Merge remote-tracking branch 'origin/master' into develop

keyword-vs-text-changes
Roberto Rodriguez 2017-12-17 15:51:28 -05:00
commit 04695170b2
6 changed files with 124 additions and 6 deletions


@ -44,8 +44,11 @@ sudo nano enrichments/ACE/logstash/03-ace-rabbitmq-input.conf
sudo cp -a enrichments/ACE/logstash/* logstash/pipeline/
```
## HELK Installation
The HELK can be installed via a bash script or a docker-compose file. After installing the HELK, browse to your HELK (host) IP address and log on with username:helk & password:hunting.
## HELK Configuration & Installation
The HELK can be installed via a bash script or a docker-compose file. HELK will by default create a docker named volume `helk_esdata` which will persist your elasticsearch data between containers. Additionally, HELK by default starts elasticsearch with 256mb of RAM allocated, if HELK will be used in higher resource environments, `ES_JAVA_OPTS: "-Xmx256m -Xms256m"` can be modified in the docker-compose.yml, however do not allocate more than 50% of available memory. After installing the HELK, browse to your HELK (host) IP address and log on with
* username: helk
* password: hunting
### Bash Script
```
@ -65,6 +68,7 @@ sudo docker-compose up -d
* Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g)
# Contributors
* Robby Winchester [@robwinchester3](https://twitter.com/robwinchester3)
# Contributing
There are a few things that I would like to accomplish with the HELK as shown in the To-Do list below, but I would also woult love to make the HELK a stable build for everyone in the community. If you are interested on making this build a more robust one and adding some cool features to it, PLEASE feel free to submit a pull request. #SharingIsCaring


@ -97,6 +97,7 @@
"cell_type": "code",
"execution_count": 4,
"metadata": {
"collapsed": true,
"scrolled": false
},
"outputs": [],
@ -113,7 +114,6 @@
" ],\n",
" 'must_not': [\n",
" {\"match\" : {'event_data.IpAddress': \"::1\" }},\n",
" {\"match\" : {'event_data.IpAddress': \"172.18.39.2\" }},\n",
" {\"match\": {'event_data.TargetUserName': \"ANONYMOUS LOGON\"}}\n",
" ],\n",
" \"filter\": [\n",
@ -149,7 +149,6 @@
" {\"match\": {'event_id': 3}}\n",
" ],\n",
" 'must_not': [\n",
" {\"match\" : {'event_data.DestinationIp': \"172.18.39.2\" }}, \n",
" {\"match\" : {'event_data.User': \"NT AUTHORITY\\SYSTEM\"}}\n",
" ],\n",
" \"filter\": [\n",


@ -97,6 +97,7 @@
"cell_type": "code",
"execution_count": 4,
"metadata": {
"collapsed": true,
"scrolled": false
},
"outputs": [],
@ -113,7 +114,6 @@
" ],\n",
" 'must_not': [\n",
" {\"match\" : {'event_data.IpAddress': \"::1\" }},\n",
" {\"match\" : {'event_data.IpAddress': \"172.18.39.2\" }},\n",
" {\"match\": {'event_data.TargetUserName': \"ANONYMOUS LOGON\"}}\n",
" ],\n",
" \"filter\": [\n",
@ -149,7 +149,6 @@
" {\"match\": {'event_id': 3}}\n",
" ],\n",
" 'must_not': [\n",
" {\"match\" : {'event_data.DestinationIp': \"172.18.39.2\" }}, \n",
" {\"match\" : {'event_data.User': \"NT AUTHORITY\\SYSTEM\"}}\n",
" ],\n",
" \"filter\": [\n",


@ -11,6 +11,9 @@ services:
image: docker.elastic.co/elasticsearch/elasticsearch:5.5.1
volumes:
- ./elasticsearch/docker/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- esdata:/usr/share/elasticsearch/data
ports:
- "9200:9200"
environment:
ES_JAVA_OPTS: "-Xmx256m -Xms256m"
networks:
@ -52,3 +55,7 @@ networks:
helk:
driver: bridge
volumes:
esdata:
driver: local
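Review bot: The sizing rule for the new `ES_JAVA_OPTS: "-Xmx256m -Xms256m"` line in the first hunk lives only in the README, so the two will drift; a comment beside the line would pin it, e.g. `# JVM heap: keep -Xms equal to -Xmx and below 50% of host RAM (see README)`. The new `esdata` named volume means Elasticsearch data now survives a plain `docker-compose down`, which operators who expect a fresh index on restart will not anticipate; a one-line comment on the `volumes:` entry noting that `docker-compose down -v` (or `docker volume rm`) is needed to discard it would help. Both points are documentation only.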


@ -4,6 +4,7 @@ input {
queue => "siem"
user => "user"
password => "P@ssw0rd!"
durable => "true"
port => 5672
add_field => { "[@metadata][source]" => "rabbitmq" }
}
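Review bot: The added `durable => "true"` changes how the `siem` queue is declared, and if that queue already exists on the broker with a different durable flag RabbitMQ rejects the redeclaration (PRECONDITION_FAILED) and the input cannot consume until the queue is deleted and recreated; a comment would save the next operator a debugging session, e.g. `# queue is declared durable; an existing non-durable "siem" queue must be removed first or the declaration is rejected`. Separately, the context line `password => "P@ssw0rd!"`, which this commit does not touch, keeps a broker credential in the versioned config; Logstash 5.x supports `${RABBITMQ_PASSWORD}` environment substitution, so the secret could be moved out of the repository without changing the pipeline.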


@ -0,0 +1,108 @@
function start-winlogbeat
{
[CmdletBinding()]
Param (
[Parameter(Mandatory=$false, Position=0)]
[Alias('wc')]
[string]$winconfig="https://raw.githubusercontent.com/Cyb3rWard0g/HELK/master/winlogbeat/winlogbeat.yml",
[Parameter(Mandatory=$true, Position=1)]
[Alias('lsip')]
[String]$logstaship
)
function invoke-unzip
{
[CmdletBinding()]
Param (
[Parameter()]
[string]$file
)
write-verbose "[+++] Unzipping file.."
[string]$RemoteFolderPath = $env:ProgramFiles
[int32]$copyOption = 20
$shell = New-Object -ComObject shell.application
$zip = $shell.Namespace($file)
foreach($item in $zip.items()){
$shell.Namespace($RemoteFolderPath).copyhere($item, $copyOption) | Out-Null
}
}
$winInstall_source = "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-6.0.0-windows-x86_64.zip"
$winInstall_dest = ($env:ProgramFiles + "\winlogbeat-6.0.0-windows-x86_64.zip")
$winconfig_dest = ($env:ProgramFiles + "\winlogbeat\winlogbeat.yml")
$winInstall_old = $env:ProgramFiles + "\winlogbeat-6.0.0-windows-x86_64"
$winInstall_new = $env:ProgramFiles + "\winlogbeat"
if (Get-WmiObject -class win32_service | Where-Object {$_.Name -like "winlogbeat"})
{
Write-Verbose "[+++] Winlogbeat service already exists."
if (Get-WmiObject -class win32_service | Where-Object {$_.Name -like "winlogbeat" -and $_.State -eq "Running"}){
Write-Verbose "[!!!] Winlogbeat service already exists and it is running.."
}
else
{
Write-Verbose "[!!!] Winlogbeat service already exists but it is not running.."
}
}
else
{
$wc=New-Object System.Net.WebClient;
$wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy();
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
write-verbose "[+++] Downloading Winlogbeat from $winInstall_source"
$wc.DownloadFile($winInstall_source,$winInstall_dest)
if (get-item $winInstall_dest)
{
invoke-unzip -file $winInstall_dest
Rename-Item -Path $winInstall_old -NewName $winInstall_new
Remove-Item -Path $winInstall_dest
if (get-item $winInstall_new)
{
& ($winInstall_new +"\install-service-winlogbeat.ps1")
if (get-wmiobject Win32_Service -Filter 'Name LIKE "%winlogbeat%"')
{
Rename-Item ($winInstall_new + "\winlogbeat.yml") -NewName ($winInstall_new + "\BACKUP_winlogbeat_config.yml")
write-verbose "[+++] Downloading Winlogbeat config from $winconfig"
$wc.DownloadFile($winconfig,$winconfig_dest)
if (get-item $winconfig_dest)
{
write-verbose "[+++] Replacing default localhost string for logstash connection with $logstaship"
(get-content $winconfig_dest) -replace 'hosts: \[\"localhost\:5044\"\]', ('hosts: ["'+$logstaship+':5044"]') | Set-Content $winconfig_dest
}
else
{
Write-Verbose "[!!!] $winconfig_dest does not exist locally.."
Write-verbose $_.Exception.Message
break
}
write-verbose "[+++] Starting winlogbeat service.."
start-service winlogbeat
if (Get-WmiObject -class win32_service | Where-Object {$_.Name -like "winlogbeat" -and $_.State -eq "Running"})
{
Write-Verbose "[!!!] Winlogbeat was installed successfully and it is running.."
}
else
{
Write-verbose $_.Exception.Message
break
}
}
}
}
else
{
Write-Verbose "[!!!] $winInstall_dest does not exist locally.."
Write-verbose $_.Exception.Message
}
}
}
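Review bot: `Write-verbose $_.Exception.Message` on the three failure paths (after the config download check, after the service-start check, and in the final else) reads `$_` outside any `catch` block, so it is empty there and the actual error is never reported; the `break` that follows two of them is not inside a loop, which in PowerShell unwinds out of `start-winlogbeat` and can abort a caller's loop or script instead of just leaving the function. The `if (get-item ...)` checks have the same shape of problem: on a missing path `Get-Item` emits an error rather than returning `$false`, so `Test-Path` is the intended test, and reporting failures through `Write-Verbose` hides them unless the caller passes `-Verbose`. The archive is also unzipped and its bundled `install-service-winlogbeat.ps1` is executed with nothing checked about what was downloaded; comparing `(Get-FileHash $winInstall_dest -Algorithm SHA512).Hash` against the checksum Elastic publishes next to the archive before the unzip step closes that gap. The sketch below wraps the download in `try`/`catch`, switches the existence checks to `Test-Path`, and replaces `break` with `return`; the same substitution applies to the later config-download and service-start branches.
```powershell
# … unchanged: Param block, invoke-unzip, $winInstall_* variables, service-exists branch …
$wc=New-Object System.Net.WebClient;
$wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy();
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
try
{
    write-verbose "[+++] Downloading Winlogbeat from $winInstall_source"
    $wc.DownloadFile($winInstall_source,$winInstall_dest)
}
catch
{
    # $_ is only populated inside catch; surface the failure instead of hiding it in verbose output
    Write-Error "[!!!] Download of $winInstall_source failed: $($_.Exception.Message)"
    return
}
if (-not (Test-Path $winInstall_dest))
{
    Write-Error "[!!!] $winInstall_dest does not exist locally.."
    return
}
# Verify the archive before unzipping it and running its bundled install script.
# <EXPECTED_SHA512> is the checksum published alongside the archive (placeholder).
$actualHash = (Get-FileHash -Path $winInstall_dest -Algorithm SHA512).Hash
if ($actualHash -ne '<EXPECTED_SHA512>')
{
    Write-Error "[!!!] Checksum mismatch for $winInstall_dest; not installing.."
    Remove-Item -Path $winInstall_dest
    return
}
# … unchanged: invoke-unzip, Rename-Item, install-service, config download and service start …
```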