Simulate AWS TTP using ART:

.gitignore

@@ -6,7 +6,7 @@ ansible/vars/vars.yml
 *.idea
 
 # conf
-cloud_attack_range.conf
+attack_range_cloud.conf
 *.key
 *.pem
 

README.md

@@ -1,23 +1,23 @@
-# Splunk Cloud Attack Range ⚔️
+# Splunk Attack Range Cloud ⚔️
 
 ## Purpose 🛡
-The Cloud Attack Range is a detection development platform, which solves three main challenges in detection engineering. First, the user is able to build quickly a small lab infrastructure as close as possible to a cloud environment. Second, the Attack Range performs attack simulation using different engines such as [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) in order to generate real attack data.
+The Attack Range Cloud is a detection development platform, which solves three main challenges in detection engineering. First, the user is able to build quickly a small lab infrastructure as close as possible to a cloud environment. Second, the Attack Range performs attack simulation using different engines such as [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) in order to generate real attack data.
 ## Building 👷‍♂️
 
-Cloud Attack Range can be built is currently:
+Attack Range Cloud can be built is currently:
 
 - **cloud-only**, Specifically simulate attacks against AWS
 
 
 ## Architecture 🏯
-The Cloud Attack Range consists of:
+The Attack Range Cloud consists of:
 - pre-configured Splunk server with AWS Cloudtrail logs and Kubernetes logs
 - pre-configured Phantom server
 - AWS Elastic Kubernetes Service with a Wordpress app and [Splunk Connect for Kubernetes](https://github.com/splunk/splunk-connect-for-kubernetes)
 
 - integrated [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) cloud attacks
 
-![Architecture](docs/cloud_attack_range_architecture.png)
+![Architecture](docs/attack_range_cloud_architecture.png)
 
 ### Logging
 The following log sources are collected from the machines:
@@ -27,50 +27,50 @@ The following log sources are collected from the machines:
 - AWS Elastic Kubernetes Service logs (```index=aws sourcetype=aws:cloudwatchlogs```)
 
 ## Running 🏃‍♀️
-Follow [Getting Started](https://github.com/splunk/attack_range_cloud/wiki/Configure-Cloud-Attack-Range) to configure Cloud Attack Range.  
-Cloud Attack Range supports different actions:
-- Build Cloud Attack Range
+Follow [Getting Started](https://github.com/splunk/attack_range_cloud/wiki/Configure-Cloud-Attack-Range) to configure Attack Range Cloud.  
+Attack Range Cloud supports different actions:
+- Build Attack Range Cloud
 - Perform Cloud Attack Simulation
-- Destroy Cloud Attack Range
-- Stop Cloud Attack Range
-- Resume Cloud Attack Range
+- Destroy Attack Range Cloud
+- Stop Attack Range Cloud
+- Resume Attack Range Cloud
 
-### Cloud Attack Range Commands
-- Configure your Cloud Attack Range .conf
+### Attack Range Cloud Commands
+- Configure your Attack Range Cloud .conf
 ```
-- [x] python cloud_attack_range.py configure
+- [x] python attack_range_cloud.py configure
 ```
 
-### Cloud Attack Range Commands
-- Build Cloud Attack Range
+### Attack Range Cloud Commands
+- Build Attack Range Cloud
 ```
-- [x] python cloud_attack_range.py build
+- [x] python attack_range_cloud.py build
 
 ```
 
 ### Perform Cloud Attack Simulation
-[Work in Progress]
 - Perform Cloud Attack Simulation by Mitre technique
 ```
-python cloud_attack_range.py simulate -st T1136.003
+python attack_range_cloud.py simulate -st T1098 --clean_up yes
+python attack_range_cloud.py simulate -st T1098 --clean_up no
 ```
 
-### Destroy Cloud Attack Range
-- Destroy Cloud Attack Range
+### Destroy Attack Range Cloud
+- Destroy Attack Range Cloud
 ```
-python cloud_attack_range.py destroy
+python attack_range_cloud.py destroy
 ```
 
-### Stop Cloud Attack Range
-- Stop Cloud Attack Range
+### Stop Attack Range Cloud
+- Stop Attack Range Cloud
 ```
-python cloud_attack_range.py stop
+python attack_range_cloud.py stop
 ```
 
-### Resume Cloud Attack Range
-- Resume Cloud Attack Range
+### Resume Attack Range Cloud
+- Resume Attack Range Cloud
 ```
-python cloud_attack_range.py resume
+python attack_range_cloud.py resume
 ```
 
 ## Features 💍
@@ -83,13 +83,13 @@ python cloud_attack_range.py resume
 
 - [Splunk Enterprise Security](https://splunkbase.splunk.com/app/263/)
   * [Splunk Enterprise Security](https://splunkbase.splunk.com/app/263/) is a premium security solution requiring a paid license.
-  * Enable or disable [Splunk Enterprise Security](https://splunkbase.splunk.com/app/263/) in [cloud_attack_range.conf](cloud_attack_range.conf)
+  * Enable or disable [Splunk Enterprise Security](https://splunkbase.splunk.com/app/263/) in [attack_range_cloud.conf](attack_range_cloud.conf)
   * Purchase a license, download it and store it in the apps folder to use it.
 
