Add GCP support

Patrick Bareiss · Patrick Bareiss · commit a52d2af254f4 · 2025-04-09T15:01:45.000+02:00
diff --git a/docs/source/Attack_Range_GCP.md b/docs/source/Attack_Range_GCP.md
@@ -0,0 +1,79 @@
+# Attack Range GCP
+
+## Docker
+We built a docker image which you can use to build and run the attack range. The image includes all needed binaries. 
+````bash
+docker pull splunk/attack_range
+docker run -it splunk/attack_range
+gcloud auth application-default login
+python attack_range.py configure
+````
+
+## MacOS
+Clone attack_range git repo to local machine:
+````bash
+git clone https://github.com/splunk/attack_range.git
+cd attack_range
+````
+
+Install and configure Terraform:
+````bash
+brew update
+brew install terraform
+cd terraform/gcp && terraform init && cd ../..
+````
+
+Install the GCP CLI by follwoing this [guide](https://cloud.google.com/sdk/docs/install-sdk).
+
+Install and run Poetry:
+````bash
+curl -sSL https://install.python-poetry.org/ | python -
+poetry shell
+poetry install
+````
+
+Configure Attack Range:
+````bash
+python attack_range.py configure
+````
+
+Once the configuration is complete, you can proceed to build and control your range [here](Control_Attack_Range.md)
+
+## Linux
+Install the required packages:
+````bash
+apt-get update
+apt-get install -y python3.10 git unzip python3-pip curl
+````
+
+Install and configure Terraform:
+````bash
+curl -s https://releases.hashicorp.com/terraform/1.9.8/terraform_1.9.8_linux_amd64.zip -o terraform.zip && \
+unzip terraform.zip && \
+mv terraform /usr/local/bin/
+````
+
+Clone attack_range git repo to local machine:
+````bash
+git clone https://github.com/splunk/attack_range.git
+cd attack_range
+````
+
+Install the GCP CLI by follwoing this [guide](https://cloud.google.com/sdk/docs/install-sdk).
+
+Install and run Poetry:
+````bash
+curl -sSL https://install.python-poetry.org/ | python -
+poetry shell
+poetry install
+````
+
+````bash
+python attack_range.py configure
+````
+
+Once the configuration is complete, you can proceed to build and control your range [here](Control_Attack_Range.md)
+
+## Windows
+
+We recommend using the Windows Subsystem for Linux (WSL). You can find a tutorial [here](https://docs.microsoft.com/en-us/windows/wsl/install). After installing WSL, you can follow the steps described in the [Linux section](#linux).
diff --git a/docs/source/index.md b/docs/source/index.md
@@ -13,6 +13,7 @@ The Attack Range is a detection development platform, which solves three main ch
 
 Attack Range AWS <Attack_Range_AWS>
 Attack Range Azure <Attack_Range_Azure>
+Attack Range GCP <Attack_Range_GCP>
 Attack Range Local <Attack_Range_Local>
 Attack Range Cloud <Attack_Range_Cloud>
 Control Attack Range <Control_Attack_Range>
diff --git a/modules/configuration.py b/modules/configuration.py
@@ -466,6 +466,8 @@ def _configure_linux_servers(self) -> None:
                 "message": "Shall we include Splunk SOAR",
                 "name": "phantom",
                 "default": False,
+                "when": lambda answers: self.configuration["general"]["cloud_provider"]
+                != "gcp",
             },
             {
                 "type": "text",
diff --git a/terraform/ansible/roles/set_hostname_win/tasks/main.yml b/terraform/ansible/roles/set_hostname_win/tasks/main.yml
@@ -3,31 +3,42 @@
 - name: Verify WinRM connection
   win_ping:
   register: winrm_result
-  retries: 3
-  delay: 10
+  retries: 5
+  delay: 15
   until: winrm_result.ping == "pong"
+  ignore_errors: true
 
 - name: Change the hostname
   win_hostname:
     name: "{{ windows_servers.hostname }}"
   register: hostname_result
-  retries: 3
-  delay: 10
+  retries: 5
+  delay: 15
   until: hostname_result is success
+  ignore_errors: true
 
 - name: Wait for hostname change to take effect
   win_wait_for:
-    timeout: 60
-    delay: 10
+    timeout: 120
+    delay: 15
+  ignore_errors: true
 
