ThreatWaffle

Threat hunting repo for my independent study on threat hunting with OSQuery.

Doorman or Kolide

This repo contains two branches which are Doorman and Kolide. Both are open source OSQuery fleet managers. Koide is used in the master branch.

Setup Windows Domain Controller

Setup domain

mv group_vars/all.example group_vars/all
Vim group_vars/all and set
1. base_domain
mv group_vars/win_dc.example group_vars/win_dc
vim group_vars/win_dc and set:
1. ad_domain_name(by default set base_domain)
2. ad_safe_mode_password
vim group_vars/windows and set :
1. asnsible_user
2. ansible_password
vim hosts set:
1. ip addr for [win_dc]
ansible-playbook -i hosts deploy_windows_dc.yml
Shutdown and create snapshot

Setup domain user(non-admin)

Login into Windows DC
Open server manager
Select “Tools” then “Active Directory Users and Computers”
Select “Users” on the left
Select “Acton” then “New User”
1. User info 2. Enter "Bill" for Firstname 2. Enter "Gates" for Last Name 2. Enter “Bgates” for logon
2. Password 2. Enter a password for user 2. UNcheck “User must change password at next logon”
Shutdown and create snapshot

Setup DNS entrie

Open Server Manager
Select "Tools" then "DNS"
WinDC > Forward Lookup Zone > hackinglab.beer
Select "Action" then "New Host(A)"
1. Enter "graylog" for Name
2. Enter "" for IP address
3. Repeat for Kolide

Group policy settings

Enable RDP through firewall

Open Group policy manager
Right-click "Default Domain Policy"
Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
Enable "Allow inbound Remote Desktop exceptions" and set IP addresses to "/"
Computer Configuration > Policies > Administrative Templates, Network > Network Connections > Windows Firewall > Domain Profile
Enable "Windows Firewall: Allow inbound Remote Desktop exceptions"

Powershell script block logging

Computer Configuration > Policies > Administrative Templates -> Windows Components -> Windows PowerShell
Enable "Turn on PowerShell Script Block Logging"

Process creation logging

Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > > Detailed Tracking
Enable for successful "Audit Process Creation"

SMB access via firewall

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security LDAP
Right-click "Inbound Rules" and select "New Rule"
1. Select "Port" for rule type
2. Select "TCP" for protocol and enter "445" for port
3. Select "Allow the connection"
4. Select all profiles
5. Enter "Allow PSexec" for name

Setup Kolide OSQuery fleet manager

openssl rand -base64 32
Copy the output from above
vim group_vars/kolide and set:
1. kolide_jwt_key to output from above
2. Set username and password for Kolide, MySQL
vim group_vars/all and set
1. timezone
2. fleet_hostname
3. base_domain
4. Set information for certificate
5. Slack (optional)
vim hosts
1. Set management IP address under [kolide]
ansible-playbook -i hosts deploy_kolide.yml -u
https://<Hostname/IP addr of Kolide>
1. Setup through Kolide setup

Setup Graylog server

vim group_vars/graylog and set
1. graylog_admin_password
vim hosts and set [graylog]
ansible-playbook -i hosts deploy_graylog.yml -u superadmin

Deploy OSQuery agents

Initial setup

Browse to https://<Hostname/IP addr of Kolide>
Select "Add new host" in top right
Select "Reveal secret" and copy the string
vim group_vars/agents
1. set osquery_enroll_secret with string from Kolide

Deploy Windows OSQuery agent

** Windows hosts must be WinRM ready for Ansible ** 0. Copy contents of /etc/nginx/ssl/kolide.crt for Kolide server 0. mv conf/agents/certificate.example conf/agents/certificate.crt 0. vim conf/agents/certificate.crt and paste the contents from above 0. mv group_vars/win_agents.example group_vars/win_agents 0. vim group_vars/win_agents and set: 1. ansible_user 1. ansible_password 0. vim hosts 1. Add hosts to win_agents 0. ansible-playbook -i hosts deploy_windows_osquery_agents.yml

Deploy Linux OSQuery agent

vim hosts
1. Add hosts to linux_agents 0.ansible-playbook -i hosts deploy_linux_osquery_agents.yml

Ansible setup - prod

vim hosts and set [caldera]
mv group_vars/all.example group_vars/all
vim group_vars/all and set:
1. base_domain
2. caldera_pass
Create a DNS entry on your DNS server for {{ caldera_pass }}.{{ base_domain }}
ansible-playbook -i hosts deploy_caldera.yml -u

Ansible Kolide OS support

Ubuntu Server 16.04 64-bit

Resources/Sources

Kolide github: https://github.com/kolide/fleet/tree/master/docs
Kolide docs: https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md
Remote Desktop - Group Policy : http://www.itprotoday.com/management-mobility/q-how-do-i-enable-remote-desktop-connections-windows-7-using-group-policy
Powershell script block logging - Group Policy: https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
Process creation auditing - Group Policy: http://www.itprotoday.com/security/understanding-and-enabling-command-line-auditing
Add SMB Firewall rule - Group Policy: https://4sysops.com/archives/force-remote-group-policy-refresh-with-psexec/

To do:

Set up Mac OSX deployment for OSQuery
Docker setup
Add DNS setup to DC

djm300 / ThreatWaffle