Docker Hub [https://hub.docker.com/r/asonger/elastic-detection-cli]


Before continuing, please create the custom Python file for the JIRA integration by running one of the following:

sudo touch /var/ossec/integrations/custom-jira

or, as root:

touch /var/ossec/integrations/custom-jira

For full post please click link:


How I took an issue created by another GitHub user, added value to the original query, and helped mold it into a new detection rule.

Original Query

process where event.module == "powershell" and process.args : ("powershell.exe", "Set-Service", "EventLog", "Disabled")

Example Data

{
  "_id": "89933b5f64737a55c666fd1a7155b02c533e65e040dddfb611d83e563afa6796",
  "_index": ".siem-signals-siemplify-000002",
  "_score": "1",
  "_type": "_doc",
  "@timestamp": "2021-03-31T04:43:10.154Z",
  "agent": {
    "ephemeral_id": "af1d7136-94f2-42bd-8ac6-c0c320381735",
    "hostname": "DESKTOP-AL49UOF",
    "id": "41e48758-8b2b-474a-bd22-b0d6356025e2",
    "name": "DESKTOP-AL49UOF",
    "type": "filebeat",
    "version": "7.12.0"
  },
  "data_stream": {
    "dataset": "windows.powershell",
    "namespace": "default",
    "type": "logs"
  },
  "ecs": { "version": "1.8.0" },
  "elastic_agent": {
    "id": "ebe1c190-9026-11eb-97b7-670157a7fe8c",
    "version": "7.12.0"
  },
  "event": {
    "action": "Provider Lifecycle",
    "category": "process",
    "code": "600",
    "created" …


You first begin by looking up the APIs or PowerShell cmdlets that assign permissions to a specific mailbox, since this rule is meant to detect when a mailbox permission is delegated to a specific user in the organization.

Add-MailboxPermission [-Identity] -AccessRights <MailboxRights[]> -User [-AutoMapping ] [-Confirm] [-Deny] [-DomainController ] [-GroupMailbox] [-IgnoreDefaultScope] [-InheritanceType ] [-WhatIf] []

From this you can determine that -AccessRights <MailboxRights[]> is an important parameter that will be used in the detection rule.

EXAMPLE

Add-MailboxPermission -Identity "Terry Adams" -User "Kevin Kelly" -AccessRights FullAccess -InheritanceType All

So I decided to go to the Elastic SIEM and see if I can…


DEBIAN

Install Wazuh Agent

curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.1.5-1_amd64.deb && sudo WAZUH_MANAGER='10.10.10.110' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent.deb

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Register Wazuh Agent

/var/ossec/bin/agent-auth -m 10.10.10.110

Edit File

nano /var/ossec/etc/ossec.conf

10.10.10.110 …

Restart the agent

systemctl restart wazuh-agent

WINDOWS

Install Wazuh Agent

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.1.5-1.msi -OutFile wazuh-agent.msi; ./wazuh-agent.msi /q WAZUH_MANAGER='10.10.10.110' WAZUH_REGISTRATION_SERVER='10.10.10.110' WAZUH_AGENT_GROUP='default'

Register Wazuh Agent PowerShell Command

& 'C:\Program Files (x86)\ossec-agent\agent-auth.exe' -m 10.10.10.110

Open File and edit

C:\Program Files (x86)\ossec-agent\ossec.conf

Restart

Restart-Service -Name wazuh


OS/Dok Malware Example

Let's take an example. Suppose I was working, got a notification through Cyware social threat feeds, and read the following malware research:

  • OS/Dok [https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/]

After reading this research about the threat, I can immediately develop a couple of (in "development") rules for this specific threat [in the real world, I would sandbox the malware to trigger the rules for real]. What I'm showing is just the process of the first pass at developing a rule based on malware research.

So this bundle name Truesteer.AppStore …


In this post I will be covering ways of hardening your Microsoft 365 and Azure Active Directory Tenant.

Enable MFA

Security defaults make it easier to help protect your organization from these attacks with preconfigured security settings:

  • Requiring all users to register for Azure AD Multi-Factor Authentication.
  • Requiring administrators to perform multi-factor authentication.
  • Blocking legacy authentication protocols.
  • Requiring users to perform multi-factor authentication when necessary.
  • Protecting privileged activities like access to the Azure portal.

Compliance Controls:

  • CSA CCM301; Control DSI-02
  • FedRAMP Moderate; Control IA-3
  • GDPR; Control 6.6.5
  • ISO 27018:2014; Control C.9.4.2, Control A.10.8
  • NIST 800-171; Control 3.5.2
  • NIST 800-53; Control…

This tutorial covers how to install the ELK stack in Docker containers.

Install Docker on Debian-Based Distributions

apt update
apt install apt-transport-https ca-certificates curl software-properties-common -y
echo 'deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable' >> /etc/apt/sources.list.d/docker.list
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

apt update
apt install docker-ce -y
curl -L "https://github.com/docker/compose/releases/download/1.20.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

Pull Elasticstack Image & Prepare

git clone https://github.com/elastic/stack-docker /usr/share/elastic
sysctl -w vm.max_map_count=262144

Set the PWD Environment Variable

echo 'PWD=/usr/share/elastic/' >> /usr/share/elastic/.env

Create Elasticstack containers (run from /usr/share/elastic so the .env file is picked up)

docker-compose -f ./setup.yml up

Save the password given at the end.

NOTE: The password is only shown this once.


This post will break down ways of hardening Active Directory.

Windows Firewall

Maintain at least a workstation and a server Group Policy Object (GPO) to control the Windows Firewall:

Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security

Generally, it is best to limit the following scenarios:

  • Workstation-to-workstation communication
  • Server-to-server communication
  • Server-to-workstation communication

At a minimum, consider restricting the following ports where possible:

  • Server Message Block (SMB) (TCP/445, TCP/135, TCP/139)
  • Remote Desktop Protocol (RDP) (TCP/3389)
  • Windows Remote Management (WinRM) (TCP/80, TCP/5985, TCP/5986)
  • Windows Management Instrumentation (WMI) (Dynamic/DCOM)
  • Consider setting “Apply local firewall rules” and…

This tutorial will go over how to install and configure Nginx for the ELK stack.

Install Nginx

This provides a guide to adding HTTPS support.

sudo apt-get install -y nginx apache2-utils

Configure Nginx

sudo mkdir /etc/nginx/sites-available
sudo touch /etc/nginx/sites-available/kibana
sudo mousepad /etc/nginx/sites-available/kibana &

Paste this:

server {
    listen 80;

    server_name 10.0.3.100;

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.kibana-user;

    location / {
        proxy_pass http://10.0.3.100:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Create basic auth file and user

sudo htpasswd -c /etc/nginx/.kibana-user admin

Type your password when prompted.

Activate the kibana virtual host

sudo ln -s /etc/nginx/sites-available/kibana /etc/nginx/sites-enabled/

Test…

Austin Songer

Trusted Veteran | Compassionate. Aspiring. Resourceful.