 - name: reboot | Rebooting Server
   win_reboot:
     msg: "Reboot initiated by Ansible"
-    connect_timeout: 60
+    connect_timeout: 120
     pre_reboot_delay: 30
-    post_reboot_delay: 30
-    reboot_timeout: 600
+    post_reboot_delay: 60
+    reboot_timeout: 900
   register: reboot_result
-  retries: 3
+  retries: 5
   delay: 30
-  until: reboot_result is success
+  until: reboot_result is success
+  ignore_errors: true
+
+- name: Wait for WinRM to be available after reboot
+  win_wait_for:
+    port: 5985
+    timeout: 300
+    delay: 15
+  ignore_errors: true
diff --git a/terraform/ansible/windows.yml b/terraform/ansible/windows.yml
@@ -4,8 +4,15 @@
     ansible_connection: winrm
     ansible_winrm_server_cert_validation: ignore
     ansible_port: 5985
-    ansible_winrm_operation_timeout_sec: 300
-    ansible_winrm_read_timeout_sec: 900
+    ansible_winrm_operation_timeout_sec: 600
+    ansible_winrm_read_timeout_sec: 1200
+    ansible_winrm_connection_timeout: 600
+    ansible_winrm_transport: basic
+    ansible_winrm_scheme: http
+    ansible_winrm_kerberos_delegation: false
+    ansible_winrm_message_encryption: auto
+    ansible_winrm_retry_timeout: 600
+    ansible_winrm_retry_interval: 10
   roles:
     - windows_common
     - windows_universal_forwarder
diff --git a/terraform/azure/modules/windows/files/winrm.ps1 b/terraform/azure/modules/windows/files/winrm.ps1
@@ -1,15 +1,37 @@
 Enable-PSRemoting -Force -SkipNetworkProfileCheck
 winrm quickconfig -q
 winrm quickconfig -transport:http
-powershell.exe -c "winrm set winrm/config '@{MaxTimeoutms=\`"1800000\`"}'"
-powershell.exe -c "winrm set winrm/config/winrs '@{MaxMemoryPerShellMB=\`"800\`"}'"
-powershell.exe -c "winrm set winrm/config/service '@{AllowUnencrypted=\`"true\`"}'"
+
+# Configure WinRM with optimized settings
+powershell.exe -c "winrm set winrm/config '@{MaxTimeoutms=\`"3600000\`"}'"
+powershell.exe -c "winrm set winrm/config/winrs '@{MaxMemoryPerShellMB=\`"2048\`"; MaxShellsPerUser=\`"50\`"; MaxProcessesPerShell=\`"25\`"; IdleTimeout=\`"3600000\`"}'"
+powershell.exe -c "winrm set winrm/config/service '@{AllowUnencrypted=\`"true\`"; MaxConcurrentOperations=\`"4294967295\`"; MaxConcurrentOperationsPerUser=\`"4294967295\`"; MaxConnections=\`"4294967295\`"}'"
 powershell.exe -c "winrm set winrm/config/service/auth '@{Basic=\`"true\`"}'"
 powershell.exe -c "winrm set winrm/config/client/auth '@{Basic=\`"true\`"}'"
 powershell.exe -c "winrm set winrm/config/listener?Address=*+Transport=HTTP '@{Port=\`"5985\`"}'"
 powershell.exe -c "winrm set winrm/config/client '@{TrustedHosts=\`"*\`"}'"
+
+# Configure firewall rules
 netsh advfirewall firewall set rule group="Windows Remote Administration" new enable=yes
 netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=allow remoteip=any
+netsh advfirewall firewall add rule name="Port 5985" dir=in action=allow protocol=TCP localport=5985
+
+# Configure WinRM service for auto-start and recovery
 reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v StartWinRM /t REG_SZ /f /d "cmd.exe /c 'sc config winrm start= auto & sc start winrm'"
+sc.exe config winrm start= auto
+sc.exe failure winrm reset= 0 actions= restart/5000/restart/5000/restart/5000
+
+# Restart WinRM service
 Restart-Service winrm
-netsh advfirewall firewall add rule name="Port 5985" dir=in action=allow protocol=TCP localport=5985
+
+# Set LocalAccountTokenFilterPolicy to 1 for better authentication
+$token_path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+$token_prop_name = "LocalAccountTokenFilterPolicy"
+$token_key = Get-Item -Path $token_path
+$token_value = $token_key.GetValue($token_prop_name, $null)
+if ($token_value -ne 1) {
+    if ($null -ne $token_value) {
+        Remove-ItemProperty -Path $token_path -Name $token_prop_name
+    }
+    New-ItemProperty -Path $token_path -Name $token_prop_name -Value 1 -PropertyType DWORD > $null
+}
diff --git a/terraform/gcp/modules/linux-server/resources.tf b/terraform/gcp/modules/linux-server/resources.tf
@@ -36,7 +36,11 @@ resource "google_compute_instance" "linux_server" {
 
