3.7 KiB
Elastic EDR
Elastic EDR (Endpoint Detection and Response) is a component of Elastic Security designed to address cybersecurity threats at the endpoint level. It plays a crucial role in preventing, detecting, and responding to cyber threats like ransomware and malware.
- peasead/elastic-container - Stand up a simple Elastic container with Kibana, Fleet, and the Detection Engine
Setup
-
First, you need
docker
and thedocker-compose
plugin# Add Docker's official GPG key: sudo apt-get update sudo apt-get install ca-certificates curl sudo install -m 0755 -d /etc/apt/keyrings sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc sudo chmod a+r /etc/apt/keyrings/docker.asc # Add the repository to Apt sources: echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ sudo tee /etc/apt/sources.list.d/docker.list > /dev/null sudo apt-get update # Install docker from apt sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
-
You might want to grant the
docker
right to the default usersudo groupadd docker sudo usermod -aG docker $USER
-
Install the requirements for the elastic scripts
apt-get update apt-get install jq git curl
-
Clone the project
git clone https://github.com/peasead/elastic-container cd elastic-container
-
Edit
.env
to set the credentials and activate rulesELASTIC_PASSWORD="changeme" KIBANA_PASSWORD="changeme" STACK_VERSION="8.11.2" WindowsDR=1 LICENSE=trial # enable the platinum features
-
Download the images and run the containers
chmod +x ./elastic-container.sh ./elastic-container.sh start
-
Access the Elastic EDR interface at https://localhost:5601
-
Fleet >
Add agent
-
Enroll in Fleet (recommended)
-
Copy Windows PowerShell one-liner and append the
--insecure
flag if you are using untrusted certificatespowershell Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-7.15.1-windows-x86_64.zip -outfile elastic-agent-7.15.1-windows-x86_64.zip Expand-Archive -Path elastic-agent-7.15.1-windows-x86_64.zip -DestinationPath C:\ElasticAgent C:\ElasticAgent\elastic-agent-7.15.1-windows-x86_64\elastic-agent.exe install -f --fleet-server-es={{ fleet_server_es }} --fleet-server-service-token={{ fleet_token }} --fleet-server-policy={{ fleet_policy }}
-
Fleet > Integrations > Elastic Defend
- Switch
Prevent
toDetect
, to keep the execution running - Enable these features to collect more data
windows.advanced.memory_protection.shellcode_collect_sample windows.advanced.memory_protection.memory_scan_collect_sample windows.advanced.memory_protection.shellcode_enhanced_pe_parsing
- Switch
-
Destroy the containers
./elastic-container.sh destroy
References
- The Elastic Container Project for Security Research - Andrew Pease, Colson Wilhoit, Derek Ditch - 1 March 2023
- Cyber Security Lab Basics - Installing EDR in Malware Development Lab - AhmedS Kasmani
- Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection - IppSec - 10 oct. 2022