00:00:00
I have always wanted to do this for a video, but it's been a little bit daunting, because configuring ELK, Elastic, Logstash, Kibana, this whole structure and setup for a SIEM solution, or "sim", however you pronounce it, can be a little bit... a lot of moving pieces, right? So I'm excited, I'm stoked, I'm super happy to be able to do this with the help of John Strand's courses, his introductory labs that are freely available all online.

00:00:23
Just as a gentle reminder, you can always be jumping into any of John Strand's and Antisyphon Training's and Black Hills Information Security's, this awesome tribe of companies', pay-what-you-can training. If you haven't seen it, it's just literally courses, education, free training that you can choose the price tag for. But if you take a look, they do have some incredible courses coming up, like their Active Defense and Cyber Deception course, and tons and tons more. There's things that you could learn all about making hackers earn their access and making them cry when you're wasting their time, doing some great defense in depth, and tons of great stuff from John Strand. Well, he's always putting out a lot of these pay-what-you-can trainings.
00:00:58
If you haven't registered for these before, you just cruise through it: hey, fill out whatever forms you need to, but you get down to the price section. Look, you can pay the minimum, you can pay 50, you can pay 95, but if you want to bring this down even lower to make it more accessible for you, if you just don't have the cash, it is pay what you can. So for tuition assistance you can click here, and then you'll get a new form where all of those pricing options go away and you just register and you sign up, and that's it. You can make this course free, accessible to you. There are tons of other pay-what-you-can courses, and it's always worth just taking a look at what is Antisyphon Training up to, what is Black Hills Information Security up to, and hey, how can I jump into Wild West Hackin' Fest, their conference. Anyway,
00:01:35
let's get into their publicly accessible and free introductory labs that are part of these pay-what-you-can courses. You can find them online just on GitHub, strandjs IntroLabs, and in the past couple of videos we set up a virtual machine where we've gotten a chance to play with a lot of these labs, but there are so many that you can just cruise through. So in this video I want to get into ELK, Elastic, Logstash, Kibana, and this is a three-part series for their walkthrough, for their write-ups of the labs, but I want to cram this all into one video. So look, they get into the good stuff: we're setting up a SIEM, and you could also toggle on rules to alert us when defenders are attacking our organization, what tradecraft, what TTPs from the MITRE ATT&CK framework, and what are they all up to. But this is awesome:
00:02:16
you can get started with ELK using the Elastic Cloud, just a 14-day trial, doesn't require a credit card, you just need an email and a password, and all we do is just set up a free account. So I'm going to do it: jumping over to this URL, this is all it takes, just start your free Elastic Cloud trial. Let me fill out my email address, choose a password, and then sign up with email. Nice and easy. Now we can just cruise through a super simple form: hey, I'll just put my name, company is "self", uh, I am new to Elastic and I'm more interested in security, I'd like to just learn more about Elastic. Let's do it.

00:02:48
All right, now we need to create a new deployment. I can just call mine, I don't know, "security deployment", how about that. Uh, we could change some of the settings, but I think I'm just fine with the defaults. Let's go and create our deployment, and cool, oh, we have 150 days left of our trial, goodness, it's more than 14. Okay, now it's doing its thing, it is creating our deployment, doing whatever configuration things that it needs. We could cruise through with the tour, um, but I don't really need to do that, I just kind of want to go back to my deployment. Um, oh shoot, and it showed me credentials, can I get back to that? "These root credentials are shown only once." Oh goodness, okay, uh, I guess I'll just check the frame of the video, maybe. And it is still creating the deployment, the video is cruising through, but I have now seen, after a little bit of time, the Kibana menu open up in the navigation. So kind of taking a look at what the lab suggests, we should be able to go ahead and open up Kibana, and once this thing finishes up we can go ahead and move on with the lab here.

