
Demo: Splunk Mission Control DEPRECATED

Jose Enrique Hernandez edited this page Aug 19, 2020 · 1 revision

The attack_range can be configured to integrate with Splunk Mission Control and run a prebuilt attack demo scenario. NOTE: This is only available to users who have access to the Splunk Connect for Mission Control app.

Requirements

  • The Splunk Connect for Mission Control and Splunk Enterprise Security applications
  • Access to a Mission Control tenant that the attack_range_splunk_server can connect to and forward events to

Configure Mission Control and demo parameters

To configure Mission Control in the attack range follow these steps:

  1. In attack_range.conf, set install_mission_control = 1 to integrate with Mission Control.
  2. In attack_range.conf, set run_demo = 1 to run the prebuilt demo.
  3. In attack_range.conf, set install_es = 1 to install Enterprise Security.
  4. Update the following [environment] variables in attack_range.conf to set up the demo environment:

       windows_domain_controller = 1
       windows_server = 1
       kali_machine = 1
       windows_server_join_domain = 1
       windows_client_join_domain = 1

You can also find an example of this attack_range.conf

Then build the attack range.
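Before building, it is worth checking that the conf file actually carries every setting the steps above require. The following pre-build check is an added example, not part of attack_range; it assumes attack_range.conf is INI-style, that the three install/run flags may sit in any section (the [global] section name in the sample is a placeholder), and takes only the [environment] section name from this page.

```python
"""Pre-build check for the Mission Control demo settings in attack_range.conf.
Added example, not attack_range's own code. Assumes an INI-style file; the
three flags are looked up in every section, only [environment] is fixed."""
import configparser

# Flags this page says must be 1, plus the [environment] values for the demo.
REQUIRED_FLAGS = {"install_mission_control": "1", "run_demo": "1", "install_es": "1"}
REQUIRED_ENV = {
    "windows_domain_controller": "1",
    "windows_server": "1",
    "kali_machine": "1",
    "windows_server_join_domain": "1",
    "windows_client_join_domain": "1",
}


def check_demo_config(conf_text):
    """Return a list of problems; an empty list means the demo prerequisites are met."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    problems = []
    for key, want in REQUIRED_FLAGS.items():
        # The flag may live in any section, so search all of them.
        found = [cp[s][key] for s in cp.sections() if cp.has_option(s, key)]
        if not found:
            problems.append(f"{key} not set anywhere (needs {key} = {want})")
        elif found[0] != want:
            problems.append(f"{key} = {found[0]}, expected {want}")
    if not cp.has_section("environment"):
        problems.append("[environment] section missing")
    else:
        for key, want in REQUIRED_ENV.items():
            got = cp["environment"].get(key)
            if got != want:
                problems.append(f"[environment] {key} = {got}, expected {want}")
    return problems


# Constructed sample: ES not enabled and no Kali machine; [global] is a placeholder section name.
SAMPLE_CONF = """\
[global]
install_mission_control = 1
run_demo = 1
install_es = 0

[environment]
windows_domain_controller = 1
windows_server = 1
kali_machine = 0
windows_server_join_domain = 1
windows_client_join_domain = 1
"""

if __name__ == "__main__":
    for problem in check_demo_config(SAMPLE_CONF):
        print("FIX:", problem)
```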

Attack Demo Details

When the attack range is successfully built, an Ansible task automatically runs the attack scenario:

  1. Execution of Malicious .exe (masqueraded as putty.exe)
  2. Reverse HTTP shell to Kali Linux (C&C Server)
  3. Local user enumeration
  4. Local network enumeration
  5. Credential dumping using Mimikatz and copying SAM
  6. Lateral movement with PsExec
  7. Copy malicious putty.exe to domain controller

All the logs from the various endpoints are indexed on the Splunk server, where you can configure detection searches that create notable events in Enterprise Security; those notable events are then forwarded to Splunk Mission Control.

For installing and troubleshooting Mission Control, please refer to the docs.