andrewkroh / auditbeat-apache-struts-demo

Detection of Vulnerabilities with Auditbeat

Auditbeat Demo for CVE-2017-5638

This demonstrates how the file_integrity module in Elastic's Auditbeat can be used to find machines that have an Apache Struts core jar on disk (the artifact exposed to CVE-2017-5638 / S2-045).

Then we exploit the vulnerability in the Apache Struts showcase webapp and detect the resulting command executions (execve syscalls by the tomcat user) using Auditbeat's auditd module.

Usage

Start Elasticsearch, Kibana, and install the Auditbeat dashboards.

docker-compose up

Start and provision a Debian 9 virtual machine.

vagrant up

The Vagrant machine will have:

  • Auditbeat
  • Tomcat 7
  • Apache Struts Showcase Webapp

Run the exploit.

python exploit.py '/usr/bin/touch your-box-has-been-pwned'

Open Kibana on the host machine.

http://localhost:5601

View Results

Find all Struts Jars

(Screenshot: Auditbeat File Integrity Search)

See execve syscalls by the tomcat user

(Screenshot: Auditbeat Execve Search)
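The two Kibana searches above can also be expressed as code. The script below is an added example, not part of this repository: it reads constructed Auditbeat events in newline-delimited JSON, picks out file_integrity events whose path is a Struts core jar (and triages the version in the filename against the range affected by CVE-2017-5638, Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10), then picks out auditd execve events run as the tomcat user. The field names (event.module, file.path, auditd.data.syscall, user.name, process.executable, process.args) approximate Auditbeat's ECS-style output and are assumptions; check them against the Auditbeat version you deploy.

```python
import json
import re

# Added example for this demo, not the repository's own code. Field names are
# assumptions modelled on Auditbeat's ECS-style output; adjust to your version.

# Versions affected by CVE-2017-5638 (Apache advisory S2-045):
# Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10.
VULNERABLE_RANGES = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5, 0), (2, 5, 10)),
)

STRUTS_CORE_JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.5' / '2.3.31' / '2.5.10.1' into a comparable int tuple (at least 3 parts)."""
    parts = tuple(int(p) for p in text.split("."))
    while len(parts) < 3:
        parts += (0,)
    return parts


def is_vulnerable_version(text):
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def find_struts_jars(events):
    """Step 1: file_integrity events whose path is a Struts core jar, with version triage."""
    hits = []
    for ev in events:
        if ev.get("event", {}).get("module") != "file_integrity":
            continue
        path = ev.get("file", {}).get("path", "")
        m = STRUTS_CORE_JAR.search(path)
        if m:
            hits.append({
                "host": ev["host"]["name"],
                "path": path,
                "version": m.group(1),
                "vulnerable": is_vulnerable_version(m.group(1)),
            })
    return hits


def find_execs_by_user(events, user="tomcat"):
    """Step 2: auditd execve events attributed to the servlet container's user."""
    hits = []
    for ev in events:
        if ev.get("event", {}).get("module") != "auditd":
            continue
        if ev.get("auditd", {}).get("data", {}).get("syscall") != "execve":
            continue
        if ev.get("user", {}).get("name") != user:
            continue
        proc = ev.get("process", {})
        hits.append({
            "host": ev["host"]["name"],
            "executable": proc.get("executable"),
            "args": proc.get("args", []),
        })
    return hits


# Constructed sample events in Auditbeat's newline-delimited JSON shape.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"event": {"module": "file_integrity", "action": "created"},
                "host": {"name": "struts-demo"},
                "file": {"path": "/var/lib/tomcat7/webapps/struts2-showcase/WEB-INF/lib/struts2-core-2.3.31.jar"}}),
    json.dumps({"event": {"module": "file_integrity", "action": "created"},
                "host": {"name": "patched-app"},
                "file": {"path": "/opt/app/WEB-INF/lib/struts2-core-2.3.32.jar"}}),
    json.dumps({"event": {"module": "file_integrity", "action": "created"},
                "host": {"name": "struts-demo"},
                "file": {"path": "/var/lib/tomcat7/webapps/struts2-showcase/WEB-INF/lib/commons-io-2.4.jar"}}),
    json.dumps({"event": {"module": "auditd", "action": "executed"},
                "host": {"name": "struts-demo"},
                "auditd": {"data": {"syscall": "execve"}},
                "user": {"name": "tomcat"},
                "process": {"executable": "/usr/bin/touch",
                            "args": ["/usr/bin/touch", "your-box-has-been-pwned"]}}),
    json.dumps({"event": {"module": "auditd", "action": "executed"},
                "host": {"name": "struts-demo"},
                "auditd": {"data": {"syscall": "execve"}},
                "user": {"name": "root"},
                "process": {"executable": "/usr/bin/apt-get", "args": ["apt-get", "update"]}}),
])


def load_events(ndjson):
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


if __name__ == "__main__":
    events = load_events(SAMPLE_NDJSON)
    for jar in find_struts_jars(events):
        print("struts jar:", jar)
    for ex in find_execs_by_user(events):
        print("execve by tomcat:", ex)
```

The version in the jar filename is only a triage hint: packagers may rename jars, so confirm with the file hash Auditbeat records or the jar's manifest before closing a finding. The execve search is deliberately broad; a Tomcat service account spawning any process at all is the signal worth alerting on, and the command line in process.args tells you what the attacker ran.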
