added Malcolm

This commit is contained in:
2021-08-06 10:35:01 +02:00
parent f043730066
commit 70f1922e80
751 changed files with 195277 additions and 0 deletions


@@ -0,0 +1,188 @@
# configure a windows host to forward auditbeat and winlogbeat logs
# to Malcolm (see https://github.com/idaholab/Malcolm/tree/master/scripts/beats)
$beatversion = "7.6.2"
################################################################################
# Uninstall-Beat
#
# - Remove previous traces of this beat
#
function Uninstall-Beat {
param( [string]$beat )
try {
& "C:\\Program Files\\$beat\\uninstall-service-$beat.ps1"
}
catch {
}
remove-item "C:\\Program Files\\$beat" -Recurse -erroraction 'silentlycontinue';
}
################################################################################
# Download-Beat
#
# - Download $beat-$beatversion-windows-x86_64.zip from artifacts.elastic.co
# - Unzip to C:\Program Files\beat
# - Download sample config for $beat from idaholab/Malcolm to C:\Program Files\beat
#
function Download-Beat {
param( [string]$beat )
Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/$beat/$beat-oss-$beatversion-windows-x86_64.zip -OutFile $beat-$beatversion-windows-x86_64.zip -UseBasicParsing
Expand-Archive -LiteralPath $beat-$beatversion-windows-x86_64.zip -DestinationPath 'C:\\Program Files'
Remove-Item $beat-$beatversion-windows-x86_64.zip
Rename-Item "C:\\Program Files\\$beat-$beatversion-windows-x86_64" "C:\\Program Files\\$beat"
((Get-Content -path "C:\\Program Files\\$beat\\install-service-$beat.ps1" -Raw) -replace 'ProgramData','Program Files') | Set-Content -Path "C:\\Program Files\\$beat\\install-service-$beat.ps1"
((Get-Content -path "C:\\Program Files\\$beat\\install-service-$beat.ps1" -Raw) -replace ' -path',' --path') | Set-Content -Path "C:\\Program Files\\$beat\\install-service-$beat.ps1"
Invoke-WebRequest -UseBasicParsing -OutFile "C:\\Program Files\\$beat\\$beat.yml" -Uri https://raw.githubusercontent.com/idaholab/Malcolm/master/scripts/beats/windows_vm_example/$beat.yml
(Get-Content "C:\\Program Files\\$beat\\$beat.yml") | Set-Content "C:\\Program Files\\$beat\\$beat.yml"
}
################################################################################
# Connectivity boilerplate to add to the sample .yml files downloaded from
# idaholab/Malcolm
#
$beat_boilerplate = @'
#================================ General ======================================
fields_under_root: true
#================================ Outputs ======================================
#-------------------------- Elasticsearch output -------------------------------
output.elasticsearch:
enabled: true
hosts: ["${BEAT_ES_HOST}"]
protocol: "${BEAT_ES_PROTOCOL}"
username: "${BEAT_HTTP_USERNAME}"
password: "${BEAT_HTTP_PASSWORD}"
ssl.verification_mode: "${BEAT_ES_SSL_VERIFY}"
setup.template.enabled: true
setup.template.overwrite: false
setup.template.settings:
index.number_of_shards: 1
index.number_of_replicas: 0
#============================== Dashboards =====================================
setup.dashboards.enabled: "${BEAT_KIBANA_DASHBOARDS_ENABLED}"
setup.dashboards.directory: "${BEAT_KIBANA_DASHBOARDS_PATH}"
#============================== Kibana =====================================
setup.kibana:
host: "${BEAT_KIBANA_HOST}"
protocol: "${BEAT_KIBANA_PROTOCOL}"
username: "${BEAT_HTTP_USERNAME}"
password: "${BEAT_HTTP_PASSWORD}"
ssl.verification_mode: "${BEAT_KIBANA_SSL_VERIFY}"
#================================ Logging ======================================
logging.metrics.enabled: false
'@
################################################################################
# Run-Beat-Command
#
# - Run C:\Program Files\$beat\$beat.exe with correct defaults for config paths
# - specify beat, command array and (optionally) stdin string
#
function Run-Beat-Command {
param( [string]$beat, [array]$command, [string]$stdin)
$exe = "C:\\Program Files\\$beat\\$beat.exe"
$exe_config = '--path.home', "C:\\Program Files\\$beat", '--path.config', "C:\\Program Files\\$beat", '--path.data', "C:\\Program Files\\$beat", '--path.logs', "C:\\Program Files\\$beat\\logs", '-c', "C:\\Program Files\\$beat\\$beat.yml", '-E', "keystore.path='C:\\Program Files\\$beat\\$beat.keystore'"
if (!$stdin) {
& $exe $exe_config $command
} else {
$stdin.Trim() | & $exe $exe_config $command
}
}
################################################################################
# Configure config .yml and keystore for beat in "C:\\Program Files\\$beat"
#
function Configure-Beat {
param( [string]$beat )
cd "C:\\Program Files\\$beat"
Run-Beat-Command $beat @("keystore","create","--force") $null
Add-Content -Path "C:\\Program Files\\$beat\\$beat.yml" -Value $beat_boilerplate
do {
$es_host = Read-Host "Specify the Elasticsearch IP:port (e.g., 192.168.0.123:9200)"
$es_host = $es_host.Trim()
} while (!$es_host)
do {
$kb_host = Read-Host "Specify the Kibana IP:port (e.g., 192.168.0.123:5601)"
$kb_host = $kb_host.Trim()
} while (!$kb_host)
do {
$es_user = Read-Host "Specify the Elasticsearch/Kibana username"
$es_user = $es_user.Trim()
} while (!$es_user)
do {
$es_pass = Read-Host "Specify the Elasticsearch/Kibana password" -AsSecureString
$es_pass_confirm = Read-Host "Specify the Elasticsearch/Kibana password (again)" -AsSecureString
$pwd1_text = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($es_pass))
$pwd2_text = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($es_pass_confirm))
} while ($pwd1_text -ne $pwd2_text)
$es_pass = ([Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($es_pass))).Trim()
Run-Beat-Command $beat @("keystore","add","BEAT_ES_PROTOCOL","--stdin","--force") "https"
Run-Beat-Command $beat @("keystore","add","BEAT_KIBANA_PROTOCOL","--stdin","--force") "https"
Run-Beat-Command $beat @("keystore","add","BEAT_ES_SSL_VERIFY","--stdin","--force") "none"
Run-Beat-Command $beat @("keystore","add","BEAT_KIBANA_SSL_VERIFY","--stdin","--force") "none"
Run-Beat-Command $beat @("keystore","add","BEAT_KIBANA_DASHBOARDS_ENABLED","--stdin","--force") "true"
Run-Beat-Command $beat @("keystore","add","BEAT_KIBANA_DASHBOARDS_PATH","--stdin","--force") "C:\\Program Files\\$beat\\kibana"
Run-Beat-Command $beat @("keystore","add","BEAT_ES_HOST","--stdin","--force") "$es_host"
Run-Beat-Command $beat @("keystore","add","BEAT_KIBANA_HOST","--stdin","--force") "$kb_host"
Run-Beat-Command $beat @("keystore","add","BEAT_HTTP_USERNAME","--stdin","--force") "$es_user"
Run-Beat-Command $beat @("keystore","add","BEAT_HTTP_PASSWORD","--stdin","--force") "$es_pass"
Run-Beat-Command $beat @("keystore","list") $null
$confirmation = Read-Host "Install $beat as a system service (y/n)"
if ($confirmation -eq 'y') {
& "C:\\Program Files\\$beat\\install-service-$beat.ps1"
}
}
################################################################################
# Main
#
function Main {
param( [array]$beats)
$tempdir = New-TemporaryFile
remove-item $tempdir;
new-item -type directory -path $tempdir;
cd $tempdir;
foreach ($beat in $beats) {
cd $tempdir;
Uninstall-Beat $beat
Download-Beat $beat
Configure-Beat $beat
}
cd $Env:Temp;
remove-item $tempdir -Recurse;
}
################################################################################
#
if ($args.count -eq 0) {
Main @("auditbeat","winlogbeat")
} else {
Main $args
}
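Review bot: Configure-Beat hard-codes `BEAT_ES_SSL_VERIFY` and `BEAT_KIBANA_SSL_VERIFY` to "none" in the two `keystore add` calls that follow the password prompt, so the username and password the script has just collected are sent to whatever answers at the entered IP:port with no certificate check, and nothing in the prompts tells the operator that. I would prompt for the verification mode with "none" as the default, which keeps today's behaviour while letting an operator with a trusted certificate opt in to `full`. Separately, Download-Beat expands the zip from artifacts.elastic.co without comparing it to the `.sha512` file Elastic publishes next to each artifact; a `Get-FileHash -Algorithm SHA512` comparison before Expand-Archive would catch a truncated or substituted download. The empty `catch {}` in Uninstall-Beat also hides failures of the uninstall script, so at minimum log the error with `Write-Warning $_`.
```powershell
# … unchanged: host / username / password prompts …
$ssl_verify = (Read-Host "Verify Elasticsearch/Kibana TLS certificates (full/none) [none]").Trim()
if (!$ssl_verify) { $ssl_verify = "none" }
# … unchanged: BEAT_ES_PROTOCOL / BEAT_KIBANA_PROTOCOL keystore adds …
Run-Beat-Command $beat @("keystore","add","BEAT_ES_SSL_VERIFY","--stdin","--force") "$ssl_verify"
Run-Beat-Command $beat @("keystore","add","BEAT_KIBANA_SSL_VERIFY","--stdin","--force") "$ssl_verify"
```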


@@ -0,0 +1,94 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
unless Vagrant.has_plugin?("vagrant-reload")
raise 'vagrant-reload plugin is not installed!'
end
# hack: https://github.com/hashicorp/vagrant/issues/8878#issuecomment-345112810
class VagrantPlugins::ProviderVirtualBox::Action::Network
def dhcp_server_matches_config?(dhcp_server, config)
true
end
end
Vagrant.configure("2") do |config|
config.vm.box = "StefanScherer/windows_10"
config.vm.network "private_network", type: "dhcp"
config.vm.synced_folder ".", "c:/vagrant_shared", disabled: true
if Vagrant.has_plugin?("vagrant-vbguest")
config.vbguest.auto_update = false
end
config.vm.communicator = "winrm"
config.winrm.username = "vagrant"
config.winrm.password = "vagrant"
config.vm.guest = :windows
config.windows.halt_timeout = 15
# port forward WinRM and RDP
config.vm.network :forwarded_port, guest: 3389, host: 3389, id: "rdp", auto_correct: true
config.vm.network :forwarded_port, guest: 5985, host: 5985, id: "winrm", auto_correct: true
config.vm.provider :virtualbox do |vb, override|
vb.gui = true
vb.customize ["modifyvm", :id, "--memory", 4096]
vb.customize ["modifyvm", :id, "--cpus", 2]
vb.customize ["modifyvm", :id, "--vram", 256]
vb.customize ["modifyvm", :id, "--ioapic", "on"]
vb.customize ["modifyvm", :id, "--nestedpaging", "on"]
vb.customize ["modifyvm", :id, "--pae", "on"]
vb.customize ["modifyvm", :id, "--hwvirtex", "on"]
vb.customize ["modifyvm", :id, "--nested-hw-virt", "on"]
vb.customize ["modifyvm", :id, "--graphicscontroller", "vboxsvga"]
vb.customize ["modifyvm", :id, "--accelerate2dvideo", "on"]
vb.customize ["modifyvm", :id, "--accelerate3d", "on"]
vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
vb.customize ["modifyvm", :id, "--usb", "on"]
vb.customize ["modifyvm", :id, "--usbehci", "on"]
vb.customize ["modifyvm", :id, "--audio", "pulse", "--audiocontroller", "hda"]
end
config.vm.provision "shell", inline: <<-STEP1
New-Item -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows' -Name CloudContent | Out-Null
New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent' -Name 'DisableWindowsConsumerFeatures' -PropertyType DWORD -Value '1' -Force | Out-Null
New-Item -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\' -Name 'Windows Search' | Out-Null
New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search' -Name 'AllowCortana' -PropertyType DWORD -Value '0' -Force | Out-Null
Set-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\SQMClient\\Windows' CEIPEnable 0 | Out-Null
schtasks /Change /TN 'Microsoft\\Windows\\Customer Experience Improvement Program\\UsbCeip' /Disable | Out-Null
taskkill /f /im OneDrive.exe
C:/Windows/SysWOW64/OneDriveSetup.exe /uninstall
STEP1
config.vm.provision :reload
config.vm.provision "shell", inline: <<-STEP2
Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
choco install -y chocolateygui 7zip.install conemu firefox hackfont putty.install python sublimetext3 sysinternals
$beats = @("auditbeat","winlogbeat","packetbeat","metricbeat")
foreach ($beat in $beats) {
Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/$beat/$beat-oss-7.6.2-windows-x86_64.zip -OutFile $beat-7.6.2-windows-x86_64.zip -UseBasicParsing
Expand-Archive -LiteralPath $beat-7.6.2-windows-x86_64.zip -DestinationPath 'C:\\Program Files'
Remove-Item $beat-7.6.2-windows-x86_64.zip
Rename-Item "C:\\Program Files\\$beat-7.6.2-windows-x86_64" "C:\\Program Files\\$beat"
((Get-Content -path "C:\\Program Files\\$beat\\install-service-$beat.ps1" -Raw) -replace 'ProgramData','Program Files') | Set-Content -Path "C:\\Program Files\\$beat\\install-service-$beat.ps1"
((Get-Content -path "C:\\Program Files\\$beat\\install-service-$beat.ps1" -Raw) -replace ' -path',' --path') | Set-Content -Path "C:\\Program Files\\$beat\\install-service-$beat.ps1"
}
STEP2
["auditbeat","winlogbeat","packetbeat","metricbeat"].to_enum.with_index(1).each do |beat, i|
config.vm.provision "file", source: "./#{beat}.yml", destination: "C:\\Program Files\\#{beat}\\#{beat}.yml"
config.vm.provision "file", source: "../beat_run.py", destination: "C:\\Program Files\\#{beat}\\beat_run.py"
config.vm.provision "file", source: "../beat_config.py", destination: "C:\\Program Files\\#{beat}\\beat_config.py"
config.vm.provision "file", source: "../beat_common.py", destination: "C:\\Program Files\\#{beat}\\beat_common.py"
end
end
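Review bot: The STEP2 provisioner runs `iex` on a script fetched from chocolatey.org at provision time and then installs the four beats from artifacts.elastic.co with no hash check, so what ends up in the VM depends on whatever those two endpoints serve on the day it is built. For a demo VM that is tolerable, but the beats download at least can be pinned: Elastic publishes a `.sha512` alongside each zip, and a `Get-FileHash -Algorithm SHA512` comparison before `Expand-Archive` costs two lines in the loop. The version `7.6.2` is also repeated in every line of that loop while the companion PowerShell script in this commit keeps it in `$beatversion`; since `<<-STEP2` is an unquoted heredoc, a Ruby `beat_version = "7.6.2"` above `Vagrant.configure` interpolated as `#{beat_version}` would keep the two files in step (the PowerShell `$beat` is untouched by Ruby interpolation).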


@@ -0,0 +1,79 @@
# See https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html
# Thanks to "The Windows File Auditing Logging Cheat Sheet" at
# https://www.malwarearchaeology.com/cheat-sheets
# ==============================================================================
auditbeat.modules:
#------------------------------- file_integrity Module -----------------------
- module: file_integrity
paths:
- C:/Program Files
- C:/Program Files/Internet Explorer
- C:/Program Files/Common Files
- C:/Program Files (x86)
- C:/Program Files (x86) /Common Files
- C:/ProgramData
- C:/Windows
- C:/Windows/System32
- C:/Windows/System32/Drivers
- C:/Windows/System32/Drivers/etc
- C:/Windows/System32/Sysprep
- C:/Windows/System32/wbem
- C:/Windows/System32/WindowsPowerShell/v1.0
- C:/Windows/Web
- C:/Windows/SysWOW64
- C:/Windows/SysWOW64/Drivers
- C:/Windows/SysWOW64/wbem
- C:/Windows/SysWOW64/WindowsPowerShell/v1.0
recursive: false
- module: file_integrity
paths:
- C:/Boot
- C:/Perflogs
- C:/Users/All Users/Microsoft/Windows/Start Menu/Programs/Startup
- C:/Users/Public
# todo: wildcards handled?
# - C:/Users/*/AppData/Local
# - C:/Users/*/AppData/Local/Temp
# - C:/Users/*/AppData/LocalLow
# - C:/Users/*/AppData/Roaming
- C:/Windows/Scripts
- C:/Windows/System
- C:/Windows/System32/GroupPolicy/Machine/Scripts/Startup
- C:/Windows/System32/GroupPolicy/Machine/Scripts/Shutdown
- C:/Windows/System32/GroupPolicy/User/Scripts/Logon
- C:/Windows/System32/GroupPolicy/User/Scripts/Logoff
- C:/Windows/System32/Repl
recursive: true
# examples for exclusions if things are noisy
# exclude_files:
# - '(?i)\.blf$'
# - '(?i)\.dat$'
# - '(?i)\.lnk$'
# - '(?i)\.log\w*$'
# - '(?i)\.mum$'
# - '(?i)\.regtrans-ms$'
# - '(?i)\.swp$'
# - '(?i)\.tmp$'
# - '(?i)beat\.(lock|yml(\.new)?|db)$'
# - '(?i)\\(assembly|CatRoot|CbsTemp|databases?|Deleted|diagnostics?|Log(File)?s?|Notifications?|Packages?|Prefetch|schemas?|servicing|Sessions?|SleepStudy|SoftwareDistribution|Tasks?|Temp|tracing|wbem|WinMetadata|WinSAT|WinSxS)\\?'
# - '(?i)cache'
# TODO: system module is apparently only available in the non-OSS basic license :-(
# - module: system
# datasets:
# - host # General host information, e.g. uptime, IPs
# period: 1m
# state.period: 1h
# - module: system
# datasets:
# - process # Started and stopped processes
# period: 1s
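Review bot: The first file_integrity module's entry `- C:/Program Files (x86) /Common Files` has a stray space before `/Common Files`, so it names a directory that does not exist and the real `C:/Program Files (x86)/Common Files` is never watched; it should read `- C:/Program Files (x86)/Common Files`. On the `# todo: wildcards handled?` question: as far as I know file_integrity takes literal directory or file paths and does not expand globs, so the commented `C:/Users/*/AppData/...` entries would have to be enumerated per user (for example by the installer script) rather than left as patterns — worth confirming against the reference page linked at the top of the file before relying on them.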


@@ -0,0 +1,65 @@
# See https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-reference-yml.html
# ==============================================================================
metricbeat.config.modules:
path: ${path.config}/conf.d/*.yml
reload.period: 10s
reload.enabled: false
metricbeat.max_start_delay: 10s
metricbeat.modules:
#------------------------------- System Module -------------------------------
- module: system
period: 30s
metricsets:
- cpu # CPU usage
- memory # Memory usage
- network # Network IO
- process # Per process metrics
- process_summary # Process summary
- uptime # System Uptime
- diskio # Disk IO
enabled: true
processes: ['.*']
process.include_top_n:
enabled: true
by_cpu: 10
by_memory: 10
cpu.metrics: ["percentages"]
core.metrics: ["percentages"]
- module: system
period: 1m
metricsets:
- filesystem # File system usage for each mountpoint
- fsstat # File system summary metrics
enabled: true
- module: windows
metricsets: ["perfmon"]
enabled: true
period: 10s
perfmon.ignore_non_existent_counters: false
perfmon.group_measurements_by_instance: true
perfmon.queries:
- object: "Process"
instance: ["svchost*", "conhost*"]
counters:
- name: "% Processor Time"
field: time.processor.pct
format: "float"
perfmon.counters:
- instance_label: processor.name
instance_name: total
measurement_label: processor.time.total.pct
query: '\Processor Information(_Total)\% Processor Time'
- module: windows
metricsets: ["service"]
enabled: true
period: 60s
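Review bot: The windows/perfmon module entry mixes the `perfmon.queries` list with a `perfmon.counters` list in the same block; as far as I recall `perfmon.counters` is the older form that `perfmon.queries` superseded, so carrying both invites a deprecation warning at best and one list silently taking precedence at worst — confirm against the windows-module reference linked in the header. If both forms are honoured, a one-line comment above `perfmon.counters` explaining why the `_Total` processor counter is kept in the older format would save the next reader the same question.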


@@ -0,0 +1,90 @@
# See https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-reference-yml.html
# ==============================================================================
# packetbeat.exe requires Npcap (https://nmap.org/npcap/#download) to be installed
#------------------------------- network device ------------------------------
packetbeat.interfaces.device: 0
packetbeat.interfaces.type: pcap
packetbeat.interfaces.snaplen: 65535
#------------------------------- flows ---------------------------------------
packetbeat.flows:
enabled: true
timeout: 30s
period: 10s
#------------------------------- transaction protocols -----------------------
packetbeat.protocols:
- type: icmp
enabled: true
- type: amqp
enabled: true
ports: [5672]
- type: cassandra
enabled: true
ports: [9042]
- type: dhcpv4
enabled: true
ports: [67, 68]
- type: dns
enabled: true
ports: [53]
include_authorities: true
include_additionals: true
- type: http
enabled: true
ports: [80, 8080, 8000, 5000, 8002]
- type: memcache
enabled: true
ports: [11211]
- type: mysql
enabled: true
ports: [3306,3307]
- type: pgsql
enabled: true
ports: [5432]
- type: redis
enabled: true
ports: [6379]
- type: thrift
enabled: true
ports: [9090]
- type: mongodb
enabled: true
ports: [27017]
- type: nfs
enabled: true
ports: [2049]
- type: tls
enabled: true
ports:
- 443 # HTTPS
- 993 # IMAPS
- 995 # POP3S
- 5223 # XMPP over SSL
- 8883 # Secure MQTT
- 9243 # Elasticsearch
#------------------------------- monitored processes -------------------------
packetbeat.procs.enabled: true
packetbeat.ignore_outgoing: false
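Review bot: `packetbeat.interfaces.device: 0` captures on whichever adapter Npcap lists first, which on a VM that has a NAT adapter plus the private_network interface is not necessarily the one carrying the traffic of interest. The Npcap note in the header is the right place to add `# run "packetbeat.exe devices" to list interfaces and set device to the index of the one to capture`, and a second line saying the index is host-specific would stop this file being copied to another machine unchanged.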


@@ -0,0 +1,43 @@
# see https://www.elastic.co/guide/en/beats/winlogbeat/master/winlogbeat-reference-yml.html
# also see some of these excellent cheat sheets for Windows logging:
# https://www.malwarearchaeology.com/cheat-sheets
# ==============================================================================
#------------------------------- event logs ----------------------------------
winlogbeat.event_logs:
- name: AMSI/Operational
- name: Application
ignore_older: 72h
- name: ForwardedEvents
tags: ["forwarded"]
- name: Internet Explorer
- name: Microsoft-Windows-LSA/Operational
- name: Microsoft-Windows-PowerShell/Admin
- name: Microsoft-Windows-PowerShell/Operational
- name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
- name: Microsoft-Windows-Windows Defender/Operational
- name: Microsoft-Windows-Windows Defender/WHC
- name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
- name: Microsoft-Windows-WMI-Activity/Operational
- name: OpenSSH/Admin
- name: OpenSSH/Operational
# TODO: the Security and Sysmon modules are apparently only available in the non-OSS basic license :-(
# - name: Security
# processors:
# - script:
# lang: javascript
# id: security
# file: ${path.home}/module/security/config/winlogbeat-security.js
# - name: System
# - name: Windows PowerShell
# - name: Microsoft-Windows-Sysmon/Operational
# processors:
# - script:
# lang: javascript
# id: sysmon
# file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
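Review bot: The `Security` and `System` channels are commented out together with their `script` processors, but as far as I can tell only the processors (the winlogbeat security/sysmon modules) are the non-OSS part; the raw channel should still be readable by an OSS build with a bare `- name: Security` entry, and Security is the channel that carries the logon and audit events a detection pipeline most needs — confirm with the OSS build before merging. I would add `- name: Security` and `- name: System` to the active list and leave only the processor blocks in the TODO comment. `ignore_older: 72h` is set on Application alone; a comment saying why the other channels are read from the beginning (or the same setting on Security once enabled) would make the intent explicit.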