BOTES Dataset
  • Boss of the SOC (BOTS) Dataset
  • BOTES : Boss of the Elastic SOC
  • BOTES Prerequisites
  • ECS & BOTES
  • BOTES Fields
  • Data Sanitization
  • BOTES Enrichement
    • SIEM : Data enrichment
    • Streaming architecture
    • POC Prerequisites
    • POC Code
    • POC Enhancement
  • Complex Event Processing : SIEM Detection rules
    • POCs Prerequisites
    • CVE 2019-0708 : BlueKeep
Powered by GitBook
On this page

Was this helpful?

Last updated 5 years ago

Note: For this demo, infrastructure is pretty small and simple, there is absolutely no security or reliability functionnalities configured. Don't use those configurations in production.

Demo has been tested on the latest CentOS 8 version (currently 8.0-1905).

Server-side prerequisites

System

Elastic repo

Download and install Elastic public signing key :

Create a new yum repo file and add the following lines :

Java

Installation

Elasticsearch

Installation

Configuration

Modify/add the following lines in Elasticsearch configuration file :

Configure system and Elasticsearch for JVM memory usage :

Then start and enable Elasticsearch :

Logstash

Installation

Configuration

Then start and enable Logstash :

Kibana

Installation

Configuration

Modify/add the following lines in Kibana configuration file :

Then start and enable Kibana :

Zookeeper

Installation

Configuration

Create and add the following lines to Zookeeper configuration file :

Systemd script

Create and add the following lines to Zookeeper systemd script :

Then start and enable Zookeeper :

Kafka

Installation

Configuration

Modify/add the following lines in Kafka configuration file :

Systemd script

Then start and enable Kafka :

Maven

Installation

Flink

Installation

Client-side prerequisites

The following prerequisites apply to clients. It can be configuration or software to collect logs, configuration to make logs more verbose or configuration to make host vulnerable to specifics CVE for the needs of a POC.

Windows

Sysmon

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.

Extract "Sysmon.zip" folder where you want and copy "sysmonconfig-export.xml" in the folder that has been created. (In my case directly in C:\).

Open a CMD as Administrator and launch the following commands to install Sysmon and apply the configuration :

Winlogbeat

Installation

Winlogbeat is a lightweight events shipper provided by Elastic and which can be used to send events to Logstash or/and Elasticsearch for example.

Extract "Sysmon.zip" folder where you want. (In my case directly in C:\)

Open a Powershell as Administrator and launch the following commands to install Winlog beat :

Then go to "Services" and try to start Winlogbeat to validate installation.

Configuration

To configure Winlogbeat, modify the "winlogbeat.yml" file following your need. It's possible to send logs directly to Logstash and/or Elasticsearch, to add Event logs modules/sources, add processors and so on...

winlogbeat.yml configuration example :

With this configuration, Winlogbeat will send logs to Logstash only, include Application, System, Security, Sysmon and TerminalServices-RemoteConnectionManager logs. The processors "add_locale" will also include Timezone in logs.

Linux

Metasploit

Metasploit can be easily installed with the following command :

Then to launch the Metasploit console, use :

Logstash output configuration for Kafka can be downloaded here :

Logstash input configurations for BOTES JSON files can be downloaded on Logstash Configuration section here: .

Download Sysmon on Microsoft website :

For my tests I use the Sysmon configuration from ion-storm GitHub (Forked from SwiftOnSecurity). Sysmon configuration can be downloaded here :

Download Winlogbeat on Elastic website : 

yum -y install epel-release
yum update
yum upgrade

vi nano /etc/selinux/config
#Change SELINUX value to
SELINUX=disabled

systemctl stop firewalld
systemctl disable firewalld

reboot
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
vi /etc/yum.repos.d/elasticsearch.repo