 - [Splunk Phantom](https://www.splunk.com/en_us/software/splunk-security-orchestration-and-automation.html)
   * [Splunk Phantom](https://www.splunk.com/en_us/software/splunk-security-orchestration-and-automation.html) is a Security Orchestration and Automation platform
   * For a free development license (100 actions per day) register [here](https://my.phantom.us/login/?next=/)
-  * Enable or disable [Splunk Phantom](https://www.splunk.com/en_us/software/splunk-security-orchestration-and-automation.html) in [cloud_attack_range.conf](cloud_attack_range.conf)
+  * Enable or disable [Splunk Phantom](https://www.splunk.com/en_us/software/splunk-security-orchestration-and-automation.html) in [attack_range_cloud.conf](attack_range_cloud.conf)
 
 -  [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)
   * Attack Simulation with  [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)
@@ -103,7 +103,7 @@ If you have questions or need support, you can:
 
 * Post a question to [Splunk Answers](http://answers.splunk.com)
 * Join the [#security-research](https://splunk-usergroups.slack.com/archives/C1S5BEF38) room in the [Splunk Slack channel](http://splunk-usergroups.slack.com)
-* If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can also open a support case on the https://www.splunk.com/ support portal
+* If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can also open a support case on the https://www.splunk.com/ support portalxx`
 
 
 ## Author

cloud_attack_range.conf.template → attack_range_cloud.conf.template

@@ -22,7 +22,7 @@ instance_type_ec2 = t2.2xlarge
 # instance type for the aws ec2 instances
 
 [range_settings]
-key_name = cloud-attack-range
+key_name = attack-range-cloud
 # Specify the name of the EC2 key pair name
 # This is only needed for modes: terraform and packer
 
@@ -89,7 +89,7 @@ splunk_security_essentials_app = splunk-security-essentials_312.tgz
 
 splunk_aws_app = splunk-add-on-for-amazon-web-services_500.tgz
 # Specify the Splunk AWS App
-# Will be only installed when cloud_attack_range=1
+# Will be only installed when attack_range_cloud=1
 
 
 [phantom_settings]
@@ -140,7 +140,6 @@ splunk_server_private_ip = 10.0.1.12
 # for mode terraform should be in subnet: 10.0.1.0/24
 
 
-
 [phantom_server]
 # customize the phantom server
 
@@ -150,7 +149,7 @@ phantom_server_private_ip = 10.0.1.13
 
 
 [cloudtrail]
-sqs_queue_url = https://sqs.us-west-2.amazonaws.com/591511147606/cloudtrail-cloud-attack-range
+sqs_queue_url = 
 # specify the sqs queue for the cloudtrail logs. Cloudtrail needs to be enabled and configured manually.
 # more information can be found here: https://docs.splunk.com/Documentation/AddOns/released/AWS/CloudTrail
 

cloud_attack_range.py → attack_range_cloud.py

@@ -22,14 +22,14 @@ def init(args):
           .-~~~-.
   .- ~ ~-(       )_ _
  /                     ~ -.
-|   Cloud Attack Range     \
- \                         .'
-   ~- . _____________ . -~
+|   Attack Range Cloud     |
+ '                        ,
+  ` ~- . _____________ . `
           ||/__'`.
           |//()'-.:
           |-.||
           |o(o)
-          |||\\\  .==._    
+          ||| .==._    
           |||(o)==::'
            `|T  ""
             ()
@@ -60,9 +60,6 @@ def init(args):
     log = logger.setup_logging(config['log_path'], config['log_level'])
     log.info("INIT - attack_range v" + str(VERSION))
 
-    # if ARG_VERSION:
-    #     log.info("version: {0}".format(VERSION))
-    #     sys.exit(0)
 
     return TerraformController(config, log), config, log
 
@@ -77,18 +74,16 @@ def show(args):
 def simulate(args):
     controller, config, _ = init(args)
     simulation_techniques = args.simulation_technique
-    attack_chain_file = args.attack_chain_file
     clean_up = args.clean_up
 
     # lets give CLI priority over config file for pre-configured techniques
     if not simulation_techniques:
         simulation_techniques = 'no'
-    if not attack_chain_file:
-        attack_chain_file = 'no'
+
     if not clean_up:
         clean_up = 'no'
 
