstalled Machine Learning Toolkit (MLTK)
    • pre-indexed BOTS datasets
    • Splunk UI available through port 8000 with user admin
    • ssh connection over configured ssh key
  • Splunk Enterprise Security

  • Splunk SOAR

  • Windows Domain Controller & Window Server & Windows 10 Client

    • Can be enabled, disabled and configured over attack_range.conf
    • Collecting of Microsoft Event Logs, PowerShell Logs, Sysmon Logs, DNS Logs, ...
    • Sysmon log collection with customizable Sysmon configuration
    • RDP connection over port 3389 with user Administrator
  • Atomic Red Team

    • Attack Simulation with Atomic Red Team
    • Will be automatically installed on target during first execution of simulate
    • Atomic Red Team already uses the new Mitre sub-techniques
  • PurpleSharp

    • Native adversary simulation support with PurpleSharp
    • Will be automatically downloaded on target during first execution of simulate
    • Supports two parameters -st for comma separated ATT&CK techniques and -sp for a simulation playbook
  • Prelude Operator

    • Adversary Emulation with Prelude Operator
    • Headless v1.6 Installed on the Splunk Server, see guide for more details.
    • Preinstalled Prelude Operator Pneuma agent across Windows and Linux machines
  • Kali Linux

    • Preconfigured Kali Linux machine for penetration testing
    • ssh connection over configured ssh key

Support 📞

Please use the GitHub issue tracker to submit bugs or request features.

If you have questions or need support, you can:

Contributing 🥰

We welcome feedback and contributions from the community! Please see our contribution guidelines for more information on how to get involved.