[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
sudo yum install java-1.8.0-openjdk
yum install elasticsearch
sudo vi /etc/elasticsearch/elasticsearch.yml


cluster.name: BOTES
node.name: Glooper
# If you have to change default data path 
# Don't forget to change permissions for data folder
# chown -R elasticsearch:elasticsearch /opt/data/elasticsearch/
path.data: /opt/data/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: localhost
http.port: 9200
cluster.initial_master_nodes: ["$Your_Server_IP"]
sudo vi /etc/elasticsearch/jvm.options


-Xms2g
# Xmx must but set no more than 50% of total memory and no more than 32Gb
-Xmx2g
sudo vi /etc/security/limits.conf

# Add the following lines
elasticsearch   soft  memlock   unlimited
elasticsearch   hard  memlock   unlimited


sudo vi /etc/sysconfig/elasticsearch

# Modify the folloing lines
MAX_OPEN_FILES=65535
MAX_LOCKED_MEMORY=unlimited


sudo vi /usr/lib/systemd/system/elasticsearch.service

# Add the following line
LimitMEMLOCK=infinity
systemctl start elasticsearch
systemctl enable elasticsearch
yum install logstash
https://botes.s3-us-west-1.amazonaws.com/botes-logstash-configuration/full-config/output-kafka/output-kafka.conf
systemctl start logstash
systemctl enable logstash
yum install kibana
sudo vi /etc/kibana/kibana.yml


server.port: 5601
server.host: "$Your_Server_IP"
server.name: "BOTES"
elasticsearch.hosts: ["http://localhost:9200"]
# Node can be slow if in Raspberry Pi for example
elasticsearch.requestTimeout: 300000
systemctl start kibana
systemctl enable kibana
cd /opt
wget http://apache-mirror.8birdsvideo.com/zookeeper/stable/apache-zookeeper-3.5.5.tar.gz
tar zxf apache-zookeeper-3.5.5.tar.gz
rm -f apache-zookeeper-3.5.5.tar.gz
ln -s /opt/apache-zookeeper-3.5.5/ /opt/zookeeper

mkdir /opt/zookeeper/logs
mkdir /opt/zookeeper/data

sudo useradd zk -m
sudo usermod --shell /bin/bash zk
sudo usermod -aG sudo zk
sudo chown -R zk:zk /opt/zookeeper/logs/
sudo chown -R zk:zk /opt/zookeeper/data/
vi /opt/zookeeper/conf/server.configuration


tickTime=2000
dataDir=/opt/zookeeper/data
dataLogDir/opt/zookeeper/logs
clientPort=2181
clientPortAddress=localhost
[Unit]
Description=Zookeeper Daemon
Documentation=http://zookeeper.apache.org
Requires=network.target
After=network.target


[Service]
Type=forking
WorkingDirectory=/opt/zookeeper
User=zk
Group=zk
ExecStart=/opt/zookeeper/bin/zkServer.sh start /opt/zookeeper/conf/server.configuration
ExecStop=/opt/zookeeper/bin/zkServer.sh stop /opt/zookeeper/conf/server.configuration
ExecReload=/opt/zookeeper/bin/zkServer.sh restart /opt/zookeeper/conf/server.configuration
TimeoutSec=30
Restart=on-failure


[Install]
WantedBy=default.target
sudo vi /etc/systemd/system/zookeeper.service


[Unit]
Description=Zookeeper Daemon
Documentation=http://zookeeper.apache.org
Requires=network.target
After=network.target


[Service]
Type=forking
WorkingDirectory=/opt/zookeeper
User=zk
Group=zk
ExecStart=/opt/zookeeper/bin/zkServer.sh start /opt/zookeeper/conf/server.configuration
ExecStop=/opt/zookeeper/bin/zkServer.sh stop /opt/zookeeper/conf/server.configuration
ExecReload=/opt/zookeeper/bin/zkServer.sh restart /opt/zookeeper/conf/server.configuration
TimeoutSec=30
Restart=on-failure


