:::success
# Lab 4: SIEM
### Name: Daniil Sinelnik
:::

## Part A

### Task 1 - Introduction

:::info
a. Give a brief explanation of the architecture of your SIEM solution.
b. Provide 3 advantages of open source solutions and how do these vendors actually make money?
:::

### A

* Wazuh is a free and open-source SIEM (security information and event management) solution. It detects threats in real time, handles incidents, and manages compliance. The architecture of Wazuh has three main parts:
  * The Wazuh Manager. This is the central part that collects and analyzes security events from all the agents. It also correlates the events and sends them to Elasticsearch.
  * Wazuh agents. These are lightweight apps that collect security data from endpoints and send it back to the Manager.
  * Elasticsearch. It stores and indexes all the data collected by the Manager, making it easy to search and analyze.

### B

Advantages of open-source solutions:

* Cost-effective: Open-source solutions are usually free to use and can significantly reduce an organization's total cost of ownership.
* Customizability: Users can modify and customize open-source code to fit their specific needs.
* Community support: Open-source projects often have big communities of developers and users who contribute, support, and share information.

How open-source vendors make money:

* Support and maintenance services: Open-source vendors offer paid support, training, and maintenance to organizations using their products.
* Enterprise features: Vendors may sell additional enterprise features or modules not included in the free open-source release as premium add-ons.
* Consulting and customisation: Vendors can provide consulting services for custom installations, integrations, and optimisations of open-source software for specific uses.
* Hosting and cloud: Some open-source vendors offer managed hosting or cloud solutions based on their software for a fee.

## Task 2 - Setup Infrastructure

:::info
a. 
Configure a SIEM solution with 3 (or more) unique devices, e.g. Windows, Linux and a Network device. Can you view log data from each connected device? If yes, show this.
b. Why specifically are you able to view these logs, i.e. select two visible logs, explain these logs, and explain why and how you are able to view it on the SIEM.
:::

It was problematic to set up the Wazuh server, therefore I have decided to use the Cloud solution.

<center>

![image](https://hackmd.io/_uploads/Sk1UnFJaT.png)

</center>

<center>

![image](https://hackmd.io/_uploads/Syaoou1Ta.png)

Linux Agent

</center>

<center>

![image](https://hackmd.io/_uploads/BJ9J3uyp6.png)

Windows Agent

</center>

And now I have got the logs in the dashboard:

:::spoiler LOGS WINDOWS
```
{
  "_index": "wazuh-alerts-4.x-v1-2024.03.01-000001",
  "_id": "B6sd-40BTRmjXIX0gkIb",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": { "type": "log" },
    "cluster": { "node": "wazuh-manager-master-0", "name": "il9319a6n1y9" },
    "agent": { "ip": "10.1.1.14", "name": "DESKTOP-GM2RHGA", "id": "001" },
    "data": {
      "win": {
        "eventdata": {
          "subjectLogonId": "0x3e7",
          "subjectDomainName": "WORKGROUP",
          "targetLinkedLogonId": "0x0",
          "impersonationLevel": "%%1833",
          "authenticationPackageName": "Negotiate",
          "targetLogonId": "0x3e7",
          "logonProcessName": "Advapi",
          "logonGuid": "{00000000-0000-0000-0000-000000000000}",
          "targetUserName": "SYSTEM",
          "elevatedToken": "%%1842",
          "keyLength": "0",
          "subjectUserSid": "S-1-5-18",
          "processName": "C:\\\\Windows\\\\System32\\\\services.exe",
          "processId": "0x2c0",
          "targetDomainName": "NT AUTHORITY",
          "targetUserSid": "S-1-5-18",
          "virtualAccount": "%%1843",
          "logonType": "5",
          "subjectUserName": "DESKTOP-GM2RHGA$"
        },
        "system": {
          "eventID": "4624",
          "keywords": "0x8020000000000000",
          "level": "0",
          "providerGuid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
          "channel": "Security",
          "message": "\"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tDESKTOP-GM2RHGA$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nLogon Information:\r\n\tLogon Type:\t\t5\r\n\tRestricted Admin Mode:\t-\r\n\tVirtual Account:\t\tNo\r\n\tElevated Token:\t\tYes\r\n\r\nImpersonation Level:\t\tImpersonation\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E7\r\n\tLinked Logon ID:\t\t0x0\r\n\tNetwork Account Name:\t-\r\n\tNetwork Account Domain:\t-\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x2c0\r\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\t-\r\n\tSource Network Address:\t-\r\n\tSource Port:\t\t-\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tAdvapi \r\n\tAuthentication Package:\tNegotiate\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\"",
          "opcode": "0",
          "systemTime": "2024-03-01T17:43:46.1882149Z",
          "version": "2",
          "eventRecordID": "32762",
          "threadID": "7140",
          "computer": "DESKTOP-GM2RHGA",
          "task": "12544",
          "severityValue": "AUDIT_SUCCESS",
          "processID": "748",
          "providerName": "Microsoft-Windows-Security-Auditing"
        }
      }
    },
    "manager": { "name": "wazuh-manager-master-0" },
    "rule": {
      "mail": false,
      "pci_dss": [ "10.2.5" ],
      "level": 3,
      "hipaa": [ "164.312.b" ],
      "tsc": [ "CC6.8", "CC7.2", "CC7.3" ],
      "groups": [ "windows", "windows_security", "authentication_success" ],
      "description": "Windows logon success.",
      "nist_800_53": [ "AC.7", "AU.14" ],
      "gdpr": [ "IV_32.2" ],
      "firedtimes": 21,
      "mitre": {
        "technique": [ "Valid Accounts" ],
        "id": [ "T1078" ],
        "tactic": [ "Defense Evasion", "Persistence", "Privilege Escalation", "Initial Access" ]
      },
      "id": "60106",
      "gpg13": [ "7.1", "7.2" ]
    },
    "@index_name": "wazuh-alerts",
    "location": "EventChannel",
    "id": "1709315027.19595",
    "decoder": { "name": "windows_eventchannel" },
    "timestamp": "2024-03-01T17:43:47.417Z"
  },
  "fields": { "timestamp": [ "2024-03-01T17:43:47.417Z" ] },
  "highlight": {
    "cluster.name": [ "@opensearch-dashboards-highlighted-field@il9319a6n1y9@/opensearch-dashboards-highlighted-field@" ],
    "agent.id": [ "@opensearch-dashboards-highlighted-field@001@/opensearch-dashboards-highlighted-field@" ]
  },
  "sort": [ 1709315027417 ]
}
```
:::

:::spoiler LOGS LINUX
```
{
  "_index": "wazuh-alerts-4.x-v1-2024.03.01-000001",
  "_id": "Gqsk-40BTRmjXIX0XEIH",
  "_version": 1,
  "_score": null,
  "_source": {
    "predecoder": { "hostname": "lab4-VirtualBox", "program_name": "systemd", "timestamp": "Mar 1 21:51:17" },
    "cluster": { "node": "wazuh-manager-master-0", "name": "il9319a6n1y9" },
    "agent": { "ip": "10.1.1.11", "name": "lab4-VirtualBox", "id": "002" },
    "data": { "uid": "0", "dstuser": "lab4(uid=1001)" },
    "manager": { "name": "wazuh-manager-master-0" },
    "rule": {
      "mail": false,
      "pci_dss": [ "10.2.5" ],
      "level": 3,
      "hipaa": [ "164.312.b" ],
      "tsc": [ "CC6.8", "CC7.2", "CC7.3" ],
      "groups": [ "pam", "syslog", "authentication_success" ],
      "description": "PAM: Login session opened.",
      "nist_800_53": [ "AU.14", "AC.7" ],
      "gdpr": [ "IV_32.2" ],
      "firedtimes": 5,
      "mitre": {
        "technique": [ "Valid Accounts" ],
        "id": [ "T1078" ],
        "tactic": [ "Defense Evasion", "Persistence", "Privilege Escalation", "Initial Access" ]
      },
      "id": "5501",
      "gpg13": [ "7.8", "7.9" ]
    },
    "@index_name": "wazuh-alerts",
    "decoder": { "parent": "pam", "name": "pam" },
    "full_log": "Mar 1 21:51:17 lab4-VirtualBox systemd: pam_unix(systemd-user:session): session opened for user lab4(uid=1001) by (uid=0)",
    "input": { "type": "log" },
    "location": "/var/log/auth.log",
    "id": "1709315478.8727",
    "timestamp": "2024-03-01T17:51:18.159Z"
  },
  "fields": { "timestamp": [ "2024-03-01T17:51:18.159Z" ] },
  "highlight": {
    "cluster.name": [ "@opensearch-dashboards-highlighted-field@il9319a6n1y9@/opensearch-dashboards-highlighted-field@" ],
    "agent.id": [ "@opensearch-dashboards-highlighted-field@002@/opensearch-dashboards-highlighted-field@" ]
  },
  "sort": [ 1709315478159 ]
}
```
:::

Both logs show that an account was successfully logged in. The Windows alert is Security event ID 4624 ("An account was successfully logged on"), collected by agent 001 from the `EventChannel` location, parsed by the `windows_eventchannel` decoder and matched by rule 60106 (level 3, group `authentication_success`). The Linux alert is a PAM session being opened for user `lab4` by uid 0, collected by agent 002 from `/var/log/auth.log`, parsed by the `pam` decoder and matched by rule 5501 (level 3). In both cases the log is visible because the Wazuh agent on that host reads the log source and forwards it to the Manager, whose decoder and rule turn the raw line into an alert that is indexed and shown in the dashboard.

## Task 3 - Use Cases

:::info
a. 
Demonstrate how to block malicious IP addresses from accessing web resources on a web server. To do this, you will set up your web servers on select endpoints within your infrastructure, and try to access them from an external endpoint.
b. Simulate a brute force attack against your infrastructure and demonstrate how you would detect the attack on each of the devices within your infrastructure. Are you able to detect the attack? If not, ensure you are able to.
c. Demonstrate how you would use the SIEM to detect existing CVEs within devices in your infrastructure, i.e. vulnerability detection. Ensure you remediate at least 1 vulnerability on each device and prove this in an updated scan.
:::

I decided to use `Hydra` to brute-force the agents via an `ssh` connection, and I can see that many authorization attempts were made on Windows. After that I started the agents themselves and saw many vulnerabilities. To reduce the number of vulnerabilities I installed the patches on Linux. Meanwhile on Windows it is done almost the same way, but via `Windows Update Manager`.

Bruteforcing:

<center>

![image](https://hackmd.io/_uploads/B1XaQcyaa.png)

![image](https://hackmd.io/_uploads/S1P6XqyTp.png)

Linux

</center>

<center>

![image](https://hackmd.io/_uploads/ByaCm5Jpa.png)

Windows

</center>

On Linux I was using the following commands:

```
sudo apt-get update
sudo apt-get upgrade
```

After I had installed the patches on both VMs, it produced the following:

<center>

![image](https://hackmd.io/_uploads/r14sz51p6.png)

Linux

</center>

<center>

![image](https://hackmd.io/_uploads/rk5RGqkT6.png)

Windows

</center>

## Task 4 - SIEM

:::info
1. Get a sample of the Sysjoker malware and infect any single chosen endpoint. Utilize Osquery with your SIEM in order to detect this malware.
2. Get a sample of the whispergate malware. Utilize YARA or Virustotal with your SIEM in order to detect and remove this malware.
Here, there will be no need to run the malware on the endpoint before you can detect and mitigate it.
:::

To install `OSquery` I have used the following commands:

```
export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys $OSQUERY_KEY
sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
sudo apt-get update -y
sudo apt-get install osquery -y
```

<center>

![image](https://hackmd.io/_uploads/By6fv9ya6.png)

Config for Osquery

</center>

After that I downloaded SysJoker, ran it and verified that it shows the logs.

<center>

![image](https://hackmd.io/_uploads/rJLD391a6.png)

</center>

Here is where I have run Osquery:

<center>

![image](https://hackmd.io/_uploads/r1Zi0ckpp.png)

</center>

Logs from the dashboard:

:::spoiler LOG
```
{
  "_index": "wazuh-alerts-4.x-v1-2024.02.21-000001",
  "_id": "L2C4140BeLRpBbfHAQo5",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": { "type": "log" },
    "cluster": { "node": "wazuh-manager-master-0", "name": "il9319a6n1y9" },
    "agent": { "ip": "10.1.1.11", "name": "lab4-VirtualBox", "id": "002" },
    "manager": { "name": "wazuh-manager-master-0" },
    "rule": {
      "firedtimes": 2,
      "mail": false,
      "level": 5,
      "groups": [ "osquery" ],
      "description": "osquery error message",
      "id": "24001"
    },
    "@index_name": "wazuh-alerts",
    "location": "osquery",
    "decoder": {},
    "id": "1708721166.0",
    "timestamp": "2024-03-01T17:51:18.159Z",
    "full_log": "E0224 00:46:06.809621 9813 init.cpp:520] osqueryd Pidfile check failed: Pidfile::Error::Busy"
  },
  "fields": { "timestamp": [ "2024-03-01T17:51:18.159Z" ] },
  "highlight": {
    "cluster.name": [ "@opensearch-dashboards-highlighted-field@il9319a6n1y9@/opensearch-dashboards-highlighted-field@" ],
    "agent.id": [ "@opensearch-dashboards-highlighted-field@002@/opensearch-dashboards-highlighted-field@" ],
    "rule.groups": [ "@opensearch-dashboards-highlighted-field@osquery@/opensearch-dashboards-highlighted-field@" ]
  },
  "sort": [ 1708721166886 ]
}
```
:::
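The following Python script is an added example, not part of this report and not Wazuh's own code. It answers the "why and how can you see this log" question of Task 2 programmatically: for each alert document exported from the dashboard it extracts the agent, the log location, the decoder and the rule that fired, and it classifies the alert. The three sample documents are constructed, trimmed copies of the alerts shown above (the Windows 4624 logon, the Linux PAM session and the Task 4 osquery alert); the third one is flagged as a collector error, since rule 24001 reports that `osqueryd` could not start (`Pidfile::Error::Busy`) rather than anything about the host. The group names `authentication_failed` and `authentication_failures` are assumed from Wazuh's stock rules and do not appear in this report.

```python
"""Summarise Wazuh alert documents as exported from the dashboard's JSON view."""
from collections import defaultdict

# Constructed sample input: trimmed copies of the three alerts shown in this report
# (Windows event 4624, Linux PAM session, osquery error), keeping only the fields used below.
SAMPLE_ALERTS = [
    {"_source": {
        "agent": {"id": "001", "name": "DESKTOP-GM2RHGA", "ip": "10.1.1.14"},
        "location": "EventChannel",
        "decoder": {"name": "windows_eventchannel"},
        "data": {"win": {
            "system": {"eventID": "4624", "channel": "Security"},
            "eventdata": {"targetUserName": "SYSTEM", "logonType": "5"}}},
        "rule": {"id": "60106", "level": 3, "description": "Windows logon success.",
                 "groups": ["windows", "windows_security", "authentication_success"],
                 "mitre": {"id": ["T1078"], "technique": ["Valid Accounts"]}},
        "timestamp": "2024-03-01T17:43:47.417Z"}},
    {"_source": {
        "agent": {"id": "002", "name": "lab4-VirtualBox", "ip": "10.1.1.11"},
        "location": "/var/log/auth.log",
        "decoder": {"parent": "pam", "name": "pam"},
        "data": {"uid": "0", "dstuser": "lab4(uid=1001)"},
        "rule": {"id": "5501", "level": 3, "description": "PAM: Login session opened.",
                 "groups": ["pam", "syslog", "authentication_success"],
                 "mitre": {"id": ["T1078"], "technique": ["Valid Accounts"]}},
        "timestamp": "2024-03-01T17:51:18.159Z"}},
    {"_source": {
        "agent": {"id": "002", "name": "lab4-VirtualBox", "ip": "10.1.1.11"},
        "location": "osquery",
        "decoder": {},
        "rule": {"id": "24001", "level": 5, "description": "osquery error message",
                 "groups": ["osquery"]},
        "full_log": "E0224 00:46:06.809621 9813 init.cpp:520] osqueryd Pidfile check failed: Pidfile::Error::Busy",
        "timestamp": "2024-03-01T17:51:18.159Z"}},
]


def classify(rule):
    """Map a rule's groups/description onto a coarse triage category."""
    groups = rule.get("groups", [])
    if "authentication_success" in groups:
        return "auth_success"
    # Assumed group names from Wazuh's stock failure rules (not shown in this report)
    if "authentication_failed" in groups or "authentication_failures" in groups:
        return "auth_failure"
    if "error" in rule.get("description", "").lower():
        return "collector_error"  # the collector itself failed; says nothing about the host
    return "other"


def summarize_alert(doc):
    """Reduce one alert to the fields that explain why it is visible in the SIEM:
    which agent read which log source, which decoder parsed it, which rule fired."""
    src = doc["_source"]
    rule = src["rule"]
    data = src.get("data", {})
    # The account the event concerns, taken from whichever decoder populated it
    user = None
    if "win" in data:
        user = data["win"].get("eventdata", {}).get("targetUserName")
    elif "dstuser" in data:
        user = data["dstuser"]
    return {
        "agent": f'{src["agent"]["id"]} ({src["agent"]["name"]})',
        "path": (f'{src["location"]} -> {src["decoder"].get("name", "none")} '
                 f'-> rule {rule["id"]} (level {rule["level"]})'),
        "kind": classify(rule),
        "user": user,
        "mitre": rule.get("mitre", {}).get("id", []),
        "description": rule["description"],
    }


def triage(docs):
    """Count alert kinds per agent so collector problems stand out next to real findings."""
    counts = defaultdict(lambda: defaultdict(int))
    for doc in docs:
        summary = summarize_alert(doc)
        counts[summary["agent"]][summary["kind"]] += 1
    return {agent: dict(kinds) for agent, kinds in counts.items()}


if __name__ == "__main__":
    for doc in SAMPLE_ALERTS:
        print(summarize_alert(doc))
    print(triage(SAMPLE_ALERTS))
```

Run against a real export (the JSON view of any row in Discover), the `path` field gives the answer the task asks for, and `triage` makes it obvious when an integration such as osquery is only producing error alerts instead of query results.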
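For Task 3 (detecting the brute-force attempts on the Linux agent), here is an added example of the detection logic itself, written for this page rather than taken from the report or from Wazuh. It applies the frequency-within-timeframe idea that SIEM correlation rules use: `/var/log/auth.log` lines are parsed, `sshd` password failures are counted per source IP inside a sliding window, and a finding is raised the first time a source reaches the threshold. The log lines, the hostname `lab4-VirtualBox`, the source addresses and the year are all constructed for the example; the threshold of 8 failures in 120 seconds is an assumed value, not one the report states. The same logic applies to the Windows agent by counting event ID 4625 per source address instead.

```python
"""Sliding-window SSH brute-force detector over auth.log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd failure line as written to /var/log/auth.log; syslog omits the year, so one is assumed.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log: 8 failures from 10.1.1.50 in five seconds, one failure and one
# success from 10.1.1.20, and an unrelated PAM line like the one shown in Task 2.
SAMPLE_AUTH_LOG = [
    "Mar  1 21:40:01 lab4-VirtualBox sshd[2201]: Failed password for invalid user admin from 10.1.1.50 port 51012 ssh2",
    "Mar  1 21:40:02 lab4-VirtualBox sshd[2203]: Failed password for invalid user admin from 10.1.1.50 port 51014 ssh2",
    "Mar  1 21:40:02 lab4-VirtualBox sshd[2205]: Failed password for lab4 from 10.1.1.50 port 51016 ssh2",
    "Mar  1 21:40:03 lab4-VirtualBox sshd[2207]: Failed password for lab4 from 10.1.1.50 port 51018 ssh2",
    "Mar  1 21:40:03 lab4-VirtualBox sshd[2209]: Failed password for root from 10.1.1.50 port 51020 ssh2",
    "Mar  1 21:40:04 lab4-VirtualBox sshd[2211]: Failed password for lab4 from 10.1.1.20 port 40022 ssh2",
    "Mar  1 21:40:04 lab4-VirtualBox sshd[2213]: Failed password for root from 10.1.1.50 port 51022 ssh2",
    "Mar  1 21:40:05 lab4-VirtualBox sshd[2215]: Failed password for lab4 from 10.1.1.50 port 51024 ssh2",
    "Mar  1 21:40:05 lab4-VirtualBox sshd[2217]: Failed password for invalid user test from 10.1.1.50 port 51026 ssh2",
    "Mar  1 21:40:06 lab4-VirtualBox sshd[2219]: Accepted password for lab4 from 10.1.1.20 port 40024 ssh2",
    "Mar  1 21:51:17 lab4-VirtualBox systemd: pam_unix(systemd-user:session): session opened for user lab4(uid=1001) by (uid=0)",
]


def parse_failure(line, year=2024):
    """Return (timestamp, source_ip, username) for an sshd failure line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the double space in "Mar  1"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def detect_bruteforce(lines, threshold=8, window_seconds=120):
    """One finding per source IP, raised the first time it reaches `threshold`
    failures within `window_seconds` (the frequency/timeframe correlation idea)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames tried so far
    alerted = set()               # avoid re-alerting on every later failure
    findings = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip, user = parsed
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            findings.append({
                "ip": ip,
                "failures": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
                "users": sorted(users[ip]),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(finding)
```

The single failure from `10.1.1.20` never produces a finding, which is the point of the window: a user mistyping a password once is not an attack, while many failures against several usernames from one source within two minutes is. In Wazuh this correlation happens on the Manager, so the agent only has to ship `/var/log/auth.log` (Linux) or the Security channel (Windows) for the detection to work.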