PurpleLab is an open-source cybersecurity lab designed to empower security teams with tools for testing detection rules, simulating cyber threats, and running malware tests in a controlled environment. This comprehensive lab enables analysts to enhance their threat detection capabilities while experimenting in a safe, isolated space.
What is PurpleLab?
PurpleLab is a cutting-edge cybersecurity platform that combines various tools and technologies to support analysts in detecting and responding to cyber threats. The lab includes a web interface, a Windows 10 virtual machine (VM) with forensic tools, a Flask backend, MySQL database, and an Elasticsearch server. Its primary objective is to simplify threat hunting and incident response workflows.
Key Features
- Web Interface: An intuitive control panel for managing all features of the lab.
- Windows 10 VM: Preconfigured with forensic tools and Atomic Red Team modules.
- Log Simulation: Simulates realistic network traffic logs for analysis.
- Malware Testing: Upload and execute malware samples in a controlled environment.
- SIEM Integration: Integrates with ELK stack for advanced log analysis.
PurpleLab Integration App for Splunk
The TA-PurpleLab-Splunk is a free, all-in-one toolkit designed for Splunk users. It allows security teams to detect, analyze, and simulate threats, providing hands-on experience with threat intelligence, log analysis, and SIEM operations. This tool is perfect for research, training, and real-world threat detection.
Installation Process
To install PurpleLab, you’ll need a fresh installation of Ubuntu Server 22.04 and hardware virtualization enabled. You can then clone the repository from GitHub and run the installation script. The process also includes setting up accounts, configuring the ELK stack, and connecting to the Windows VM for log collection.
Note: PurpleLab is not hardened for security by default. Developers advise against connecting it to sensitive networks unless proper security measures are implemented.
Interface and Pages
PurpleLab’s interface is organized into several pages to support various functions:
- Home Page: Displays key metrics like event counts and detected MITRE ATT&CK techniques.
- Hunting Page: Links to Kibana for detailed log analysis.
- MITRE ATT&CK Page: Use Invoke-Atomic tools to simulate attack techniques.
- Malware Page: Upload or download malware samples for testing.
- Log Simulation Page: Generate traffic logs to mimic real-world conditions.
- Usage Case Page: Access predefined attack scenarios for training.
- Sigma Page: Search Sigma rules and convert them into Splunk or Lucene queries.
- Health Page: Monitor the status of components like Kibana, Logstash, and the Flask backend.
Administrator Capabilities
Admins can configure LDAP for centralized authentication and generate API keys for secure communication. The platform also integrates seamlessly with Splunk via a dedicated app.
How to Install PurpleLab
Prerequisites
Before installation, make sure your system meets the following specifications:
- Storage: 200GB
- CPU: 8 cores
- RAM: 13GB
- OS: Ubuntu Server 22.04 (Ubuntu 23.10 not supported due to Python library issues)
- Hardware Virtualization: Enabled in BIOS/UEFI or virtualization software (e.g., VMware/VirtualBox).
Installation Steps
- Clone the Repository: Run the following commands to download the PurpleLab repository and move the installation script into the current directory:
git clone https://github.com/Krook9d/PurpleLab.git && mv PurpleLab/install.sh .
- Start the Installation: Execute the installation script:
sudo bash install.sh
- Configure Accounts: After installation, visit the server’s IP address in your browser and register a user account. The admin account credentials are stored in admin.txt.
Post-Installation Configuration
- ELK Stack Setup: Set up Elasticsearch and Kibana with the following commands:
sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token --scope kibana
sudo /usr/share/kibana/bin/kibana-verification-code
service elasticsearch restart
- Windows VM Logs Configuration: Connect to the Windows VM and edit the winlogbeats.yml file with the appropriate settings for your ELK server.
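The Winlogbeat configuration referred to in the last step, shown here as an added illustration rather than PurpleLab's shipped file: it assumes the ELK server is reachable at the placeholder address ELK_SERVER_IP, that the Elasticsearch CA certificate generated during install has been copied to the VM at the path shown, and that the elastic user's password is the placeholder CHANGE_ME.

```yaml
# Added example, not the project's own file. ELK_SERVER_IP, the password and
# the CA certificate path are placeholders that must match your install.
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h
  # Sysmon process, network and registry telemetry that most Sigma rules
  # on the Sigma page key on
  - name: Microsoft-Windows-Sysmon/Operational
  # Script block logging, which exposes the PowerShell run by Atomic tests
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104
  - name: System
  - name: Application

setup.kibana:
  host: "https://ELK_SERVER_IP:5601"

output.elasticsearch:
  hosts: ["https://ELK_SERVER_IP:9200"]
  username: "elastic"
  password: "CHANGE_ME"
  ssl:
    # Assumed location of the copied Elasticsearch CA certificate on the VM
    certificate_authorities: ["C:/ProgramData/Elastic/http_ca.crt"]
```

After editing, restart the Winlogbeat service on the VM and confirm new events appear in Kibana before relying on the Home page metrics.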
Using PurpleLab
To get started with PurpleLab, follow these steps:
- Start the Flask Backend:
sudo python3 /home/$(logname)/app.py
- Ensure the Windows VM is Running:
sudo VBoxManage startvm sandbox --type headless
- Explore Features: Use the various pages for threat hunting, malware testing, log simulation, and more. Each page is dedicated to a specific function, such as log analysis, malware testing, and MITRE ATT&CK simulation.
A Resource for Cybersecurity Enthusiasts
PurpleLab is a valuable resource for cybersecurity professionals, offering an accessible platform for hands-on training in threat detection and response. With tools for malware execution, log simulation, and MITRE ATT&CK integration, it helps analysts sharpen their skills in a safe, isolated environment. For more information or to download PurpleLab, visit the official GitHub repository.