[{"body":"","link":"https://www.wriotsecurity.com/contact/","section":"","tags":null,"title":"Feel free to send me a message!"},{"body":"","link":"https://www.wriotsecurity.com/categories/","section":"categories","tags":null,"title":"Categories"},{"body":"","link":"https://www.wriotsecurity.com/tags/elastic/","section":"tags","tags":null,"title":"Elastic"},{"body":"Elastic Security is incredibly useful for threat hunting, as the success of tools like RockNSM and the HELK project shows. But what about hunting through old logs with the detection tooling threat hunters already use? How feasible is it to use Elastic Security if you just want to stand the tool up and throw some data at it? In this blog we will explore how to take advantage of Elastic Security and the open source detection rules that are bundled in each release.\nProblem Statement If you have been in information security for any length of time you have probably heard the phrase at one point or another: \u0026quot;Prevention is ideal, but detection is a must\u0026quot;. However detection, especially automated detection, has traditionally been hard. Under-resourced security teams, or folks who are responsible for securing their enterprise without much experience, don't know what to focus on or how to start. For many years security teams have had to stitch together a patchwork of customized tooling and APIs to build their own SOC because every product was a shiny black box. This is still the case in most environments. 
Even where folks know how to get the right telemetry, they are often left with a pile of logs to sift through and no idea where to focus their efforts in the event of an incident.\nDisclaimer: There are a large number of tools available for log analysis; many that I have used are no longer maintained, though they may have been better options in the past.\nThankfully, with the rise of tooling like DeepBlueCLI, EQL, and the ever popular Sigma, there are a number of options to get started. The detection engineering space has exploded, and the opportunity to learn security concepts has exploded with it. For this blog I was interested in Windows security specifically: Windows Event Logs and how they can be a goldmine for incident response.\nWindows Security All systems use some form of logging for troubleshooting, error reporting and security detail. The Windows Event Log service writes events to event channels. These channels can be read with third party tools such as Nirsoft's MyEventViewer and Event Log Explorer, with PowerShell, and if you're desperate, with the Event Viewer built into Windows.\nFirst I started exploring the different logs available at EVTX-ATTACK-SAMPLES. This repository houses sample Windows event logs (EVTX files) associated with specific attack and post-exploitation techniques. It is a great place to start if we want to look at examples of a tactic such as Privilege Escalation as it manifests in event log data.\nElastic Security I am a huge fan of open source. I'm an even bigger fan of security tools that are open source or open in nature, and it's no surprise that the Elastic Stack, or ELK Stack for short, is used for security. Security teams have been using it for several use cases including threat hunting, network security monitoring, vulnerability assessment, incident response and many more because of its ease of use and versatility. 
Elastic doubled down on security, which led to multiple product choices including the Elastic Security SIEM (the Security application within Kibana), but it wasn't until 7.6 that Elastic released the Detections feature, now called the detection engine, which houses detection logic across log types with the majority focused on Windows logs. However, Elastic's primary use case for the Detection Engine is detection inside a SIEM running against live data. I am using ThremulationStation for this blog post as well. :)\nLet's dive in!\nLet's first take a look around the Security app.\nTo get to Rules we want to click on Alerts -\u0026gt; Manage rules\nThremulationStation enables all Windows based rules OOTB (except for the ML ones). Next we will use the filter for Windows so we are only looking at those.\nWe can see we have 324 prebuilt rules. Let's open one of them up!\nThis rule is fairly simple: it uses EQL (Event Query Language, not \u0026quot;Elastic Query Language\u0026quot;) to query for a user that was added to a privileged group such as \u0026quot;Domain Admins\u0026quot;.\nWe can see this rule runs every five minutes. So every five minutes this rule will run against a set of indices, selecting documents by the @timestamp field.\nTo put that into simple terms: @timestamp contains the time the event originally occurred, not the time it was ingested. That is a problem for historical data, because by default the rule only evaluates documents whose @timestamp falls within the last five minutes (plus a small additional look-back) relative to now. A 2019 event will never land in that window, so no alert is ever generated. Put another way, we need to be able to run rules backwards, or rather trick the rule into treating the data as if it were happening now. Previous to this blog post, I used this exercise as a way of enablement by making an ingest pipeline that copied the value of event.ingested, since it was closer to the current time, into @timestamp. Tada! I had data! 
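To make that window concrete, here is an added Python illustration (not code from the post, from Elastic or from ThremulationStation) of one scheduled run of a user-added-to-privileged-group rule over a handful of constructed ECS-style documents whose original times are from 2019 but whose event.ingested is a minute or two ago. The same run is evaluated once against @timestamp and once against event.ingested, which is the effect of the ingest-pipeline trick above. The group-name patterns, the 5 minute interval with 1 minute additional look-back, and the sample documents are assumptions, not the prebuilt rule's exact definition.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Constructed sample documents using ECS field names (not data from the
# EVTX-ATTACK-SAMPLES files). The original event times are from 2019;
# event.ingested is when Winlogbeat shipped them, i.e. close to now.
NOW = datetime(2023, 1, 10, 12, 0, 0, tzinfo=timezone.utc)

SAMPLE_EVENTS = [
    # Security 4728: member added to Domain Admins, ingested 90 s ago.
    {'@timestamp': '2019-02-02T10:15:00.000Z',
     'event.ingested': '2023-01-10T11:58:30.000Z',
     'event.code': '4728', 'event.action': 'added-member-to-group',
     'group.name': 'Domain Admins', 'user.name': 'jdoe',
     'host.name': 'MSEDGEWIN10'},
    # Security 4732: member added to the local Administrators group, 30 s ago.
    {'@timestamp': '2019-03-11T08:02:10.000Z',
     'event.ingested': '2023-01-10T11:59:30.000Z',
     'event.code': '4732', 'event.action': 'added-member-to-group',
     'group.name': 'Administrators', 'user.name': 'svc_backup',
     'host.name': 'MSEDGEWIN10'},
    # Member added to a non-privileged group: must not alert.
    {'@timestamp': '2019-03-11T08:05:00.000Z',
     'event.ingested': '2023-01-10T11:59:31.000Z',
     'event.code': '4728', 'event.action': 'added-member-to-group',
     'group.name': 'Sales', 'user.name': 'jdoe',
     'host.name': 'MSEDGEWIN10'},
    # Privileged-group add ingested 20 minutes ago: outside this run's window
    # (an earlier scheduled run would have been the one to catch it).
    {'@timestamp': '2019-03-12T09:00:00.000Z',
     'event.ingested': '2023-01-10T11:40:00.000Z',
     'event.code': '4728', 'event.action': 'added-member-to-group',
     'group.name': 'Enterprise Admins', 'user.name': 'attacker',
     'host.name': 'MSEDGEWIN10'},
]

# Assumed group patterns, in the style of the prebuilt rule's EQL wildcard
# list (the real rule's list is longer; open the rule in Kibana to see it).
PRIVILEGED_GROUP_PATTERNS = ('Admin*', 'Domain Admins', 'Enterprise Admins',
                             'Schema Admins', 'Account Operators')

TS_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ'


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2019-02-02T10:15:00.000Z."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def format_ts(dt):
    """Inverse of parse_ts, with millisecond precision."""
    return dt.strftime('%Y-%m-%dT%H:%M:%S.') + '%03dZ' % (dt.microsecond // 1000)


def matches_query(doc):
    """Stand-in for the rule's EQL: a member was added to a privileged group."""
    if doc.get('event.action') != 'added-member-to-group':
        return False
    name = doc.get('group.name', '')
    return any(fnmatchcase(name, pattern) for pattern in PRIVILEGED_GROUP_PATTERNS)


def run_rule(docs, timestamp_field, now=NOW, interval=timedelta(minutes=5),
             additional_lookback=timedelta(minutes=1)):
    """Simulate one scheduled execution of the rule.

    The query is only evaluated over documents whose timestamp_field lies in
    [now - (interval + additional_lookback), now]. With the default
    '@timestamp' the 2019 events never fall in that window; with the field
    overridden to 'event.ingested' the same documents are judged by the time
    they arrived. Each alert is stamped with the run time but keeps the
    document's original @timestamp for investigation.
    """
    window_start = now - (interval + additional_lookback)
    alerts = []
    for doc in docs:
        ts = parse_ts(doc[timestamp_field])
        if not window_start <= ts <= now:
            continue
        if matches_query(doc):
            alerts.append({
                'alert.@timestamp': format_ts(now),
                'original.@timestamp': doc['@timestamp'],
                'user.name': doc['user.name'],
                'group.name': doc['group.name'],
                'host.name': doc['host.name'],
            })
    return alerts


if __name__ == '__main__':
    print('window on @timestamp:    ', len(run_rule(SAMPLE_EVENTS, '@timestamp')), 'alerts')
    print('window on event.ingested:', len(run_rule(SAMPLE_EVENTS, 'event.ingested')), 'alerts')
    for alert in run_rule(SAMPLE_EVENTS, 'event.ingested'):
        print(alert)
```

Run against @timestamp the rule produces nothing; run against event.ingested it produces two alerts, skips the Sales group and skips the document that arrived 20 minutes earlier. The last case is the practical caveat: whichever field the rule keys on, a bulk import still has to land inside a scheduled run's window, so a rule disabled during the import will not retroactively alert.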
Thankfully Elastic has since addressed this (see the Elastic discussion Run detection rules backwards) and implemented a timestamp override option, which is set to event.ingested by default in all prebuilt detection rules! One caveat: the override only helps if event.ingested is actually populated, which it is when the data flows through the Winlogbeat ingest pipelines as it does here.\nGetting Started Without spending too much time on coming up with a custom way to ingest these logs, there are really two ways we can dive into this: the Elastic Agent or Winlogbeat. Since we are using ThremulationStation we will give Elastic Agent a shot first. According to the docs for the Windows integration it picks up certain channels, and we can configure a custom event channel, but that reads live channels; to feed it saved EVTX files we would have to load them up via WEC/WEF, which is quite frankly too much work. Instead we will use Winlogbeat, which accepts a path to an .evtx file in place of a channel name. Thankfully Samir has provided a bulk read script that is incredibly handy. First, we will download Winlogbeat and grab Samir's default Winlogbeat configuration.\nGrab Winlogbeat from: Download Winlogbeat | Ship Windows Event Logs | Elastic | Elastic\nUnzip the file\nMove Samir's configuration file into place, or use the command line options of the bulk read script to tell it where the Winlogbeat configuration file is. There are a few things in the configuration worth calling out when reading in these logs.\nwinlogbeat.event_logs:\n  - name: ${EVTX_FILE}\nThis setting uses an environment variable called EVTX_FILE that must be set to tell Winlogbeat which EVTX file to read; the bulk read script sets it for each file it finds. (If you write your own config for file reading, also set no_more_events: stop on the entry so Winlogbeat exits at the end of the file instead of waiting for new events.)\nwinlogbeat.registry_file: \u0026#34;${CWD}/winlogbeat/evtx-registry.yml\u0026#34;\nThe registry file keeps track of what Winlogbeat has already read from each log. We will have to delete it if we want to re-read a log. Just like above, this line references a variable, in this case CWD, which stands for \u0026quot;current working directory\u0026quot;: wherever we run the script from, these files will be written to that directory. 
So we will want to keep our directory structure relatively flat so that Winlogbeat knows where to find this file for subsequent runs.\noutput.elasticsearch:\n  enabled: false\n  hosts: [\u0026#39;http://localhost:9200\u0026#39;]\nThis block is pretty important, since enabled determines whether or not our data reaches Elasticsearch at all! In ThremulationStation we need to enable it, use https, and specify the username and password, which are both vagrant.\noutput.elasticsearch:\n  enabled: true\n  hosts: [\u0026#39;https://localhost:9200\u0026#39;]\n  # The setting below is for ThremulationStation since the certificate is self-signed\n  ssl.verification_mode: none\n\n  username: \u0026#34;vagrant\u0026#34;\n  password: \u0026#34;vagrant\u0026#34;\nDisabling certificate verification is fine for a throwaway lab; anywhere else, point ssl.certificate_authorities at the cluster's CA instead so the shipper cannot be redirected to a rogue Elasticsearch. We are ready to give this a shot!\nWhy didn't it work? In older versions of Winlogbeat the parsing and processing of our data from Sysmon, Security and later PowerShell happened in JavaScript files and processors in the Winlogbeat module directory. Now everything is done through ingest pipelines in Elasticsearch. We can examine these changes by comparing the reference configuration files between 7.16.3 and 8.5.0.\nLooking at line 125 of the 8.5.0 configuration we can see that the Elasticsearch output points to an ingest pipeline called winlogbeat-%{[agent.version]}-routing, which hands each event to the pipeline for its channel. Our sample configuration lacks this, so we need to add one line under output.elasticsearch, pipeline: \u0026#34;winlogbeat-%{[agent.version]}-routing\u0026#34;, to \u0026quot;route\u0026quot; the data appropriately. First we will run vanilla Winlogbeat with the correct output settings in its configuration and then run winlogbeat.exe setup to make sure the pipelines, dashboards, etc. are loaded for us.\nNow we can just pick a Tactic and start importing logs! 
For this example I moved the entire Privilege Escalation folder into my working directory.\nThe BulkRead script will recursively look through this directory and should parse everything in that folder.\nLet's check on Elasticsearch..\nWe can see that we have data coming in from Winlogbeat, over 160 docs so far!\nValidation A peek at the Detection \u0026amp; Response dashboard shows us that we have alerts being generated from our data in the SIEM! Remember that event.ingested is populated with the time of ingestion, i.e. now, which is why the rules fire on 2019 data.\nJust to make sure this data is what we expect we will open up just the alerts by clicking on View Alerts\nBy looking at the Reason column in the alerts table we can see a number of alerts from a default hostname of MSEDGEWIN10, which is a virtual machine that we historically could download directly from Microsoft for testing Windows 10.\nLastly, with an extremely lazy KQL query in Discover we can see that the field log.file.path has our current working directory path and a reference to the files that were processed by Winlogbeat! We can also see with a simple sort that the oldest log we ingested was from February 2nd, 2019! This is a good gotcha to keep in mind: the alerts are timestamped when the script was run, but the underlying events keep their original timestamps, so when you pivot from an alert to the source events in Discover you have to widen the time picker back to where the original data resides.\nFrom here there are several things we can do with this data. For instance we could look at the different patterns in adversary tradecraft that trigger the same detection rule. If we wanted to, we could single out a specific log file, see if we can work out what happened, and look for detection gaps we could potentially fill. Lastly, we could take this same data and run it through other security tools that analyze Windows logs. As an analyst and a researcher I would encourage this! 
There could be more parts to this blog, and it may turn into a series in the future. More to come!\n","link":"https://www.wriotsecurity.com/posts/exploring-windows-event-logs-for-incident-response/","section":"posts","tags":["Windows","Security","Elastic"],"title":"Exploring Windows Event Logs and Elastic Security for Incident Response"},{"body":"Welcome to wrIOT Security. A place to find musings on applied information security research, IOT, devops, and technology. ","link":"https://www.wriotsecurity.com/","section":"","tags":null,"title":"Home"},{"body":"","link":"https://www.wriotsecurity.com/posts/","section":"posts","tags":null,"title":"Posts"},{"body":"","link":"https://www.wriotsecurity.com/categories/security/","section":"categories","tags":null,"title":"Security"},{"body":"","link":"https://www.wriotsecurity.com/tags/security/","section":"tags","tags":null,"title":"Security"},{"body":"","link":"https://www.wriotsecurity.com/tags/","section":"tags","tags":null,"title":"Tags"},{"body":"","link":"https://www.wriotsecurity.com/tags/windows/","section":"tags","tags":null,"title":"Windows"},{"body":"","link":"https://www.wriotsecurity.com/tags/ansible/","section":"tags","tags":null,"title":"Ansible"},{"body":"","link":"https://www.wriotsecurity.com/categories/devops/","section":"categories","tags":null,"title":"DevOps"},{"body":"","link":"https://www.wriotsecurity.com/tags/devops/","section":"tags","tags":null,"title":"DevOps"},{"body":"WSL stands for Windows Subsystem for Linux. It allows Windows to run a lightweight Linux environment for running Linux binaries on Windows. I have not set it up from scratch myself but have used it in the past with lab VMs like the one associated with Black Hills Information Security's Pay What You Can courses. 
However, over the holidays I got myself an upgraded laptop, so I thought I would give it a try!\nWSL There are a few different ways to install WSL but the easiest is by using the wsl.exe command with a few of its options. If you don't feel comfortable using the command line, at least for this step, you can also install WSL via Turn Windows features on and off, found in the Control Panel under Programs and Features, or in Settings under Apps - related settings. For this blog I am going to use the command line option.\nFirst start by running wsl.exe --list --online from the command line (or PowerShell) as an Administrator.\n--list will show a list of WSL environments. --online tells Windows that we want to see the distros available for download; if we leave off this option the command shows the WSL environments that are installed locally. The online list shows us all the distros we can download. I am going to use Ubuntu-18.04, which I can install with the --install and -d switches and the distro name:\nwsl.exe --install -d Ubuntu-18.04\nIt might take a bit to install depending on your download speed. As part of this process the latest WSL kernel is also installed. The last step is a reboot to properly install the kernel, otherwise our WSL environment will not boot. To launch our environment we can run wsl.exe or bash.exe from the command line or the search bar. Take note that the Windows C: drive is mounted at /mnt/c, so your Windows profile lives at /mnt/c/Users/username; we will get to the importance of this later.\nAwesome! We now have a fully functional WSL environment. On first launch we will be prompted to set up a user and password for the Linux account. Alright, now onto the fun part: installing tools!\nAnsible My primary inspiration for this blog is Ansible. For those that aren't familiar, Ansible is open source software that can be used for configuration management and software provisioning. Simply put, its goal is to automate IT. 
I will not go into specifics about Ansible here as there are multiple blog posts and tools that use Ansible. Instead I will go over what I intend to do with it. I have used Ansible in the past, most times in conjunction with setting up some open source project on GitHub, but it has never had great compatibility with Windows. While it is possible with Cygwin, it is pretty clunky and not at all convenient to \u0026quot;make Ansible work\u0026quot; on Windows. Until now!\nInstalling Ansible in WSL To install Ansible I am going to use pip, but it needs to be installed first.\nsudo apt-get -y install python-pip python-dev libffi-dev libssl-dev\nNote that on Ubuntu 18.04 python-pip is the Python 2 pip; current Ansible releases require Python 3 on the control node, so if the install below pulls an old version, use python3-pip and pip3 instead. Next we need to run pip to install Ansible.\npip install ansible --user\n--user - This switch installs the packages local to the user account instead of globally. Since the ansible commands are installed under ~/.local/bin, we need to add that to the $PATH: echo 'PATH=$HOME/.local/bin:$PATH' \u0026gt;\u0026gt; ~/.bashrc\nFrom here we can launch a new instance of bash by closing the current window, or we can run source ~/.bashrc. Personally, I like closing and reopening the window. We can validate that Ansible is mapped correctly by running which ansible and then ansible --version.\n![Verifying Ansible is installed](ansible v 1.png)\nAwesome! Fairly painless to install.\nDealing with DevOps Through my involvement in open source I am a contributor to a few projects which utilize Vagrant and optionally Packer. Lately I have noticed that when using the latest version of Vagrant (2.2.19) and the latest VirtualBox (6.1.30), boxes running CentOS 7/8 will not deploy with Vagrant due to an SSH issue that intermittently affects macOS and Windows and hasn't fully been solved yet. This is a problem when the boxes are available via Vagrant Cloud to make a deployment automagic but they can't be brought up with Vagrant once they are on your workstation. 
However, instead of pivoting to my NUC for launching a Packer build, I thought \u0026quot;why not throw this at WSL?\u0026quot;\nPacker For those that don't know, Packer allows us to automate the creation of any type of machine image via several different providers. To simplify, I can use Packer to create a lightweight VM, set it up with software, and then configure that software as well. There are multiple ways of doing this, from bash scripts to tools like Chef or, in our case, Ansible.\nInstalling Packer in WSL This is fairly straightforward to do thankfully. Packer is just a binary we can grab and install from HashiCorp. Here is their process as it is documented on https://packer.io\ncurl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -\n\nsudo apt-add-repository \u0026#34;deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main\u0026#34;\n\nsudo apt-get update \u0026amp;\u0026amp; sudo apt-get install packer\nand voila, we have Packer. Run packer to make sure it is working as we expect. The first line trusts whatever key the TLS connection hands back; HashiCorp publishes the key fingerprint, so compare it against apt-key fingerprint before installing from the repository.\nTesting Alright so now it's time to grab our project. In this instance I am using ThremulationStation. ThremulationStation is a project built on free and open tools for small scale threat emulation, with the goal that you can run it on your laptop. ThremulationStation uses Vagrant to build out a small lab of three machines running Elastic Security, Caldera, and Atomic Red Team. By running attacks against the victim machines inside the lab (Windows 10, CentOS 7), the telemetry of those attacks will be logged by the Elastic Endpoint agent for detection and response.\nFirst we will git clone the project somewhere on disk and then cd into the proper directory. For ease of use and locating it I opted for threm-wsl in my user directory.\nmkdir threm-wsl\ncd threm-wsl\ngit clone --branch devel https://github.com/thremulation-station/thremulation-station\nIn this example I am using the devel branch. 
Alright, now we need to cd to the Packer directory.\ncd thremulation-station/packer/\nHere we can see multiple folders, one for each machine in ThremulationStation. Let's start with vbox-elastic.\n![Enumerating directories](dir_enum 1.png)\ncd vbox-elastic\nThere are a few files here and the one we are interested in is elastic.json\nThis is the Packer template we hand to Packer when we are ready to build. So let's kick off a build!\npacker build elastic.json\nWell that didn't work. We can start troubleshooting at this point, but the key takeaway is the way Packer is executing VBoxManage. If we run VBoxManage in our terminal, Ubuntu will tell us it isn't installed. However, even if I had it installed I would not be able to use VirtualBox from the WSL terminal, for a few reasons:\nThere is no GUI/display for WSL. That isn't how it was designed and quite frankly it wouldn't make any sense. Paths in Windows. Remember above when I told you to take note of where your Windows profile is mounted? Well this is another byproduct of the way WSL works. Below are two notations for the same path, first in Linux and then in Windows:\nLinux: /mnt/c/Users/Username/threm-wsl/thremulation-station/packer/vbox-elastic\nWindows: C:\\Users\\Username\\threm-wsl\\thremulation-station\\packer\\vbox-elastic\nThese paths refer to the same directory, which means that WSL has to translate them to pass them off to Windows and vice versa. This is done using a tool called wslpath, the likes of which I don't want to discuss here. 
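As an added illustration (Python, not part of the original post and not the wrapper script the post goes on to use), this is the translation step any VBoxManage wrapper has to perform before handing Packer's arguments to the Windows binary: every argument that is a path under a drive mount gets the Windows spelling, everything else is left alone, and the executable itself stays in WSL notation because the interop layer resolves it. The VBoxManage.exe location, the regular expression and the sample storageattach invocation are assumptions; the shell wrapper discussed below does the same job with wslpath.

```python
import re

# Matches a WSL drive mount such as /mnt/c or /mnt/c/Users/Username/threm-wsl.
_WSL_DRIVE_PATH = re.compile(r'^/mnt/([a-zA-Z])(/.*)?$')

# Assumed location of the Windows VBoxManage binary as seen from WSL.
VBOXMANAGE_EXE = '/mnt/c/Program Files/Oracle/VirtualBox/VBoxManage.exe'


def wsl_to_windows(path):
    """Translate a path under /mnt/<drive>/ to its Windows spelling.

    Anything not under a drive mount (a VM name, a size, a Linux-only path) is
    returned unchanged, so the function is safe to apply to every argument.
    """
    match = _WSL_DRIVE_PATH.match(path)
    if not match:
        return path
    drive, rest = match.group(1).upper(), match.group(2) or '/'
    return drive + ':' + rest.replace('/', '\\')


def translate_args(args):
    """Rewrite VBoxManage arguments so that WSL paths become Windows paths.

    Handles both a bare path argument (--medium /mnt/c/x.iso) and the
    --option=/mnt/c/x.iso form; flags and other values pass straight through.
    """
    translated = []
    for arg in args:
        if arg.startswith('--') and '=' in arg:
            option, _, value = arg.partition('=')
            translated.append(option + '=' + wsl_to_windows(value))
        else:
            translated.append(wsl_to_windows(arg))
    return translated


def vboxmanage_command(args, exe=VBOXMANAGE_EXE):
    """Build the argv a wrapper would hand to the Windows binary.

    The executable keeps its WSL path because WSL's interop layer, not
    VBoxManage, resolves it; only VBoxManage's own arguments need the Windows
    spelling. Returning a list rather than a joined string keeps paths with
    spaces, like Program Files, intact as single arguments.
    """
    return [exe] + translate_args(args)


if __name__ == '__main__':
    # Constructed example resembling what the virtualbox-iso builder runs to
    # attach an install ISO; not captured from an actual Packer build.
    packer_args = ['storageattach', 'packer-elastic',
                   '--storagectl', 'IDE Controller', '--port', '0',
                   '--device', '1', '--type', 'dvddrive',
                   '--medium', '/mnt/c/Users/Username/threm-wsl/packer_cache/CentOS-7.iso']
    for part in vboxmanage_command(packer_args):
        print(part)
```

The argument list is deliberately never joined into one string: the moment a wrapper builds a command line with spaces in it, a path like C:\Program Files\... or an ISO under a directory with a space in its name gets split into two arguments, which is exactly the spacing problem the post runs into.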
All that matters for our purposes is that no matter how hard we try this will not work easily, because Packer runs several instances and variations of the VBoxManage command to get us to our end state.\nIn fact, Elastic Security is running on my workstation and I can use a data table to demonstrate what I am referring to.\nHere I was testing a different box called redops, but you can see the variations of the VBoxManage command options that are being passed to the process. Several commands get passed as a result of building a box with Packer. This problem compounds when we start passing Windows paths for things like ISOs, taking into consideration spaces, and even the disk itself for the VM when the box is being packaged.\nSo.... Now what? Well after some digging I found someone that created a wrapper for WSL. GitHub - finarfin/wsl-virtualbox: VBoxManage wrapper to use Virtualbox from WSL for Packer\nWhat this script does is exactly what we need: it passes the full path of the Windows VBoxManage.exe to xargs and converts the command line arguments as needed. All we have to do is drop it in /usr/local/bin and create a symbolic link to it at /usr/bin/VBoxManage, so that Packer finds it on the PATH under the name of the Linux binary.\nsudo su\nmkdir -p /usr/local/bin\nwget -O /usr/local/bin/VBoxManage.sh https://raw.githubusercontent.com/finarfin/wsl-virtualbox/master/VBoxManage.sh\nchmod +x /usr/local/bin/VBoxManage.sh\nln -s /usr/local/bin/VBoxManage.sh /usr/bin/VBoxManage\nexit\nThis fetches a third party script straight from GitHub and puts it in the path of every VBoxManage call, so read VBoxManage.sh before you make it executable. Now that we are back in our user directory, running VBoxManage should call the script located in /usr/local/bin. One last thing I noticed after testing is that sometimes the script fails to account for a storage medium being ejected. 
So I added a quick patch to it here: GitHub - webhead404/wsl-virtualbox: VBoxManage wrapper to use Virtualbox from WSL for Packer\nYou should now be able to successfully build Packer boxes with Ansible!\nTips and tricks Once your box is built, from the bash terminal you can run explorer.exe . to open the current directory in Explorer and see the .box files that were created.\nSpecial Thanks Special thanks to Jeff Geerling and Can Hanhan!\ngeerlingguy (Jeff Geerling) · GitHub finarfin (Can Hanhan) · GitHub Other Resources Install WSL with a single command now available in Windows 10 version 2004 and higher - Windows Command Line\nHow to install Windows Subsystem for Linux (WSL) on Windows 10 | Windows Central\nUsing Ansible through Windows 10's Subsystem for Linux | Jeff Geerling\nWelcome - Thremulation Station\n","link":"https://www.wriotsecurity.com/posts/setting-up-wsl-ansible-and-packer-for-devops/","section":"posts","tags":["Ansible","DevOps"],"title":"Setting up WSL, Ansible, and Packer for DevOps"},{"body":" Hey, I'm Keith!\nI am an information security professional, researcher and mentor with over a decade of experience in IT/information security. I have a passion for developing relevant security solutions and enjoy sharing that experience with my peers in the industry. I am a rapid learner and thrive in creative problem solving.\nExperience I currently work in security education developing course material around network security and threat hunting. 
Prior to that I was a cyber security liaison for an electric utility where I provided and maintained solutions around network/endpoint security, risk management, and SCADA.\nNotable Accomplishments Participated in Cyber Shield 2019 as a member of the Gold Team, assisting and supporting the Blue Team with detecting attacks carried out by the Red Team.\nSpeaker at NRECA TechAdvantage - Best Practice for SIEM Implementations Speaker at NRECA Member Advisory Group - Security Monitoring for Free.99 Placed First in Threat Hunting CTF with Elastic at BSides SATX ","link":"https://www.wriotsecurity.com/about/","section":"","tags":null,"title":"About me"},{"body":"This page is a writing reference for me only.\nCard {{\u0026lt; card title=\"Step 0 - Learn basic programming with Python\" icon=\"python.svg\"\u003e}} \u0026lt;p style=\"width: 100%\"\u003eProgramming is the first thing you need to learn in order to keep up with the hands-on practice later on. Python is currently a very popular language in the field of artificial intelligence, and many courses are taught in Python, so I encourage you to start with this language. A few courses and resources I think are usable:\u0026lt;/p\u003e {{\u0026lt; card-list \u003e}} {{\u0026lt; card-list-item link=\"https://www.codecademy.com/learn/learn-python-3\" \u003e}} Codecademy's **Learn Python 3** course {{\u0026lt; /card-list-item \u003e}} {{\u0026lt; card-list-item link=\"https://www.howkteam.vn/course/lap-trinh-python-co-ban-37\" \u003e}} How kTeam's basic **Python programming** course {{\u0026lt; /card-list-item \u003e}} {{\u0026lt; card-list-item link=\"https://greenteapress.com/wp/think-python/\" \u003e}} The book **Think Python: How to Think Like a Computer Scientist** - Allen B. Downey. 
{{\u0026lt; /card-list-item \u003e}} {{\u0026lt; /card \u003e}} Table Generator: https://tableconvert.com/ Word table to markdown: https://tabletomarkdown.com/convert-spreadsheet-to-markdown/ ","link":"https://www.wriotsecurity.com/formeonly/","section":"","tags":null,"title":""},{"body":"","link":"https://www.wriotsecurity.com/archives/","section":"","tags":null,"title":""},{"body":"","link":"https://www.wriotsecurity.com/tags/config/","section":"tags","tags":null,"title":"Configuration"},{"body":"","link":"https://www.wriotsecurity.com/search/","section":"","tags":null,"title":"Local Search Engine"},{"body":"","link":"https://www.wriotsecurity.com/tags/og/","section":"tags","tags":null,"title":"Opengraph"},{"body":"","link":"https://www.wriotsecurity.com/series/","section":"series","tags":null,"title":"Series"},{"body":"","link":"https://www.wriotsecurity.com/write-ups/","section":"write-ups","tags":null,"title":"Write-ups coming soon!"}]