Wazuh 101 - Part 1: Getting started with Wazuh, Open Source EDR, presented by Jesse Moore

Captions
Nice. All right, so actually this is just kind of a sneak peek of what the end product is going to be. On my screen right now is the Wazuh dashboard, but I'm going to tear this down, because right now it's on this Proxmox server and I'm going to restore it to this thing. So if you have your own stuff, I would suggest making a backup of whatever Ubuntu box or server you're going to use for our Wazuh install. But I will start us off with what Wazuh is, and I'll reference Wazuh's main quick start page, and I'll kind of walk through use cases as well.

So what Wazuh is, as you saw just briefly there, is kind of this nice dashboard of connections into devices. I can go into that more clearly under the use cases, but I think I'm going to go into architecture here real quick. So, architecture. Make sure this is nice and big; this looks pretty big, yeah, that's good. So I'm gonna blow up this picture here, and really all you need to know about is it can connect to a Wazuh agent that has like Filebeat on it and stuff like that, that ships the information back to that pretty dashboard, but you can put it on desktops and laptops and cloud infra, virtual machines, I think containers even; we'll look through some stuff. And then you've got this main thing on the right side, which is kind of the Wazuh stuff. It's got too much here, really. I mean, it's like master node, worker nodes, okay, sure, sure. And then it's got the dashboard and indexers, of course, because it's on Elastic and all that kind of stuff, and then ultimately you see the dashboard with the users. Primarily I just showed this piece to say, hey, you know, basically it's an ELK stack that's been Wazuh-ified for a dashboard, and it's got a cool agent that can go to all sorts of things that ships over the log data and other things like incident responses. We'll go into that in the use case. All right, let's get back to it. So we're gonna
go into some other components of this. So let me make this bigger. We were just talking about the endpoints and the agents, so specifically here's the agent and how it's kind of broken down. Maybe I can get this a little bigger; no, I can't, that's about as big as it gets. So it's got some cool things like active response, being like, oh, I see a whole bunch of things scanning me from one IP address on multiple ports, I'm actively going to put my firewall up on it. That's kind of what the active response piece is. Then there's like command execution, which is it sees some kind of command and it does something because of it. There's a cool thing called configuration assessment. Now what that is utilizing is what they call the Center for Internet Security's baselines, and it'll actually go ahead and run those baselines against your system and say, oh, it looks like you have SMB version 1 on, you fail that kind of assessment. So that's what configuration assessment is, pretty neat. This is a new thing, this container security; I have not seen this or used it. I mean, I have containers, but I haven't used it. Maybe we'll have a container, maybe we'll see this in action later. Anyways, this is just to show the agent is more than just a Filebeat that sends stuff over; it does much more. Like here's the file integrity monitoring it also does, so it's like, oh, is this file the same? Oh no, it changed, that kind of thing. And then of course it does a lot of collection, kind of a big thing that it does. And what seems to be a newer thing for it, they've got very direct malware detection things, like they're like, oh, you've got a crypto miner, we can find this very specific crypto miner. They've been doing that lately, which is cool and great, and I'm happy that they're doing that. So why I'm a little hesitant there is because when I install Sysmon on the system, I want like the full
Sysmon logs, and with their stuff you've got to do a little bit of massaging; you have to configure it to be like, oh, when this Sysmon log occurs, make this a Wazuh alert and let it show up on the dashboard, and it's not quite like that. I have to use other things like Hulk or whatever that just throws the whole log into your thing and then you can just cruise through them. So that's why I was a little hesitant on that piece, if people were checking that out. I haven't really looked at the system inventory, but I mean, just having an agent on the box and it knowing the OS and a couple other things about it, I guess, yeah, that's inventory, pretty neat. So yeah, it does do encryption, it does use a key to go back to the server, that kind of stuff. On the server side you can actually tell it, you can like disconnect from agents if you want. I won't go too much into what's going on over here, but just think of this as really the dashboard, and being able to query it like any other Kibana type scenario. The biggest piece was really that that agent is super cool, and it has the same Kibana type of dashboard, which is also very cool. Wazuh does kind of throw their own flavor on it, which is nice, because they say, hey, this thing is related to PCI, this kind of thing can be related to GDPR, and so on and so forth. So that's an interesting thing to also see for compliance things, right? They're like, hey, do you have this kind of monitoring? Like, yes I do, and then speak to that.

