Lab Setup #
1 windows host for the agent 1 ubuntu Desktop 22.04 for the containers
links: (Official repo) https://github.com/peasead/elastic-container
Installation #
install docker and docker-compose-plugin
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
# Install docker from apt
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
add our user to the docker group
sudo groupadd docker
sudo usermod -aG docker user
install the requirements
apt-get update
apt-get install jq git curl
clone the repo
git clone https://github.com/peasead/elastic-container
cd elastic-container
Edit the enviroment variables in .env
ELASTIC_PASSWORD="changeme"
KIBANA_PASSWORD="changeme"
STACK_VERSION="8.15.3"
WindowsDR=1
LICENSE=trial # enable the platinum features
download and run
chmod +x ./elastic-container.sh
./elastic-container.sh start
after it finishes we can login inside the kibana dashboard and we can check the current container status
Adding the agent #
we go to the fleet server tab > add agent here we retrieve the command that need to be launched from the powershell prompt in our windows host
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.15.3-windows-x86_64.zip -OutFile elastic-agent-8.15.3-windows-x86_64.zip
Expand-Archive .\elastic-agent-8.15.3-windows-x86_64.zip -DestinationPath .
cd elastic-agent-8.15.3-windows-x86_64
.\elastic-agent.exe install --url=https://172.30.71.180:8220 --enrollment-token=TOKEN --insecure
at this point we will se that our new host appears in the agent tab to be sure that the kibana interface is receiving the logs we need to check the data streams
Endpoint Policy #
We can than modify the EDR integration policy that if we choose the trial license will unlock also the platinum features. At this point we can choose if we want only to detect or prevent malware and all this fun stuff. At the bottom we can click Show advanced settings and enable this features We can then go inside Security > alerts > manage rules > filter tags for windows os and check that all the rules have been activated
Disable Telemetry #
We can then head to Stack Management > kibana > advanced settings > global settings and disable usage collection
Sysmon + winlogbeat #
Download and run sysmon on the windows host
Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -OutFile Sysmon.zip
Expand-Archive .\Sysmon.zip -DestinationPath .
Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile ./sysmonconfig.xml
.\Sysmon.exe -accepteula -i .\sysmonconfig.xml
download winlogbeat from the site Download Winlogbeat | Ship Windows Event Logs | Elastic | Elastic
Expand-Archive .\winlogbeat-X-windows-x86_64.zip -DestinationPath .
mv .\winlogbeat-X-windows-x86_64 'C:\Program Files\winlogbeat'
cd 'C:\Program Files\winlogbeat\'
.\install-service-winlogbeat.ps1
then we can modify the winlogbeat.yml file
###################### Winlogbeat Configuration Example ########################
# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains
# all the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html
# ======================== Winlogbeat specific options =========================
winlogbeat.event_logs:
- name: Application
ignore_older: 72h
- name: Microsoft-Windows-Windows Defender/Operational
- name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
- name: System
- name: Security
- name: Microsoft-Windows-Sysmon/Operational
- name: Windows PowerShell
event_id: 400, 403, 600, 800
- name: Microsoft-Windows-PowerShell/Operational
event_id: 4103, 4104, 4105, 4106
- name: ForwardedEvents
tags: [forwarded]
- name: Microsoft-Windows-WMI-Activity/Operational
event_id: 5857,5858,5859,5860,5861
# ====================== Elasticsearch template settings =======================
setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false
# ================================== General ===================================
# ================================= Dashboards =================================
# =================================== Kibana ===================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
host: "192.168.100.3:5601"
protocol: "https"
ssl.verification_mode: none
# =============================== Elastic Cloud ================================
# ================================== Outputs ===================================
# Configure what output to use when sending the data collected by the beat.
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["192.168.100.3:9200"]
# Protocol - either `http` (default) or `https`.
protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
username: "elastic"
password: "!QAZ2wsx"
ssl.verification_mode: none
# Pipeline to route events to security, sysmon, or powershell pipelines.
pipeline: "winlogbeat-%{[agent.version]}-routing"
# ================================= Processors =================================
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
test it
.\winlogbeat.exe test config -c .\winlogbeat.yml -e
run it
.\winlogbeat.exe setup -e
if you dont wanna use the elastic user the setup its much longer check https://www.elastic.co/guide/en/beats/winlogbeat/current/feature-roles.html at this point we can run and enable the service with
Set-Service -Name "winlogbeat" -StartupType automatic
Start-Service -Name "winlogbeat"
Get-Service -Name "winlogbeat"
sysmon logs can be found in the event viewer
EDR Exceptions #
rules > shared exception list > create
Useful commands #
connect to a running container
docker exec -it -u root ecp-elasticsearch bash
change default switch ethernet ip of hyperv
netsh interface ip set address name="vEthernet (Default Switch)" static 172.30.64.1 255.255.240.0 none
destroy container
./elastic-container.sh destroy
status dei container
./elastic-container.sh status
stop container
./elastic-container.sh stop
clear log
./elastic-container.sh clear
uninstall agent
C:\"Program Files"\Elastic\Agent\elastic-agent.exe uninstall
enable nested virtualization on hyper-v
Set-VMProcessor -VMName 'Malware Lab' -ExposeVirtualizationExtensions $true
run the windows docker container https://github.com/dockur/windows for the windows machine
docker run -it --rm -p 8006:8006 -p 3389:3389 --device=/dev/kvm --cap-add NET_ADMIN --stop-timeout 120 --network=elastic-container_default dockurr/windows
to clean powershell history
Remove-Item (Get-PSReadlineOption).HistorySavePath.ConsoleHost_history.txt
or delete file in %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.tx and restart the powershell session
Errors encountered winlogbeat #
Exiting: error loading template: failed to check data stream: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/data_stream/get] is unauthorized for user [winlogbeat] with effective roles [ingest_admin,kibana_admin,winlogbeat_setup] on indices [winlogbeat-8.15.3], this action is granted by the index privileges [view_index_metadata,manage,all]"}],"type":"security_exception","reason":"action [indices:admin/data_stream/get] is unauthorized for user [winlogbeat] with effective roles [ingest_admin,kibana_admin,winlogbeat_setup] on indices [winlogbeat-8.15.3], this action is granted by the index privileges [view_index_metadata,manage,all]"},"status":403}
{"log.level":"error","@timestamp":"2024-11-01T08:22:02.296-0700","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1360},"message":"Exiting: failed to create new event log: failed in processor.javascript: failed to open file C:\\Program Files\\winlogbeat/module/security/config/winlogbeat-security.js: open C:\\Program Files\\winlogbeat/module/security/config/winlogbeat-security.js: The system cannot find the path specified.","service.name":"winlogbeat","ecs.version":"1.6.0"}
Exiting: failed to create new event log: failed in processor.javascript: failed to open file C:\Program Files\winlogbeat/module/security/config/winlogbeat-security.js: open C:\Program Files\winlogbeat/module/security/config/winlogbeat-security.js: The system cannot find the path specified
Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://172.30.71.180:9200: 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\", charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\", charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}]
"log.level":"error","@timestamp":"2024-11-01T07:58:19.440-0700","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1360},"message":"Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://172.30.71.180:9200: Get \"https://172.30.71.180:9200\": x509: certificate signed by unknown authority]","service.name":"winlogbeat","ecs.version":"1.6.0"}
Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://172.30.71.180:9200: Get "https://172.30.71.180:9200": x509: certificate signed by unknown authority]
References #
https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/elastic-edr/#setup https://otterhacker.github.io/Malware/EDR/Elastic%20EDR.html
elastic docs