ThreatWaffle

Threat hunting repo for my independent study on threat hunting with OSQuery.

Doorman or Kolide

This repo contains two branches which are Doorman and Kolide. Both are open source OSQuery fleet managers. Koide is used in the master branch.

Setup Windows Domain Controller

Setup domain

0. mv group_vars/all.example group_vars/all
1. Vim group_vars/all and set
   1. base_domain
2. mv group_vars/win_dc.example group_vars/win_dc
3. vim group_vars/win_dc and set:
   1. ad_domain_name(by default set base_domain)
   2. ad_safe_mode_password
4. vim group_vars/windows and set :
   1. asnsible_user
   2. ansible_password
5. vim hosts set:
   1. ip addr for [win_dc]
6. ansible-playbook -i hosts deploy_windows_dc.yml
7. Shutdown and create snapshot

Setup domain user(non-admin)

0. Login into Windows DC
1. Open server manager
2. Select “Tools” then “Active Directory Users and Computers”
3. Select “Users” on the left
4. Select “Acton” then “New User”
   1. User info 2. Enter "Bill" for Firstname 2. Enter "Gates" for Last Name 2. Enter “Bgates” for logon
   2. Password 2. Enter a password for user 2. UNcheck “User must change password at next logon”
5. Shutdown and create snapshot

Setup DNS entrie

0. Open Server Manager
1. Select "Tools" then "DNS"
2. WinDC > Forward Lookup Zone > hackinglab.beer
3. Select "Action" then "New Host(A)"
   1. Enter "graylog" for Name
   2. Enter "" for IP address
   3. Repeat for Kolide

Group policy settings

Enable RDP through firewall

0. Open Group policy manager
1. Right-click "Default Domain Policy"
2. Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
3. Enable "Allow inbound Remote Desktop exceptions" and set IP addresses to "/"
4. Computer Configuration > Policies > Administrative Templates, Network > Network Connections > Windows Firewall > Domain Profile
5. Enable "Windows Firewall: Allow inbound Remote Desktop exceptions"

Powershell script block logging

0. Computer Configuration > Policies > Administrative Templates -> Windows Components -> Windows PowerShell
1. Enable "Turn on PowerShell Script Block Logging"

Process creation logging

0. Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > > Detailed Tracking
1. Enable for successful "Audit Process Creation"

SMB access via firewall

0. Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security LDAP
1. Right-click "Inbound Rules" and select "New Rule"
   1. Select "Port" for rule type
   2. Select "TCP" for protocol and enter "445" for port
   3. Select "Allow the connection"
   4. Select all profiles
   5. Enter "Allow PSexec" for name

Setup Kolide OSQuery fleet manager

0. openssl rand -base64 32
1. Copy the output from above
2. vim group_vars/kolide and set:
   1. kolide_jwt_key to output from above
   2. Set username and password for Kolide, MySQL
3. vim group_vars/all and set
   1. timezone
   2. fleet_hostname
   3. base_domain
   4. Set information for certificate
   5. Slack (optional)
4. vim hosts
   1. Set management IP address under [kolide]
5. ansible-playbook -i hosts deploy_kolide.yml -u
6. https://<Hostname/IP addr of Kolide>
   1. Setup through Kolide setup

Setup Graylog server

0. vim group_vars/graylog and set
   1. graylog_admin_password
1. vim hosts and set [graylog]
2. ansible-playbook -i hosts deploy_graylog.yml -u superadmin

Deploy OSQuery agents

Initial setup

0. Browse to https://<Hostname/IP addr of Kolide>
1. Select "Add new host" in top right
2. Select "Reveal secret" and copy the string
3. vim group_vars/agents
   1. set osquery_enroll_secret with string from Kolide

Deploy Windows OSQuery agent

** Windows hosts must be WinRM ready for Ansible ** 0. Copy contents of /etc/nginx/ssl/kolide.crt for Kolide server 0. mv conf/agents/certificate.example conf/agents/certificate.crt 0. vim conf/agents/certificate.crt and paste the contents from above 0. mv group_vars/win_agents.example group_vars/win_agents 0. vim group_vars/win_agents and set: 1. ansible_user 1. ansible_password 0. vim hosts 1. Add hosts to win_agents 0. ansible-playbook -i hosts deploy_windows_osquery_agents.yml

Deploy Linux OSQuery agent

0. vim hosts
   1. Add hosts to linux_agents 0.ansible-playbook -i hosts deploy_linux_osquery_agents.yml

Ansible setup - prod

0. vim hosts and set [caldera]
1. mv group_vars/all.example group_vars/all
2. vim group_vars/all and set:
   1. base_domain
   2. caldera_pass
3. Create a DNS entry on your DNS server for {{ caldera_pass }}.{{ base_domain }}
4. ansible-playbook -i hosts deploy_caldera.yml -u

Ansible Kolide OS support

• Ubuntu Server 16.04 64-bit

Resources/Sources

• Kolide github: https://github.com/kolide/fleet/tree/master/docs
• Kolide docs: https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md
• Remote Desktop - Group Policy : http://www.itprotoday.com/management-mobility/q-how-do-i-enable-remote-desktop-connections-windows-7-using-group-policy
• Powershell script block logging - Group Policy: https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
• Process creation auditing - Group Policy: http://www.itprotoday.com/security/understanding-and-enabling-command-line-auditing
• Add SMB Firewall rule - Group Policy: https://4sysops.com/archives/force-remote-group-policy-refresh-with-psexec/

To do:

• Set up Mac OSX deployment for OSQuery
• Docker setup
• Add DNS setup to DC