Place: InTheForest(cyber security) company
Computer: Personal notebook(server) & Personal tabbook(host)
Created Date: 2020/08/04
Last modified date: 2020/08/25
Author: SeokMin Lee
URL: https://github.com/leesk212/Sysmon-EL-Python_PyQt/
Sysmon logs from a Windows host are shipped by Winlogbeat to Logstash running on a separate machine, indexed in Elasticsearch, and displayed in a PyQt client.
PS> .\sysmon.exe -i [sysmonconfig-export.xml]
PS> .\sysmon.exe -c [update_sysmonconfig-export.xml]
Download: https://www.elastic.co/kr/downloads/beats/winlogbeat
Set winlogbeat.yml to send the Sysmon channel to Logstash (Ubuntu_IP is the address of the machine running the ELK containers)
winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
output.logstash:
  # The Logstash hosts
  hosts: ["Ubuntu_IP:5000"]
  index: winlogbeat
PS> .\winlogbeat.exe -c .\winlogbeat.yml
PS> .\install-service-winlogbeat.ps1
PS> start-service winlogbeat
$ git clone https://github.com/deviantony/docker-elk.git
$ sudo docker-compose build
- Disable some functions of X-pack
$ vim ./elasticsearch/config/elasticsearch.yml
cluster.name: "docker-cluster"
network.host: 0.0.0.0
discovery.type: single-node
$ vim ./logstash/config/logstash.yml
http.host: "0.0.0.0"
xpack.monitoring.elasticsearch.hosts: [ "http://elasticsearch:9200" ]
$ vim ./logstash/pipeline/logstash.conf
input {
  beats {
    port => 5000
  }
}
output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    user => "username"
    password => "password"
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
$ sudo docker-compose up
Default ports:
- 5000: Logstash TCP input (Beats)
- 9200: Elasticsearch HTTP
- 9300: Elasticsearch TCP transport
- 5601: Kibana
$ sudo docker-compose down
$ wget https://www.python.org/ftp/python/3.7.4/Python-3.7.4.tgz
$ tar xvfz Python-3.7.4.tgz
$ cd Python-3.7.4
$ ./configure
$ make
$ sudo make install
$ python3 -V
$ sudo apt-get install idle-python3.7
$ idle-python3.7
$ git clone https://github.com/leesk212/Sysmon-EL-Python_PyQt.git
$ cd Sysmon-EL-Python_PyQt/Code/
$ python3 main.py
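As an added example (not code from the Sysmon-EL-Python_PyQt repo), this is the kind of query the PyQt client can send to Elasticsearch for the Sysmon events stored by the logstash.conf above, together with the Abnormal tab's ".hwp file open" rule and a whitelist check. It assumes Winlogbeat 7.x ECS field names (winlog.channel, winlog.event_id, winlog.event_data.*); the whitelist path and the sample hits are constructed.

```python
# Added example, not part of the original repo. Assumes Winlogbeat 7.x field
# names under "winlog" as stored in the daily winlogbeat-* indices.
from typing import Dict, List

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
# Constructed whitelist: process images allowed to touch .hwp documents.
WHITELIST = {r"c:\program files (x86)\hnc\office 2018\hoffice100\bin\hwp.exe"}

def sysmon_query(event_ids: List[int], size: int = 100) -> Dict:
    """Elasticsearch body: Sysmon events with the given IDs, newest first."""
    return {
        "size": size,
        "sort": [{"@timestamp": {"order": "desc"}}],
        "query": {"bool": {"filter": [
            {"term": {"winlog.channel": SYSMON_CHANNEL}},
            {"terms": {"winlog.event_id": event_ids}},
        ]}},
    }

def is_abnormal(hit: Dict) -> bool:
    """Abnormal rule: a .hwp file opened (EID 1 CommandLine) or written
    (EID 11 TargetFilename) by a process image that is not whitelisted."""
    src = hit["_source"]["winlog"]
    data = src.get("event_data", {})
    image = data.get("Image", "").lower()
    eid = int(src["event_id"])
    if eid == 1:
        target = data.get("CommandLine", "")
    elif eid == 11:
        target = data.get("TargetFilename", "")
    else:
        return False
    return ".hwp" in target.lower() and image not in WHITELIST

def abnormal_hits(hits: List[Dict]) -> List[Dict]:
    """Filter a search response's hits down to the abnormal ones."""
    return [h for h in hits if is_abnormal(h)]

# Constructed sample hits in the shape Winlogbeat + Logstash store them.
SAMPLE_HITS = [
    {"_source": {"winlog": {"event_id": "1", "event_data": {
        "Image": r"C:\Program Files (x86)\Hnc\Office 2018\HOffice100\Bin\Hwp.exe",
        "CommandLine": r'"Hwp.exe" C:\Users\user\Desktop\report.hwp'}}}},
    {"_source": {"winlog": {"event_id": "1", "event_data": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c start C:\Users\user\Downloads\invoice.hwp"}}}},
    {"_source": {"winlog": {"event_id": "11", "event_data": {
        "Image": r"C:\Windows\System32\WScript.exe",
        "TargetFilename": r"C:\Users\user\AppData\Local\Temp\x.hwp"}}}},
]
```

Pass `sysmon_query([1, 11])` as the body of an Elasticsearch search on `winlogbeat-*` and feed `hits["hits"]` from the response into `abnormal_hits`.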
Timeline
local -> git connected
Define and implement the whitelist function
- Upload Reference
- When no values from the client arrive at the server
- Check whether the network state is the same as the previous state
- If the network state is the same, check whether the IP has changed
- If the network state has changed, check the IP in winlogbeat.yml
- Upload ui file
- Layout implementation complete, except for Update Whitelist
- Looking for an error: the first run works, but after clear the second run's values do not change
- Abnormal Tab idea planning
- Abnormal Tab layout implementation complete
- Abnormal: able to catch .hwp file opens
- Sysmon - EL - PyQt5 implementation complete
Reference
- install python3.7: https://somjang.tistory.com/entry/PythonUbuntu%EC%97%90-Python-37-%EC%84%A4%EC%B9%98%ED%95%98%EA%B8%B0
- docker Sysmon-ELK: https://github.com/choisungwook/malware/tree/master/01%20blue%20team/sysmon/01%20elk%EC%84%A4%EC%B9%98%2B%EC%97%B0%EB%8F%99
- Docker, ELK: https://judo0179.tistory.com/60
- Docker, ELK: https://github.com/deviantony/docker-elk
- winlogbeat: https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_87.html
- Ubuntu 18 static IP setup: https://www.manualfactory.net/10455