The SIEM (security information and event management) implementation for research / CTF usage as an alternative to a full blown ELK / winlogbeat etc setups. The main purpose of the tool is to evaluate the optimal logs volume and malicious patterns sufficient to detect common TTPs, which is often the problem of full size SIEM.
Current functionality includes:
- Aggregating and alerting on suspicious Windows Secuity and Sysmon events (check Client/collector.ps1 for details).
- Logging and monitoring SSH logon attempts on Linux (Client/ssh_logins_psiem.py)
- Falco alerts visualization
- Functional web interface to work with received logs, grouped by the event type with the host filtering, appropriate date range, hiding false positives and many more.
- Various detection rules are currently supported. Check
Tweaking alerts
section for details.
- Ensure you have docker and docker-compose installed.
- Run from the PocketSIEM folder:
sudo docker-compose up -d
- View the log to get the
admin
password:
cat services/server/pocketsiem.log | grep password
- Login to the website with
admin
user and obtain client JWT by visiting/token
- Download Sysmon
- Install
Sysmon64.exe -i Client\sysmonconfig.xml
- Amend the
$url
to your API server IP / Address inClient\collector.ps1
- Fill in the generated JWT value.
- Add the user to the
Event Log Readers
group:
net localgroup "Event Log Readers" YOUR_USER /add
- Give the user read permissions to the Security registry hive regedit -> Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security -> Right click on Security -> Permissions -> Add your user
- Create scheduled task to periodically run
Client\collector.ps1
. From command line might be quicker:
SCHTASKS /CREATE /SC HOURLY /TN "PocketSIEM" /TR "powershell.exe -w hidden C:\Path\Client\collector.ps1"
Configure Falco on your host.
Alternalively execute falco-psiem.sh
from the Client folder. Check the script contents to understand what it does and consult Falco documentation for the setup parameters.
To send SSH logon attempts from your hosts:
- Execute
ssh-psiem.sh
from the Client folder.
Although the server will work with embedded SSL keys one may want to generate own pair. One way of doing that is to use Let's Encrypt with the registered domain for that.
sudo snap install certbot --classic
sudo certbot certonly --register-unsafely-without-email --agree-tos -d mydomain.com
Copy generated SSL keys and certificates in services/nginx/certs
folder. Run the following commands providing your domain name:
export MYDOMAIN=mydomain.com
sudo cp /etc/letsencrypt/live/$MYDOMAIN/privkey.pem services/nginx/certs/key.pem
sudo cp /etc/letsencrypt/live/$MYDOMAIN/fullchain.pem services/nginx/certs/cert.pem
For testing purposes, it is possible to use own generated certificate. To generate the self-signed pair:
cd services/nginx/certs
openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
Several rule files are maintained by the project. The simple rules list stored here services/server/detect/rules/rules_simple.txt
aiming to detect malicious patterns in the process command line, created files, registry modifications and other log details fields.
Feel free to add or remove patterns. Star *
means both strings should be in the log details to raise an alert. %
is an antipattern to exclude. Example:
- '.exe*.dll,%rundll32'
Here if any .exe
file is executed with .dll,
pattern in the parameters, the alert will be raised, unless the executable is rundll32
In this example we are catching the technique when dlls are executed with renamed rundll32.