How To Install Kali Purple With Elastic SIEM

Captions
This, it's called reverse. Let's open it, and it fails right away, and right behind me the alert fires, as you can see. Let's do it two more times, trying to download it. Chrome downloads it.

Hello, welcome to I.T Security Labs, and today I'm very excited that we'll be looking at Kali Purple. A week ago there was a release from OffSec; they said they have a new Kali Linux machine that they just deployed in 2023. So today I'm going to show you how to set it up and end up with Elastic SIEM, where we can actually get some alerts in our systems, monitor some endpoints, and also look at how detection works with this new Kali Purple device. In the future we'll look at other tools, but today we'll actually look at just the Kali Purple device.

To show you what we end up with by the time we're done with this video: we end up with these dashboards here, where they've added detection to one of the Windows machines, and we'll deploy some malware. As you can see here, I have an alert that fired that says malware was detected. How do we do this with Kali Purple? How do we set it up? That's exactly what this video is all about, and you should be able to see some data like this here, some events, and we explain what all this is as we set it up. But that's pretty much our main goal here: to look at Kali Purple and do that.

So the first thing is we go to kali.org and read more information about the release. You'll probably see some documentation with some screenshots; as you can see, this is what we will be having, this data right here, these screenshots here for Elastic SIEM. So let's go ahead and download. I encourage you to read through this, but for now just hit the download button. I want to use the ISO, and in this case this is the regular Kali; you need to scroll down until it says Kali Purple. If you don't do that you would install the wrong Kali. Hit download. So this will take a few minutes, my download here, depending on your speed. So it's downloading; while it's downloading, let's go back and see what we'll be working on.

So here I have some detection. What did I do earlier that resulted in this malware detection alert? Let's check it out. It happened 10 times. I'll click on this alert here. What was I doing? All right, it looks like this day here we had so many critical alerts named beacon.exe, and explorer.exe were alerting. This is when I clicked one; in my way I was trying to download it, I'm trying to make it run, I generated it, and of course this kept catching it. This is endpoint detection that can happen with Kali Purple, and I think that a lot of people, especially those who are interested in learning, will find this very valuable in learning detection, in learning offensive security. This is purple teaming at its best here. And what happened here: we detected the malicious file called beacon32.exe; it was on the user's Vagrant machine. So I'll show you a network diagram, and at the same time this is what Kali Purple looks like once it's done. So let's not worry about that for now; our download looks like it's almost done. Let's go to our folder; here's our Kali Purple disk. I'm going to be deploying this in VirtualBox.

All right, so our setup is very simple. As you can see here, you can have your home router; you need a Windows 10 computer, in this case mine is running 24 gigs, it is 24 gigs of RAM, and I have one terabyte on the hard drive, but at least 500 gigs that are free, that are dedicated to this lab, will help. We have Kali Purple, we have a regular Kali which you can use here, then we have a Windows client. You don't need the regular Kali; you can use Kali Purple for the same attacks, but I just happen to have a regular Kali. Then we have a Windows client that will try to connect to Kali Purple for defense and detection, like I was showing you. This is the Windows client that will try to attack, and we'll see if we can defend and do some investigations. So this is a very simple lab running in VirtualBox in this case, and once we download everything we should have the Kali Purple ISO.

We have a Windows machine here; we can go and just check quick here. As you can see, here's 24 gigs of RAM. Let's check our hard drive; in this case I have this external drive here, which is a terabyte. So 24 gigs, a terabyte, and a decent CPU; that would do it for our lab. So now let's go and launch VirtualBox, which you need to install if you don't have VirtualBox, and we'll set up the installation of Kali Purple. I guess we can go here and say Machine, New. Okay, the type is going to be Linux, Debian 64-bit, if it's here, and Next. For RAM I want this one to have 12, okay, something like that. Then create virtual disk, Next, Next, dynamically allocated. For storage, since I have a terabyte, I want this one to have 200 gigs; I want to keep some data. The more space you have here, the more you can do with this machine. I mean, I can say Create. Kali Purple: right click, go to Settings, Storage. Right here you want to go to, let's go here, Live CD, and click here, Choose a disk file, go to your Kali file, Open. Now we mounted the ISO file that we downloaded, and OK. Now we power it on, Normal Start.

Okay, so here choose Graphical install. Okay, so now we choose English, Next, United States; choose your location, American English for me. Detecting the hard drive, right. For the name here I'm going to name it kali-purple, because I want to make sure that it's different, and Next. The domain is itsecuritylab.local; you don't need to put a domain here, but I have one on the network. For the user, I like it to be, it could be any name that we want; this is the user that I use in my labs. You know, you'll see. Next, Next, password; give it a password, and the passwords match. So Kali Purple, there we go. My time is Central, so choose your own time. Use entire disk, yep, all files, Finish, choose Yes. All right, so it's just installing the operating system now. This might take a while, so I'll pause here.

So while the installation is happening, I want to introduce you to this GitLab page here. This is where most of the instructions on Kali Purple are, and here's how it works. They will tell you, like here we have over 100 defensive tools, such as this. Today we're focusing on the Elastic SIEM; I'm not focusing on anything else other than Elastic SIEM. But what they tell you is, here's the Kali Purple ISO, so you'll notice that we have different versions here. This was confusing for me the first time; I was like, wait a second, I thought I'm just dealing with one. Apparently, if you want any of these Kali Purple tools, some of them are not installed by default. For example, this installation.txt here will be for Kali; if I have it, this will install the ELK stack that we need. To do so, we can automate this process by converting this whole thing here into a bash script, and it's a very simple process; that's what I did, but I'll walk you through how we can do it. Once our installation is done, we need to copy and paste all these commands, follow them step by step, and we'll end up with an Elastic SIEM that works. So we install Kibana, we install other dependencies, and we also enroll Kibana into Elasticsearch and then enable HTTPS. Very simple steps, and we'll do that once our installation is complete, right here. So let's see, has it finished? And once it finishes we'll sign in and look around.

Okay, so after a while you'll see that the installation finishes and you need to reboot, and once you restart you need to sign in with the credentials that you created. This is a first look at Kali Purple, and so we should look at some tools that are in there. It might take a second here. All right, there we go, Kali Purple. So it looks like a regular Kali, right? In the menu here the only thing that's different is we now have the Identify, Protect, Detect, Respond and Recover menus here. Other than that, everything else that a normal Kali Linux installation has will be here. So what are these, Identify, Protect, Detect? These are tools that are usually used for defensive solutions, and we're not going to focus on a lot of them today. We want to make sure that we install the Elastic SIEM, but in the future we have a whole series here; this is the first video on Kali Purple, and I'm showing you how to install the first two.

So one, to open our terminal. You know, I'd also like to open a browser. Okay, let's go to the GitLab for Kali Purple, find our instructions. This is an installation.txt for the ELK SIEM, so we like to copy and paste all these step by step. Just doing this copy-paste, you really don't have to think too much about it. So become root, now paste all those instructions from the GitLab, the first part. So yours will not exist. All right, once we get the first part here, convert to a single node; in this case we want to run that. In that, just do both. We are installing the Elastic SIEM; this is just an automated way of doing it, and we have all the instructions we need. Then install Kibana. So what I would do is, for Kibana, I'll do the phase two here and paste. All right, yours will be different; mine is saying Kibana is already there. So once you run these two, next we're going to echo this server.host. You can change it if you want, but we just use whatever is there. All right, and then ensure that kali-purple is only mapped to this in /etc/hosts, in order for the Kibana interface. So I'm going to my /etc/hosts right now; let's use nano. This is /etc/hosts. So I put the IP address of my Kali Linux and I put kali-purple, this stuff here. So you need to find out what the IP address of your Kali is by going `ip a`. This is mine; that's what is here. You put yours and then the kali-purple name. All right, so that's what this line was talking about. Now I'll check the status of Kibana; we'll then enable Elastic and Kibana. So let's make sure that Kibana is actually running. All right, Kibana is running. Let's check for Elasticsearch: Elasticsearch is running, cool. Next, what do they want us to do? So we finished on line 27 here. Now let's see, enroll Kibana; to do that, generate a token. Oh, this is going to be fun. Clear the screen.

Right, it's giving me an error. Let's see why. Okay, it's because I already ran it earlier, so that's fine; you need to run yours, it'll work. Then open a browser, navigate to the IP address. The IP address that we need to navigate to is going to be the IP address of your Kali, not that one. So go to http://192..., no. All right, so we go there; use HTTP first because you don't have any passwords. But it's asking me for a password here, so I have elastic, and I think I have a password somewhere. Let me find my password. Okay, so the password was given to us during installation. You can reset this password as well if you wanted to, but now I'm getting in. The first time you get in here you'll see something like this, like, hey, what do you want to do? That's fine, but for now we know that we can sign in. Open browser, enter the elastic password, paste the token from above; if you get asked for a token, paste the token that was given to you above here. You can generate the verification code by running this command here, but it's saying, hey, give me a verification code. If Kibana isn't being configured yet, restart for a new code; otherwise you can safely ignore this message. Okay, I already have a verification code, but you can get a verification code this way. All right, next you can enable HTTPS. The best way to do this is to literally copy this whole string here and paste it in your Kali. So copy that, just go here and paste and hit Enter, then finish by going back, copy these (told you this could be a bash script) and hit Enter. All right, so those are the instructions on setting up Kali Purple. So now you have a fully functional Kali Purple with a Kibana instance. This is not the end of it; if you have any issues during the installation, make sure that you follow the instructions carefully from here. They're pretty straightforward; everything that you need is in this document. But now that we have a working one, how do we use this to monitor a host? That's where we get paid.

So click on Security. All right, you might want to go and say Get started, Add security integrations, right here. We're going to create a profile for our Windows machine, so our goal here is to monitor our Windows machine. Let me show you right here; we want to monitor this for any malicious attacks, so make this into a full SIEM. So we will add an agent here; so now we're setting up our SIEM to make sure that it can do that. So let's put security, search for security. Which one did I use in Elastic? Okay, let's use the Elastic Defend one. Click on that, Add Elastic Defend. Come on. I'll name this one "windows defend"; there's the description. And it's asking us, okay, select configuration: we just say this is Traditional for new hosts. Windows policy, you can name it whatever you want; collect SIEM logs and events, continue. So we're saving and continuing, right: Elastic Defend integration has been added; add Elastic Agent to your host. So I can click here and say Add Elastic Agent to my host. So yes, my defend, I can enroll in Fleet or I can run standalone. Fleet is the easiest one, but for now, you know what, let's add a Fleet server. How hard can it be? Hey, the Fleet server is awfully similar to a centralized host, so let's put it on this same machine. Copy that, open the terminal, okay, then we paste that right here. Let's see if we will be able to get there. Right, we're installing Fleet server. So once Fleet server installs, the one in the back here should tell us, you see where it says Confirm connection, it should tell us whether or not the connection worked, if our Fleet server works correctly, from here. So let's let it finish. Right, so it looks like mine is already installed or finished; my Fleet server is working now. As you can see, my Kali Purple is showing as healthy. Now I can say Add an agent to this Fleet server. It says, what type of host are you adding? I'm adding a Windows, say, this one. Then enroll in Fleet (recommended); it's a Windows machine, so I'm adding a Windows agent to policy. We need to make sure that we check that one later.

So now it says, if you do that, you need to run this. So we need to copy that. Let's go to our Windows machine and sign into this, and then copy this and paste it in our Windows machine; it's easier that way. So inside of our Windows machine here, if we refresh this we should be able to sign into our SIEM and then click Add agent. What kind of agent is it? Agent policy one, two, I guess this... oh, wait a second, yeah, this one is system check two; let's say check three. Okay, we would like to deploy this Windows policy with Elastic Defend and Windows system; choose Windows. I will copy this, search for PowerShell, just open regular PowerShell and paste that from here into PowerShell, and as you can see it's downloading; it's doing all the work. Once it's done doing this, it's expanding the archive; give it some time. While this is happening, in the back here, if you scroll down, it's listening for the agent to come in. But of course we go back here; once this is done expanding we'll do the installation. Okay, so once it's done expanding we have one final command here. This one might fail: do you want to install this as a service? For now let's stop it; I'll tell you why. I want to rerun that command with --insecure, because if you run it the way it was, the certificate is not valid, so it puts the insecure flag there; that way it guarantees that it runs. Now say yes; this will copy all the files from here into the Elastic Agent folder and also start the service. Still listening for events. After the agent is done you should see that some events are confirmed, and it confirms the incoming data. Okay, so as you can see, one agent has been enrolled; now it's confirming that we actually have incoming data, and once it confirms it the agent should show up right here. Right, so as you can see, our agent is showing up in the back there; it says healthy, but it's still confirming some data here, that's fine. So we know that we have successfully enrolled an agent.

So if I come back here, this is the machine; it's running the Windows policy logs. So let's go to that policy. As you can see here, we have the windows defend and system; let's go check windows defend, and on windows defend here we have Detect and Prevent. Let's prevent it from even downloading malicious files. Let's save the integration, then now let's go ahead and make sure that we deploy that to our agent, and let's test our agent to see if it actually works. So we're going to go to our malicious Kali, right. So here is my revshells.com; I would like to generate a reverse shell using msfvenom. Let's copy, let's just copy this. Okay, so copy, paste it here; it's going to be right there, reverse.exe. Okay, so we now have our reverse.exe here. Let's host it. Okay, so we're hosting a bad file on a bad Kali Linux machine. Now let's go back to our victim machine. Okay, so if we go to our shell here, so we're hosting a malicious file from here, you know, Kali, code, reverse.exe that we just generated. If we try to even download it using the browser on our victim, let's go here and say click download, see, and you try to open it. Oh, right away Elastic Security prevented reverse.exe. So that alert should show up in our dashboard a couple of times. Okay, let's do it one more time; make sure that we'll try to download this. It's called reverse; let's open it and it fails right away, and right behind me the alert fires, as you can see. Let's do it two more times, trying to download it. Chrome downloads it, oh, and it fails, and Elastic Security is catching us. Okay, now we gotta wait five minutes or so. Okay, let's go to our alerts, scroll down to Security and Alerts. There we go; this is all us clicking on that reverse file, and this was Firefox trying to open it. So as you can see here, we now have an alert that says, hey, by the way, we saw a file trying to go to downloads, code reverse, and who started this: Firefox. I was using Firefox, not Google Chrome. So the downloads folder, it was removed by Elastic Security. So now we know we have a working Kali Purple.

Okay, so we know that this works because we're getting all these alerts here, but the most important thing is nothing executed on our victim machine, which is really good. So we can safely say Elastic SIEM on Kali Purple is working. If you want something like this, please follow along like I was doing; you might run into issues, but if you have any questions please let me know. Otherwise, thanks for being here, and I hope to see you in the next video on Elastic SIEM.
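The /etc/hosts step in the walkthrough above (map the Kali IP address to the name kali-purple so Kibana's hostname resolves) is done by hand in nano. The shell snippet below is an added example; it is not code from the video or from the Kali Purple GitLab instructions. It picks the first non-loopback IPv4 address out of `ip -4 -o addr show` output and writes the mapping idempotently, so re-running it after a DHCP lease change replaces the stale line instead of appending a second kali-purple entry. The function names, the file argument (so it can be exercised against a scratch file rather than the real /etc/hosts), and the sample `ip` output with its 192.0.2.x addresses are all constructed for this example.

```shell
#!/bin/sh
# Added example for the /etc/hosts mapping step; not from the video or the
# Kali Purple docs. All names, the file argument and the sample data are
# constructed for illustration.
set -eu

# primary_ipv4: read `ip -4 -o addr show` output on stdin and print the first
# address that is not on the loopback interface (field 2 is the interface,
# field 4 is "addr/prefix").
primary_ipv4() {
    awk '$2 != "lo" { split($4, a, "/"); print a[1]; exit }'
}

# ensure_hosts_entry FILE IP NAME: leave FILE with exactly one "IP NAME" line.
# Any existing line that already lists NAME is dropped first, so a changed
# lease is corrected rather than shadowed by an older entry.
ensure_hosts_entry() {
    file=$1; ip=$2; name=$3
    tmp=$(mktemp)
    awk -v n="$name" '{ keep=1; for (i=2;i<=NF;i++) if ($i==n) keep=0; if (keep) print }' "$file" > "$tmp"
    printf '%s %s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$file"        # keeps the original file's ownership and mode
    rm -f "$tmp"
}

# hosts_lookup FILE NAME: print the address mapped to NAME (nothing if absent).
hosts_lookup() {
    awk -v n="$2" '{ for (i=2;i<=NF;i++) if ($i==n) { print $1; exit } }' "$1"
}

# demo: run the two functions over constructed `ip` output and a scratch hosts
# file, applying the mapping twice to show that it stays a single line.
demo() {
    sample='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic eth0\       valid_lft 86239sec preferred_lft 86239sec'
    ip=$(printf '%s\n' "$sample" | primary_ipv4)
    f=$(mktemp)
    printf '127.0.0.1 localhost\n10.0.0.5 kali-purple\n' > "$f"   # stale lease
    ensure_hosts_entry "$f" "$ip" kali-purple
    ensure_hosts_entry "$f" "$ip" kali-purple
    hosts_lookup "$f" kali-purple
    rm -f "$f"
}

demo
```

On the Kali Purple box itself the real call is `ip -4 -o addr show | primary_ipv4` followed by `ensure_hosts_entry /etc/hosts "$ip" kali-purple` as root; the name passed must match the hostname you want Kibana reached at.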
Info
Channel: I.T Security Labs
Views: 20,258
Id: tD5fRwHRygY
Length: 27min 1sec (1621 seconds)
Published: Mon Mar 20 2023