# attack_range_local.conf - settings for a local (Vagrant) Attack Range build.
# Every key below is read by the Attack Range tooling; comments are full-line only.
# SECURITY: this file ships with a published default password (I-l1ke-Attack-Range!)
# reused for Splunk, Phantom, the Windows Administrator account and Caldera, and it
# holds my.phantom.us account credentials in clear text. Change every password to a
# distinct value before building, never expose the range to an untrusted network,
# and keep a copy of this file with real credentials out of version control.
[global]
# Logging for the Attack Range tool itself (not for the Splunk/Windows hosts it builds)
log_path = attack_range.log
# Path of the Attack Range log file. A relative path is presumably resolved
# against the directory attack_range is run from - confirm if that matters to you.
log_level = INFO
# Verbosity of the Attack Range log
# Possible values: INFO, ERROR
[splunk_settings]
# Splunk Enterprise server: admin credential, installer download and the apps/add-ons
# that are fetched and installed at build time.
splunk_admin_password = I-l1ke-Attack-Range!
# Password for the Splunk 'admin' user.
# SECURITY: this is the published repository default and the same string is used
# for Phantom, the Windows Administrator account and Caldera. Set a unique,
# non-default value before building; anyone who can reach port 8000 on the
# Splunk host can otherwise log in as admin.
splunk_url = https://download.splunk.com/products/splunk/releases/8.0.2/linux/splunk-8.0.2-a7f645ddaf91-Linux-x86_64.tgz
# Download URL of the Splunk Enterprise installer (pinned to 8.0.2, fetched over HTTPS).
# This config carries no checksum or signature for the download; if you update the
# version, verify the archive against the hash Splunk publishes for that release.
# 8.0.2 is an old release - check Splunk's security advisories before exposing
# the instance beyond an isolated lab network.
splunk_binary = splunk-8.0.2-a7f645ddaf91-Linux-x86_64.tgz
# File name of the Splunk Enterprise archive (must match the last path segment of splunk_url)
s3_bucket_url = https://attack-range-appbinaries.s3-us-west-2.amazonaws.com
# Base URL of the S3 bucket the Splunk apps/add-ons below are downloaded from.
# SECURITY: these binaries are pulled from a project-controlled bucket at build time
# with no integrity check configured here. Treat them as third-party supply-chain
# inputs: review what the bucket serves, or point this at a bucket you control.
splunk_windows_ta = splunk-add-on-for-microsoft-windows_800.tgz
# File name of the Splunk Add-on for Microsoft Windows (in s3_bucket_url)
splunk_sysmon_ta = splunk-add-on-for-microsoft-sysmon_1062.tgz
# File name of the Splunk Add-on for Microsoft Sysmon (in s3_bucket_url)
splunk_cim_app = splunk-common-information-model-cim_4180.tgz
# File name of the Splunk Common Information Model (CIM) app
splunk_escu_app = DA-ESS-ContentUpdate-latest.tar.gz
# File name of the Splunk ES Content Update (ESCU) app - the detection content
# the range is built to exercise. '-latest' is an unpinned, moving artefact.
splunk_asx_app = Splunk_ASX-latest.tar.gz
# File name of the Splunk ASX app ('-latest' is unpinned)
splunk_python_app = python-for-scientific-computing-for-linux-64-bit_200.tgz
# File name of the Python for Scientific Computing add-on, a dependency of the MLTK app
splunk_mltk_app = splunk-machine-learning-toolkit_510.tgz
# File name of the Splunk Machine Learning Toolkit (MLTK) app
splunk_stream_app = splunk-stream_720.tgz
# File name of the Splunk Stream app
splunk_security_essentials_app = splunk-security-essentials_310.tgz
# File name of the Splunk Security Essentials (SSE) app
punchard_custom_visualization = punchcard-custom-visualization_140.tgz
# File name of the Punchcard Custom Visualization app
# (the key name is spelled 'punchard' and must stay that way - the tool reads it as-is)
status_indicator_custom_visualization = status-indicator-custom-visualization_140.tgz