So let me get to the, let's see here, I want to get to so we can look at the dashboard again, but the dashboard is kind of a prettier thing of what we just went over. You can do stuff in the cloud, so here's like Google, here's Amazon, here's Office 365.
Security events is pretty much just the logs that it pulls over. Integrity monitoring, that's that file monitor again, all just in a nice Kibana kind of cool view. Another thing that I just saw recently, I saw this VirusTotal: if you have like the API key, it'll submit things to VirusTotal, which looks super cool. Ah, vulnerable container, I'll check that out, Sponger. Uh, we will check that out. Sorry, I didn't want to ruin your flow; I ended up ruining it anyway, my bad, dude. It's all good, it's all good. I'm glad you had a container. I'm down to use that; I haven't seen that container before, so cool, thanks man. Yeah.

All right, so I'm gonna kind of get out of this dashboard thing; we kind of went over it without it being a dashboard. I want to go into the architecture, but mostly what you need to have for it to even start going. So this will be good for tonight: tonight we want to know how we're going to install this kind of server so that we can create agents for Windows or Linux or containers or whatever, and then throw the agent onto whatever machine we want so that we can monitor it and tune it if we want, but mostly so that we can just gather all the logs. For tonight, we can do other things in another part 2 series. So here we are, the quick start page. Hardware requirements. All right, so it looks like, for us, we're not going to go over our 25 agents, so we'll be good at eight gigs of RAM and 50 gigs of storage. So hopefully that's low enough for others to follow along with on their own Ubuntu Server. So speaking of operating systems, I guess it doesn't have to be Ubuntu, it can be CentOS. It looks like these versions, it looks like it does support 22.04, Sean, and then I think I'm doing it on 20.04 tonight on Ubuntu. A browser, I guess you just find that out when you open up the dashboard and it doesn't display correctly. Interesting, I don't see Edge on here, but I use, this is
what this is, I use Edge for my stuff. So interesting, it's not compatible, but whatever, it kind of is. Oh yeah, it does say other Chromium-based browsers might also work, but the old Internet Explorer 11 is not supported. Gotcha, gotcha. Okay, cool. So really, that's kind of it.

So the next step would be let's just go into creating this thing and getting our feet wet. So let me minimize this. Well, this is probably gone now, let me refresh that; that's probably gone, yep, that's gone, don't need that anymore. Cool. So the first thing is, for me, I gotta make sure that I have something. So if I go in here, I see I have, let's see, hardware. I already removed the ISO, so you can't see what Ubuntu version it is, but anyways, let's just make sure that this has been rolled back. Looks like this has been rolled back. I'm gonna just grab the IP really quick, so it looks like it's .46, that's good to know. So that's pretty much the last I'm going to see of that screen for a while. What I use for my remote management mostly is this Remote Desktop Manager Free that you can go and get places online; just type in that and you'll find it. So what I'm going to use is this, and basically I would just create a new RDP session, I would name it like up here, then I would give it its IP address, which is .46 just like we need. I know that the username is serveradmin, because that's how I created the Ubuntu box; the first username on it is serveradmin. And then I put the password in as some secret password that no one should ever know; just joking, it's super easy, you'll probably see it later. And then I'm just gonna say okay, it would have been created, and then I can open this session and get on the box. Hopefully everybody is on their box. As I can see, it's .46, so that's great. So the first thing I would do, and hopefully everybody does it, is sudo apt update -y and upgrade -y. So hopefully there's not too much of this that's gonna
happen. So while that is updating, I am going to pull up the quick start resource that everyone should also be going to. So let me copy that, put it in our Meetup text so someone can easily click on that; we'll roll it up to the top. And you want to go to the part that says Install Wazuh and go ahead and click on this copy piece on the right. Oh, you've got to make sure you have curl too, by the way. So let's say, okay, what does this say? 157 can be upgraded. Maybe I won't upgrade just yet, but I did update. So sudo apt install curl, so make sure you have curl. What? dpkg was interrupted, you must manually run... okay, sometimes this happens, so I'm glad this went through: this is sudo dpkg --configure -a. Sometimes you've got to do that; I'll even put that in the chat. But yeah, sometimes you gotta do this piece, I'm not exactly sure why. It usually takes not that long. So while that's doing that, I can go back to our quick start, copy that again just in case. Oh, okay, anybody else having problems right now? Sean, I think you're following along, Marco. Hmm, yeah, nice, and it looks like mine just cleared up. Okay, cool, cool. All right, so yeah, again, copy that; I just right click on mine. Oh, did I not do the... hang on, I'm gonna cancel that out, Ctrl-C, and make sure to get sudo apt install curl. Okay, so it's in, and then let's go ahead and run this. It'll run for a while, not too long really. So let me go back here. Really, at the end of all the installation, it's gonna come up saying, hey, do this right here: basically go to your browser, go to your IP address, and you should be able to use admin as the user, and then it'll paste your password on the log, and so you'll have to grab that password. It's only going to be right there on the console, so, oh, I see, Sponger. You should grab that and put it in somewhere like a password manager or something, because you will not be able to get back in if you don't have that password. So let's
go back. It looks like "starting Wazuh indexer", so we're almost there, pretty close, pretty close.