00:03:40
Okay, now this has popped up, looks like I have my Kibana instance up and running. Um, I can edit the configuration, I can play with monitoring the health here, copy endpoint, can I just open this? Oh okay, cool, yeah,
00:03:52
now we're going somewhere new. All right, now we've loaded up Kibana, seemingly, or we're still in Elastic, but let me go ahead and manage deployment, and I could move down to, okay, Security, Management, ooh, Fleet. Fleet is what I'm looking for, that is what is suggested next in the lab, and we want to be able to add an agent here. So I'm going to go ahead and click on this Add agent button, and then: "Adding Elastic Agents to your hosts allows it to collect data and send it to the Elastic Stack." Okay, what type of host are you adding? They're controlled by an agent policy, creating new policy to get started. Um, I realize my face is in the way. Uh, the advanced options, no, I think that's all just fine, I'm going to assume again totally defaults are good. I'll hit Create policy, and then we'll be able to allow the other options, to enroll in Fleet and install the Elastic Agent, will all be done for me. Cool, yep, okay, seemingly good. We will enroll in Fleet, install the Elastic Agent on your host, oh okay, we will toggle this to Windows, and that should be all good for me. I'll just want to copy this syntax, and then the lab suggests, hey, we just save this, we just take note of it so we know how we can go ahead and install this when the time comes, but then we'll move into part two of this little lab walkthrough, and that way we'll be able to actually install and configure the Elastic Agent.
00:05:06
So let me just open up Notepad, I suppose that's fine, and I'll paste this in. So it looks like this syntax, like the PowerShell code that they give here, is just everything that you need to actually download the Elastic Agent, expand the archive, like decompress the zip file, and then install the Elastic Agent. Uh, I think we could basically skip over what would be lab number two here on installing the whole agents. So let me go ahead and copy the syntax and I'll open up a Windows Terminal, I'll hit Ctrl+Shift+Enter on my keyboard so that I can open this up in admin mode. I'm going to go and full-screen this, and I suppose I will make a directory for, like, elastic, so at least this is kind of clean and not just randomly in my user profile. Now I'll go ahead and paste all this in, because there's currently nothing in the path here, and I'll let it download the Elastic Agent for me. Now that that's done, it's going to try and decompress the zip archive, Expand-Archive in PowerShell, okay, and now it's going to go ahead and install the agent. It says "Elastic Agent will be installed in C:\Program Files\Elastic\Agent and will run as a service. Do you want to continue?" Let's hit Y for yes, enter that, and let it do its thing. Okay, it took a little bit, but, uh, looks like it says "Successfully triggered restart on running Elastic Agents", "Successfully enrolled the Elastic Agent", "Elastic Agent has been successfully installed."
00:06:20
Awesome. Let me clear the screen here. Toggling back over to Elastic, over in the web browser you can see, hey, one agent has been enrolled, incoming data is confirmed, and we are ingesting everything that we need. We can click on that View enrolled agent, and here it is, there's my desktop hostname. Now I can click on this and go take a look at what is all coming from this: here's the last activity, last check-in message, agent policy that we defined, the agent version, platform. Okay, so now in the IntroLabs walkthrough we basically just jumped over what would be part two, and now we can move on to part three, where we're chatting about what data we might ingest into Elastic. And they say, look, by default Windows logs are not ideal, because it's just kind of a smorgasbord of whatever actually comes through for it, and some things might not actually be audited by default. So to get logs that are more readable and useful we can use, and we should be using, Sysmon. By the way, you'll practically, like, never ever find a client organization and environment that is actually using and has deployed Sysmon, but when you do, if you do, it's awesome. We can follow this link to download Sysmon; it is part of the toolsets that are created by Mark Russinovich.
00:07:25
Let me open this up in a new tab here. I can scroll down and click the Download Sysmon, and now I do have that zip archive. Once more, let's move back to our, uh, administrative PowerShell window and move into the Downloads directory. Oh, forgive me, that should be Downloads. And I know, look, yeah, I could probably do this all in one command, but I just like typing cd over and over again. Uh, so let's get our Sysmon.zip file that I see there. Let's go ahead and Expand-Archive, just as we saw in the Elastic Agent syntax, to go ahead and extract this zip archive, and now we should have a Sysmon directory, as we do. So let's move into that directory, and I have the Sysmon64 that we probably want to run on our 64-bit architecture. We can go ahead and run our Sysmon64.exe: "Failed to start the service. The operation completed successfully." What does that mean?

00:08:13
Uh, what does the lab suggest? Okay, they, uh, end up using Sysmon on its own, -i, -n, and -accepteula. -i is to install. Is there, like, a -h for help? Yeah, okay, cool. Okay, the usage: we can install with sysmon -i. What is -n, was that even a thing? Uh, it doesn't seem to be anymore. Anyway, so let me use that, Sysmon64 -i: "Sysmon is already registered. Uninstall Sysmon before reinstalling." Okay, so we're good, like, it's just doing its thing right now. Can I Get-Service? Oh yeah, yeah, yeah, okay, there is 64-bit, uh, Sysmon running as a service, so I'm assuming all is good. And now that Sysmon is running on our system, we need to configure our Elastic Agent to configure and gather these logs: sign into your account, navigate back to Kibana, move into Fleet, and then check out the Integrations as to what agents might be pulling stuff in. Then we can add the integration for Windows and then toggle on the button for Sysmon. Uh, let's go try it out. So back in Kibana, as part of our ELK stack, we'll move over to Fleet, and I don't see any Integrations.
00:09:19
Oh, oh, oh, oh, if we go into Agent policies you can click in on the policy that you've defined, and now the Integrations is there. Let me see if I can Add integration, and I'm going to assume I would be able to browse for Windows. There's a whole lot of entries here, uh, let me just go and search for it, let me search for Windows. Here we go, click on Windows. I just want to scroll down into this overview: does it actually give me a little bit more, like Sysmon specifically? I don't know, let's try it, let me just Add Windows. There we go, and, uh, integration name is windows-1, forwarded, PowerShell, PowerShell operational, oh, Sysmon operational, okay, perfect. I think all of this looks good, we can add it to existing hosts with the Agent policy 1, and let me click the bottom-right button that my face is in the way of: Save and continue, Save and deploy changes. I'm good with that. Okay, windows-1 integration added, now our Agent policy 1 has System integration and Windows, perfect. Uh, let me go take a look back at our Fleet, let's check our Agents, and we should see that it is working with the Windows integration and can pull from, uh, Sysmon just as well.