# File name of the Status Indicator Custom Visualization app
splunk_attack_range_dashboard = splunk_attack_range_reporting-1.0.5.tar.gz
# File name of the Attack Range reporting dashboard app
timeline_custom_visualization = timeline-custom-visualization_140.tgz
# File name of the Timeline Custom Visualization app
splunk_aws_app = splunk-add-on-for-amazon-web-services_500.tgz
# File name of the Splunk Add-on for Amazon Web Services
# Only installed when cloud_attack_range=1 (that key is not defined in this
# local config; it belongs to the cloud/Terraform configuration - confirm)
splunk_bots_dataset = 0
# A comma separated list of values indicating which of the open-source Boss
# of the SOC (BOTS) datasets to install.
# 0 - Do not install any Boss of the SOC datasets (default)
# 1 - full BOTSv1 dataset index=botsv1
# 1a - attack-only BOTSv1 dataset index=botsv1 (recommended over full BOTSv1)
# 2 - full BOTSv2 dataset index=botsv2
# 2a - attack-only BOTSv2 dataset index=botsv2 (recommended over full BOTSv2)
# 3 - full BOTSv3 dataset index=botsv3 (there is no 'attack-only' variant for BOTSv3)
#
# Examples:
#
# splunk_bots_dataset = 1a
# This setting works nicely with the 'Boss of the SOC (BOTS) Investigation
# Workshop for Splunk'
# https://splunkbase.splunk.com/app/3985/
#
# splunk_bots_dataset = 1a,2a,3
# This is the recommended setting to get the most BOTS data while incurring
# the least storage and download time
#
# For BOTSv1 and BOTSv2 the 'attack-only' versions of the datasets are
# preferable. They contain all the malicious activity with none of the
# bulky background noise. You cannot select both 1 and 1a, nor 2 and 2a;
# doing so will result in an error during the Attack Range build.
#
# Note that specifying any of these datasets will cause the Attack Range build
# process to download large files and store them in your Attack Range Splunk
# instance. Slow network links combined with some of the larger BOTS datasets
# will add significant time to your Attack Range build. A summary of the
# datasets and their sizes can be found here:
# https://github.com/splunk/securitydatasets
#
# Note the Attack Range build process does not currently install the Splunk
# apps and add-ons for the BOTS data. You may view the list of apps and
# add-ons that are associated with each dataset here:
# https://github.com/splunk/securitydatasets
#
# For more information please see: https://github.com/splunk/securitydatasets
#
# Questions or comments? Please email the BOTS team: bots@splunk.com
[phantom_settings]
# Splunk Phantom (SOAR) server: download account, admin credential and Splunk app.
# Only used when phantom_server = 1 in [environment].
phantom_community_username = user
# Username of your my.phantom.us account, used to download the Phantom installer.
# This placeholder must be replaced with a real username.
# You can register under my.phantom.us
phantom_community_password = password
# Password of your my.phantom.us account.
# This placeholder must be replaced with a real password.
# SECURITY: this is a real, personal credential stored in clear text. Keep this
# file (or a copy containing the credential) out of version control and out of
# shared build artefacts.
# You can register under my.phantom.us
phantom_admin_password = I-l1ke-Attack-Range!
# Password used to log in to the new Phantom instance as 'admin'.
# SECURITY: published repository default, shared with Splunk, Windows and Caldera -
# set a unique value before building.
phantom_app = phantom-app-for-splunk_305.tgz
# File name of the Phantom App for Splunk (downloaded from s3_bucket_url)
[windows_settings]
# Settings applied to every Windows host in the range (domain controller,
# server and client): local admin credential, forwarder, Sysmon and timezone.
win_username = Administrator
# Name of the built-in administrator account on the Windows machines.
# It is recommended to keep this value as it is.
win_password = I-l1ke-Attack-Range!
# Password for the Windows Administrator account.
# SECURITY: published repository default, shared with Splunk, Phantom and Caldera.
# Set a unique value before building; attack simulations (and any attacker that
# reaches the hosts) get a real administrator credential otherwise.
# The default Windows password policy must be satisfied: at least three of
# uppercase letters, lowercase letters, numbers and special characters.
splunk_uf_win_url = https://download.splunk.com/products/universalforwarder/releases/8.0.2/windows/splunkforwarder-8.0.2-a7f645ddaf91-x64-release.msi
