From 439c015f576c66d54996703bfbd6ae4fae32448e Mon Sep 17 00:00:00 2001
From: Roberto Rodriguez
Date: Sat, 26 Aug 2017 11:01:47 -0400
Subject: [PATCH 1/4] Removed DC IP to work on any env
---
 .../.ipynb_checkpoints/LM_Basic_Behavior-checkpoint.ipynb | 3 +--
 .../jupyter_notebooks/lateral_movement/LM_Basic_Behavior.ipynb | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/data_science/jupyter_notebooks/lateral_movement/.ipynb_checkpoints/LM_Basic_Behavior-checkpoint.ipynb b/data_science/jupyter_notebooks/lateral_movement/.ipynb_checkpoints/LM_Basic_Behavior-checkpoint.ipynb
index e3e8aa0..9535177 100644
--- a/data_science/jupyter_notebooks/lateral_movement/.ipynb_checkpoints/LM_Basic_Behavior-checkpoint.ipynb
+++ b/data_science/jupyter_notebooks/lateral_movement/.ipynb_checkpoints/LM_Basic_Behavior-checkpoint.ipynb
@@ -97,6 +97,7 @@
 "cell_type": "code",
 "execution_count": 4,
 "metadata": {
+ "collapsed": true,
 "scrolled": false
 },
 "outputs": [],
@@ -113,7 +114,6 @@
 " ],\n",
 " 'must_not': [\n",
 " {\"match\" : {'event_data.IpAddress': \"::1\" }},\n",
- " {\"match\" : {'event_data.IpAddress': \"172.18.39.2\" }},\n",
 " {\"match\": {'event_data.TargetUserName': \"ANONYMOUS LOGON\"}}\n",
 " ],\n",
 " \"filter\": [\n",
@@ -149,7 +149,6 @@
 " {\"match\": {'event_id': 3}}\n",
 " ],\n",
 " 'must_not': [\n",
- " {\"match\" : {'event_data.DestinationIp': \"172.18.39.2\" }}, \n",
 " {\"match\" : {'event_data.User': \"NT AUTHORITY\\SYSTEM\"}}\n",
 " ],\n",
 " \"filter\": [\n",
diff --git a/data_science/jupyter_notebooks/lateral_movement/LM_Basic_Behavior.ipynb b/data_science/jupyter_notebooks/lateral_movement/LM_Basic_Behavior.ipynb
index e3e8aa0..9535177 100644
--- a/data_science/jupyter_notebooks/lateral_movement/LM_Basic_Behavior.ipynb
+++ b/data_science/jupyter_notebooks/lateral_movement/LM_Basic_Behavior.ipynb
@@ -97,6 +97,7 @@
 "cell_type": "code",
 "execution_count": 4,
 "metadata": {
+ "collapsed": true,
 "scrolled": false
 },
 "outputs": [],
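Review bot: Deleting the `172.18.39.2` clauses from both `must_not` lists (the @@ -113 and @@ -149 hunks here, repeated in LM_Basic_Behavior.ipynb) changes what the queries return, not only where they can run: logons whose `event_data.IpAddress` and event_id 3 connections whose `event_data.DestinationIp` is the domain controller now land in the lateral-movement result set, where the old filter presumably treated them as expected noise. If portability is the goal, keep the exclusion and take the address from a variable set in an earlier cell, e.g. `dc_ip = '<DC_IP>'` used as `{"match": {'event_data.IpAddress': dc_ip}}`, so a user fills in one value instead of losing the filter. Separately, `.ipynb_checkpoints/LM_Basic_Behavior-checkpoint.ipynb` is Jupyter's autosave copy and is normally excluded via `.gitignore` rather than patched in lockstep with the notebook.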
@@ -113,7 +114,6 @@
 " ],\n",
 " 'must_not': [\n",
 " {\"match\" : {'event_data.IpAddress': \"::1\" }},\n",
- " {\"match\" : {'event_data.IpAddress': \"172.18.39.2\" }},\n",
 " {\"match\": {'event_data.TargetUserName': \"ANONYMOUS LOGON\"}}\n",
 " ],\n",
 " \"filter\": [\n",
@@ -149,7 +149,6 @@
 " {\"match\": {'event_id': 3}}\n",
 " ],\n",
 " 'must_not': [\n",
- " {\"match\" : {'event_data.DestinationIp': \"172.18.39.2\" }}, \n",
 " {\"match\" : {'event_data.User': \"NT AUTHORITY\\SYSTEM\"}}\n",
 " ],\n",
 " \"filter\": [\n",
From 19a5e4657689fa4f2b0f184f9f1cd08816c14f61 Mon Sep 17 00:00:00 2001
From: Robby Winchester
Date: Thu, 7 Sep 2017 16:21:12 -0700
Subject: [PATCH 2/4] Update ACE enrichment and add docker volumes
Added docker volume for elasticsearch data to persist
Added documentation for increasing memory of elasticsearch
Updated ACE logstash input for durable queue
---
 README.md | 8 ++++++--
 docker-compose.yml | 7 +++++++
 enrichments/ACE/logstash/03-ace-rabbitmq-input.conf | 1 +
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index a48d5c1..49059a4 100644
--- a/README.md
+++ b/README.md
@@ -44,8 +44,11 @@ sudo nano enrichments/ACE/logstash/03-ace-rabbitmq-input.conf
 sudo cp -a enrichments/ACE/logstash/* logstash/pipeline/
 ```
-## HELK Installation
-The HELK can be installed via a bash script or a docker-compose file. After installing the HELK, browse to your HELK (host) IP address and log on with username:helk & password:hunting.
+## HELK Configuration & Installation
+The HELK can be installed via a bash script or a docker-compose file. HELK will by default create a docker named volume `helk_esdata` which will persist your elasticsearch data between containers. Additionally, HELK by default starts elasticsearch with 256mb of RAM allocated, if HELK will be used in higher resource environments, `ES_JAVA_OPTS: "-Xmx256m -Xms256m"` can be modified in the docker-compose.yml, however do not allocate more than 50% of available memory. After installing the HELK, browse to your HELK (host) IP address and log on with
+
+* username: helk
+* password: hunting
 ### Bash Script
 ```
@@ -65,6 +68,7 @@ sudo docker-compose up -d
 * Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g)
 # Contributors
+* Robby Winchester [@robwinchester3](https://twitter.com/robwinchester3)
 # Contributing
 There are a few things that I would like to accomplish with the HELK as shown in the To-Do list below, but I would also woult love to make the HELK a stable build for everyone in the community. If you are interested on making this build a more robust one and adding some cool features to it, PLEASE feel free to submit a pull request. #SharingIsCaring
diff --git a/docker-compose.yml b/docker-compose.yml
index 49092fb..6284bb5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,6 +11,9 @@ services:
 image: docker.elastic.co/elasticsearch/elasticsearch:5.5.1
 volumes:
 - ./elasticsearch/docker/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
+ - esdata:/usr/share/elasticsearch/data
+ ports:
+ - "9200:9200"
 environment:
 ES_JAVA_OPTS: "-Xmx256m -Xms256m"
 networks:
@@ -52,3 +55,7 @@ networks:
 helk:
 driver: bridge
+
+volumes:
+ edsdata:
+ driver: local
diff --git a/enrichments/ACE/logstash/03-ace-rabbitmq-input.conf b/enrichments/ACE/logstash/03-ace-rabbitmq-input.conf
index 58ae6f8..df2568d 100644
--- a/enrichments/ACE/logstash/03-ace-rabbitmq-input.conf
+++ b/enrichments/ACE/logstash/03-ace-rabbitmq-input.conf
@@ -4,6 +4,7 @@ input {
 queue => "siem"
 user => "user"
 password => "P@ssw0rd!"
+ durable => "true"
 port => 5672
 add_field => { "[@metadata][source]" => "rabbitmq" }
 }
From fcf65bc04975a60cb1d192ede1a2703d48a08efe Mon Sep 17 00:00:00 2001
From: Robby Winchester
Date: Thu, 7 Sep 2017 16:57:57 -0700
Subject: [PATCH 3/4] fixed typo
fixed typo in esdata volume
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 6284bb5..85e6bec 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -57,5 +57,5 @@ networks:
 driver: bridge
 volumes:
- edsdata:
+ esdata:
 driver: local
From 979310193b2e8c99f824193287f492feecb98a6a Mon Sep 17 00:00:00 2001
From: Roberto Rodriguez
Date: Mon, 4 Dec 2017 12:14:12 -0800
Subject: [PATCH 4/4] Create start-winlogbeat.ps1
first draft
---
 scripts/start-winlogbeat.ps1 | 108 +++++++++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 scripts/start-winlogbeat.ps1
diff --git a/scripts/start-winlogbeat.ps1 b/scripts/start-winlogbeat.ps1
new file mode 100644
index 0000000..d0d4eef
--- /dev/null
+++ b/scripts/start-winlogbeat.ps1
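Review bot: The new `ports: - "9200:9200"` mapping publishes the Elasticsearch 5.5.1 REST API on every interface of the Docker host, and nothing in this hunk puts authentication in front of it, so any machine that can reach the host can read, alter or delete the indexed event data that the `esdata` volume now persists. If the mapping only exists so the host itself can query the node, bind it to loopback with `- "127.0.0.1:9200:9200"`; containers on the `helk` network reach elasticsearch by service name and need no published port at all. If remote access is intended, say so in the README and place an authenticating reverse proxy or X-Pack security in front of the port.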
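Review bot: `durable => "true"` only works if it matches how the `siem` queue is already declared on the broker: RabbitMQ refuses to redeclare an existing queue with a different durable flag (PRECONDITION_FAILED), so an existing deployment whose queue was created non-durable will fail at pipeline start-up rather than quietly become durable. Either note in the README that the queue must be deleted or recreated as durable when upgrading, or add a comment above the line such as `# must match the durable flag of the queue already declared on the broker`. Also prefer the boolean literal `durable => true`, the type the plugin declares for this setting, over the quoted string.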
@@ -0,0 +1,108 @@
+function start-winlogbeat
+{
+ [CmdletBinding()]
+ Param (
+ [Parameter(Mandatory=$false, Position=0)]
+ [Alias('wc')]
+ [string]$winconfig="https://raw.githubusercontent.com/Cyb3rWard0g/HELK/master/winlogbeat/winlogbeat.yml",
+
+ [Parameter(Mandatory=$true, Position=1)]
+ [Alias('lsip')]
+ [String]$logstaship
+ )
+
+ function invoke-unzip
+ {
+ [CmdletBinding()]
+ Param (
+ [Parameter()]
+ [string]$file
+ )
+
+ write-verbose "[+++] Unzipping file.."
+ [string]$RemoteFolderPath = $env:ProgramFiles
+ [int32]$copyOption = 20
+ $shell = New-Object -ComObject shell.application
+ $zip = $shell.Namespace($file)
+ foreach($item in $zip.items()){
+ $shell.Namespace($RemoteFolderPath).copyhere($item, $copyOption) | Out-Null
+ }
+ }
+
+ $winInstall_source = "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-6.0.0-windows-x86_64.zip"
+ $winInstall_dest = ($env:ProgramFiles + "\winlogbeat-6.0.0-windows-x86_64.zip")
+ $winconfig_dest = ($env:ProgramFiles + "\winlogbeat\winlogbeat.yml")
+ $winInstall_old = $env:ProgramFiles + "\winlogbeat-6.0.0-windows-x86_64"
+ $winInstall_new = $env:ProgramFiles + "\winlogbeat"
+
+ if (Get-WmiObject -class win32_service | Where-Object {$_.Name -like "winlogbeat"})
+ {
+ Write-Verbose "[+++] Winlogbeat service already exists."
+
+ if (Get-WmiObject -class win32_service | Where-Object {$_.Name -like "winlogbeat" -and $_.State -eq "Running"}){
+ Write-Verbose "[!!!] Winlogbeat service already exists and it is running.."
+ }
+ else
+ {
+ Write-Verbose "[!!!] Winlogbeat service already exists but it is not running.."
+ }
+ }
+ else
+ {
+ $wc=New-Object System.Net.WebClient;
+ $wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy();
+ $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
+
+ write-verbose "[+++] Downloading Winlogbeat from $winInstall_source"
+ $wc.DownloadFile($winInstall_source,$winInstall_dest)
+
+
+ if (get-item $winInstall_dest)
+ {
+ invoke-unzip -file $winInstall_dest
+
+ Rename-Item -Path $winInstall_old -NewName $winInstall_new
+ Remove-Item -Path $winInstall_dest
+
+ if (get-item $winInstall_new)
+ {
+ & ($winInstall_new +"\install-service-winlogbeat.ps1")
+ if (get-wmiobject Win32_Service -Filter 'Name LIKE "%winlogbeat%"')
+ {
+ Rename-Item ($winInstall_new + "\winlogbeat.yml") -NewName ($winInstall_new + "\BACKUP_winlogbeat_config.yml")
+
+ write-verbose "[+++] Downloading Winlogbeat config from $winconfig"
+ $wc.DownloadFile($winconfig,$winconfig_dest)
+
+ if (get-item $winconfig_dest)
+ {
+ write-verbose "[+++] Replacing default localhost string for logstash connection with $logstaship"
+ (get-content $winconfig_dest) -replace 'hosts: \[\"localhost\:5044\"\]', ('hosts: ["'+$logstaship+':5044"]') | Set-Content $winconfig_dest
+ }
+ else
+ {
+ Write-Verbose "[!!!] $winconfig_dest does not exist locally.."
+ Write-verbose $_.Exception.Message
+ break
+ }
+ write-verbose "[+++] Starting winlogbeat service.."
+ start-service winlogbeat
+ if (Get-WmiObject -class win32_service | Where-Object {$_.Name -like "winlogbeat" -and $_.State -eq "Running"})
+ {
+ Write-Verbose "[!!!] Winlogbeat was installed successfully and it is running.."
+ }
+ else
+ {
+ Write-verbose $_.Exception.Message
+ break
+ }
+ }
+ }
+ }
+ else
+ {
+ Write-Verbose "[!!!] $winInstall_dest does not exist locally.."
+ Write-verbose $_.Exception.Message
+ }
+ }
+}
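Review bot: The zip fetched by `$wc.DownloadFile($winInstall_source,$winInstall_dest)` is unpacked into `$env:ProgramFiles` and its `install-service-winlogbeat.ps1` is then executed via `& ($winInstall_new +"\install-service-winlogbeat.ps1")` without any integrity check, so a tampered or truncated download is registered as a service with the caller's elevated rights; the config pulled from `$winconfig` is trusted the same way. Compare the archive with the publisher's checksum before calling `invoke-unzip`, e.g. `if ((Get-FileHash -Algorithm SHA512 $winInstall_dest).Hash -ne $expectedSha512) { throw "winlogbeat-6.0.0 archive hash mismatch" }`, with `$expectedSha512` pinned from the `.sha512` file Elastic publishes beside the zip (Get-FileHash needs PowerShell 4 or later). The `Write-verbose $_.Exception.Message` calls in the three `else` branches sit outside any `catch`, where `$_` is not an error record, so they print nothing useful; wrap the download/unzip/install sequence in `try { … } catch { Write-Verbose $_.Exception.Message; return }` and drop the bare `break` statements, which at function scope do not simply leave the function. A `#Requires -RunAsAdministrator` line at the top of the file would also fail fast instead of part-way through the copy into Program Files.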