Splunk Attack Range Now With Caldera and Kali Linux

The Splunk Security Research Team has been working on new improvements and additions to the Splunk Attack Range, a tool that allows security researchers and analysts to quickly deploy environments locally and in the cloud in order to replicate attacks based on attack simulation engines. This deployment attempts to replicate environments at scale, including Windows, workstation/server, domain controller, Kali Linux, Splunk server and Splunk Phantom server. 

Initially the Splunk Attack Range included Atomic Read Team, which quickly allows you to execute attack and detection tests based on MITRE ATT&CK framework. This data is then fed to the Splunk server where the operator can visualize attack data and craft detections. A recent addition to the Splunk Attack Range is the Mitre Caldera adversarial simulation framework. 

Mitre Caldera is the original attack framework from Mitre and allows operators  to “...easily run autonomous breach-and-simulation exercises. It can also be used to run manual red-team engagements or automated incident response.”*

Quick Demo Run Using Caldera

In the following example, we will be building a test environment with a Windows domain controller, a Kali machine, a Splunk server and Caldera machine. Remember before deploying to change your configuration file. We can quickly deploy the environment in the cloud using the following commands: 

python -m terraform -a build 

The above command builds the range according to the configuration specified in attack_range.conf in this case we are going to demo an environment with the machines specified above. 

Once we have the machines online, we can access them and start applying simulations either via command line (Atomic Read Team) or we can do it via the Caldera interface which runs under port 8888 at the Splunk server machine. Once the deployment is complete, browse to your Splunk server at port 8000 or to the Caldera adversarial simulation engine at port 8888. The Caldera agent should also be deployed to the Windows machine — in this case, the windows domain controller. You can navigate to the ‘agents tab’ to confirm, as shown in the following graphic. 

Once installation finishes, we should have our Caldera agent and universal forwarder installed at the Windows machine (win-dc). Then we can proceed to operate Caldera. First, we set up an adversary profile under the Campaign menu and we can select from preset profiles. The profiles vary on the type of adversary abilities that will be performed against the target machine (win-dc). Once we have selected the adversary profile, we proceed to the operations menu and select the operations we want to perform on agent — this is determined by the adversary profile you chose.

There are 17 adversary profiles here is an example of the Discovery profile. As it can be seen in the following graphic, it describes the number of abilities that can be performed on Agent. 

Once a profile has been selected — and knowing the actions that will be performed on agent based on profiles — we must select the menu operations, which basically shows parameters that can be applied to actual abilities from adversary profile (e.g. the level of obfuscation when executing against targeted agent/system).

Once we complete our selections and save our settings, we can proceed to execute. 

As we can see in the above figure, the Caldera interface provides visual feedback as the abilities are being performed. Once the abilities have finished to execute we can download a report for further inquiry or we can simply look at the Splunk instance. Let’s look for one of the items in the above operations; specifically let’s look for “Create stage directory” or Mitre ATT&CK T1074. This technique involves the creation of a local directory for exfiltration purposes. Look for commands that indicate the creation and writing of data to a newly created directory as displayed in the following Splunk screen capture. 

This is also referenced in the .json report from the Caldera interface as well.

Kali Linux is now part of attack_range!

Finally another goodie that will be appreciated by the security community in general: a Kali Linux machine ready to go, that can be deployed locally or in the cloud. 

With the availability of the Kali Linux machine, Splunk Attack Range operators can now perform exploit development or manual exploitation of just-released exploit code. They can also test malware evasion techniques, or reverse actual malware, and most of all, operators now have a complete lab ready to go to create signatures as shown in previous blogs, and enhance their capacity of response towards present and future threats. More to come...

About Splunk Security Research Team
The Security Research Team is devoted to delivering actionable intelligence to Splunk's customers, in an unceasing effort to safeguard them against modern enterprise risks. Composed of elite researchers, engineers, and consultants who have served in both public and private sector organizations, this innovative team of digital defenders monitors emerging cybercrime trends and techniques, then translates them into practical analytics that Splunk users can operationalize within their environments. Download Splunk Enterprise Security Content Update in Splunkbase to learn more.

Rod Soto
Posted by

Rod Soto

Worked at Prolexic, Akamai, Caspida. Won BlackHat CTF in 2012. Co-founded Hackmiami, Pacific Hackers meetup and conferences.