In a significant step forward for cybersecurity professionals, PurpleLab offers an innovative open-source cybersecurity lab for creating and testing detection rules, simulating logs, and running malware tests.
Designed as an all-in-one lab environment, PurpleLab equips analysts with tools to enhance their threat detection capabilities while providing a sandboxed space for experimentation.
What is PurpleLab?
PurpleLab is a cybersecurity lab that integrates various tools and technologies to support analysts in testing detection rules and simulating real-world cyber threats.
The platform bundles a web interface, a Windows 10 virtual machine (VM) preloaded with forensic tools, a Flask backend, a MySQL database, and an Elasticsearch server. Its primary goal is to give analysts one place to build and test detections, hunt in the resulting logs, and rehearse incident response.
Key Features
- Web Interface: A user-friendly control panel for managing features.
- Windows 10 VM: Preconfigured with forensic tools and Atomic Red Team modules.
- Log Simulation: Generates synthetic firewall and Ubuntu system logs so detections can be tested without real traffic.
- Malware Testing: Downloads or uploads malware samples for execution in a controlled environment.
- Integration with SIEMs: Supports ELK stack configuration for log analysis.
PurpleLab Integration App for Splunk
TA-PurpleLab-Splunk is a free add-on that connects PurpleLab to Splunk, so teams that run Splunk rather than the ELK stack can use the same lab to detect, analyze, and simulate threats. It brings PurpleLab's attack simulation, log generation, and rule testing into Splunk's search and detection workflow.
Suited to training, research, and detection engineering, TA-PurpleLab-Splunk lets teams exercise their Splunk content against simulated activity before relying on it in production.
Installation Process
Setting up PurpleLab requires a clean installation of Ubuntu Server 22.04 and hardware virtualization enabled on the host machine. Users can clone the repository from GitHub and execute the installation script.

The setup process includes configuring accounts, integrating the ELK stack, and connecting to the Windows VM for log collection.
However, users are cautioned that PurpleLab is not hardened for security by default. “Do not connect it to sensitive networks without implementing additional security measures,” the developers warn.
Pages and Functionalities
PurpleLab’s interface is divided into several specialized pages:
- Home Page: Displays key performance indicators (KPIs) like event counts and detected MITRE ATT&CK techniques.
- Hunting Page: Redirects users to Kibana for log analysis.
- MITRE ATT&CK Page: Allows users to simulate attack techniques using Invoke-Atomic tools.
- Malware Page: Enables downloading or uploading malware samples for testing.
- Log Simulation Page: Generates firewall or Ubuntu logs to mimic real-world scenarios.
- Usage Case Page: Provides prebuilt compromise scenarios for training purposes.
- Sigma Page: Searches Sigma rules by keywords and converts them into Splunk or Lucene queries.
- Health Page: Monitors system components like Kibana, Logstash, VirtualBox, and the Flask backend.
Admin Capabilities
Administrators can configure LDAP settings for centralized authentication and generate API keys for secure communication between components. The platform also supports seamless integration with Splunk through its dedicated app.

The rest of this guide walks through the installation and first use of PurpleLab step by step.
Installation Process (step by step)
1. Requirements
Before installation, ensure your system meets the following criteria:
Hardware specifications:
- 200GB storage
- 8 CPU cores
- 13GB RAM
- Operating System: A clean installation of Ubuntu Server 22.04 (Ubuntu 23.10 is not supported due to Python library issues).
- Hardware Virtualization: Enable virtualization in your BIOS/UEFI settings or within your virtualization software (e.g., VMware or VirtualBox).
2. Download the Repository
Run the following commands in your home directory to download the PurpleLab repository and move the installation script:
git clone https://github.com/Krook9d/PurpleLab.git && mv PurpleLab/install.sh .
3. Start Installation
Execute the installation script:
sudo bash install.sh
During the installation, you will be prompted to:
- Choose whether to install the default ELK stack (recommended for first-time users).
- Select the network interface for the application.
Important Notes:
- If you skip ELK installation, PHP errors may appear on the home page unless you edit the code.
- The lab is not hardened for security; avoid connecting it to sensitive networks without additional protections.
4. Configure Accounts
After installation:
- Visit the server’s IP address in a browser.
- Register a user account by filling in details such as name, password (minimum 8 characters with complexity), and avatar (<1MB size).
An admin account is created by default, with its credentials stored in admin.txt in your home directory.
Post-Installation Configuration
1. ELK Stack Setup
Run the following commands on the server to configure Elasticsearch and Kibana:
sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token --scope kibana
Copy the token into Kibana (accessible via the “Hunting” page). When prompted for a verification code, generate it using:
sudo /usr/share/kibana/bin/kibana-verification-code
Restart Elasticsearch if needed:
sudo service elasticsearch restart
2. Windows VM Logs Configuration
- Connect to the Windows VM using its IP address (visible on the "Health" page).
- Edit winlogbeat.yml on the VM to update:
  - Password: use the "elastic built-in superuser" password from admin.txt.
  - IP addresses: replace the placeholders with your ELK server's IP.
  - CA fingerprint: generate it on the PurpleLab server with:
sudo openssl x509 -fingerprint -sha256 -in /etc/elasticsearch/certs/http_ca.crt | awk -F '=' '/Fingerprint/{print $2}' | tr -d ':'
- Validate the edited file and install Winlogbeat as a service from an elevated PowerShell prompt on the VM (the Winlogbeat "test config" and install-service steps).
- Restart the VM and take a snapshot named "Snapshot1". This is the clean baseline you will revert to after each malware or attack run:
sudo VBoxManage snapshot "sandbox" take "Snapshot1" --description "snapshot before the mess"
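The three values the Windows VM's winlogbeat.yml needs (the elastic password, the ELK server IP, and the CA fingerprint) all originate on the PurpleLab server, so it is easier to render the file there than to hand-edit it on the VM. The script below is an added example and not PurpleLab's own tooling: it wraps the fingerprint pipeline from the step above in a function, checks that the result really is a 64-hex-digit SHA-256 before using it, and escapes the password so sed metacharacters cannot corrupt the file. The template, its placeholder tokens (ELASTIC_PASSWORD, ELK_HOST, CA_FINGERPRINT) and the event-log selection are our assumptions, not the project's defaults.

```shell
#!/usr/bin/env bash
# Added example (not PurpleLab's own tooling): produce the values the Windows
# VM's winlogbeat.yml needs and render the file on the PurpleLab server.
# Assumptions (ours, not the project's): the template file and its placeholder
# tokens ELASTIC_PASSWORD, ELK_HOST and CA_FINGERPRINT. The openssl/awk/tr
# pipeline is the one from the guide above.
set -eu

CA_CERT="${CA_CERT:-/etc/elasticsearch/certs/http_ca.crt}"

# Reduce openssl's "sha256 Fingerprint=AB:CD:..." line (stdin) to bare hex,
# which is the form Winlogbeat's ssl.ca_trusted_fingerprint expects.
normalize_fingerprint() {
    awk -F '=' '/Fingerprint/{print $2}' | tr -d ':'
}

# Run on the PurpleLab server; needs read access to the Elasticsearch CA.
# -noout keeps the PEM body out of the pipe (the awk filter would drop it anyway).
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$CA_CERT" | normalize_fingerprint
}

# A SHA-256 fingerprint is exactly 64 hex digits; anything else means the
# pipeline matched the wrong line or the certificate path is wrong.
valid_fingerprint() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Escape a value for a sed replacement that uses '|' as delimiter, so a
# password containing '&', '|' or '\' does not corrupt the rendered file.
sed_escape() {
    printf '%s' "$1" | sed 's/[&|\\]/\\&/g'
}

# Constructed minimal template: real Winlogbeat keys, our placeholder tokens.
write_sample_template() {
    cat > "$1" <<'EOF'
winlogbeat.event_logs:
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational
output.elasticsearch:
  hosts: ["https://ELK_HOST:9200"]
  username: "elastic"
  password: "ELASTIC_PASSWORD"
  ssl.ca_trusted_fingerprint: "CA_FINGERPRINT"
setup.kibana:
  host: "https://ELK_HOST:5601"
EOF
}

# render_winlogbeat_config TEMPLATE PASSWORD ELK_IP FINGERPRINT -> stdout
render_winlogbeat_config() {
    valid_fingerprint "$4" || { echo "refusing to render: bad CA fingerprint '$4'" >&2; return 1; }
    sed -e "s|ELASTIC_PASSWORD|$(sed_escape "$2")|g" \
        -e "s|ELK_HOST|$(sed_escape "$3")|g" \
        -e "s|CA_FINGERPRINT|$4|g" "$1"
}

# Usage: ./render-winlogbeat.sh TEMPLATE ELASTIC_PASSWORD ELK_IP > winlogbeat.yml
# then copy winlogbeat.yml into the Winlogbeat directory on the VM.
if [ "$#" -eq 3 ]; then
    render_winlogbeat_config "$1" "$2" "$3" "$(ca_fingerprint)"
fi
```

The fingerprint check is the part worth keeping even if you render the file by hand: a truncated or colon-containing value makes Winlogbeat reject the Elasticsearch certificate and the VM's logs silently never arrive.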
Using PurpleLab
1. Launch Services
Start PurpleLab’s Flask backend:
sudo python3 /home/$(logname)/app.py
Ensure the VM is running:
sudo VBoxManage startvm sandbox --type headless
Alternatively, manage services from the “Health Page.”
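Starting the VM with "startvm" is enough for the first boot, but a lab that executes malware and Atomic Red Team techniques needs the VM returned to the "Snapshot1" baseline between runs, otherwise artefacts from one test (persistence, dropped files, changed policy) show up in the next one's logs. The helper below is an added example and not part of PurpleLab; it uses standard VirtualBox CLI subcommands (showvminfo, controlvm, discardstate, snapshot restore, startvm) with the VM and snapshot names the guide above creates, and it waits for state transitions because "controlvm poweroff" returns before the VM has actually stopped. Making VBOXMANAGE overridable is our choice so the control flow can be exercised against a stand-in.

```shell
#!/usr/bin/env bash
# Added example, not part of PurpleLab: start the lab VM in a known state and
# reset it to the clean "Snapshot1" baseline between malware / Atomic runs.
# The VBoxManage subcommands are standard VirtualBox CLI; VM_NAME and
# CLEAN_SNAPSHOT are the names the guide above creates. VBOXMANAGE is
# overridable (our assumption) so the logic can run against a stand-in.
set -eu

VM_NAME="${VM_NAME:-sandbox}"
CLEAN_SNAPSHOT="${CLEAN_SNAPSHOT:-Snapshot1}"
VBOXMANAGE="${VBOXMANAGE:-sudo VBoxManage}"

# Pull the bare state (running, poweroff, paused, saved, ...) out of
# `showvminfo --machinereadable` output read from stdin.
vm_state_from_info() {
    sed -n 's/^VMState="\([^"]*\)"$/\1/p'
}

vm_state() {
    $VBOXMANAGE showvminfo "$VM_NAME" --machinereadable | vm_state_from_info
}

# Poll until the VM reports the wanted state or give up after $2 seconds.
# controlvm poweroff returns before the VM has fully stopped, and a snapshot
# restore against a VM that is still stopping fails.
wait_for_state() {
    local wanted="$1" timeout="$2" elapsed=0
    while [ "$(vm_state)" != "$wanted" ]; do
        elapsed=$((elapsed + 1))
        if [ "$elapsed" -gt "$timeout" ]; then
            echo "timed out waiting for $VM_NAME to be $wanted" >&2
            return 1
        fi
        sleep 1
    done
}

# Idempotent start: do nothing if the VM is already up.
ensure_vm_running() {
    if [ "$(vm_state)" = "running" ]; then
        echo "$VM_NAME is already running"
        return 0
    fi
    $VBOXMANAGE startvm "$VM_NAME" --type headless
    wait_for_state running 120
}

# Hard reset to the clean baseline: whatever the last sample or technique left
# behind is discarded, so the next run's logs contain only that run.
reset_vm_to_clean() {
    case "$(vm_state)" in
        running|paused)
            $VBOXMANAGE controlvm "$VM_NAME" poweroff
            wait_for_state poweroff 60
            ;;
        saved)
            # A saved state cannot be powered off; drop it instead.
            $VBOXMANAGE discardstate "$VM_NAME"
            ;;
    esac
    $VBOXMANAGE snapshot "$VM_NAME" restore "$CLEAN_SNAPSHOT"
    $VBOXMANAGE startvm "$VM_NAME" --type headless
    wait_for_state running 120
}

# Usage: ./lab-vm.sh up     (start the VM if it is not running)
#        ./lab-vm.sh reset  (revert to Snapshot1, then start)
case "${1:-}" in
    up)    ensure_vm_running ;;
    reset) reset_vm_to_clean ;;
esac
```

Run "reset" before each malware or ATT&CK scenario rather than only when something looks broken; the Winlogbeat configuration from the previous step lives inside the snapshot, so log shipping resumes automatically once the restored VM boots.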
2. Explore Features
Once the backend and the VM are up, the pages described under "Pages and Functionalities" above (Home, Hunting, MITRE ATT&CK, Malware, Log Simulation, Usage Case, Sigma, and Health) are all reachable from the web interface.
By completing these steps, you can fully install and utilize PurpleLab as a cybersecurity lab for testing detection rules, simulating attacks, and analyzing logs effectively.
A Tool for Cybersecurity Enthusiasts
PurpleLab fills a critical gap in cybersecurity training by offering an accessible platform for hands-on practice in threat detection and response.
With features like malware execution, log simulation, and MITRE ATT&CK integration, it gives analysts a self-contained environment in which to sharpen their detection and response skills. For more information or to download PurpleLab, visit its GitHub repository at https://github.com/Krook9d/PurpleLab.