Elastic EDR

pull/5/head
Swissky 2024-01-30 23:21:27 +01:00
parent d1c8cc53ba
commit da323c6cd4
3 changed files with 98 additions and 5 deletions

View File

@ -96,4 +96,5 @@ cme smb -u user -p password -d domain.local -M webdav [TARGET]
## References ## References
* [Playing with PrintNightmare - 0xdf - Jul 8, 2021](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html) * [Playing with PrintNightmare - 0xdf - Jul 8, 2021](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html)
* [A Practical Guide to PrintNightmare in 2024 - itm4n - Jan 28, 2024](https://itm4n.github.io/printnightmare-exploitation/)

View File

@ -12,9 +12,9 @@ Use the correct collector:
**Examples**: **Examples**:
* use [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) (more info: [Cloud - Azure Pentest](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#azure-recon-tools)) * Use [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) (more info: [Cloud - Azure Pentest](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#azure-recon-tools))
* use [BloodHoundAD/SharpHound.exe](https://github.com/BloodHoundAD/BloodHound) - run the collector on the machine using SharpHound.exe * Use [BloodHoundAD/SharpHound.exe](https://github.com/BloodHoundAD/BloodHound) - run the collector on the machine using SharpHound.exe
```powershell ```powershell
.\SharpHound.exe -c all -d active.htb --searchforest .\SharpHound.exe -c all -d active.htb --searchforest
.\SharpHound.exe -c all,GPOLocalGroup # all collection doesn't include GPOLocalGroup by default .\SharpHound.exe -c all,GPOLocalGroup # all collection doesn't include GPOLocalGroup by default
@ -24,12 +24,12 @@ Use the correct collector:
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100 -d active.htb .\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100 -d active.htb
.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23 .\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
``` ```
* use [BloodHoundAD/SharpHound.ps1](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1) - run the collector on the machine using Powershell * Use [BloodHoundAD/SharpHound.ps1](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1) - run the collector on the machine using Powershell
```powershell ```powershell
Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
Invoke-BloodHound -CollectionMethod All -LDAPUser <UserName> -LDAPPass <Password> -OutputDirectory <PathToFile> Invoke-BloodHound -CollectionMethod All -LDAPUser <UserName> -LDAPPass <Password> -OutputDirectory <PathToFile>
``` ```
* Collect more data for certificates exploitation using Certipy * Use [ly4k/Certipy](https://github.com/ly4k/Certipy) to collect certificates data
```ps1 ```ps1
certipy find 'corp.local/john:Passw0rd@dc.corp.local' -bloodhound certipy find 'corp.local/john:Passw0rd@dc.corp.local' -bloodhound
certipy find 'corp.local/john:Passw0rd@dc.corp.local' -old-bloodhound certipy find 'corp.local/john:Passw0rd@dc.corp.local' -old-bloodhound

View File

@ -0,0 +1,92 @@
# Elastic EDR
> Elastic EDR (Endpoint Detection and Response) is a component of Elastic Security designed to address cybersecurity threats at the endpoint level. It plays a crucial role in preventing, detecting, and responding to cyber threats like ransomware and malware.
* [peasead/elastic-container](https://github.com/peasead/elastic-container) - Stand up a simple Elastic container with Kibana, Fleet, and the Detection Engine
## Setup
* First, you need `docker` and the `docker-compose` plugin
```ps1
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
# Install docker from apt
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```
* You might want to grant the `docker` right to the default user
```ps1
sudo groupadd docker
sudo usermod -aG docker $USER
```
* Install the requirements for the elastic scripts
```ps1
apt-get update
apt-get install jq git curl
```
* Clone the project
```ps1
git clone https://github.com/peasead/elastic-container
cd elastic-container
```
* Edit `.env` to set the credentials and activate rules
```ps1
ELASTIC_PASSWORD="changeme"
KIBANA_PASSWORD="changeme"
STACK_VERSION="8.11.2"
WindowsDR=1
LICENSE=trial # enable the platinum features
```
* Download the images and run the containers
```ps1
chmod +x ./elastic-container.sh
./elastic-container.sh start
```
* Access the Elastic EDR interface at https://localhost:5601
* Fleet > `Add agent`
* Enroll in Fleet (recommended)
* Copy Windows PowerShell one-liner and append the `--insecure` flag if you are using untrusted certificates
```ps1
powershell Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-7.15.1-windows-x86_64.zip -outfile elastic-agent-7.15.1-windows-x86_64.zip
Expand-Archive -Path elastic-agent-7.15.1-windows-x86_64.zip -DestinationPath C:\ElasticAgent
C:\ElasticAgent\elastic-agent-7.15.1-windows-x86_64\elastic-agent.exe install -f --fleet-server-es={{ fleet_server_es }} --fleet-server-service-token={{ fleet_token }} --fleet-server-policy={{ fleet_policy }}
```
* Fleet > Integrations > Elastic Defend
* Switch `Prevent` to `Detect`, to keep the execution running
* Enable these features to collect more data
```
windows.advanced.memory_protection.shellcode_collect_sample
windows.advanced.memory_protection.memory_scan_collect_sample
windows.advanced.memory_protection.shellcode_enhanced_pe_parsing
```
* Destroy the containers
```ps1
./elastic-container.sh destroy
```
## References
* [The Elastic Container Project for Security Research - Andrew Pease, Colson Wilhoit, Derek Ditch - 1 March 2023](https://www.elastic.co/security-labs/the-elastic-container-project)
* [Cyber Security Lab Basics - Installing EDR in Malware Development Lab - AhmedS Kasmani](https://www.youtube.com/watch?v=1luhjL7TN9U)
* [Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection - IppSec - 10 oct. 2022](https://youtu.be/Ts-ofIVRMo4)