ThreatWaffle

This repo contains the necessary Ansible playbooks and configs to setup the Threat Hunting envirnment for the blog series below.

• Part 1: Intro to Threat Hunting – Setting up the environment
• Part 2: Intro to Threat Hunting – Understanding the attack mindset with Powershell Empire and the Mandiant Attack Lifecycle
• PART 3: INTRO TO THREAT HUNTING – HUNTING THE IMPOSTER AMONG US WITH THE ELASTIC STACK AND SYSMON

Docker

1. COMMON_NAME=<base domain> openssl req -x509 -new -nodes -config conf/tls/openssl.cnf -keyout conf/tls/threatwaffle.key -out conf/tls/threatwaffle.crt
2. cat conf/tls/threatwaffle.key | docker secret create threatwaffle-tls-key -
3. cat conf/tls/threatwaffle.crt | docker secret create threatwaffle-tls-crt -
4. docker-compose pull

➜  ThreatWaffle git:(main) ✗ docker-compose -f docker-compose-swarm.yml pull
[+] Pulling 31/34
 ⠴ mysql 12 layers [⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀]      0B/0B      Pulling                                                                                                                                 8.6s
 ⠴ fleet 6 layers [⣿⣿⣿⣿⣦⣿] 60.72MB/90.28MB Pulling                                                                                                                                        8.6s
 ⠴ minio 7 layers [⣿⣿⡀⠀⠀⠀⠀] 8.805MB/45.79MB Pulling                                                                                                                                       8.6s
 ✔ redis 6 layers [⣿⣿⣿⣿⣿⣿]      0B/0B      Pulled                                                                                                                                         3.5s
 ⠴ jupyterhub 17 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿]      0B/0B      Pulling                                                                                                                       8.6s

1. docker stack deploy -c docker-compose-swarm.yml threatwaffle

Creating network threatwaffle_jupyter-backend
Creating network threatwaffle_fleet-backend
Creating network threatwaffle_default
Creating config threatwaffle_mysql-fleetdm-config
Creating service threatwaffle_mysql
Creating service threatwaffle_redis
Creating service threatwaffle_minio
Creating service threatwaffle_jupyterhub
Creating service threatwaffle_fleet

1. docker exec -ti $(docker ps | grep minio | awk '{print $1}') bash
2. mc config host add myminio http://minio:9000 root <root password>
3. mc mb myminio/logs-bronze
4. mc mb myminio/fallback

Init FleetDM

1. Open a web browser to https://<FleetDM IP addr/FQDN>:8443

Packer

1. cd packer
2. packer init .
3. Start VMs

for i in {500..529}
do
   echo "Starting VM ID: $i"
   qm start $i
   sleep 30
done

Ansible

Init

1. Open a web browser to https://<FleetDM IP addr/FQDN>:8443
2. Login
3. Settings > My account
4. Select "Get API token"
5. Copy token
6. Open terminal
7. export FLEETDM_TOKEN=$(pbpaste)

Domain controller

1. ansible-playbook -i hosts.ini deploy_windows_domain_controler.yml --extra-vars "fleetdm_host=fleet.hackinglab.local"

Windows clients

1. ansible-playbook -i hosts.ini deploy_windows_clients.yml --extra-vars "domain_admin_password=packer" --extra-vars "fleetdm_host=fleet.hackinglab.local"

Helm

1. kubectl create ns threatwaffle
2. `kubectl create secret generic fleet-tls -n threatwaffle --from-literal=server.key=
3. kubectl create secret generic mysql -n threatwaffle --from-literal=mysql-password=$(openssl rand -hex 20)

Supported version

• Ansible v2.14.1
• Osquery v5.11.0
• Windows 10 v1511
• Windows Server 2016
• Helm v3.13.1
• Fleet v4.44.1
• Sysmon v15.14

