Intro to Purple Teaming: Min-maxing your logging setup
Adam Hassan / November 2023 (344 Words, 2 Minutes)
Transcript:
Purple Teaming: Min-maxing your logging setup
Announcements! UFSIT wins 3rd place nationally (out of 100+ teams) in DOE CyberForce. WRCCDC Invitational on Dec 2nd.
ToC: What is purple teaming? Homelab basics. Detection basics: Snort, YARA, Sigma. Setting up logging: ELK, Wazuh. Refining your setup: MITRE ATT&CK, performing attacks.
What is Purple Teaming?
What is a Homelab? A lab environment that you can use to emulate a real environment. Can be used to practice setting up infrastructure, practice using technologies, practice hacking and practice defending.
Honeypotting w/ T-Pot: all-in-one honeypot made by T-Mobile. Services: http(s), ssh, ftp, modbus.
https://github.com/telekom-security/tpotce
Resources
Homelabs: https://www.youtube.com/watch?v=xftEuVQ7kY0
Honeypots: https://tryhackme.com/room/introductiontohoneypots
https://www.lupovis.io/set-up-t-pot-honeypot-in-cloud-in-less-than-30-minutes/
https://www.antisyphontraining.com/live-courses-catalog/active-defense-cyber-deception-w-john-strand/
Homelabbing with VMs. Options: set up VMs with VMware/VirtualBox; use the cloud (Snap Labs); set up your own infrastructure (Proxmox, OpenStack); use the UFSIT Purple Team Infra™ (COMING SOON!)
Setting up VMs (DEMO)
Detection Basics
Setting up Logging
Linux:
auditd: /var/log/audit/audit.log
sysmon: /var/log/syslog
authorization logs: /var/log/auth.log
vsftpd logs: /var/log/vsftpd.log
…
Windows: C:\Windows\System32\winevt\Logs\*.evtx
Logging Primitives (Linux): syscalls. Watch file access and process execution (execve). Rules define what to watch and what specifics/exclusions you want.
Windows: Event IDs. Most things in Windows have an event ID for when they are logged; everything is placed into the Event Viewer.
Auditd (Linux): rules in /etc/audit/rules.d. Example:
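The rule the slide showed is not on this page. As an added example (not from the slides), here are auditd rules for the two primitives named above, a file watch and an execve watch, together with a parser that turns the SYSCALL/EXECVE record pairs auditd writes to /var/log/audit/audit.log back into process-execution events. The rule file name and the log lines are constructed samples.

```python
"""Added example: auditd rules for file access and execve, plus a parser that
reconstructs process executions from audit.log SYSCALL/EXECVE record pairs.
The log lines below are constructed samples, not a capture."""
import re
import shlex
from collections import defaultdict

# Rules as they would go into /etc/audit/rules.d/purple.rules (assumed file name).
# -w watches a path (r/w/a = read/write/attribute); -a always,exit -S execve logs
# every execve syscall; -k tags matching records so ausearch -k can pull them out.
AUDIT_RULES = [
    "-w /etc/shadow -p rwa -k shadow_access",
    "-w /etc/sudoers -p wa -k sudoers_change",
    "-a always,exit -F arch=b64 -S execve -k exec",
]

# Constructed sample of what those rules produce in audit.log. Records that
# belong to one event share the audit(<timestamp>:<serial>) id.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1301 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1700000000.101:301): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1700000000.101:302): arch=c000003e syscall=2 success=no exit=-13 ppid=1200 pid=1301 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="shadow_access"
type=SYSCALL msg=audit(1700000000.250:303): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1305 auid=1000 uid=0 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=EXECVE msg=audit(1700000000.250:303): argc=3 a0="sudo" a1="cat" a2="/etc/shadow"
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')


def parse_record(line):
    """Split one audit.log line into (record type, event id, fields dict)."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {}
    for key, val in FIELD_RE.findall(rest):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return rtype, f"{ts}:{serial}", fields


def execve_events(log_text):
    """Join each execve SYSCALL record with its EXECVE record (same event id)
    and return one dict per process execution, in log order."""
    by_id, order = defaultdict(dict), []
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if not parsed:
            continue
        rtype, event_id, fields = parsed
        if event_id not in by_id:
            order.append(event_id)
        by_id[event_id][rtype] = fields
    events = []
    for event_id in order:
        sc, ex = by_id[event_id].get("SYSCALL"), by_id[event_id].get("EXECVE")
        if not sc or not ex or sc.get("key") != "exec":
            continue  # not a process execution (e.g. a file-watch hit)
        argv = [ex[f"a{i}"] for i in range(int(ex["argc"]))]
        events.append({
            "event_id": event_id,
            "pid": int(sc["pid"]),
            "auid": int(sc["auid"]),  # login uid: the human behind the process, even under sudo
            "uid": int(sc["uid"]),
            "exe": sc["exe"],
            "cmdline": " ".join(shlex.quote(a) for a in argv),
        })
    return events


def file_watch_hits(log_text, key):
    """Return the SYSCALL records tagged with a -w rule key (e.g. shadow_access)."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed and parsed[0] == "SYSCALL" and parsed[2].get("key") == key:
            hits.append(parsed[2])
    return hits


if __name__ == "__main__":
    for ev in execve_events(SAMPLE_AUDIT_LOG):
        print(f"pid={ev['pid']} auid={ev['auid']} uid={ev['uid']} {ev['cmdline']}")
    for hit in file_watch_hits(SAMPLE_AUDIT_LOG, "shadow_access"):
        print(f"watch hit: {hit['comm']} success={hit['success']} exit={hit['exit']}")
```

The auid field is the one to key alerts on: it survives sudo and su, so the second execution above is still attributed to login uid 1000 even though it ran as uid 0.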
Sysmon (Windows + Linux (?)): rules in
Snort / Suricata: network detection. Network IDS for doing alerts, logs, etc. Based on: port, IP, packet contents, direction, …
Dissecting a Rule
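The rule dissected on the slide is not on this page. As an added example (not from the slides or from any ruleset), this parser splits a Snort/Suricata rule into the header fields the slide lists (action, protocol, addresses, ports, direction) and its options, handling semicolons inside quoted option values. The two rules are constructed samples.

```python
"""Added example: a parser for the Snort 2 / Suricata rule text format.
The sample rules are constructed for illustration, not taken from a ruleset."""
import re

SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Inbound SSH connection"; '
    'flow:to_server,established; sid:1000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound HTTP with curl UA; semicolon inside string"; '
    'content:"User-Agent|3a| curl"; nocase; sid:1000002; rev:2;)',
]

# header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def split_options(opts):
    """Split the option body on ';' but not inside double-quoted values."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(rule):
    """Return a dict with the header fields and an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a rule header: {rule!r}")
    parsed = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    for opt in split_options(m.group("opts")):
        key, sep, val = opt.partition(":")
        val = val.strip()
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        # flag options such as nocase carry no value
        options.append((key.strip(), val if sep else None))
    parsed["options"] = options
    return parsed


def option(parsed, keyword):
    """First value of a keyword, e.g. option(r, 'sid') -> '1000001'."""
    for k, v in parsed["options"]:
        if k == keyword:
            return v
    return None


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        r = parse_rule(rule)
        print(f"{r['action']} {r['proto']} {r['src']}:{r['sport']} {r['dir']} {r['dst']}:{r['dport']}")
        for k, v in r["options"]:
            print(f"    {k} = {v}")
```

Reading the header left to right gives the slide's list: the action, the protocol, source address and port, the direction arrow, destination address and port; everything inside the parentheses is the option list, where msg is the alert text and sid/rev identify the rule.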
YARA: file detection. Write a rule for detecting static attributes in a binary. Based on: hashes, metadata, strings, bytes, filesize, imports.
Dissecting a Rule
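The rule dissected on the slide is not on this page. As an added example (not from the slides), this is a minimal evaluator for a YARA subset covering three of the attributes listed above, text strings, hex byte strings and filesize, run over constructed byte blobs. The rule and the sample files are constructed; real scanning uses the yara tool or yara-python, which this toy does not replace.

```python
"""Added example: a toy evaluator for a YARA subset (text strings with the
nocase modifier, hex strings, filesize comparisons, $name / any of / all of /
N of terms joined by 'and'). Rule and sample files are constructed."""
import re

SAMPLE_RULE = r'''
rule suspicious_pe_downloader
{
    meta:
        author = "added example"
        description = "PE that carries a download URL or an encoded PowerShell launcher"
    strings:
        $mz  = { 4D 5A }
        $url = "http://" nocase
        $psh = "powershell -enc"
    condition:
        $mz and filesize < 1MB and any of ($url, $psh)
}
'''

# Constructed sample "files": a dropper-like PE, a benign PE, and a text file.
SAMPLE_FILES = {
    "dropper.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
                   + b"HTTP://cdn.example.test/p.bin\x00POWERSHELL -enc SQBFAFgA",
    "hello.exe": b"MZ\x90\x00" + b"\x00" * 200 + b"Hello, world!",
    "notes.txt": b"powershell -enc is a common evasion; see http://example.test",
}

STRING_RE = re.compile(
    r'^\$(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"((?:\s+\w+)*)|\{([0-9A-Fa-f\s]+)\})\s*$')
SIZE_UNITS = {"": 1, "KB": 1024, "MB": 1024 * 1024}


def parse_rule(text):
    """Pull the rule name, string definitions and condition out of YARA syntax."""
    name = re.search(r'^\s*rule\s+(\w+)', text, re.M).group(1)
    strings_sec = re.search(r'strings:(.*?)condition:', text, re.S).group(1)
    condition = re.search(r'condition:\s*(.*?)\s*}\s*$', text, re.S).group(1).strip()
    strings = {}
    for line in strings_sec.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = STRING_RE.match(line)
        if not m:
            raise ValueError(f"unsupported string definition: {line}")
        ident, text_val, mods, hex_val = m.groups()
        if hex_val is not None:
            strings[ident] = ("hex", bytes.fromhex(hex_val), False)
        else:
            strings[ident] = ("text", text_val.encode(), "nocase" in mods.split())
    return {"name": name, "strings": strings, "condition": condition}


def string_matches(data, strings):
    """Which $strings occur anywhere in the data (case-folded when nocase is set)."""
    hits = {}
    for ident, (_kind, needle, nocase) in strings.items():
        hay, ndl = (data.lower(), needle.lower()) if nocase else (data, needle)
        hits[ident] = ndl in hay
    return hits


def eval_term(term, hits, filesize):
    term = term.strip()
    if m := re.fullmatch(r'\$(\w+)', term):
        return hits[m.group(1)]
    if m := re.fullmatch(r'filesize\s*(<|>|==)\s*(\d+)(KB|MB)?', term):
        n = int(m.group(2)) * SIZE_UNITS[m.group(3) or ""]
        return {"<": filesize < n, ">": filesize > n, "==": filesize == n}[m.group(1)]
    if m := re.fullmatch(r'(any|all|\d+)\s+of\s+(them|\(([^)]*)\))', term):
        idents = list(hits) if m.group(2) == "them" else \
            [s.strip().lstrip("$") for s in m.group(3).split(",")]
        count = sum(hits[i] for i in idents)
        need = {"any": 1, "all": len(idents)}.get(m.group(1)) or int(m.group(1))
        return count >= need
    raise ValueError(f"unsupported condition term: {term}")


def scan(rule, data):
    """True when every 'and'-joined condition term holds for this data."""
    hits = string_matches(data, rule["strings"])
    return all(eval_term(t, hits, len(data)) for t in rule["condition"].split(" and "))


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    for fname, data in SAMPLE_FILES.items():
        print(f"{fname}: {'MATCH ' + rule['name'] if scan(rule, data) else 'no match'}")
```

Note what the modifiers do: $url carries nocase, so the upper-case HTTP:// in the dropper matches, while $psh does not and the upper-case POWERSHELL string is missed; the filesize term and the $mz byte string at the front keep the rule from firing on the plain text file.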
Sigma: log detection. Looks for strings in logs. Based on: command line strings, alerts, log messages. Supports false positives.
Dissecting a Rule
Resources
Snort / Suricata: https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/snort-rules/
https://tryhackme.com/room/snort
https://suricata.io/learn/public-training/
YARA: https://n3nu.medium.com/getting-started-with-yara-a-beginners-guide-to-understanding-and-creating-yara-rules-73bda308fd98
https://www.varonis.com/blog/yara-rules
Sigma: https://tryhackme.com/room/sighunt
https://github.com/SigmaHQ/sigma
Setting up Logging
ELK: Elastic, Logstash, Kibana. Logstash stores the data and sends it to the right place; Elastic indexes and searches the data; Kibana visualizes the data. Basis of a lot of logging & alerting platforms. Has a free 2-week trial on the cloud.
Wazuh: based on ELK. Has advanced alerting and detection; has modules for uploading to VirusTotal; can do active response.
Dissecting a Rule
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4688
Resources
ELK: https://logz.io/learn/complete-guide-elk-stack/
Wazuh: https://tryhackme.com/room/wazuhct
Suricata: https://coralogix.com/blog/writing-effective-suricata-rules-for-the-sta/
Refining your Setup
MITRE ATT&CK Framework: comprehensive knowledge base of tactics and techniques. Developed to handle cyber threats. Describes how adversaries penetrate networks and evade defenses.
Atomic Red Team: tool made by Red Canary. Lets you run premade attacks on your machine; these attacks are based on the ATT&CK Framework. This allows you to test whether your logging and alerting is detecting everything that it should be.
Attacking your systems: I love Windows/AD, so let's do a Windows/AD attack. Something you want to detect: PsExec, WmiExec, SmbExec. Learn more from my Attacking Windows/AD slides: https://da.gd/wad
Before we attack - Basics of PsExec
Windows Defender doesn’t detect it!
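Since Defender does not flag it, PsExec is a good case for the log-based detection the Sigma and Wazuh "dissecting a rule" slides introduced: the event to look at is 4688 (process creation), the one the Wazuh slide linked. As an added example (not from the slides and not a SigmaHQ rule), here is a Sigma-style process-creation rule for the PsExec service binary and client, evaluated by a small matcher over constructed 4688 events. The rule is written as a Python dict with Sigma's keys (real Sigma rules are YAML; the dict avoids a YAML dependency), the events use Sigma's field names (a real pipeline maps the 4688 fields NewProcessName, CommandLine and ParentProcessName onto Image, CommandLine and ParentImage), and the filtered service account is a placeholder.

```python
"""Added example: a Sigma-style rule for PsExec activity plus a matcher that
implements the Sigma pieces used here (field modifiers contains/endswith/
startswith, OR over list values, AND within a selection, and a condition
with and/or/not and parentheses). Rule and events are constructed."""
import re

PSEXEC_RULE = {
    "title": "PsExec Service or Client Execution",
    "status": "experimental",  # constructed for this example, not from SigmaHQ
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        # PSEXESVC.exe is the service PsExec installs on the target; it is
        # started by the Service Control Manager, hence the services.exe parent.
        "selection_svc": {
            "Image|endswith": "\\PSEXESVC.exe",
            "ParentImage|endswith": "\\services.exe",
        },
        # the client side: psexec launched against a remote host (\\host) or
        # with -accepteula, both typical of hands-on-keyboard use
        "selection_cmd": {
            "Image|endswith": ["\\psexec.exe", "\\psexec64.exe"],
            "CommandLine|contains": ["-accepteula", "\\\\"],
        },
        "filter_admin_tooling": {
            "User|contains": "svc_patchmgmt",  # placeholder for an approved account
        },
        "condition": "(selection_svc or selection_cmd) and not filter_admin_tooling",
    },
    "falsepositives": ["Legitimate administrative use of PsExec by the ops team"],
    "level": "high",
}

# Constructed 4688-style events with Sigma field names.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\PSEXESVC.exe", "CommandLine": "C:\\Windows\\PSEXESVC.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 4688, "Computer": "WS02", "User": "CORP\\jdoe",
     "Image": "C:\\Tools\\PsExec64.exe", "CommandLine": "PsExec64.exe \\\\WS03 -accepteula cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 4688, "Computer": "WS03", "User": "CORP\\svc_patchmgmt",
     "Image": "C:\\Windows\\PSEXESVC.exe", "CommandLine": "C:\\Windows\\PSEXESVC.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 4688, "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def field_matches(modifier, expected, actual):
    """Sigma string matching is case-insensitive; '' is the plain equals modifier."""
    if actual is None:
        return False
    a, e = actual.lower(), expected.lower()
    return {"contains": e in a, "endswith": a.endswith(e),
            "startswith": a.startswith(e), "": a == e}[modifier]


def selection_matches(selection, event):
    """All fields of a selection must match; a list value matches if any entry does."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(field_matches(modifier, v, event.get(field)) for v in values):
            return False
    return True


def eval_condition(condition, truth):
    """Recursive-descent evaluation of 'a and (b or not c)' over selection results."""
    tokens = re.findall(r'\(|\)|\w+', condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def expr():            # expr := term ('or' term)*
        v = term()
        while peek() == "or":
            take()
            rhs = term()
            v = v or rhs
        return v

    def term():            # term := factor ('and' factor)*
        v = factor()
        while peek() == "and":
            take()
            rhs = factor()
            v = v and rhs
        return v

    def factor():          # factor := 'not' factor | '(' expr ')' | NAME
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            v = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return v
        return truth[tok]

    result = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def rule_matches(rule, event):
    det = rule["detection"]
    truth = {name: selection_matches(sel, event) for name, sel in det.items() if name != "condition"}
    return eval_condition(det["condition"], truth)


def alerts(rule, events):
    """(Computer, User, Image) for every event the rule fires on."""
    return [(e["Computer"], e["User"], e["Image"]) for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    for computer, user, image in alerts(PSEXEC_RULE, SAMPLE_EVENTS):
        print(f"[{PSEXEC_RULE['level']}] {PSEXEC_RULE['title']}: {user} on {computer} ran {image}")
```

The third event shows why the falsepositives entry and the filter exist: the same PSEXESVC.exe execution under the approved patch-management account is suppressed, while the interactive use by jdoe on WS01 and WS02 is reported. If 4688 is collected without command-line logging enabled, selection_cmd loses its CommandLine condition and only the Image checks remain, so audit policy matters as much as the rule.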
Resources
MITRE: https://tryhackme.com/room/mitre
Atomic Red Team: https://github.com/redcanaryco/atomic-red-team/wiki/Getting-Started
DEMO