Spencer Heywood edited this page Sep 25, 2019 · 5 revisions

Welcome to the active-threat-hunting wiki!

Tool Listing:

Elastic Stack: Elasticsearch, Logstash and Kibana.

Elastic's Beats: Elastic's log shippers.

Elastalert: Open source alerting tool for Elastic Stack.

Kolide Fleet: Centralized OSQuery Fleet Server

Kolide Launcher: Kolide's pre-packaged OSQuery agent.

Getting Started:

Most of the valuable parts of the active-threat-hunting repository are in the ansible directory and its subdirectories. The playbooks have been tested frequently before being published, but if you encounter a bug or have a question, feel free to open an issue on this GitHub repository.

DISCLAIMER: This repository is for learning and does not follow security best practices. In production, the deployment methods in this repository should be modified to fit each organization's security requirements. Specifically, please don't save your usernames/passwords in the inventory file of each respective playbook. Use Ansible Vault or Ansible AWX for a native way to store them.

Setting up Ansible:

To get started, it would be best to deploy a virtual machine to test the playbooks against (the playbooks have been tested against Ubuntu but most should work on CentOS/RHEL as well).

The machine for running the Ansible playbooks can simply be a macOS, Linux or Windows (through WSL) machine with Ansible installed. The following page has more information on installing Ansible:

Install Ansible Package on Control Node

Refer to the following page to set up an Ubuntu Server to be managed by Ansible:

Configuring an Ubuntu Server To Be Managed By Ansible

Refer to the following page to set up a Windows machine to be managed by Ansible:

Configuring Windows To Be Managed By Ansible

Clone the Repository:

Once Ansible has been configured, git clone the active-threat-hunting repository on the Ansible control node:

git clone https://github.com/heywoodlh/active-threat-hunting.git && cd active-threat-hunting

As stated above, most of the relevant tools for active-threat-hunting are available in the ansible/blue-team-tools directory.

General Workflow for Deploying a Tool/Running a Playbook:

  1. cd into the directory of the tool you'd like to deploy. As an example, we'll use the Elastic Stack:

cd ansible/blue-team-tools/elk

Each directory containing playbooks has a README.md file with information specific to its playbooks. It also contains an inventory file that will need to be edited, and a playbook (ending in .yml) named after the application to deploy (e.g. elk.yml).

  2. Edit the inventory file to match the desired values. If the tool can also be deployed on Windows, the directory will contain a win_inventory file to edit as well (if it doesn't exist, the tool/application is only deployed on Linux).

Note: the default inventory file always expects that an SSH key has been deployed on the remote host and that passwordless sudo is possible. If this is not the case, modify the inventory file based on your needs.

  3. Install dependencies:

ansible-galaxy install -r requirements.txt

  4. Run the playbook:

ansible-playbook -i inventory playbook.yml

Refer to the post-installation instructions in the playbook's README for what to do after the installation completes.