[Install]
WantedBy=default.target
systemctl start zookeeper
systemctl enable zookeeper
cd /opt
wget http://apache-mirror.8birdsvideo.com/kafka/2.3.0/kafka_2.11-2.3.0.tgz
tar zxf kafka_2.11-2.3.0.tgz
rm -f kafka_2.11-2.3.0.tgz
ln -s /opt/kafka_2.11-2.3.0/ /opt/kafka
vi /opt/kafka/config/server.properties


broker.id=0
listeners=PLAINTEXT://localhost:9092
log.retention.hours=24
zookeeper.connect=localhost:2181
zookeeper.connection.timeout.ms=6000
sudo vi /etc/systemd/system/kafka.service


[Unit]
Description=Apache Kafka server (broker)
Documentation=http://kafka.apache.org/documentation.html
Requires=network.target remote-fs.target
After=network.target remote-fs.target zookeeper.service


[Service]
Type=simple
User=zk
Group=zk
Environment=JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk
ExecStart=/opt/kafka/bin/kafka-server-start.sh /opt/kafka/config/server.properties
ExecStop=/opt/kafka/bin/kafka-server-stop.sh


[Install]
WantedBy=multi-user.target
systemctl start kafka
systemctl enable kafka
cd /opt
wget http://apache.mirrors.ionfish.org/maven/maven-3/3.6.2/binaries/apache-maven-3.6.2-bin.tar.gz
tar xzf apache-maven-3.6.2-bin.tar.gz
rm -f apache-maven-3.6.2-bin.tar.gz
ln -s /opt/apache-maven-3.6.2/ /opt/maven
export M2_HOME=/opt/maven
export PATH=${M2_HOME}/bin:${PATH}
cd /opt
wget http://apache-mirror.8birdsvideo.com/flink/flink-1.9.0/flink-1.9.0-bin-scala_2.11.tgz
tar zxf flink-1.9.0-bin-scala_2.11.tgz
rm -f flink-1.9.0-bin-scala_2.11.tgz
ln -s /opt/flink-1.9.0/ /opt/flink
export FLINK_HOME=/opt/flink/
export PATH=$PATH:$FLINK_HOME/bin
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
https://github.com/ion-storm/sysmon-config/blob/master/sysmonconfig-export.xml
cd C:\Sysmon
Sysmon.exe –accepteula –i sysmonconfig-export.xml
https://www.elastic.co/fr/downloads/beats/winlogbeat
cd C:\winlogbeat-7.4.1-windows-x86_64
set-executionpolicy unrestricted
.\install-service-winlogbeat.ps1
#======================= Winlogbeat specific options ===========================

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

  - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
  
#===================== Elasticsearch template settings ===========================

setup.template.settings:
  index.number_of_shards: 1 
  
#================================ Kibana =========================================

setup.kibana:
  host: "192.168.126.42:5601"
  
#================================ Logstash output ================================

output.logstash:
  hosts: ["192.168.126.42:5044"]
  
#================================ Processors =====================================

processors:
  - add_locale: ~
  - add_host_metadata: ~
  - add_cloud_metadata: ~
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > \ 
msfinstall && chmod 755 msfinstall && ./msfinstall
cd /$YourMetasploitFrameworkLocation/bin/
./msfconsole
  • Server-side prerequisites
  • System
  • Elastic repo
  • Java
  • Installation
  • Elasticsearch
  • Installation
  • Configuration
  • Logstash
  • Installation
  • Configuration
  • Kibana
  • Installation
  • Configuration
  • Zookeeper
  • Installation
  • Configuration
  • Systemd script
  • Kafka
  • Installation
  • Configuration
  • Systemd script
  • Maven
  • Installation
  • Flink
  • Installation
  • Client-side prerequisites
  • Windows
  • Sysmon
  • Winlogbeat
  • Linux
  • Metasploit
BOTES Prerequisites
PreviousPOC EnhancementNextCVE 2019-0708 : BlueKeep
  1. Complex Event Processing : SIEM Detection rules

POCs Prerequisites

This page describe which packages are needed for the CEP POCs, how install and configure them.