   # Use local-exec provisioner to clean known_hosts
   provisioner "local-exec" {
-    command = "ssh-keygen -f ~/.ssh/known_hosts -R ${self.network_interface.0.access_config.0.nat_ip}"
+      command = <<-EOT
+          mkdir -p ~/.ssh
+          touch ~/.ssh/known_hosts
+          ssh-keygen -f ~/.ssh/known_hosts -R ${self.network_interface.0.access_config.0.nat_ip}
+      EOT
   }
 
   # Assign the Linux Service Account to this instance
diff --git a/terraform/gcp/modules/nginx-server/resources.tf b/terraform/gcp/modules/nginx-server/resources.tf
@@ -37,7 +37,11 @@ resource "google_compute_instance" "nginx_server" {
 
   # Use local-exec provisioner to clean known_hosts
   provisioner "local-exec" {
-    command = "ssh-keygen -f ~/.ssh/known_hosts -R ${self.network_interface.0.access_config.0.nat_ip}"
+      command = <<-EOT
+          mkdir -p ~/.ssh
+          touch ~/.ssh/known_hosts
+          ssh-keygen -f ~/.ssh/known_hosts -R ${self.network_interface.0.access_config.0.nat_ip}
+      EOT
   }
 
   # Metadata for SSH and Custom Commands
diff --git a/terraform/gcp/modules/phantom-server/resources.tf b/terraform/gcp/modules/phantom-server/resources.tf
@@ -41,7 +41,11 @@ resource "google_compute_instance" "phantom_server" {
 
   # Use local-exec provisioner to clean known_hosts
   provisioner "local-exec" {
-    command = "ssh-keygen -f ~/.ssh/known_hosts -R ${self.network_interface.0.access_config.0.nat_ip}"
+      command = <<-EOT
+          mkdir -p ~/.ssh
+          touch ~/.ssh/known_hosts
+          ssh-keygen -f ~/.ssh/known_hosts -R ${self.network_interface.0.access_config.0.nat_ip}
+      EOT
   }
 
   # Assign the Phantom Service Account to this instance
diff --git a/terraform/gcp/modules/snort-server/resources.tf b/terraform/gcp/modules/snort-server/resources.tf
@@ -36,7 +36,11 @@ resource "google_compute_instance" "snort_sensor" {
 
   # Use local-exec provisioner to clean known_hosts
   provisioner "local-exec" {
-    command = "ssh-keygen -f ~/.ssh/known_hosts -R ${self.network_interface.0.access_config.0.nat_ip}"
+      command = <<-EOT
+          mkdir -p ~/.ssh
+          touch ~/.ssh/known_hosts
+          ssh-keygen -f ~/.ssh/known_hosts -R ${self.network_interface.0.access_config.0.nat_ip}
+      EOT
   }
 
   # SSH key metadata for user access
diff --git a/terraform/gcp/modules/zeek-server/resources.tf b/terraform/gcp/modules/zeek-server/resources.tf
@@ -35,7 +35,11 @@ resource "google_compute_instance" "zeek_sensor" {
 
   # Use local-exec provisioner to clean known_hosts
   provisioner "local-exec" {
-    command = "ssh-keygen -f ~/.ssh/known_hosts -R ${self.network_interface.0.access_config.0.nat_ip}"
+      command = <<-EOT
+          mkdir -p ~/.ssh
+          touch ~/.ssh/known_hosts
+          ssh-keygen -f ~/.ssh/known_hosts -R ${self.network_interface.0.access_config.0.nat_ip}
+      EOT
   }
 
   # Assign the Zeek Service Account to this instance

Original file line number	Diff line number	Diff line change
`@@ -466,6 +466,8 @@ def _configure_linux_servers(self) -> None:`
`466`	`466`	`"message": "Shall we include Splunk SOAR",`
`467`	`467`	`"name": "phantom",`
`468`	`468`	`"default": False,`
	`469`	`+ "when": lambda answers: self.configuration["general"]["cloud_provider"]`
	`470`	`+ != "gcp",`
`469`	`471`	`},`
`470`	`472`	`{`
`471`	`473`	`"type": "text",`