Table of Contents
- What is PurpleLab?
- Installation
- Usage
- Splunk App
- Cortex Analyzer
- API Documentation
What is PurpleLab?
PurpleLab is a cybersecurity laboratory that enables security professionals to easily deploy an entire testing environment for creating and validating detection rules, simulating realistic attack scenarios, and training security analysts.
Architecture Components
The lab includes:
- Web Interface - Complete frontend for controlling all features
- VirtualBox Environment - Ready-to-use Windows Server 2019 with Sysmon and an OpenSearch collector
- Flask Backend - Robust API and application logic
- PostgreSQL Database - Secure data storage
- OpenSearch Server - Advanced log analysis and search capabilities
Installation procedure
Important: For a completely clean installation, follow ALL chapters of the installation procedure, from requirements to account configuration.
Security Notice: This lab has not been hardened and runs with basic credentials. Do not connect it to production networks, or, if you must, first secure it with proper PKI and authentication systems.
Requirements
Minimum Hardware Resources:
- Storage: 200GB available space
- CPU: 8 cores minimum
- RAM: 13GB minimum
Software Requirements:
Software Requirements:
Note: Ubuntu Server 23.10 may cause issues with Python library installation.
Hardware Virtualization Setup:
VMware Workstation:
- Go to VM settings → Processors → Virtualization engine
- Enable "Virtualize Intel VT-x/EPT or AMD-V/RVI"
VirtualBox:
- Select VM → Right-click → Settings → System → Processor
- Check "Enable Nested VT-x/AMD-V"
Physical Machine (Host):
- Access BIOS/UEFI settings
- Enable hardware virtualization (VT-x/AMD-V)
- Save changes and restart
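A host preflight check that covers the minimum resources listed under Requirements and the VT-x/AMD-V flags that the nested-virtualization settings above are meant to expose to the guest. This is an added example, not a script from the PurpleLab repository: the thresholds are the README's (200 GB, 8 cores, 13 GB), the /proc parsing is standard Linux, and measuring free space on the path you pass (default "/") is an assumption about where the lab will be installed.

```python
"""Preflight check for the PurpleLab host requirements.

Added example, not part of the PurpleLab repository. The minimums
(200 GB disk, 8 CPU cores, 13 GB RAM, VT-x/AMD-V visible to the guest)
are the README's; the /proc parsing is standard Linux.
"""
import re
import shutil

MIN_DISK_GB = 200
MIN_CORES = 8
MIN_RAM_GB = 13
GB = 1024 ** 3


def count_cores(cpuinfo_text: str) -> int:
    """Count logical processors from /proc/cpuinfo content."""
    return len(re.findall(r"^processor\s*:", cpuinfo_text, flags=re.MULTILINE))


def has_virt_flags(cpuinfo_text: str) -> bool:
    """True if the CPU exposes Intel VT-x (vmx) or AMD-V (svm).

    Inside a VMware/VirtualBox guest these flags only appear once nested
    virtualization has been enabled for the VM, as described above.
    """
    m = re.search(r"^flags\s*:(.*)$", cpuinfo_text, flags=re.MULTILINE)
    if not m:
        return False
    flags = set(m.group(1).split())
    return bool(flags & {"vmx", "svm"})


def total_ram_gb(meminfo_text: str) -> float:
    """Parse MemTotal (kB) from /proc/meminfo and return gigabytes."""
    m = re.search(r"^MemTotal:\s*(\d+)\s*kB", meminfo_text, flags=re.MULTILINE)
    if not m:
        return 0.0
    return int(m.group(1)) * 1024 / GB


def evaluate(cores: int, ram_gb: float, disk_free_gb: float, virt: bool) -> dict:
    """Return a pass/fail verdict per requirement."""
    return {
        "cpu_cores": cores >= MIN_CORES,
        "ram": ram_gb >= MIN_RAM_GB,
        "disk": disk_free_gb >= MIN_DISK_GB,
        "virtualization": virt,
    }


def check_host(path: str = "/") -> dict:
    """Read the live host (Linux only) and evaluate it; `path` is the
    filesystem the lab will be installed on (assumption: the root fs)."""
    with open("/proc/cpuinfo") as f:
        cpuinfo = f.read()
    with open("/proc/meminfo") as f:
        meminfo = f.read()
    free_gb = shutil.disk_usage(path).free / GB
    return evaluate(count_cores(cpuinfo), total_ram_gb(meminfo),
                    free_gb, has_virt_flags(cpuinfo))


if __name__ == "__main__":
    for name, ok in check_host().items():
        print(f"{name:15} {'OK' if ok else 'FAIL'}")
```

Run it on the Ubuntu host before starting the installer; a FAIL on "virtualization" with the other checks passing almost always means the VM-level nested virtualization switch above was not applied, since VirtualBox inside the guest needs those flags to start the Windows Server VM.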
Download Repository:
git clone https://github.com/Krook9d/PurpleLab.git && mv PurpleLab/install_ansible.sh .
The mv step moves the installer into the current directory, which is where the next step runs it from.
Installation
Execute the Ansible installation script:
sudo bash install_ansible.sh
The script will automatically:
- Install all components: OpenSearch, PostgreSQL, VirtualBox, and web interface
- Configure the Windows Server VM: Set up monitoring and security tools
- Generate credentials: Save all login information to admin.txt
Accounts
Admin Account
A default admin account is automatically created and stored in ~/admin.txt with the format:
[email protected]:password
User Account Setup
- Access the application using your server's IP address
- Click the "Register" button
- Fill required fields:
- First Name: Your first name
- Last Name: Your last name
- Analyst Level: Your analyst level (N1/N2/N3)
- Avatar: Select an avatar (< 1MB)
- Password: Must contain at least 8 characters with uppercase, lowercase, number, and special character
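The password rule above as a check you can run before submitting, or use when reviewing a registration handler. This is an added example, not PurpleLab's validation code; the requirement names are mine, and "special character" is taken to mean any character outside the ASCII letters and digits, which is an assumption.

```python
"""Password policy check for the registration rule above.

Added example, not PurpleLab's own validation code. The policy is the
README's: at least 8 characters with an uppercase letter, a lowercase
letter, a digit and a special character.
"""
import re

MIN_LENGTH = 8
# Assumption: "special" means anything that is not an ASCII letter or digit.
CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def missing_requirements(password: str) -> list:
    """Return the names of the policy requirements the password fails,
    in a fixed order, so a form can show the user exactly what is missing."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    for name, pattern in CLASSES.items():
        if not pattern.search(password):
            failures.append(name)
    return failures


def is_valid_password(password: str) -> bool:
    """True when every requirement is met."""
    return not missing_requirements(password)
```

Because the special-character class is defined by exclusion, a space or a non-ASCII letter also satisfies it; narrow the pattern if the registration form defines special characters more strictly.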
Usage
Start the Flask server:
sudo python3 /home/$(logname)/app.py
Windows Server 2019 Sandbox VM
The automatically configured VM includes:
- Windows Server 2019 with admin user oem/oem
- Sysmon with SwiftOnSecurity configuration for advanced logging
- Winlogbeat OSS 7.12.1 automatically sending logs to OpenSearch
- Atomic Red Team with full test suite for attack simulation
- Python environment and Chocolatey package manager
- PowerShell-YAML module for YAML file processing
- Pre-configured directories: samples, malware_upload, and upload folders
- Windows Defender exclusions for testing scenarios
Home Page
The dashboard displays key performance indicators from OpenSearch:
- Event Count from Windows Server VM
- Unique IP Addresses detected in logs
- MITRE ATT&CK techniques and sub-techniques count
- Log Distribution from VM collection
Hunting Page
Direct access to OpenSearch Dashboards for log analysis. Navigate to Discover to examine:
- Automatically collected VM logs from Windows Server sandbox
- Simulated log data and security events
- Real-time monitoring of system activities
- Sysmon events with detailed process and network information
MITRE ATT&CK Page
Interactive MITRE ATT&CK framework interface for:
Technique Discovery:
- Search using technique IDs (e.g., "T1070")
- Browse sub-techniques and detailed information
- Access comprehensive technique documentation
Payload Execution:
- Execute Atomic Red Team payloads
- Simulate real attack scenarios
- Generate detection-worthy events
Database Management:
- Update MITRE ATT&CK database with latest data
- Maintain current threat intelligence
Reference: Atomic Red Team Tests
Malware Page
Comprehensive malware management platform with dual functionality:
Malware Downloader
- Search & Download: Enter malware types (e.g., "Trojan")
- Auto-Integration: Automatically uploads to Windows VM
- Batch Processing: Downloads 10 latest samples from Malware Bazaar
- Execution Control: Run malware with single-click execution
Malware Uploader
- Custom Uploads: Upload your own executables and scripts
- Supported Formats: .exe, .dll, .bin, .py, .ps1
- Inventory Management: List and manage uploaded malware
Storage Location: /var/www/html/Downloaded/malware_upload/
Sharing Page
Collaborative knowledge sharing platform:
- Query Sharing: Publish effective detection queries
- Rule Exchange: Share custom detection rules
- Community Benefit: Learn from other analysts' discoveries
Sigma Page
Advanced Sigma rule management:
Search Capabilities
- Keyword Search: Find rules by technique IDs or keywords (e.g., "powershell")
- Rule Display: View complete Sigma rule details
- Format Conversion: Convert rules to Splunk or Lucene syntax
Conversion Features
- Splunk Format: One-click conversion to Splunk queries
- Lucene Format: Transform to Elasticsearch-compatible syntax
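The Splunk and Lucene conversions above, worked through for a small Sigma subset so the mapping is visible. This is an added example, not the converter PurpleLab uses: it supports named selections, list values, the contains/startswith/endswith modifiers and conditions built from selection names with and/or/not, and the rule it converts is a constructed one.

```python
"""Sigma rule to Splunk and Lucene conversion for a small Sigma subset.

Added example, not the converter PurpleLab ships. Supported: named
selections of field/value pairs (a value or a list of values), the
modifiers contains/startswith/endswith, and a condition that joins
selection names with and/or/not. The rule below is constructed.
"""
import re

# Constructed rule, written as the parsed form of a Sigma YAML file so
# that the example does not depend on PyYAML.
RULE = {
    "title": "Windows event log cleared via wevtutil",
    "tags": ["attack.defense_evasion", "attack.t1070.001"],
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\wevtutil.exe",
            "CommandLine|contains": ["clear-log", " cl "],
        },
        "filter": {"User|startswith": "NT AUTHORITY\\SYSTEM"},
        "condition": "selection and not filter",
    },
}

# Sigma modifier -> wildcard pattern that both backends understand.
WILDCARD = {"contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}
LUCENE_RESERVED = re.compile(r'([\\+\-!():^\[\]"{}~/ ])')


def split_field(key):
    """'Image|endswith' -> ('Image', 'endswith'); 'Image' -> ('Image', None)."""
    field, _, modifier = key.partition("|")
    return field, modifier or None


def render_term(field, value, modifier, fmt):
    """Render one field/value pair for the backend named by fmt."""
    pattern = WILDCARD.get(modifier, "{}").format(value)
    if fmt == "splunk":
        # SPL string literal: backslash and double quote are the escapes.
        escaped = pattern.replace("\\", "\\\\").replace('"', '\\"')
        return f'{field}="{escaped}"'
    if fmt == "lucene":
        # Lucene honours wildcards only outside quotes, so escape the
        # reserved characters (spaces included) and leave '*' untouched.
        return f"{field}:" + LUCENE_RESERVED.sub(r"\\\1", pattern)
    raise ValueError(f"unsupported backend: {fmt}")


def render_selection(selection, fmt):
    """AND all fields of a selection; OR the alternatives of a list value."""
    clauses = []
    for key, values in selection.items():
        field, modifier = split_field(key)
        values = values if isinstance(values, list) else [values]
        terms = [render_term(field, str(v), modifier, fmt) for v in values]
        clauses.append(terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")")
    return "(" + " AND ".join(clauses) + ")"


def convert(rule, fmt):
    """Return the detection as a Splunk search (fmt='splunk') or a
    Lucene query string (fmt='lucene')."""
    detection = rule["detection"]
    parts = []
    for token in detection["condition"].split():
        if token in ("and", "or", "not"):
            parts.append(token.upper())
        else:
            parts.append(render_selection(detection[token], fmt))
    return " ".join(parts)


if __name__ == "__main__":
    for backend in ("splunk", "lucene"):
        print(f"{backend}: {convert(RULE, backend)}")
```

Production converters also scope the search to an index or sourcetype, map Sigma field names onto the backend's (for example the Sysmon fields as the OpenSearch collector indexes them) and escape literal asterisks; this subset leaves "*" as a wildcard, which is the right reading for the three modifiers but not for an exact value containing one.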
Rule Lifecycle Page
Advanced rule lifecycle management system for connecting and managing security rules across multiple SIEM platforms:
Connectors Management
- Splunk Integration: Configure connections to Splunk instances with SSL support
- OpenSearch Integration: Connect to OpenSearch clusters for rule synchronization
- Connection Testing: Validate configurations before deployment
- Status Monitoring: Real-time connector health and connectivity status
Rules & Payloads
- Rule Synchronization: Automatically fetch detection rules from connected SIEM platforms
- Payload Association: Link PowerShell payloads to specific detection rules
- Custom Payload Creation: Build and edit PowerShell scripts for rule testing
- Rule Filtering: Filter rules by payload status and connector type
- Last Sync Tracking: Monitor synchronization timestamps and rule freshness
Execution & Results
- Payload Execution: Run individual or batch payloads against associated rules
- Result Analysis: View detailed execution outputs and error messages
- Status Filtering: Filter results by triggered/not triggered/error states
- Time-based Filtering: Analyze executions over different time periods
- Batch Operations: Execute all payloads for displayed rules simultaneously
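How a payload run ends up classified as triggered, not triggered or error: the rule's selections are matched against the events the run produced, the condition is evaluated with Sigma precedence (not before and before or), and any malformed rule or event is reported rather than silently counted as a miss. This is an added example, not PurpleLab's executor; the rule, the Sysmon-style events and the keys of the result dictionary (status, matches, detail) are constructed.

```python
"""Evaluate a Sigma-style rule against collected events and classify a
payload run as triggered / not triggered / error.

Added example, not PurpleLab's executor. Assumed Sigma subset: selections
of field/value pairs, contains/startswith/endswith modifiers, and a
condition of selection names joined with and/or/not. Rule and events
are constructed.
"""

# Constructed rule in parsed form (the detection block of a Sigma file).
RULE = {
    "title": "Windows event log cleared via wevtutil",
    "detection": {
        "selection": {
            "Image|endswith": "\\wevtutil.exe",
            "CommandLine|contains": ["clear-log", " cl "],
        },
        "filter": {"User|startswith": "NT AUTHORITY\\SYSTEM"},
        "condition": "selection and not filter",
    },
}

# Constructed process-creation events, shaped like Sysmon Event ID 1 records.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security", "User": "LAB\\analyst"},
    {"Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil.exe clear-log System", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "User": "LAB\\analyst"},
]

KEYWORDS = ("and", "or", "not")


def value_matches(actual, expected, modifier):
    """Sigma string comparisons are case-insensitive."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e


def selection_matches(selection, event):
    """Every field must match; a list value matches if any entry does."""
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = values if isinstance(values, list) else [values]
        if not any(value_matches(event[field], v, modifier) for v in values):
            return False
    return True


def eval_condition(tokens, truth):
    """Recursive-descent evaluation with Sigma precedence: not > and > or."""
    pos = 0

    def factor():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not factor()
        pos += 1
        return truth[tokens[pos - 1]]

    def term():
        nonlocal pos
        value = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = factor()  # always consume the operand, even when value is False
            value = value and rhs
        return value

    def expr():
        nonlocal pos
        value = term()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = term()
            value = value or rhs
        return value

    return expr()


def rule_matches(rule, event):
    """True when the rule's condition holds for one event."""
    detection = rule["detection"]
    tokens = detection["condition"].split()
    truth = {t: selection_matches(detection[t], event) for t in tokens if t not in KEYWORDS}
    return eval_condition(tokens, truth)


def payload_result(rule, events):
    """Classify one payload run the way the results view does."""
    try:
        hits = [e for e in events if rule_matches(rule, e)]
    except (KeyError, IndexError, TypeError) as exc:  # malformed rule or event
        return {"status": "error", "detail": repr(exc)}
    return {"status": "triggered" if hits else "not triggered", "matches": len(hits)}
```

The second event shows why the filter matters for result analysis: the same wevtutil command run as SYSTEM is excluded by the rule, so a payload executed under that account reports "not triggered" even though the event was collected. Checking the collected events against the rule text, rather than just the status, is how to tell a detection gap from a run that simply did not meet the rule's own exclusions.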
Health Page
Comprehensive system monitoring dashboard:
Component Status
- Opensearch Dashboard - Web interface status
- Postgres - Database
- Opensearch - Search engine status
- VirtualBox - Virtualization platform
- Flask Backend - Application server
Resource Monitoring
- RAM Usage - Memory utilization
- Disk Usage - Storage consumption
VM Management
- Status Monitoring - Current VM state
- IP Information - Network configuration
- Snapshot Control - Restore points management
Note: Snapshot restoration may show errors even when it succeeded; verify by connecting to the VM.
Admin Page
Administrative control center for system configuration:
Key Features
- LDAP Configuration: Centralized authentication setup
- API Key Generation: Secure API access management
- AlienVault OTX API Key: Configure threat intelligence integration for enhanced KPIs
- System Settings: Core configuration management
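API key handling as an API Key Generation feature should do it: the key is shown once at creation, only its hash is stored, verification compares in constant time, and revocation deletes the hash. This is an added example, not PurpleLab's own code; the "id.secret" key format and the in-memory KEY_STORE standing in for the database table are assumptions.

```python
"""API key issuance and verification with hashed storage.

Added example, not PurpleLab's key-management code. The "id.secret"
format and the dict standing in for a PostgreSQL table are assumptions.
"""
import hashlib
import hmac
import secrets

KEY_STORE = {}  # key_id -> {"owner": str, "digest": bytes}


def _digest(secret: str) -> bytes:
    # The secret is 256 bits of CSPRNG output, so a fast hash is enough: a
    # leaked digest cannot be brute-forced. Slow KDFs are for human-chosen
    # passwords, not for random tokens.
    return hashlib.sha256(secret.encode()).digest()


def issue_api_key(owner: str) -> str:
    """Create a key for owner and return the only copy of its plaintext."""
    key_id = secrets.token_hex(8)        # public lookup handle, not secret
    secret = secrets.token_urlsafe(32)   # 32 random bytes -> 43 URL-safe chars
    KEY_STORE[key_id] = {"owner": owner, "digest": _digest(secret)}
    return f"{key_id}.{secret}"          # the id lets the server find the row first


def verify_api_key(presented: str):
    """Return the owner for a valid key, otherwise None."""
    key_id, sep, secret = presented.partition(".")
    record = KEY_STORE.get(key_id)
    if not sep or record is None:
        return None
    # compare_digest's running time does not depend on where the digests differ.
    if hmac.compare_digest(_digest(secret), record["digest"]):
        return record["owner"]
    return None


def revoke_api_key(presented_or_id: str) -> bool:
    """Delete the stored hash; the plaintext key stops working immediately."""
    key_id = presented_or_id.partition(".")[0]
    return KEY_STORE.pop(key_id, None) is not None
```

Storing only the digest means a database dump or a leaked admin.txt-style file does not hand out working keys, and prefixing the public id means the server never has to scan every row to find a match.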
Access Requirements
Login with administrator account: [email protected]
Splunk App
Repository: TA-Purplelab-Splunk
Features
- Atomic Red Team Integration: Execute tests directly from Splunk
- Threat Hunting Dashboard: Dedicated hunting interface
- Seamless Integration: Easy PurpleLab-Splunk connectivity
Demo
https://github.com/Krook9d/TA-Purplelab-Splunk/assets/40600995/eb5d0c27-06e5-416d-b707-af806c02323e
Cortex Analyzer
Repository: PurpleLab-Cortex-Analyzer
Capabilities
- Automated Uploads: Seamless executable transfer to PurpleLab
- Detonation Analysis: Automated malware execution and analysis
- TheHive Integration: Enhanced incident response workflows
Demo
https://github.com/Krook9d/PurpleLab-Cortex-Analyzer/assets/40600995/690a8728-4ba7-4fda-a12e-48708e9b7d1d
API documentation
For comprehensive API usage and integration details, see our complete documentation:
API Documentation