References

Ansible

• ansible.windows.win_domain – Ensures the existence of a Windows domain
• ansible.windows.win_hostname – Manages local Windows computer name
• Kolide - Running with systemd
• Ansible reboot a Debian/Ubuntu Linux for kernel update and wait for it
• Setting hostname with Ansible
• Error handling in playbooks
• ansible.builtin.get_url – Downloads files from HTTP, HTTPS, or FTP to node
• unarchive module feature request: allow to extract specific files #27081
• make ansible check if database is present on a remote host
• Error handling in playbooks
• How to Set MySQL Root Password using Ansible
• community.mysql.mysql_info – Gather information about MySQL servers
• community.mysql.mysql_db – Add or remove MySQL databases from a remote host
• community.mysql.mysql_user – Adds or removes a user from a MySQL database
• ansible.windows.win_shell
• community.windows.win_domain_user
• Github - pywinrm
• Story when adding reverse DNS record of Windows with Ansible
• [Feature] dns reverse lookup jinja2 filters?
• DEMYSTIFYING THE KOLIDE FLEET API WITH CURL, PYTHON, FLEETCTL, AND ANSIBLE
• Checking if a File Exists in Ansible
• Check if a given service name exist or not and its status with NSSM API
• ansible.windows.win_get_url
• community.windows.win_unzip
• How do I get a variable with the name of the user running ansible?
• community.crypto.get_certificate

Windows

• How to Enable Remote Desktop (RDP) Remotely?
• PowerShell Logging: Recording and Auditing all the Things
• Greater Visibility Through PowerShell Logging
• Windows Command Line Auditing
• Set-GPPrefRegistryValue
• Set-Content: The PowerShell Way to Write to a File
• How to Add Computers to a Domain Using PowerShell
• How to set primary and secondary DNS server addresses with PowerShell
• Powershell – Could not create SSL/TLS secure channel
• Using Variables

FleetDM/Kolide/Osquery

• How To Install and Secure Redis on Ubuntu 18.04
• How To Install MySQL on Ubuntu 20.04
• How to Set MySQL Root Password using Ansible
• CptOfEvilMinions/Kolide-Docker
• DEMYSTIFYING THE KOLIDE FLEET API WITH CURL, PYTHON, FLEETCTL, AND ANSIBLE
• osquery/osquery.flags
• Deploy Fleet on Kubernetes
• helm/bitnami/mysql
• helm/bitnami/redis
• x509v3_config
• SETTING UP KOLIDE AND OSQUERY WITH CLIENT CERTIFICATES FOR MUTUAL TLS (MTLS)
• tools/osquery/in-a-box/docker-compose.yml
• GETTING STARTED WITH FLEETDM
• fleet/spec/enroll_secret

Sysmon/Winlogbeat

• SwiftOnSecurity/sysmon-config
• Winlogbeat quick start: installation and configuration
• Download Winlogbeat
• 15 Ways to Bypass the PowerShell Execution Policy
• IR TALES: THE QUEST FOR THE HOLY SIEM: SPLUNK + SYSMON + OSQUERY + ZEEK
• sysmonconfig.xml

Helm

• Nginx Deployment with Helm
• helm/bitnami/nginx
• Exposing an External IP Address to Access an Application in a Cluster
• Exposing TCP and UDP services

Packer

• answer_files/10/Autounattend.xml
• Getting this Packer Errors when assigning variable values in source block
• Variables not loading from *.auto.pkrvars.hcl files if no defaults in HCL
• packer-windows/scripts/disablewinupdate.bat
• Enabling PowerShell remoting fails due to Public network connection type
• Appendix A: KMS Client Setup Keys
• scripts/bios/autounattend.xml
• GOAD on proxmox - Part2 - Templating with packer

Terraform

• How to format numeric variable in Terraform
• Terraform For Loop – Expression Overview with Examples
• providers/Telmate/proxmox
• How to set timeout for terraform apply?

Logstash

• Beats input plugin
• Disable monitoring not working? #65
• additional_settings force_path_style config option ignored #180
• Using environment variables
• Configuring Logstash for Docker
• Dockerhub - logstash
• Using Logstash to Send Directly to an S3 Object Store
• S3 output plugin
• k8s-logstash-configuration
• Storing Logstash output into Minio
• Logstash s3 output wrote format logstash s3 input doesn't understand
• How to logstash if field equals value assign other field value?
• Recommended RAM ratios for ELK with docker-compose
• Can I delete the message field from Logstash?
• ECS in Logstash
• _jsonparsefailure issue with version 8.8.2 not present with 7.17.11 #15204
• Osquery module
• Run Filebeat on Docker
• Implement Filebeat as SideCar to export logs to Elastic

Minio

• How to run MinIO as a Docker Container
• docs/docker/README.md

JupyterHub

• basic-example/docker-compose.yml