This repo contains the Ansible playbooks and configs needed to set up the Threat Hunting environment for the blog series below.
- Part 1: Intro to Threat Hunting – Setting up the environment
- Part 2: Intro to Threat Hunting – Understanding the attack mindset with Powershell Empire and the Mandiant Attack Lifecycle
- Part 3: Intro to Threat Hunting – Hunting the imposter among us with the Elastic Stack and Sysmon
COMMON_NAME=<base domain> openssl req -x509 -new -nodes -config conf/tls/openssl.cnf -keyout conf/tls/threatwaffle.key -out conf/tls/threatwaffle.crt
cat conf/tls/threatwaffle.key | docker secret create threatwaffle-tls-key -
cat conf/tls/threatwaffle.crt | docker secret create threatwaffle-tls-crt -
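The `openssl req` one-liner above relies on `conf/tls/openssl.cnf` to put the hostname into the certificate. Modern TLS clients (osquery, browsers, curl) match the subjectAltName, not the CN, so a certificate without a SAN for the Fleet FQDN is rejected even when the CN is right. The following is an added example, not code from the ThreatWaffle repo: it generates the same key/cert pair with an explicit SAN via `-addext` (OpenSSL 1.1.1 or newer) instead of the config file, checks the SAN before the files go anywhere, and loads them into the Docker secrets under the names the README uses. The hostname `fleet.hackinglab.local` is taken from the playbook invocations later in this README.

```bash
#!/usr/bin/env bash
# Added example (not part of the ThreatWaffle repo).
# Assumes: openssl >= 1.1.1 (for -addext), docker swarm already initialised.

# gen_fleet_cert FQDN KEYFILE CRTFILE [DAYS]
# Self-signed cert whose SAN carries the FQDN; the CN is set too for old tooling.
gen_fleet_cert() {
  local fqdn=$1 key=$2 crt=$3 days=${4:-825}
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days "$days" \
    -subj "/CN=${fqdn}" \
    -addext "subjectAltName=DNS:${fqdn}" \
    -addext "extendedKeyUsage=serverAuth" \
    -keyout "$key" -out "$crt" || return 1
  # -nodes writes the private key unencrypted; at least keep it owner-only on disk
  chmod 600 "$key"
}

# cert_has_san CRTFILE FQDN -> 0 if FQDN appears as a DNS SAN, 1 otherwise
# (dots in FQDN are left as regex wildcards; fine for a lab hostname check)
cert_has_san() {
  local crt=$1 fqdn=$2 text
  text=$(openssl x509 -in "$crt" -noout -text) || return 1
  grep -Eq "DNS:${fqdn}(,|\$)" <<< "$text"
}

# load_docker_secrets KEYFILE CRTFILE
# Feeds the files on stdin so the key material never appears in argv.
load_docker_secrets() {
  docker secret create threatwaffle-tls-key - < "$1" &&
  docker secret create threatwaffle-tls-crt - < "$2"
}

# Usage:
#   fqdn=${COMMON_NAME:-fleet.hackinglab.local}
#   gen_fleet_cert "$fqdn" conf/tls/threatwaffle.key conf/tls/threatwaffle.crt
#   cert_has_san conf/tls/threatwaffle.crt "$fqdn" || { echo "no SAN for $fqdn" >&2; exit 1; }
#   load_docker_secrets conf/tls/threatwaffle.key conf/tls/threatwaffle.crt
```

If `cert_has_san` fails, osquery agents enrolling against `https://<FQDN>:8443` will log TLS handshake errors and never appear in Fleet; fixing the certificate before creating the secrets saves a `docker secret rm` and a stack redeploy later.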
docker-compose pull
➜ ThreatWaffle git:(main) ✗ docker-compose -f docker-compose-swarm.yml pull
[+] Pulling 31/34
⠴ mysql 12 layers [⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀] 0B/0B Pulling 8.6s
⠴ fleet 6 layers [⣿⣿⣿⣿⣦⣿] 60.72MB/90.28MB Pulling 8.6s
⠴ minio 7 layers [⣿⣿⡀⠀⠀⠀⠀] 8.805MB/45.79MB Pulling 8.6s
✔ redis 6 layers [⣿⣿⣿⣿⣿⣿] 0B/0B Pulled 3.5s
⠴ jupyterhub 17 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿] 0B/0B Pulling 8.6s
docker stack deploy -c docker-compose-swarm.yml threatwaffle
Creating network threatwaffle_jupyter-backend
Creating network threatwaffle_fleet-backend
Creating network threatwaffle_default
Creating config threatwaffle_mysql-fleetdm-config
Creating service threatwaffle_mysql
Creating service threatwaffle_redis
Creating service threatwaffle_minio
Creating service threatwaffle_jupyterhub
Creating service threatwaffle_fleet
docker exec -ti $(docker ps | grep minio | awk '{print $1}') bash
mc config host add myminio http://minio:9000 root <root password>
mc mb myminio/logs-bronze
mc mb myminio/fallback
- Open a web browser to
https://<FleetDM IP addr/FQDN>:8443
cd packer
packer init .
- Start VMs
for i in {500..529}
do
echo "Starting VM ID: $i"
qm start $i
sleep 30
done
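The loop above issues `qm start` to every ID in the range and sleeps 30 seconds regardless of whether the VM was already running or does not exist at all. The following is an added example, not code from the ThreatWaffle repo: it checks `qm status` first, only starts VMs that are actually stopped, reports missing IDs instead of silently skipping them, and returns non-zero if anything in the range is not running at the end. It assumes Proxmox's `qm` is on PATH and prints `status: <state>` as it does today; the ID range 500-529 and the 30-second stagger come from the README loop and can be overridden.

```bash
#!/usr/bin/env bash
# Added example (not part of the ThreatWaffle repo). Assumes Proxmox `qm` on PATH.

# vm_state VMID -> prints "running", "stopped", ... or "missing" if qm errors out
vm_state() {
  local out
  if out=$(qm status "$1" 2>/dev/null); then
    printf '%s\n' "${out#status: }"   # `qm status` prints e.g. "status: stopped"
  else
    echo missing
  fi
}

# start_vms FIRST LAST [STAGGER_SECONDS]
# One line per VM: "<id> started|already-running|start-failed|missing".
# Returns 0 only if every VM in the range ended up running.
start_vms() {
  local first=$1 last=$2 stagger=${3:-30} id state rc=0
  for ((id = first; id <= last; id++)); do
    state=$(vm_state "$id")
    case $state in
      running)
        echo "$id already-running" ;;
      stopped)
        if qm start "$id"; then
          echo "$id started"
          # stagger boots so 30 Windows VMs do not thrash the host at once
          sleep "$stagger"
        else
          echo "$id start-failed"; rc=1
        fi ;;
      missing)
        echo "$id missing"; rc=1 ;;
      *)
        # paused, suspended, etc.: leave it to the operator rather than guess
        echo "$id $state (left alone)"; rc=1 ;;
    esac
  done
  return $rc
}

# Usage:  start_vms 500 529          # or: start_vms 500 529 10 for a shorter stagger
```

Because the script is idempotent, it can be re-run after a partial failure without restarting VMs that already came up; a non-zero exit is the signal to look at the Packer/Terraform output for the IDs it reported.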
- Open a web browser to
https://<FleetDM IP addr/FQDN>:8443
- Login
- Settings > My account
- Select "Get API token"
- Copy token
- Open terminal
export FLEETDM_TOKEN=$(pbpaste)
ansible-playbook -i hosts.ini deploy_windows_domain_controler.yml --extra-vars "fleetdm_host=fleet.hackinglab.local"
ansible-playbook -i hosts.ini deploy_windows_clients.yml --extra-vars "domain_admin_password=packer" --extra-vars "fleetdm_host=fleet.hackinglab.local"
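`pbpaste` only exists on macOS, and copying the token out of the UI does not scale to re-runs. The following is an added example, not code from the ThreatWaffle repo: it logs in to Fleet's REST API, pulls the token out of the JSON response, confirms the token works against the current-user endpoint, and only then exports it for the playbooks. It assumes Fleet exposes `POST /api/v1/fleet/login` (JSON body with `email` and `password`, response containing a `token` field) and `GET /api/v1/fleet/me`, that `curl` is installed, and that the self-signed `conf/tls/threatwaffle.crt` from earlier is used as the trust anchor rather than disabling verification with `-k`.

```bash
#!/usr/bin/env bash
# Added example (not part of the ThreatWaffle repo).
# Assumes Fleet's REST API endpoints /api/v1/fleet/login and /api/v1/fleet/me.

# extract_token JSON -> prints the top-level "token" value, or nothing
# No jq dependency; sufficient for Fleet's plain, unescaped token string.
extract_token() {
  printf '%s' "$1" | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# fleet_login FLEET_URL EMAIL PASSWORD -> prints token, returns 1 on failure
# Body goes in on stdin so the password is not visible in curl's argv (`ps`).
# Passwords containing '"' or '\' would need JSON escaping before use here.
fleet_login() {
  local url=$1 email=$2 password=$3 body tok
  body=$(printf '{"email":"%s","password":"%s"}' "$email" "$password" \
         | curl -fsS --cacert "${FLEET_CACERT:-conf/tls/threatwaffle.crt}" \
             -H 'Content-Type: application/json' --data @- \
             "${url%/}/api/v1/fleet/login") || return 1
  tok=$(extract_token "$body")
  [ -n "$tok" ] || return 1
  printf '%s\n' "$tok"
}

# fleet_token_ok FLEET_URL TOKEN -> 0 if Fleet accepts the bearer token
fleet_token_ok() {
  curl -fsS -o /dev/null --cacert "${FLEET_CACERT:-conf/tls/threatwaffle.crt}" \
    -H "Authorization: Bearer $2" "${1%/}/api/v1/fleet/me"
}

# Usage (password prompted so it stays out of shell history):
#   FLEET_URL=https://fleet.hackinglab.local:8443
#   read -rs -p 'Fleet password: ' FLEET_PASSWORD; echo
#   FLEETDM_TOKEN=$(fleet_login "$FLEET_URL" admin@hackinglab.local "$FLEET_PASSWORD") || exit 1
#   fleet_token_ok "$FLEET_URL" "$FLEETDM_TOKEN" || exit 1
#   export FLEETDM_TOKEN
#   ansible-playbook -i hosts.ini deploy_windows_domain_controler.yml \
#     --extra-vars "fleetdm_host=fleet.hackinglab.local"
```

The `fleet_token_ok` check catches the common failure where the playbooks run for several minutes and only then fail on an expired or mistyped token when they try to fetch the enroll secret.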
kubectl create ns threatwaffle
- `kubectl create secret generic fleet-tls -n threatwaffle --from-literal=server.key=
kubectl create secret generic mysql -n threatwaffle --from-literal=mysql-password=$(openssl rand -hex 20)
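Two things bite with the commands above. `--from-literal=server.key=...` puts the TLS private key into the kubectl process arguments, where it is visible in `ps`, shell history and any process-auditing that is running (including the Sysmon-style auditing this lab is about). And the MySQL password generated by `openssl rand` is never written down, yet Fleet's database settings will need it. The following is an added example, not code from the ThreatWaffle repo: it creates the same two secrets from files instead of literals, generates the password without depending on the `openssl` binary, and shows how to read it back from the cluster. It assumes the namespace and secret names from the README (`threatwaffle`, `fleet-tls`, `mysql`, data key `mysql-password`) and, since the README line is cut off after `server.key=`, assumes the certificate's data key is `server.cert`.

```bash
#!/usr/bin/env bash
# Added example (not part of the ThreatWaffle repo).
# Assumes kubectl is pointed at the target cluster; secret key name
# "server.cert" for the certificate is an assumption (README line is truncated).

# gen_password [BYTES] -> BYTES random bytes as lowercase hex, no trailing newline
# (a trailing newline would silently become part of the MySQL password)
gen_password() {
  head -c "${1:-20}" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# create_fleet_tls_secret KEYFILE CRTFILE
# --from-file keeps the key material out of argv; kubectl reads the files itself.
create_fleet_tls_secret() {
  kubectl create secret generic fleet-tls -n threatwaffle \
    --from-file=server.key="$1" \
    --from-file=server.cert="$2"
}

# create_mysql_secret
# Password goes through a 0600 temp file (mktemp default) rather than argv.
create_mysql_secret() {
  local tmp
  tmp=$(mktemp) || return 1
  gen_password > "$tmp"
  kubectl create secret generic mysql -n threatwaffle --from-file=mysql-password="$tmp"
  local rc=$?
  rm -f "$tmp"
  return $rc
}

# mysql_password -> prints the stored password, for Fleet's MySQL settings
mysql_password() {
  kubectl get secret mysql -n threatwaffle -o jsonpath='{.data.mysql-password}' | base64 -d
}

# Usage:
#   kubectl create ns threatwaffle
#   create_fleet_tls_secret conf/tls/threatwaffle.key conf/tls/threatwaffle.crt
#   create_mysql_secret
#   mysql_password   # paste into the Fleet/MySQL Helm values, never into git
```

Reading the password back with `mysql_password` rather than regenerating it keeps the Bitnami MySQL chart and Fleet's `FLEET_MYSQL_PASSWORD` pointing at the same value across `helm upgrade` runs.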
Ansible v2.14.1
Osquery v5.11.0
Windows 10 v1511
Windows Server 2016
Helm v3.13.1
Fleet v4.44.1
Sysmon v15.14
- ansible.windows.win_domain – Ensures the existence of a Windows domain
- ansible.windows.win_hostname – Manages local Windows computer name
- Kolide - Running with systemd
- Ansible reboot a Debian/Ubuntu Linux for kernel update and wait for it
- Setting hostname with Ansible
- Error handling in playbooks
- ansible.builtin.get_url – Downloads files from HTTP, HTTPS, or FTP to node
- unarchive module feature request: allow to extract specific files #27081
- make ansible check if database is present on a remote host
- Error handling in playbooks
- How to Set MySQL Root Password using Ansible
- community.mysql.mysql_info – Gather information about MySQL servers
- community.mysql.mysql_db – Add or remove MySQL databases from a remote host
- community.mysql.mysql_user – Adds or removes a user from a MySQL database
- ansible.windows.win_shell
- community.windows.win_domain_user
- Github - pywinrm
- Story when adding reverse DNS record of Windows with Ansible
- [Feature] dns reverse lookup jinja2 filters?
- DEMYSTIFYING THE KOLIDE FLEET API WITH CURL, PYTHON, FLEETCTL, AND ANSIBLE
- Checking if a File Exists in Ansible
- Check if a given service name exist or not and its status with NSSM API
- ansible.windows.win_get_url
- community.windows.win_unzip
- How do I get a variable with the name of the user running ansible?
- community.crypto.get_certificate
- How to Enable Remote Desktop (RDP) Remotely?
- PowerShell Logging: Recording and Auditing all the Things
- Greater Visibility Through PowerShell Logging
- Windows Command Line Auditing
- Set-GPPrefRegistryValue
- Set-Content: The PowerShell Way to Write to a File
- How to Add Computers to a Domain Using PowerShell
- How to set primary and secondary DNS server addresses with PowerShell
- Powershell – Could not create SSL/TLS secure channel
- Using Variables
- How To Install and Secure Redis on Ubuntu 18.04
- How To Install MySQL on Ubuntu 20.04
- How to Set MySQL Root Password using Ansible
- CptOfEvilMinions/Kolide-Docker
- DEMYSTIFYING THE KOLIDE FLEET API WITH CURL, PYTHON, FLEETCTL, AND ANSIBLE
- osquery/osquery.flags
- Deploy Fleet on Kubernetes
- helm/bitnami/mysql
- helm/bitnami/redis
- x509v3_config
- SETTING UP KOLIDE AND OSQUERY WITH CLIENT CERTIFICATES FOR MUTUAL TLS (MTLS)
- tools/osquery/in-a-box/docker-compose.yml
- GETTING STARTED WITH FLEETDM
- fleet/spec/enroll_secret
- SwiftOnSecurity/sysmon-config
- Winlogbeat quick start: installation and configuration
- Download Winlogbeat
- 15 Ways to Bypass the PowerShell Execution Policy
- IR TALES: THE QUEST FOR THE HOLY SIEM: SPLUNK + SYSMON + OSQUERY + ZEEK
- sysmonconfig.xml
- Nginx Deployment with Helm
- helm/bitnami/nginx
- Exposing an External IP Address to Access an Application in a Cluster
- Exposing TCP and UDP services
- answer_files/10/Autounattend.xml
- Getting this Packer Errors when assigning variable values in source block
- Variables not loading from *.auto.pkrvars.hcl files if no defaults in HCL
- packer-windows/scripts/disablewinupdate.bat
- Enabling PowerShell remoting fails due to Public network connection type
- Appendix A: KMS Client Setup Keys
- scripts/bios/autounattend.xml
- GOAD on proxmox - Part2 - Templating with packer
- How to format numeric variable in Terraform
- Terraform For Loop – Expression Overview with Examples
- providers/Telmate/proxmox
- How to set timeout for terraform apply?
- Beats input plugin
- Disable monitoring not working? #65
- additional_settings force_path_style config option ignored #180
- Using environment variables
- Configuring Logstash for Docker
- Dockerhub - logstash
- Using Logstash to Send Directly to an S3 Object Store
- S3 output plugin
- k8s-logstash-configuration
- Storing Logstash output into Minio
- Logstash s3 output wrote format logstash s3 input doesn't understand
- How to logstash if field equals value assign other field value?
- Recommended RAM ratios for ELK with docker-compose
- Can I delete the message field from Logstash?
- ECS in Logstash
- _jsonparsefailure issue with version 8.8.2 not present with 7.17.11 #15204
- Osquery module
- Run Filebeat on Docker
- Implement Filebeat as SideCar to export logs to Elastic