UFCFFY-15-M Cyber Security Analytics

Practical Lab 8: Splunk Attack Range


In this lab, we will experiment with the Splunk Attack Range. First, use the UWEcyber 2022 (Ubuntu 20.04) image as the base operating system to work from. Ensure that "Virtualize Intel VT-x" is enabled in VMware for this VM, so that nested virtual machines can run inside it. Finally, this requires a fair amount of RAM, so consider using a UWE lab machine if your own machine has less than 32GB available.

#!/bin/bash
# Set-up script for Attack Range Local on Ubuntu 20.04.
# Stop at the first failing command rather than continuing with a half-installed toolchain.
set -e
sudo apt-get update
# python-dev (the Python 2 headers) is not available on Ubuntu 20.04 and would make this
# apt-get call fail; python3-dev is all the Attack Range needs. ruby is added so that the
# gem commands below have an interpreter (assumed not already present on the base image).
sudo apt-get install -y python3-dev linux-headers-generic unzip python3-pip vagrant virtualbox virtualbox-dkms python3-virtualenv git ruby
# WinRM gems used by Vagrant to provision the Windows guests
sudo gem install winrm-elevated
sudo gem install winrm
sudo apt-get install -y ansible
git clone https://github.com/splunk/attack_range_local
# Ansible modules used to configure the Windows targets
ansible-galaxy collection install community.windows

You can save the above as a script and execute it, rather than typing each command.

Next, execute the following as single lines in your terminal, from the directory in which you cloned the repository:

cd attack_range_local

virtualenv -p python3 venv

source venv/bin/activate

pip install -r requirements.txt

python attack_range_local.py -a build

  • If you find that your attack-range-splunk-server halts with a dependency error on Hyper-V, close the VM window for the attack-range-splunk-server and retry the Python script: python attack_range_local.py -a build

(Adapted from https://github.com/splunk/attack_range_local/wiki/Ubuntu-18.04-Installation)

(https://github.com/splunk/attack_range_local/)

You will need to ensure that you have allocated sufficient RAM and CPU cores to your virtual machine. We recommend using 16GB RAM and 8 processor cores (if necessary, please use the UWE lab machines). In addition, as we will be running nested virtual machines (i.e., we will run VMs within this primary VM) we need to enable Virtualise Intel VT-x.

If you have Hyper-V enabled on your (Windows) host, it can conflict with this setting, since Hyper-V takes over the hardware virtualisation extensions that VMware needs to pass through. Disabling Hyper-V should resolve this issue.

Perform Attack Simulation

  • python attack_range_local.py -a simulate -st T1003.001 -t attack-range-windows-domain-controller

This runs the Atomic Red Team test for ATT&CK technique T1003.001 (OS Credential Dumping: LSASS Memory) against the domain controller; the telemetry it generates is forwarded to the Splunk server, where you can search for it.

Show Attack Range Status

  • python attack_range_local.py -lm

Destroy Attack Range Local

  • python attack_range_local.py -a destroy

Stop Attack Range Local

  • python attack_range_local.py -a stop

Resume Attack Range Local

  • python attack_range_local.py -a resume

Dump Attack Range Data

  • python attack_range_local.py -a dump -dn dump_data_folder
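The following script is an added example for this lab (it is not part of the attack_range_local project). It turns the nested-virtualisation and resource requirements above into pre-flight checks, reading the CPU flags and memory from /proc, and then wraps the build, status, simulate and dump commands from this section into one workflow. The 16 GiB and 8 CPU thresholds, the function names, and the file paths taken as arguments are assumptions made for illustration; inside a VMware guest the vmx flag only appears when "Virtualize Intel VT-x" is ticked, which is what the first check relies on.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks and lab workflow for Attack Range Local.
# Assumes it is run inside the Ubuntu 20.04 VM, from the attack_range_local
# directory, with the virtualenv activated. Thresholds are assumptions.

# Does a cpuinfo-format file advertise a hardware virtualisation extension?
# vmx = Intel VT-x, svm = AMD-V. In a VMware guest the flag is only visible
# when "Virtualize Intel VT-x/EPT" is enabled for that VM.
has_virt_flags() {
  grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)' "$1"
}

# Total memory in GiB from a meminfo-format file. MemTotal is in kB and a
# "16 GB" VM reports slightly less than 16 GiB, so round instead of truncating.
mem_gib() {
  awk '/^MemTotal:/ { printf "%d", $2 / 1048576 + 0.5 }' "$1"
}

# Logical CPU count from a cpuinfo-format file (one "processor" line each).
cpu_count() {
  grep -c '^processor' "$1"
}

# Run all checks; prints the reason and returns 1 on the first failure.
# Optional arguments override the /proc paths (used for testing).
preflight() {
  cpuinfo="${1:-/proc/cpuinfo}"
  meminfo="${2:-/proc/meminfo}"
  min_gib=16
  min_cpus=8
  if ! has_virt_flags "$cpuinfo"; then
    echo "no vmx/svm flag: enable 'Virtualize Intel VT-x' for this VM (and disable Hyper-V on a Windows host)" >&2
    return 1
  fi
  if [ "$(mem_gib "$meminfo")" -lt "$min_gib" ]; then
    echo "less than ${min_gib} GiB RAM allocated to this VM" >&2
    return 1
  fi
  if [ "$(cpu_count "$cpuinfo")" -lt "$min_cpus" ]; then
    echo "fewer than ${min_cpus} CPUs allocated to this VM" >&2
    return 1
  fi
  return 0
}

# The lab workflow: check the host, build the range, list the machines,
# simulate one ATT&CK technique against a target, then dump the data.
run_lab() {
  technique="${1:-T1003.001}"
  target="${2:-attack-range-windows-domain-controller}"
  dump_dir="${3:-dump_data_folder}"
  preflight || return 1
  python attack_range_local.py -a build || return 1
  python attack_range_local.py -lm
  python attack_range_local.py -a simulate -st "$technique" -t "$target" || return 1
  python attack_range_local.py -a dump -dn "$dump_dir"
}

# The workflow only starts when explicitly asked for, so the file can also be
# sourced to use the check functions on their own.
if [ "${1:-}" = "--run" ]; then
  shift
  run_lab "$@"
fi
```

Usage: `bash lab8.sh --run T1003.001 attack-range-windows-domain-controller` runs the checks and, if they pass, the full sequence; `source lab8.sh; preflight` runs only the checks. A failed check exits before `vagrant` is invoked, which is cheaper than discovering a missing VT-x flag when the first guest fails to boot.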

See full documentation on GitHub