generate realistic attack logs
pwnSpoof generates realistic spoofed log files for common web servers with customisable attack scenarios. After you have generate the log, simply ingest it into a SIEM and go hunting! pwnSpoof is perfect for CTFs, hands-on training and comparing different log analysis tools
pwnSpoof was created on the back of a threat hunting training exercise we delivered for a customer. The training exercise was to use a log analytic tool such as Splunk and IIS logs to find login brute-force attacks and command injections.
The idea behind the pwnSpoof application is to;
- Provide a quick CTF style training environment
- Create unique logs every run
- Test threat hunting in IIS, Apache and NGINX logs
Once you have created a set of logs, load them in to Splunk and use various techniques to answer the following questions;
- What was the attackers IP address and user_agent?
- Did the attacker authenticate and if so, with what account?
- Where was geo-location of the attacker?
- When did the attack occur?
- What kind of attack was it?
- What happened during the attack?
- What artefacts may remain on the server?
- What steps can be taken to remediate?
Full installation and usage details is available on Github.