00:10:22
Now it says, hey, play around on the computer that has the Elastic Agent installed: move files around, create files, start programs, make a few Google searches. This will generate some logs to ensure we have Sysmon logs reaching our cloud. After you've created some log activities you can navigate to Kibana Discover. Well,
00:10:36
okay, uh, let me get back to, I suppose, our little command line here. Let's just fire up the calculator, of course, that's normal operations. Can I run, like, whoami? I don't know if that'll do anything. Um, I don't know, should I just open up WordPad, how about that? Is that going to run, is it in the path? How do you access WordPad? PowerShell probably just didn't know where the heck it was, whatever. Uh, so, so hopefully we have some Sysmon log events now. I think, uh, Sysmon process start is just 1, when you've created a process, uh, the event ID for Sysmon is 1.

00:11:09
So if we navigate back to Kibana, move into the Discover dashboard, set the source to logs, then we can look at the time constraint for today. Uh, let me go back to the little hamburger menu and let's go to Discover. Let's set our, uh, data view source to logs, we'll set this to today, as it is, good. And now I need to go figure out and find what fields would be worthwhile to search for. Uh, our agent name is probably worthwhile, because I want to get the things from our desktop, good, and if I put this in the documents view then it'll actually show it with the timestamp. Uh, can I get any specific, like, process names that are started? We have an event action that might be worth adding. Okay, not a whole lot of entries there: DNS queries, interesting, ooh, process create, process create, that is good. That's got to be an event ID that comes with that, right? Okay, event ID, let me add this. A lot of those are empty, even on process create, so that's dumb. Are there any processes that we can run? Oh, even PowerShell stuff, though, that could be worthwhile. Process, ooh, okay, process command line, let me add this. Okay, now can I see us trying to run... oh yeah, I can: here's my WordPad, excellent, here's whoami as I just typed those in the command line, and calc, check it out, here's us trying to run
00:12:31
Sysmon. Oh, the lab actually says you can set a filter on your data to limit the results just to Sysmon data. That can be done by setting the data_stream.dataset field for windows.sysmon_operational. Uh, okay, we can try that. Okay, so Add filter, um, we wanted data_stream.dataset is, and then windows.sysmon_operational, right. Let's Add filter. Okay, cool, so it was looking at the same sort of stuff we were looking at just a moment ago, and check it out, there is our process create: WordPad, whoami, and calc. Nice. So if we wanted to filter that even more, I think we could do, like, uh, what is it, it's winlog.event_id, can be, uh, colon 1, right, so it's setting to a value of 1, and that should be the... I don't, I don't want an AND, I just want that, please, can I do that? Go, filter, yeah, okay, so now we're only getting the process create, and you can see Sysmon, you can see, uh, Elastic Stack and the agent coming together. That is super duper cool, and that can help us do some further analysis within ELK.
00:13:42
And that is that, that is three of the kind of written GitHub free labs, part of the introductory courses of John Strand, Antisyphon Training, Black Hills Information Security, all of their pay-what-you-can courses. And really, really cool that we finally just got an opportunity to spin up ELK, because now we can do a little bit more of that, you know, sweet stuff: detection engineering, I don't know, tracking around in an EDR and a SIEM to see what logs are happening where, when, and how, all the stuff that can help you for your job and, like, the real world in the industry. I hope that's pretty cool, I hope that is actually tactical, uh, information security education. So hey, check out Black Hills Information Security, Antisyphon Training, pay-what-you-can courses, all the incredible stuff that John Strand is up to, and thank you so much for watching this video. Hope it was fun, hope you learned something new, hope we had a great time together, and I'll see you in the next video. Like, comment, subscribe, become a member, become a member of the channel, that really, really helps support all the stuff that we're doing here. Thanks again.