And while that continues to go, I'm going to fill some time with some after activities. Maybe later we can take a peek at something that Wazuh did an article on: this is how to detect Active Directory attacks with Wazuh. They have a part one and a part two. The notable pieces of this are they're detecting DCSync attacks, Golden Ticket attacks, Kerberos attacks, all real, like, you-should-be-detecting-those-kinds-of-attacks kind of things; pass-the-hash attacks, and if you pull out the main DC's password database, the ntds.dit file. So very cool. It runs you through; you can go ahead, and it's like, hey, this is the quick start, it'll talk about here, this is, you know, you need Sysmon, here's the config file, download it, we'll tell you how to put it wherever, run this very specific command so you install the config. And then on the actual system you have to look at this ossec.conf on the agent on the box, and then just make sure that it's grabbing the Sysmon stuff, and then of course you have to restart the Wazuh agent so everything knows what it's doing. And just add one thing on the server side of Wazuh, which is you just copy this whole thing. And this is kind of the thing that I mentioned earlier, where I was like, it doesn't take all the Sysmon logs and alerts, it only takes the ones it creates for itself. So this is what I meant: like, you have to create very specific things to say, hey, this ID, hey, we wanted to do this, it's part of this rule ID. It's very specific, and it's a good thing, it's a good thing. And then you have to restart the manager on the server side, and then just start attacking it, and it goes into, hey, this is the exact commands, this and that. So let's go back to seeing where we are with... oh my, it's still kind of... oh wait, "starting service". All right, we've got some stuff moving. Great, great,
great, great, great. Good, good.

Well, while that is doing that, I'm gonna sneak over to my Ansible area. I was playing around with using Ansible to deploy the Wazuh agent, so sudo nano playbook, we'll do win.yaml. So basically I'm like, hey, only on Windows things, copy this file that I want to send over to my Windows thing, which is going to be the Wazuh agent; make it go in the Public folder for users, right, because I don't know what users are over there, but I do know Public is. Then go ahead and... oh, it doesn't really scroll very well. All right, and then I don't think you need to set the location, I just have that from some other experiment. But anyways, run this script, and basically I make it run a win_shell command and say, hey, run the command prompt, /K I think is exit after this thing runs, use PowerShell, -NoProfile, -NonInteractive, do the execution policy, whatever, Bypass probably, or Unrestricted, yeah, Unrestricted, and then use this file, and that's the Wazuh agent, and then that agent will run. Although, didn't I... no, I used a different script. But anyways, so that's the Ansible piece; it runs a script, but the script is in this files area for Ansible. It has to kind of be in the same directory, so you've got to do some cd files, or actually I'll just do ls files. I don't know what it's called, so I'll just do that. Okay, so it's Invoke Win Wazuh Agent. So instead of that, let's take a peek at what it looks like inside. Cool, so inside there's just like three commands. So basically I'm saying, hey, run this, you'll see this later, this is the agent; sleep about 10 seconds, and then start the Wazuh service, and then that's when everything will call back.

