In this corner, from Roberto Rodriguez, @Cyb3rWard0g, the specter in SpecterOps, it's...The...HELK! This, my friends, is the s**t, worth every ounce of hype we can muster.
And in the other corner, from Florian Roth, @cyb3rops, the The Fracas of Frankfurt, we have APTSimulator. All your worst adversary apparitions in one APT mic drop. This...is...Death Battle!
Now with that out of our system, let's begin. There's a lot of goodness here, so I'm definitely going to do this in two parts so as not undervalue these two offerings.
HELK is incredibly easy to install. Its also well documented, with lots of related reading material, let me propose that you take the tine to to review it all. Pay particular attention to the wiki, gain comfort with the architecture, then review installation steps.
On an Ubuntu 16.04 LTS system I ran:
- git clone https://github.com/Cyb3rWard0g/HELK.git
- cd HELK/
- sudo ./helk_install.sh
|Figure 1: HELK Installation|
For my test Windows system I created a Windows 7 x86 virtual machine with Virtualbox. The key to success here is ensuring that you install Winlogbeat on the Windows systems from which you'd like to ship logs to HELK. More important, is ensuring that you run Winlogbeat with the right winlogbeat.yml file. You'll want to modify and copy this to your target systems. The critical modification is line 123, under Kafka output, where you need to add the IP address for your HELK server in three spots. My modification appeared as hosts: ["192.168.248.29:9092","192.168.248.29:9093","192.168.248.29:9094"]. As noted in the HELK architecture diagram, HELK consumes Winlogbeat event logs via Kafka.
On your Windows systems, with a properly modified winlogbeat.yml, you'll run:
- ./winlogbeat -c winlogbeat.yml -e
- ./winlogbeat setup -e
With all set up and working you should see results in your Kibana dashboard as seen in Figure 2.
|Figure 2: Initial HELK Kibana Sysmon dashboard.|
- POCs: Endpoint detection agents / compromise assessment tools
- Test your security monitoring's detection capabilities
- Test your SOCs response on a threat that isn't EICAR or a port scan
- Prepare an environment for digital forensics classes
- Creating typical attacker working directory C:\TMP...
- Activating guest user account
- Adding the guest user to the local administrators group
- Placing a svchost.exe (which is actually srvany.exe) into C:\Users\Public
- Modifying the hosts file
- Adding update.microsoft.com mapping to private IP address
- Using curl to access well-known C2 addresses
- C2: msupdater.com
- Dropping a Powershell netcat alternative into the APT dir
- Executes nbtscan on the local network
- Dropping a modified PsExec into the APT dir
- Registering mimikatz in At job
- Registering a malicious RUN key
- Registering mimikatz in scheduled task
- Registering cmd.exe as debugger for sethc.exe
- Dropping web shell in new WWW directory
Download and install APTSimulator from the Releases section of its GitHub pages.
APTSimulator includes curl.exe, 7z.exe, and 7z.dll in its helpers directory. Be sure that you drop the correct version of 7 Zip for your system architecture. I'm assuming the default bits are 64bit, I was testing on a 32bit VM.
Let's do a fast run-through with HELK's Kibana Discover option looking for the above mentioned APTSimulator activities. Starting with a search for TMP in the sysmon-* index yields immediate results and strikes #1, 6, 7, and 8 from our APTSimulator list above, see for yourself in Figure 3.
|Figure 3: TMP, PS nc, nbtscan, and PsExec in one shot|
How about enabling the guest user account and adding it to the local administrator's group? Figure 4 confirms.
|Figure 4: Guest enabled and escalated|
|Figure 5: I've got your svchost right here|
|Figure 6. tasks OR schtasks|
|Figure 7: Timelion|
|Figure 8: Powerful visualization capabilities|
Next month Part 2 will explore the Network side of the equation via the Network Dashboard and related visualizations, as well as HELK integration with Spark, Graphframes & Jupyter notebooks.
Aw snap, more goodness to come, I can't wait.
Cheers...until next time.