Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
1 parent d1c8cc5, commit da323c6. Showing 3 changed files with 98 additions and 5 deletions.
@@ -12,9 +12,9 @@ Use the correct collector: | |
|
||
**Examples**: | ||
|
||
* use [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) (more info: [Cloud - Azure Pentest](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#azure-recon-tools)) | ||
* Use [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) (more info: [Cloud - Azure Pentest](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#azure-recon-tools)) | ||
|
||
* use [BloodHoundAD/SharpHound.exe](https://github.com/BloodHoundAD/BloodHound) - run the collector on the machine using SharpHound.exe | ||
* Use [BloodHoundAD/SharpHound.exe](https://github.com/BloodHoundAD/BloodHound) - run the collector on the machine using SharpHound.exe | ||
```powershell | ||
.\SharpHound.exe -c all -d active.htb --searchforest | ||
.\SharpHound.exe -c all,GPOLocalGroup # all collection doesn't include GPOLocalGroup by default | ||
|
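Review bot: the bullet wording at the two `+` lines is still redundant after the capitalization fix; "Use [BloodHoundAD/SharpHound.exe](...) - run the collector on the machine using SharpHound.exe" names the binary twice. Suggest "Use [BloodHoundAD/SharpHound.exe](...) to run the collector on the target host" so it reads like the AzureHound bullet above it. The capitalization change itself is fine and matches the `**Examples**:` list style already used in this section.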
@@ -24,12 +24,12 @@ Use the correct collector: | |
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100 -d active.htb | ||
.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23 | ||
``` | ||
* use [BloodHoundAD/SharpHound.ps1](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1) - run the collector on the machine using Powershell | ||
* Use [BloodHoundAD/SharpHound.ps1](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1) - run the collector on the machine using Powershell | ||
```powershell | ||
Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public | ||
Invoke-BloodHound -CollectionMethod All -LDAPUser <UserName> -LDAPPass <Password> -OutputDirectory <PathToFile> | ||
``` | ||
* Collect more data for certificates exploitation using Certipy | ||
* Use [ly4k/Certipy](https://github.com/ly4k/Certipy) to collect certificates data | ||
```ps1 | ||
certipy find 'corp.local/john:[email protected]' -bloodhound | ||
certipy find 'corp.local/john:[email protected]' -old-bloodhound | ||
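Review bot: the last `+` line replaces `-bloodhound` with `-old-bloodhound` with no explanation, and in Certipy releases that support BloodHound CE the two flags are not interchangeable: `-bloodhound` writes the data format for BloodHound CE, `-old-bloodhound` the format for the original BloodHound (and ly4k's fork of it that renders the AD CS edges). Dropping one therefore removes an option rather than fixing a typo; suggest keeping both lines with a trailing comment, e.g. `certipy find 'corp.local/john:[email protected]' -bloodhound      # BloodHound CE` and `certipy find 'corp.local/john:[email protected]' -old-bloodhound  # legacy BloodHound / ly4k fork`. Two smaller points on the same hunk: the new bullet "to collect certificates data" loses the reason the removed line gave (certificate exploitation), and "to collect AD CS certificate template data for BloodHound" would keep it; and the fence is tagged `ps1` although `certipy find` is run from a Linux shell, so `bash` is the accurate tag.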
|
@@ -0,0 +1,92 @@ | ||
# Elastic EDR | ||
|
||
> Elastic EDR (Endpoint Detection and Response) is a component of Elastic Security designed to address cybersecurity threats at the endpoint level. It plays a crucial role in preventing, detecting, and responding to cyber threats like ransomware and malware. | ||
* [peasead/elastic-container](https://github.com/peasead/elastic-container) - Stand up a simple Elastic container with Kibana, Fleet, and the Detection Engine | ||
|
||
|
||
## Setup | ||
|
||
* First, you need `docker` and the `docker-compose` plugin | ||
```ps1 | ||
# Add Docker's official GPG key: | ||
sudo apt-get update | ||
sudo apt-get install ca-certificates curl | ||
sudo install -m 0755 -d /etc/apt/keyrings | ||
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc | ||
sudo chmod a+r /etc/apt/keyrings/docker.asc | ||
# Add the repository to Apt sources: | ||
echo \ | ||
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ | ||
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ | ||
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null | ||
sudo apt-get update | ||
# Install docker from apt | ||
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin | ||
``` | ||
|
||
* You might want to grant the `docker` right to the default user | ||
```ps1 | ||
sudo groupadd docker | ||
sudo usermod -aG docker $USER | ||
``` | ||
|
||
* Install the requirements for the elastic scripts | ||
```ps1 | ||
apt-get update | ||
apt-get install jq git curl | ||
``` | ||
|
||
* Clone the project | ||
```ps1 | ||
git clone https://github.com/peasead/elastic-container | ||
cd elastic-container | ||
``` | ||
|
||
* Edit `.env` to set the credentials and activate rules | ||
```ps1 | ||
ELASTIC_PASSWORD="changeme" | ||
KIBANA_PASSWORD="changeme" | ||
STACK_VERSION="8.11.2" | ||
WindowsDR=1 | ||
LICENSE=trial # enable the platinum features | ||
``` | ||
|
||
* Download the images and run the containers | ||
```ps1 | ||
chmod +x ./elastic-container.sh | ||
./elastic-container.sh start | ||
``` | ||
|
||
* Access the Elastic EDR interface at https://localhost:5601 | ||
* Fleet > `Add agent` | ||
* Enroll in Fleet (recommended) | ||
* Copy Windows PowerShell one-liner and append the `--insecure` flag if you are using untrusted certificates | ||
```ps1 | ||
powershell Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-7.15.1-windows-x86_64.zip -outfile elastic-agent-7.15.1-windows-x86_64.zip | ||
Expand-Archive -Path elastic-agent-7.15.1-windows-x86_64.zip -DestinationPath C:\ElasticAgent | ||
C:\ElasticAgent\elastic-agent-7.15.1-windows-x86_64\elastic-agent.exe install -f --fleet-server-es={{ fleet_server_es }} --fleet-server-service-token={{ fleet_token }} --fleet-server-policy={{ fleet_policy }} | ||
``` | ||
|
||
* Fleet > Integrations > Elastic Defend | ||
* Switch `Prevent` to `Detect`, to keep the execution running | ||
* Enable these features to collect more data | ||
``` | ||
windows.advanced.memory_protection.shellcode_collect_sample | ||
windows.advanced.memory_protection.memory_scan_collect_sample | ||
windows.advanced.memory_protection.shellcode_enhanced_pe_parsing | ||
``` | ||
|
||
* Destroy the containers | ||
```ps1 | ||
./elastic-container.sh destroy | ||
``` | ||
|
||
|
||
## References | ||
|
||
* [The Elastic Container Project for Security Research - Andrew Pease, Colson Wilhoit, Derek Ditch - 1 March 2023](https://www.elastic.co/security-labs/the-elastic-container-project) | ||
* [Cyber Security Lab Basics - Installing EDR in Malware Development Lab - AhmedS Kasmani](https://www.youtube.com/watch?v=1luhjL7TN9U) | ||
* [Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection - IppSec - 10 oct. 2022](https://youtu.be/Ts-ofIVRMo4) |
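Review bot: the snippet under "Copy Windows PowerShell one-liner" is the wrong command for the step it documents. `elastic-agent.exe install -f --fleet-server-es=... --fleet-server-service-token=... --fleet-server-policy=...` is the Fleet Server install invocation, whereas the "Enroll in Fleet" one-liner that Kibana generates for an endpoint uses `--url=<fleet server url> --enrollment-token=<token>`, and it is that command that takes the `--insecure` flag the text mentions for untrusted certificates. The hard-coded `elastic-agent-7.15.1-windows-x86_64.zip` URL also contradicts `STACK_VERSION="8.11.2"` set in `.env` a few lines earlier; an agent has to match the major version of the Fleet Server/Kibana it enrolls to, so either copy the one-liner exactly as Kibana renders it for the running stack or use a `<version>` placeholder rather than a stale 7.x artifact. Smaller points: every fence in the Setup section is tagged `ps1` although everything up to `./elastic-container.sh start` and the final `./elastic-container.sh destroy` is bash on the Docker host (only the Fleet snippet is PowerShell); `apt-get update` / `apt-get install jq git curl` lack the `sudo` that the preceding block uses; and after `usermod -aG docker $USER` the user must log out and back in (or run `newgrp docker`) before `./elastic-container.sh start` works without sudo, which is worth one line so the first run does not fail with a socket permission error. Finally, "Switch `Prevent` to `Detect`, to keep the execution running" would be clearer as "set the protection level to Detect so malware samples are logged but not blocked", since that is the reason a research lab wants it.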