Splunk Attack Range v5 Demos Adversary Simulation
A new video demonstrates the capabilities of Splunk Attack Range v5 for validating and tuning detection rules. The tool automates adversary simulations, allowing engineers to test detection logic for identity compromise, lateral movement, and privilege escalation and to map that coverage to frameworks such as the DoD Zero Trust model.
The Splunk Attack Range is an open-source tool maintained by the Splunk Threat Research Team for building small, production-like lab environments. A range can be deployed locally or on AWS, Azure, or GCP, and comes instrumented with a Splunk instance, Windows and Linux servers, and supporting tooling that generates telemetry. At its core, the Attack Range drives adversary simulation engines such as Atomic Red Team, whose tests are mapped to the MITRE ATT&CK framework. An engineer can execute a specific technique, for example one related to credential access or discovery, and have the resulting logs and events forwarded into Splunk, so detection rules are tested against telemetry that is known to contain the attack.

The DoD Zero Trust model is structured around seven pillars; the "User" pillar covers identity, credentialing, and access management. The goal is to move from a perimeter-based security model to one that continuously verifies every access request on the assumption that adversaries are already inside the network. For engineers working on the User pillar, the Attack Range can simulate techniques commonly used in identity-based attacks, such as OS Credential Dumping: LSASS Memory (T1003.001) and Command and Scripting Interpreter: Windows Command Shell (T1059.003), so that Splunk detections mapped to those techniques can be created and tuned. One caveat: an atomic test exercises a single procedure for a technique, so a rule that fires on it has been validated against that procedure, not against every way the technique can be carried out.

Version 5 of the Splunk Attack Range introduced a Docker Compose-based setup that simplifies the initial build. It also accepts different Ansible roles, which allows more complex environments that better mimic a multi-client architecture. The tool can be integrated into a CI/CD pipeline so that detection rules are tested automatically as they are developed. While the core functionality focuses on detection, there is also support for Splunk SOAR, letting teams test and refine their automated response playbooks in a controlled environment.
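The validate-and-tune loop described above, reduced to a stand-alone script: this is an added example, not code from the Attack Range project, and it runs over constructed Sysmon-style events instead of a live range. The field names (EventCode, SourceImage, TargetImage, GrantedAccess, Image, ParentImage) follow Sysmon's, but the sample events, the allowlists, the rule names, and the `atomic` label that records which test produced an event are all assumptions made for the example. It shows two rules mapped to T1003.001 and T1059.003, a scoring pass that fails when a rule misses its own technique or fires on background activity, and the tuning step (adding the lab's EDR agent to the LSASS allowlist) that turns a failing run into one a CI gate would accept.

```python
"""Added example (not Attack Range's own code): a miniature detection-validation
loop of the kind the Attack Range supports, run over constructed Sysmon-style
events instead of a live lab, so it executes offline."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Event = Dict[str, object]

# Windows process access right needed to read another process's memory.
PROCESS_VM_READ = 0x0010

# Constructed (hypothetical) baseline: processes that legitimately open LSASS on
# the lab's Windows hosts, and parents from which cmd.exe is rarely benign.
LSASS_SOURCE_ALLOWLIST: Set[str] = {"svchost.exe", "csrss.exe", "wininit.exe", "msmpeng.exe"}
SUSPICIOUS_CMD_PARENTS: Set[str] = {"winword.exe", "excel.exe", "powerpnt.exe",
                                    "outlook.exe", "mshta.exe", "wscript.exe"}

# Constructed telemetry: what Sysmon would forward after the T1003.001 and
# T1059.003 atomics run. "atomic" is a hypothetical label recording which test
# produced the event (None = background activity on the same host).
SAMPLE_EVENTS: List[Event] = [
    {"EventCode": 10, "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "atomic": "T1003.001"},
    {"EventCode": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "atomic": None},
    {"EventCode": 10, "SourceImage": r"C:\Program Files\Vendor\edr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "atomic": None},
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'cmd.exe /c "whoami /all > %TEMP%\out.txt"', "atomic": "T1059.003"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe", "atomic": None},
]


@dataclass(frozen=True)
class Detection:
    name: str
    technique_id: str               # ATT&CK (sub-)technique the rule is mapped to
    logic: Callable[[Event], bool]


def basename(path: object) -> str:
    """Lower-cased file name from a Windows path (the comparisons are case-insensitive)."""
    return str(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def make_detections(lsass_allowlist: Set[str] = LSASS_SOURCE_ALLOWLIST) -> List[Detection]:
    """Build the rule set. The allowlist is a parameter so that tuning produces a new rule set."""

    def lsass_memory_access(ev: Event) -> bool:
        # T1003.001: Sysmon EID 10, target lsass.exe, GrantedAccess includes
        # PROCESS_VM_READ, and the source process is not on the allowlist.
        if ev.get("EventCode") != 10 or basename(ev.get("TargetImage", "")) != "lsass.exe":
            return False
        granted = int(str(ev.get("GrantedAccess", "0")), 16)
        return bool(granted & PROCESS_VM_READ) and \
            basename(ev.get("SourceImage", "")) not in lsass_allowlist

    def cmd_from_suspicious_parent(ev: Event) -> bool:
        # T1059.003: Sysmon EID 1, cmd.exe spawned by an Office app or script host.
        return (ev.get("EventCode") == 1
                and basename(ev.get("Image", "")) == "cmd.exe"
                and basename(ev.get("ParentImage", "")) in SUSPICIOUS_CMD_PARENTS)

    return [Detection("Windows LSASS Memory Read", "T1003.001", lsass_memory_access),
            Detection("Cmd Spawned By Office Or Script Host", "T1059.003", cmd_from_suspicious_parent)]


def run_detections(events: List[Event], detections: List[Detection]) -> Dict[str, List[Event]]:
    """Apply every rule to every event, like a scheduled search over the lab's index."""
    hits: Dict[str, List[Event]] = {d.technique_id: [] for d in detections}
    for ev in events:
        for d in detections:
            if d.logic(ev):
                hits[d.technique_id].append(ev)
    return hits


def validate(events: List[Event], detections: List[Detection]):
    """Score each rule against the atomic labels. A rule passes when it fired on
    telemetry from its own technique and never on anything else; the overall
    boolean doubles as a CI gate."""
    hits = run_detections(events, detections)
    report = {}
    for d in detections:
        tp = sum(1 for ev in hits[d.technique_id] if ev.get("atomic") == d.technique_id)
        fp = len(hits[d.technique_id]) - tp
        report[d.technique_id] = {"true_positives": tp, "false_positives": fp,
                                  "passed": tp > 0 and fp == 0}
    return report, all(r["passed"] for r in report.values())


if __name__ == "__main__":
    rep, ok = validate(SAMPLE_EVENTS, make_detections())
    print("untuned gate:", ok, rep)          # fails: the EDR agent trips the LSASS rule
    rep, ok = validate(SAMPLE_EVENTS, make_detections(LSASS_SOURCE_ALLOWLIST | {"edr.exe"}))
    print("tuned gate:  ", ok, rep)          # passes after the allowlist is tuned
```

The first run fails only because of a false positive, not a miss: the constructed EDR agent opens LSASS with a mask that includes PROCESS_VM_READ, exactly as the procdump atomic does, so the rule cannot separate them without a baseline of the lab's own software. That is the tuning the page describes, and in a pipeline the `validate` result is what blocks the merge until the rule is fixed.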