# Download URL of the Splunk Universal Forwarder MSI for Windows (8.0.2, over HTTPS).
# No checksum is configured here; verify against Splunk's published hash if you change it.
win_sysmon_url = https://attack-range-appbinaries.s3-us-west-2.amazonaws.com/Sysmon.zip
# Download URL of the Sysmon archive. Note this is served from the project's S3
# bucket rather than from Microsoft, with no integrity check in this config -
# consider pointing it at the Microsoft Sysinternals download and verifying the
# archive out of band.
win_sysmon_template = AttackRangeSysmon.xml
# Sysmon configuration template to deploy. This controls which process, network
# and file events are logged, so it directly determines what the Splunk
# detections can see.
# Possible values listed by the project: SysmonConfig-moti.xml, SysmonConfig-Neo23x0-server.xml,
# SysmonConfig-Neo23x0-workstations.xml, SysmonConfig-TSwift.xml, SysmonConfig-Verbose.xml,
# SysmonConfigCustom.xml
# (the default AttackRangeSysmon.xml is not in that list - confirm the file
# exists in the repository's Sysmon config directory)
win_timezone = GMT Standard Time
# Timezone to set on the Windows hosts (affects event timestamps shipped to Splunk)
# A list of possible values can be found here: https://docs.microsoft.com/en-us/previous-versions/windows/embedded/ms912391(v=winembedded.11)?redirectedfrom=MSDN
[enterprise_security]
# Optional installation of Splunk Enterprise Security (ES).
install_es = 0
# Whether to install Splunk Enterprise Security.
# ES is a Splunk premium (licensed) app, so it is not downloaded by the build;
# you must obtain it yourself and place the file in the apps folder.
# After installing ES, Splunk is available under https://[ip]:8000
# Possible values: 1, 0
splunk_es_app = splunk-enterprise-security_640.spl
# File name of the Splunk Enterprise Security package you saved into the apps folder.
[mltk]
# Optional installation of the Splunk Machine Learning Toolkit
# (files named by splunk_mltk_app and splunk_python_app in [splunk_settings]).
install_mltk = 0
# Whether to install Splunk MLTK.
# After installing MLTK, Splunk is available under https://[ip]:8000
# Possible values: 1, 0
[simulation]
# Atomic Red Team (ART) attack simulation settings.
# SECURITY: these techniques are executed for real on the range's hosts. Run them
# only inside the isolated range, never against production systems.
art_run_techniques = T1003.001
# MITRE ATT&CK technique ID(s) of the Atomic Red Team tests to run
# (T1003.001 is OS Credential Dumping: LSASS Memory).
# This can be given either on the command line or here; the command line
# takes precedence over this file.
art_repository = splunk
# Atomic Red Team repository fork (GitHub account/organisation) to pull the tests from.
art_branch = local-master
# Branch of that fork to use.
# Note: a branch is a moving reference, so the test code executed on the hosts can
# change between builds. Pin to a reviewed fork/branch you trust, or a tag, if
# reproducibility or supply-chain control matters.
[caldera]
# MITRE Caldera adversary-emulation server credential.
caldera_password = I-l1ke-Attack-Range!
# Password for the Caldera 'admin' user.
# SECURITY: published repository default, shared with Splunk, Phantom and Windows.
# Set a unique value before building - Caldera can task agents on the range hosts.
[environment]
# Compose your Attack Range by enabling (1) or disabling (0) each machine.
# Per-machine sizing and addressing lives in the sections that follow.
splunk_server = 1
# Build a Splunk server inside the range.
# Possible values: 1, 0
# If set to 0, logs are forwarded to an existing Splunk instance instead
# (its address is taken from splunk_server_private_ip in [splunk_server]),
# so the range's telemetry leaves the range - make sure that host is yours.
phantom_server = 0
# Build a Phantom server (requires valid [phantom_settings] credentials).
# Possible values: 1, 0
windows_domain_controller = 1
# Build a Windows domain controller.
# Possible values: 1, 0
windows_server = 0
# Build a Windows server.
# Possible values: 1, 0
kali_machine = 0
# Build a Kali Linux machine (the attacker box inside the range).
# Possible values: 1, 0
windows_client = 0
# Build a Windows client.
# Currently only supported in Vagrant mode.
# Possible values: 1, 0
[splunk_server]
