Awesome

CS6324 Project

Detecting and classifying attacks in a Linux environment

Running

Create the network for the system to run on sudo docker network create alertnet

Increase the max mem count sudo sysctl -w vm.max_map_count=262144

Start up the Honeypot and Elastic Stack sudo docker-compose -f base.yml up

You need to generate logs before you can create an index. Do this by logging in to the honepot by: ssh root@127.0.0.1 -p 2222

When the stack comes up, login to Kibana http://127.0.0.1:5601 Username: elastic Password: changeme

Create an index logstash-*

Start up ElastAlert sudo docker-compose -f alert.yml up

Testing a rule

List containers

sudo docker ps

Grab container ID for elast alert

Attach to container

sudo docker exec -it containerid /bin/sh

Rules found in /opt/elastalert/rules

Config found at /opt/elastalert/config.yml

Run rule

python -m elastalert.test_rule --config config.yaml <rule_path>

MITRE Attack Matrix

https://attack.mitre.org/wiki/Linux_Technique_Matrix

Rule Alerting

ElastAlert will write back alerts to index: elastalert_status with the _type: elastalert with all information the Alert provides. As such, we created a custom alert, MITREAttack to put this information into ElasticSearch.

To use the MITREAttack alert, the following keys should be used.

alert: "elastalert_modules.custom_alerts.MITREAttack"
attack_tactic:
attack_name: 
attack_id:

Nick's Straight Forward Rules

User enumeration

cat /etc/passwd

cat */????wd

Group enumerate

cat /etc/group

System Enumeration

uname -a

User Privilege enumeration

sudo -l

Miscellaneous Find Commands

Search for setuid binaries

Search for writable directories

See: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Further reading: WAF bypassing (Nick will look for link)