Elastic EDR Lab Setup

Create Elastic EDR lab with Enterprise features

  ·   6 min read

Lab Setup #

Two machines are used:

- 1 Windows host for the agent
- 1 Ubuntu Desktop 22.04 host for the containers

Link: official repo, https://github.com/peasead/elastic-container

Installation #

Install Docker and the docker-compose-plugin on the Ubuntu host (these are the steps from Docker's own apt repository instructions):

sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
# Install docker from apt
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Add our user to the docker group (replace $USER if you are setting this up for a different account; the new membership only applies after logging out and back in, or in a shell started with newgrp docker):

sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker

Install the tools the elastic-container script depends on:

sudo apt-get update
sudo apt-get install jq git curl

clone the repo

git clone https://github.com/peasead/elastic-container
cd elastic-container

Edit the environment variables in .env. Replace both changeme defaults with real passwords before starting (the elastic password is also what the agent and Winlogbeat will authenticate with later), and keep STACK_VERSION in sync with the agent and Winlogbeat versions you install on the Windows host:

ELASTIC_PASSWORD="changeme"   # change this
KIBANA_PASSWORD="changeme"    # change this
STACK_VERSION="8.15.3"
WindowsDR=1                   # enable the prebuilt detection rules tagged for Windows
LICENSE=trial                 # enable the platinum features

Make the script executable and start the stack (the first run pulls the images, so it takes a while):

chmod +x ./elastic-container.sh
./elastic-container.sh start


After it finishes we can log in to the Kibana dashboard (https://<docker host>:5601, user elastic with the password from .env) and check the container status with ./elastic-container.sh status.

Adding the agent #

In Kibana go to Fleet > Agents > Add agent, pick the Windows policy and copy the install command. It is run from an elevated PowerShell prompt on the Windows host:

$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.15.3-windows-x86_64.zip -OutFile elastic-agent-8.15.3-windows-x86_64.zip
Expand-Archive .\elastic-agent-8.15.3-windows-x86_64.zip -DestinationPath .
cd elastic-agent-8.15.3-windows-x86_64
# 172.30.71.180 is the Docker host running the Fleet server. --insecure skips
# verification of the Fleet server's self-signed certificate: fine for a lab,
# not for anything that matters.
.\elastic-agent.exe install --url=https://172.30.71.180:8220 --enrollment-token=TOKEN --insecure

At this point the new host appears in the Agents tab. A healthy agent only means it is enrolled and checking in; to be sure that logs are actually arriving, check the data streams under Fleet > Data streams.


Endpoint Policy #

We can then modify the Endpoint (EDR) integration policy; with the trial license the platinum features are unlocked as well. Here we choose whether we only want to detect or also prevent malware and the other protections (ransomware, memory threat, malicious behavior). At the bottom, click Show advanced settings to enable the extra features. Then go to Security > Alerts > Manage rules, filter the tags for the Windows OS and check that all the rules have been enabled.


Disable Telemetry #

Go to Stack Management > Kibana > Advanced Settings > Global Settings and disable usage collection.

Sysmon + winlogbeat #

Download and install Sysmon on the Windows host with the SwiftOnSecurity configuration (elevated PowerShell):

Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -OutFile Sysmon.zip
Expand-Archive .\Sysmon.zip -DestinationPath .
Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile ./sysmonconfig.xml
# installs the service and driver and loads the config
.\Sysmon.exe -accepteula -i .\sysmonconfig.xml

Download Winlogbeat from https://www.elastic.co/downloads/beats/winlogbeat, using the same version as the stack (X below is the version, 8.15.3 here), then install it as a service from an elevated prompt:

Expand-Archive .\winlogbeat-X-windows-x86_64.zip -DestinationPath .
mv .\winlogbeat-X-windows-x86_64 'C:\Program Files\winlogbeat'
cd 'C:\Program Files\winlogbeat\'
# if the execution policy blocks the script, run it with
# PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
.\install-service-winlogbeat.ps1

Then we edit winlogbeat.yml. Both host entries must point at the Docker host (the same address used for the Fleet URL), and ssl.verification_mode: none is there because the stack uses self-signed certificates; the alternative is to copy the CA out of the Elasticsearch container and reference it with ssl.certificate_authorities.

###################### Winlogbeat Configuration Example ########################
# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains
# all the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html
# ======================== Winlogbeat specific options =========================
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Microsoft-Windows-Windows Defender/Operational
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  - name: System
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
  - name: ForwardedEvents
    tags: [forwarded]
  - name: Microsoft-Windows-WMI-Activity/Operational
    event_id: 5857,5858,5859,5860,5861 
# ====================== Elasticsearch template settings =======================
setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false
# ================================== General ===================================
# ================================= Dashboards =================================
# =================================== Kibana ===================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
  # Docker host running Kibana (same address as the Fleet URL used for the agent)
  host: "192.168.100.3:5601"
  protocol: "https"
  ssl.verification_mode: none   # self-signed lab certificate
# =============================== Elastic Cloud ================================
# ================================== Outputs ===================================
# Configure what output to use when sending the data collected by the beat.
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to (the Docker host again).
  hosts: ["192.168.100.3:9200"]
  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  # Authentication credentials - either API key or username/password.
  # The elastic superuser with ELASTIC_PASSWORD from .env is used here only
  # because this is a lab; see the feature-roles link below for dedicated users.
  #api_key: "id:api_key"
  username: "elastic"
  password: "!QAZ2wsx"
  ssl.verification_mode: none   # or set ssl.certificate_authorities to the stack's CA
  # Pipeline to route events to security, sysmon, or powershell pipelines.
  pipeline: "winlogbeat-%{[agent.version]}-routing"
# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
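Subscribing to a channel in winlogbeat.yml does not by itself make Windows write the interesting events into it: 4104 in Microsoft-Windows-PowerShell/Operational only appears with Script Block Logging enabled, 4103 needs Module Logging, and Security 4688 with the command line needs the Process Creation audit subcategory plus the "include command line" policy. The following script, an added example that is not part of the original post, turns those on through the local policy registry keys and then confirms that the channels the config above reads are enabled. It assumes an English Windows (the auditpol subcategory name is localized) and an elevated prompt; the Set-PolicyValue helper is this example's own.

```powershell
# Added example (not from the original post or the elastic-container project).
# Enable the log sources that the winlogbeat.yml above subscribes to.
# Run from an elevated PowerShell prompt on the Windows host.

function Set-PolicyValue {
    # Create the key if missing and (over)write a single registry value.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value,
        [string] $Type = 'DWord'
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 4104: script block logging (full text of every script block that runs)
Set-PolicyValue -Path "$psPolicy\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1

# 4103: module logging for every module ('*' entry under ModuleNames)
Set-PolicyValue -Path "$psPolicy\ModuleLogging" -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type 'String'

# Security 4688 process creation, including the command line
# (subcategory name assumes an English Windows install)
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
Set-PolicyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1

# Make sure the channels winlogbeat reads are enabled and show their state.
$channels = 'Microsoft-Windows-PowerShell/Operational',
            'Microsoft-Windows-Sysmon/Operational',
            'Microsoft-Windows-WMI-Activity/Operational'
foreach ($c in $channels) {
    $log = Get-WinEvent -ListLog $c -ErrorAction SilentlyContinue
    if ($null -eq $log) { Write-Warning "channel $c not present (Sysmon not installed?)"; continue }
    if (-not $log.IsEnabled) { $log.IsEnabled = $true; $log.SaveChanges() }
    '{0,-50} enabled={1} records={2}' -f $c, $log.IsEnabled, $log.RecordCount
}
```

Group Policy will overwrite these values on a domain-joined host, so on a domain member set the same options through GPO instead; on the standalone lab VM the registry keys are enough and take effect for new PowerShell sessions.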

Test the configuration:

.\winlogbeat.exe test config -c .\winlogbeat.yml -e

Load the index template, ILM policy and Kibana dashboards (a one-time setup step, not the collector itself):

.\winlogbeat.exe setup -e

If you don't want to use the elastic superuser the setup is longer: the dedicated setup and writer roles are described at https://www.elastic.co/guide/en/beats/winlogbeat/current/feature-roles.html (the 403 in the errors section below is what you get when the setup role lacks index privileges on the winlogbeat data stream). At this point we can enable and start the service with

Set-Service -Name "winlogbeat" -StartupType automatic
Start-Service -Name "winlogbeat"
Get-Service -Name "winlogbeat"

Sysmon logs can also be checked locally in Event Viewer, under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.
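Once Sysmon, Winlogbeat and the agent are all installed, it is worth checking the whole chain on the Windows side before hunting for data in Kibana. The script below is an added example, not from the original post: it checks the four services, generates a process-creation event carrying a random marker, waits for Sysmon to log EventID 1 for it, and prints the agent's own status. Service names are assumptions (Sysmon is the name when installed from Sysmon.exe and becomes Sysmon64 with Sysmon64.exe; the agent registers as "Elastic Agent" and the endpoint as ElasticEndpoint), as is the default agent install path. The Test-LabService helper is this example's own.

```powershell
# Added example (not from the original post or the elastic-container project).
# End-to-end sanity check on the Windows host; run from an elevated prompt.
# Assumed service names: Sysmon (Sysmon64 if installed from Sysmon64.exe),
# winlogbeat, "Elastic Agent", ElasticEndpoint.

function Test-LabService {
    param([Parameter(Mandatory)] [string] $Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service = $Name
        Status  = if ($svc) { $svc.Status } else { 'missing' }
    }
}

'Sysmon', 'winlogbeat', 'Elastic Agent', 'ElasticEndpoint' | ForEach-Object { Test-LabService $_ }

# Generate a process-creation event with a marker in the command line, then wait
# for Sysmon to write EventID 1 for it. The marker also makes the same event easy
# to find as Security 4688 once command-line auditing is on.
$marker = 'edrlab-' + [guid]::NewGuid().ToString('N').Substring(0, 8)
Start-Process -FilePath 'cmd.exe' -ArgumentList "/c echo $marker" -WindowStyle Hidden -Wait

$deadline = (Get-Date).AddSeconds(15)
$hit = $null
do {
    $hit = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddMinutes(-2)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $marker } |
        Select-Object -First 1
    if (-not $hit) { Start-Sleep -Seconds 1 }
} while (-not $hit -and (Get-Date) -lt $deadline)

if ($hit) {
    'Sysmon EventID 1 seen for marker {0} at {1}' -f $marker, $hit.TimeCreated
} else {
    Write-Warning "no Sysmon EventID 1 containing $marker within 15s: check the Sysmon service and config"
}

# Agent side: Fleet connectivity and the state of the endpoint component
# (default install path assumed)
$agentExe = 'C:\Program Files\Elastic\Agent\elastic-agent.exe'
if (Test-Path $agentExe) { & $agentExe status } else { Write-Warning "elastic-agent not found at $agentExe" }
```

If the Sysmon event shows up here but nothing reaches Kibana, the problem is on the shipping side (Winlogbeat output, credentials, certificate), which is exactly the set of errors collected at the end of this post; searching Discover for the printed marker string in winlogbeat-* is the quickest way to confirm the event arrived.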

EDR Exceptions #

Security > Rules > Shared exception lists > Create, then add the exception items (for example the lab tooling you don't want the endpoint to flag).


Useful commands #

Connect to a running container as root (here the Elasticsearch one):

docker exec -it -u root ecp-elasticsearch bash

change default switch ethernet ip of hyperv

netsh interface ip set address name="vEthernet (Default Switch)" static 172.30.64.1 255.255.240.0 none

destroy container

./elastic-container.sh destroy

Container status:

./elastic-container.sh status

stop container

./elastic-container.sh stop

Clear the ingested logs:

./elastic-container.sh clear

Uninstall the agent (elevated prompt; the call operator is needed in PowerShell because of the space in the path):

& "C:\Program Files\Elastic\Agent\elastic-agent.exe" uninstall

enable nested virtualization on hyper-v

Set-VMProcessor -VMName 'Malware Lab' -ExposeVirtualizationExtensions $true

run the windows docker container https://github.com/dockur/windows for the windows machine

docker run -it --rm -p 8006:8006 -p 3389:3389 --device=/dev/kvm --cap-add NET_ADMIN --stop-timeout 120 --network=elastic-container_default dockurr/windows

To clear the PowerShell history (HistorySavePath is already the full path of the history file):

Remove-Item (Get-PSReadlineOption).HistorySavePath

or delete the file %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt and restart the PowerShell session.

Errors encountered with winlogbeat #

403 during winlogbeat setup with a dedicated user: the winlogbeat_setup role has no index privilege on the winlogbeat-8.15.3 data stream. The message itself lists what would grant it (view_index_metadata, manage or all on winlogbeat-*); add that to the role as in the feature-roles doc above.

Exiting: error loading template: failed to check data stream: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/data_stream/get] is unauthorized for user [winlogbeat] with effective roles [ingest_admin,kibana_admin,winlogbeat_setup] on indices [winlogbeat-8.15.3], this action is granted by the index privileges [view_index_metadata,manage,all]"}],"type":"security_exception","reason":"action [indices:admin/data_stream/get] is unauthorized for user [winlogbeat] with effective roles [ingest_admin,kibana_admin,winlogbeat_setup] on indices [winlogbeat-8.15.3], this action is granted by the index privileges [view_index_metadata,manage,all]"},"status":403}

Missing winlogbeat-security.js: the winlogbeat.yml still carried the 7.x-style script processors (file: ${path.home}/module/security/config/winlogbeat-security.js) under the event log entries. Winlogbeat 8.x moved module processing into Elasticsearch ingest pipelines (the routing pipeline in the config above) and no longer ships those files, so the processors have to be removed from the event log entries.

{"log.level":"error","@timestamp":"2024-11-01T08:22:02.296-0700","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1360},"message":"Exiting: failed to create new event log: failed in processor.javascript: failed to open file C:\\Program Files\\winlogbeat/module/security/config/winlogbeat-security.js: open C:\\Program Files\\winlogbeat/module/security/config/winlogbeat-security.js: The system cannot find the path specified.","service.name":"winlogbeat","ecs.version":"1.6.0"}

401 on the Elasticsearch output: the password for the elastic user in winlogbeat.yml does not match ELASTIC_PASSWORD in .env.

Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://172.30.71.180:9200: 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\", charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\", charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}]

x509 "certificate signed by unknown authority": the stack's self-signed certificate is not trusted by the Windows host. Either set ssl.verification_mode: none on the output (as in the config above, acceptable only in a lab) or point ssl.certificate_authorities at the stack's CA certificate.

{"log.level":"error","@timestamp":"2024-11-01T07:58:19.440-0700","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1360},"message":"Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://172.30.71.180:9200: Get \"https://172.30.71.180:9200\": x509: certificate signed by unknown authority]","service.name":"winlogbeat","ecs.version":"1.6.0"}

References #

https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/elastic-edr/#setup

https://otterhacker.github.io/Malware/EDR/Elastic%20EDR.html

Elastic docs