# Sizing and addressing of the Splunk server.
splunk_server_private_ip = 10.0.1.12
# Private IP address of the Splunk server.
# If splunk_server = 0, this is the IP address of the existing Splunk instance
# the forwarders will ship logs to.
# In Terraform mode it should be in the subnet 10.0.1.0/24.
splunk_server_cpus = 4
# Number of CPUs to equip the machine with.
splunk_server_memory = 6144
# Memory to equip the machine with, in MB (6144 = 6 GB), not KB as earlier
# versions of this comment said.
# It is not recommended to use any value lower than the default (6144).
[caldera_server]
# Sizing and addressing of the Caldera server.
# Presumably only deployed as a separate machine when splunk_server = 0 (the
# original comment reads "only run when no splunk_server = 0"); note that its
# default IP is the same as splunk_server_private_ip, which is only valid if the
# two are never built side by side - confirm before enabling both.
caldera_server_private_ip = 10.0.1.12
# Private IP address of the Caldera server.
caldera_server_cpus = 2
# Number of CPUs to equip the machine with.
caldera_server_memory = 2048
# Memory to equip the machine with, in MB (2048 = 2 GB).
# It is not recommended to use any value lower than the default (2048).
[phantom_server]
# Sizing and addressing of the Phantom server (only used when phantom_server = 1).
phantom_server_private_ip = 10.0.1.13
# Private IP address of the Phantom server.
# In Terraform mode it should be in the subnet 10.0.1.0/24.
phantom_server_cpus = 4
# Number of CPUs to equip the machine with.
phantom_server_memory = 4096
# Memory to equip the machine with, in MB (4096 = 4 GB).
# It is not recommended to use any value lower than the default (4096).
[windows_domain_controller]
# Sizing, addressing and image of the Windows domain controller.
windows_domain_controller_private_ip = 10.0.1.14
# Private IP address of the domain controller.
# In Terraform mode it should be in the subnet 10.0.1.0/24.
windows_domain_controller_os = Windows_Server-2016-English-Full-Base-*
# Operating system image of the domain controller.
# Currently only Windows Server 2016 is supported.
# SECURITY: this is a wildcard image-name pattern, not a pinned image ID. When the
# lookup runs against a cloud provider, make sure it is restricted to the
# provider's official image owner so a look-alike public image cannot match
# (this file does not pin an owner - confirm in the Terraform code).
windows_domain_controller_cpus = 1
# Number of CPUs to equip the machine with.
windows_domain_controller_memory = 2048
# Memory to equip the machine with, in MB (2048 = 2 GB).
# It is not recommended to use any value lower than the default (2048).
[windows_server]
# Sizing, addressing and image of the Windows server (only used when windows_server = 1).
windows_server_private_ip = 10.0.1.15
# Private IP address of the Windows server.
# In Terraform mode it should be in the subnet 10.0.1.0/24.
windows_server_os = Windows_Server-2016-English-Full-Base-*
# Operating system image of the Windows server.
# Currently only Windows Server 2016 is supported.
# SECURITY: wildcard image-name pattern, not a pinned image ID - see the note on
# windows_domain_controller_os; restrict the lookup to the official image owner.
windows_server_join_domain = 0
# Whether the Windows server joins the range's Windows domain
# (requires windows_domain_controller = 1 in [environment]).
# Possible values: 1, 0
windows_server_cpus = 1
# Number of CPUs to equip the machine with.
windows_server_memory = 2048
# Memory to equip the machine with, in MB (2048 = 2 GB).
# It is not recommended to use any value lower than the default (2048).
[kali_machine]
# Sizing and addressing of the Kali Linux attacker machine (only used when kali_machine = 1).
kali_machine_private_ip = 10.0.1.16
# Private IP address of the Kali machine.
# In Terraform mode it should be in the subnet 10.0.1.0/24.
kali_machine_cpus = 1
# Number of CPUs to equip the machine with.
kali_machine_memory = 2048
# Memory to equip the machine with, in MB (2048 = 2 GB).
# It is not recommended to use any value lower than the default (2048).
[windows_client]
# Sizing, addressing and image of the Windows client (only used when windows_client = 1;
# Vagrant mode only).
windows_client_private_ip = 10.0.1.17
# Private IP address of the Windows client.
# In Terraform mode it should be in the subnet 10.0.1.0/24.
windows_client_os = Windows-10
# Operating system image of the Windows client.
# For Vagrant mode use Windows-10.
windows_client_join_domain = 0
# Whether the Windows client joins the range's Windows domain
# (requires windows_domain_controller = 1 in [environment]).
# Possible values: 1, 0
windows_client_cpus = 1
# Number of CPUs to equip the machine with.
windows_client_memory = 2048
# Memory to equip the machine with, in MB (2048 = 2 GB).
# It is not recommended to use any value lower than the default (2048).