-
Notifications
You must be signed in to change notification settings - Fork 334
Demo: Splunk Mission Control DEPRECATED
DEPRECATED FEATURE - see branch https://github.com/splunk/attack_range/tree/mission_control
The attack_range can be configured in integrate with [Splunk Mission Control] and run a prebuilt attack demo scenario. NOTE: This is only available to users who have access to the Splunk Connect for Mission Control app
- Splunk Connect for Mission Control and Enterprise Security splunk application
- Access to a Mission Control tenant that the
attack_range_splunk_servercan connect with and forward events to.
To configure Mission Control in the attack range follow these steps:
- edit attack_range.conf
install_mission_controlparameters, toinstall_mission_control = 1to integrate with Mission Control - edit attack_range.conf
run_demoparameters, torun_demo = 1, to run the prebuilt demo - edit attack_range.conf
enterprise_securityparameters, toinstall_es = 1, to install Enterprise Security - Update following [environment] variables attack_range.conf to setup demo environment.
windows_domain_controller = 1
windows_server = 1
kali_machine = 1
windows_server_join_domain = 1
windows_client_join_domain = 1
You can also find an example of this attack_range.conf
Then build the attack range.
When the attack range is successfully built, an ansible task automatically runs the attack scenario:-
- Execution of Malicious .exe (masqueraded as putty.exe)
- Reverse HTTP shell to Kali Linux (C&C Server)
- Local user enumeration
- Local network enumeration
- Credential dumping using Mimikatz and copying SAM
- Lateral movement with PsExec
- Copy malicious putty.exe to domain controller
All the logs from various endpoint are indexed in the Splunk Server where you can configure various detection searches to create notable events in Enterprise Security, which are then be forwarded to Splunk Mission Control.
For installation and troubleshooting Mission Control, please refer the docs