-    return controller.simulate(simulation_techniques,attack_chain_file,clean_up)
+    return controller.simulate(simulation_techniques,clean_up)
 
 
 def dump(args):
@@ -128,8 +123,8 @@ def test(args):
 def main(args):
     # grab arguments
     parser = argparse.ArgumentParser(
-        description="Use `cloud_attack_range.py action -h` to get help with any Attack Range action")
-    parser.add_argument("-c", "--config", required=False, default="cloud_attack_range.conf",
+        description="Use `attack_range_cloud.py action -h` to get help with any Attack Range action")
+    parser.add_argument("-c", "--config", required=False, default="attack_range_cloud.conf",
                         help="path to the configuration file of the attack range")
     parser.add_argument("-v", "--version", default=False, action="version", version="version: {0}".format(VERSION),
                         help="shows current attack_range version")
@@ -138,11 +133,13 @@ def main(args):
     actions_parser = parser.add_subparsers(title="Attack Range actions", dest="action")
     configure_parser = actions_parser.add_parser("configure", help="configure a new attack range")
     build_parser = actions_parser.add_parser("build", help="Builds attack range instances")
-    #simulate_parser = actions_parser.add_parser("simulate", help="Simulates attack techniques")
+    simulate_parser = actions_parser.add_parser("simulate", help="Simulates attack techniques")
     destroy_parser = actions_parser.add_parser("destroy", help="destroy attack range instances")
     stop_parser = actions_parser.add_parser("stop", help="stops attack range instances")
     resume_parser = actions_parser.add_parser("resume", help="resumes previously stopped attack range instances")
     show_parser = actions_parser.add_parser("show", help="list machines")
+
+    # Use attack range to use these functions
     # test_parser = actions_parser.add_parser("test")
     # dump_parser = actions_parser.add_parser("dump", help="dump locally logs from attack range instances")
     # replay_parser = actions_parser.add_parser("replay", help="replay dumps into the Splunk Enterprise server")
@@ -160,40 +157,27 @@ def main(args):
     resume_parser.set_defaults(func=resume)
 
     # Configure arguments
-    configure_parser.add_argument("-c", "--config", required=False, type=str, default='cloud_attack_range.conf',
+    configure_parser.add_argument("-c", "--config", required=False, type=str, default='attack_range_cloud.conf',
                                     help="provide path to write configuration to")
     configure_parser.set_defaults(func=configure)
 
     # Simulation arguments
-    # simulate_parser.add_argument("-st", "--simulation_technique", required=False, type=str, default="",
-    #                              help="Specify an single atomic for AWS "
-    #                                   "attack_range, example:  T1136.003, requires --simulation flag")
-    # simulate_parser.add_argument("-acf", "--attack_chain_file", required=False,
-    #                              help="attack chain file")
+    simulate_parser.add_argument("-st", "--simulation_technique", required=False, type=str, default="",
+                                 help="Specify an single atomic for AWS "
+                                      "attack_range, example:  T1098, requires --simulation flag")
 
-    # simulate_parser.add_argument("-cu", "--clean_up", required=False, type=str, default="",
-    #                              help="cleanup simulations")
-    # simulate_parser.set_defaults(func=simulate)
+    simulate_parser.add_argument("-cu", "--clean_up", required=False, type=str, default="",
+                                 help="cleanup simulations")
+
+    simulate_parser.set_defaults(func=simulate)
 
-    # # Dump  Arguments
+    # Dump  Arguments
     # dump_parser.add_argument("-dn", "--dump_name", required=True,
     #                          help="name for the dumped attack data")
     # dump_parser.add_argument("--last-sim", required=False, action='store_true',
     #                          help="overrides dumps.yml time and dumps from the start of previous simulation")
     # dump_parser.set_defaults(func=dump)
 
-    # # Replay Arguments
-    # replay_parser.add_argument("-dn", "--dump_name", required=True,
-    #                            help="name for the dumped attack data")
-    # replay_parser.add_argument("--dump", required=False,
-    #                     help="name of the dump as defined in attack_data/dumps.yml")
-    # replay_parser.set_defaults(func=replay)
-
-    # # Test Arguments
-    # test_parser.add_argument("-tf", "--test_file", required=True,
-    #                          type=str, default="", help='test file for test command')
-    # test_parser.set_defaults(func=test)
-
     # Show arguments
     show_parser.add_argument("-m", "--machines", required=False, default=False,
                              action="store_true", help="prints out all available machines")

modules/IEnvironmentController.py

@@ -26,7 +26,7 @@ def resume(self):
         pass
 
     @abstractmethod
-    def simulate(self, simulation_techniques,attack_chain_file,clean_up):
+    def simulate(self, simulation_techniques,clean_up):
         pass
 
     @abstractmethod