From da323c6cd416121e88665e70b15d8cc741bb22c0 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 30 Jan 2024 23:21:27 +0100 Subject: [PATCH] Elastic EDR --- docs/active-directory/CVE/PrintNightmare.md | 3 +- docs/active-directory/ad-adds-enumerate.md | 8 +- docs/redteam/evasion/elastic-edr.md | 92 +++++++++++++++++++++ 3 files changed, 98 insertions(+), 5 deletions(-) create mode 100644 docs/redteam/evasion/elastic-edr.md diff --git a/docs/active-directory/CVE/PrintNightmare.md b/docs/active-directory/CVE/PrintNightmare.md index 788ddee..71c4251 100644 --- a/docs/active-directory/CVE/PrintNightmare.md +++ b/docs/active-directory/CVE/PrintNightmare.md @@ -96,4 +96,5 @@ cme smb -u user -p password -d domain.local -M webdav [TARGET] ## References -* [Playing with PrintNightmare - 0xdf - Jul 8, 2021](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html) \ No newline at end of file +* [Playing with PrintNightmare - 0xdf - Jul 8, 2021](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html) +* [A Practical Guide to PrintNightmare in 2024 - itm4n - Jan 28, 2024](https://itm4n.github.io/printnightmare-exploitation/) \ No newline at end of file diff --git a/docs/active-directory/ad-adds-enumerate.md b/docs/active-directory/ad-adds-enumerate.md index 403b8c0..757aedc 100644 --- a/docs/active-directory/ad-adds-enumerate.md +++ b/docs/active-directory/ad-adds-enumerate.md 
@@ -12,9 +12,9 @@ Use the correct collector: **Examples**: -* use [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) (more info: [Cloud - Azure Pentest](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#azure-recon-tools)) +* Use [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) (more info: [Cloud - Azure Pentest](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#azure-recon-tools)) -* use [BloodHoundAD/SharpHound.exe](https://github.com/BloodHoundAD/BloodHound) - run the collector on the machine using SharpHound.exe +* Use [BloodHoundAD/SharpHound.exe](https://github.com/BloodHoundAD/BloodHound) - run the collector on the machine using SharpHound.exe ```powershell .\SharpHound.exe -c all -d active.htb --searchforest .\SharpHound.exe -c all,GPOLocalGroup # all collection doesn't include GPOLocalGroup by default 
@@ -24,12 +24,12 @@ Use the correct collector: .\SharpHound.exe -c all --LdapUsername --LdapPassword --domaincontroller 10.10.10.100 -d active.htb .\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23 ``` -* use [BloodHoundAD/SharpHound.ps1](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1) - run the collector on the machine using Powershell +* Use [BloodHoundAD/SharpHound.ps1](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1) - run the collector on the machine using Powershell ```powershell Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public Invoke-BloodHound -CollectionMethod All -LDAPUser -LDAPPass -OutputDirectory ``` -* Collect more data for certificates exploitation using Certipy +* Use [ly4k/Certipy](https://github.com/ly4k/Certipy) to collect certificates data ```ps1 certipy find 'corp.local/john:Passw0rd@dc.corp.local' -bloodhound certipy find 'corp.local/john:Passw0rd@dc.corp.local' -old-bloodhound diff --git a/docs/redteam/evasion/elastic-edr.md b/docs/redteam/evasion/elastic-edr.md new file mode 100644 index 0000000..ad32354 --- /dev/null +++ b/docs/redteam/evasion/elastic-edr.md 
@@ -0,0 +1,92 @@ +# Elastic EDR + +> Elastic EDR (Endpoint Detection and Response) is a component of Elastic Security designed to address cybersecurity threats at the endpoint level. It plays a crucial role in preventing, detecting, and responding to cyber threats like ransomware and malware. + +* [peasead/elastic-container](https://github.com/peasead/elastic-container) - Stand up a simple Elastic container with Kibana, Fleet, and the Detection Engine + + +## Setup + +* First, you need `docker` and the `docker-compose` plugin + ```ps1 + # Add Docker's official GPG key: + sudo apt-get update + sudo apt-get install ca-certificates curl + sudo install -m 0755 -d /etc/apt/keyrings + sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc + sudo chmod a+r /etc/apt/keyrings/docker.asc + + # Add the repository to Apt sources: + echo \ + "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ + $(. 
/etc/os-release && echo "$VERSION_CODENAME") stable" | \ + sudo tee /etc/apt/sources.list.d/docker.list > /dev/null + sudo apt-get update + + # Install docker from apt + sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin + ``` + +* You might want to grant the `docker` right to the default user + ```ps1 + sudo groupadd docker + sudo usermod -aG docker $USER + ``` + +* Install the requirements for the elastic scripts + ```ps1 + apt-get update + apt-get install jq git curl + ``` + +* Clone the project + ```ps1 + git clone https://github.com/peasead/elastic-container + cd elastic-container + ``` + +* Edit `.env` to set the credentials and activate rules + ```ps1 + ELASTIC_PASSWORD="changeme" + KIBANA_PASSWORD="changeme" + STACK_VERSION="8.11.2" + WindowsDR=1 + LICENSE=trial # enable the platinum features + ``` + +* Download the images and run the containers + ```ps1 + chmod +x ./elastic-container.sh + ./elastic-container.sh start + ``` + +* Access the Elastic EDR interface at https://localhost:5601 +* Fleet > `Add agent` +* Enroll in Fleet (recommended) +* Copy Windows PowerShell one-liner and append the `--insecure` flag if you are using untrusted certificates + ```ps1 + powershell Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-7.15.1-windows-x86_64.zip -outfile elastic-agent-7.15.1-windows-x86_64.zip + Expand-Archive -Path elastic-agent-7.15.1-windows-x86_64.zip -DestinationPath C:\ElasticAgent + C:\ElasticAgent\elastic-agent-7.15.1-windows-x86_64\elastic-agent.exe install -f --fleet-server-es={{ fleet_server_es }} --fleet-server-service-token={{ fleet_token }} --fleet-server-policy={{ fleet_policy }} + ``` + +* Fleet > Integrations > Elastic Defend + * Switch `Prevent` to `Detect`, to keep the execution running + * Enable these features to collect more data + ``` + windows.advanced.memory_protection.shellcode_collect_sample + 
windows.advanced.memory_protection.memory_scan_collect_sample + windows.advanced.memory_protection.shellcode_enhanced_pe_parsing + ``` + +* Destroy the containers + ```ps1 + ./elastic-container.sh destroy + ``` + + +## References + +* [The Elastic Container Project for Security Research - Andrew Pease, Colson Wilhoit, Derek Ditch - 1 March 2023](https://www.elastic.co/security-labs/the-elastic-container-project) +* [Cyber Security Lab Basics - Installing EDR in Malware Development Lab - AhmedS Kasmani](https://www.youtube.com/watch?v=1luhjL7TN9U) +* [Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection - IppSec - 10 oct. 2022](https://youtu.be/Ts-ofIVRMo4) \ No newline at end of file
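Review bot: in the `@@ -96,4 +96,5 @@` hunk of `docs/active-directory/CVE/PrintNightmare.md`, the added itm4n reference line is itself marked `\ No newline at end of file`, so the file still ends without a trailing newline and the next reference appended will churn the same line again; end the file with a newline. The entry follows the existing `[title - author - date](url)` convention, so nothing else needs changing there.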
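Review bot: in the `@@ -24,12 +24,12 @@` hunk of `docs/active-directory/ad-adds-enumerate.md`, the rewritten Certipy bullet reads `collect certificates data`; `collect certificate data for BloodHound` reads better and ties the bullet to the `-bloodhound` / `-old-bloodhound` flags shown beneath it. Since the SharpHound.ps1 bullet is touched in the same hunk, fix `using Powershell` to `using PowerShell` while you are there. The Certipy commands also sit in a ` ```ps1 ` fence although Certipy is a Python tool run from a shell prompt; `bash` is the accurate tag for that block.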
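Review bot: in the new `docs/redteam/evasion/elastic-edr.md`, the Windows agent one-liner does not match the rest of the setup: `.env` pins `STACK_VERSION="8.11.2"`, but the download URL and install path reference `elastic-agent-7.15.1`, and the install command still carries the unrendered `{{ fleet_server_es }}`, `{{ fleet_token }}` and `{{ fleet_policy }}` placeholders. Those `--fleet-server-es` / `--fleet-server-service-token` / `--fleet-server-policy` flags are the ones Kibana generates for installing a Fleet Server rather than for enrolling an endpoint; replace the block with the command the `Add agent` dialog actually produces for a Windows host (the `install --url=... --enrollment-token=...` form, with an agent version matching the 8.x stack, plus `--insecure` as the surrounding text already says), or state plainly that the three values are to be copied from Kibana. Second, every Linux step (the Docker repository setup, `groupadd`/`usermod`, `apt-get install jq git curl`, `git clone`, `./elastic-container.sh start` and `destroy`) is fenced as ` ```ps1 ` even though these are bash commands; tag them `bash` and keep `ps1` only for the PowerShell block. Third, `You might want to grant the docker right to the default user` should say what the block does (add the user to the `docker` group) and note that membership of that group is equivalent to root on the host, which matters if the lab box is shared. Fourth, the `.env` block sets `ELASTIC_PASSWORD="changeme"` and `KIBANA_PASSWORD="changeme"` for a Kibana instance the doc then exposes at `https://localhost:5601`; mark these as lab defaults to be changed. Finally, the file ends without a trailing newline (`\ No newline at end of file`).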