Okay, back to the server, let's go back to the server. So back to the server, here we are. Let's get back to the Wazuh, up here we are. Okay, so it spits out the username admin and it spits out the password. So again, need to put this somewhere, because that just doesn't stay around. So we're gonna go ahead and
go to the browser. Let's pick a new one, new browser: https://192.168.0.46, I think. I think, okay, cool, yep, yep. I know, not secure; deal with that later. Okay, so username admin. This was from a different time. Yeah, you can have my password, I don't care. No, what did this do? Invalid username or password. It was wrong; maybe it used the... I don't know, for some reason that got all messed up. Anyways, so this is what you'll see in the beginning. It's kind of checking a bunch of things: checking the API, checking the index pattern, checking all these things, which is very important. We want these checkboxes, because if any of these are red, it's a problem. Sometimes it's a call-out-to-support problem, which is okay, because they've got a Slack channel you can go to and ask them those things. I was about to say, we get support? What kind of... yeah, kind of. Oh no, mine worked, by the way. Oh perfect, great. How about Marco? I was concerned about it working. I did it. Very nice, very nice, it's awesome, cool. Well, great, great.

So the next thing I'll do, then, let's go ahead and just pull over the Wazuh really quick, I'll show you. So in Slack they've got a Wazuh channel, and they have a community. This community, they're like, hey, I have an issue, like everybody's helping each other out here, super great, super technical. And this announcements channel's always great too; this is when they're like, hey, we're doing a new thing, like, hey, we're now detecting these bad things in Active Directory, hey, we do this now, all these cool things. But the big takeaway to this is they have a community that you can ask questions, so definitely take part in that.

All right, so now we're back to the dashboard. Let's add an agent. So really nice, they just have it right here, right front and center: Add agent. So click on that button, and you have a choice: you can do Red Hat, CentOS, Ubuntu, Debian, Windows, or Mac. So for me today I'm doing Windows, so I select that. Then it's asking, hey, what's your Wazuh server?
Well, it's not localhost, it's 192.168.0.46 as we had before, right up there. Assign a group: default is fine for right now. Install and enroll agent, blah blah blah, I'm not going to even pay attention to any of this. But here's the thing I mentioned earlier with Invoke-WebRequest: so this is a PowerShell script that will be thrown on the Windows box to install the Wazuh agent, and then at the very end you have to do this net start WazuhSvc for it to actually call back. So let me copy this command in. I'm going to be a little crazy, and I'm gonna just go sudo nano, I'm just gonna go file up, and I'm just gonna take that and put it here, I think. Oh yeah, so this still has .46; I think everything's the same, and we don't send over the key in the beginning, so I think I could run this exact thing because I had the server. Okay, cool, let's try it, why not? All right, so ansible-playbook playbook windows wazuh... oh yeah, what are we gonna put it on? We're gonna put it on a Windows machine, so I say windows wazuh. So let me cancel out of there and do a sudo nano hosts, and it looks like I only have one Windows; it's 10, it's number 18 in here. So let me go, what is this one? Windows 10, PowerShell; I actually don't care if it's admin or not, I just want to know if it's a... ipconfig, there we go, ipconfig. Okay, so this is .18. Okay, cool, so that's .18.
This is the box we're gonna put an agent on. All right, cool, so let's go back to Ansible. That's the box we're gonna put it on; it's going to be in windows. It knows this inside here, inside that YAML, so sudo nano playbook win.yaml. In here, under hosts: windows, so it knows to go to that other file, under windows, and use that IP address. That's how this playbook knows what to do, just an FYI. So let's do ansible-playbook playbook win, go. So it's going to run through the Ansible playbook. It says, hey, I'm doing this play, I'm gathering the facts, I'm going to give you the IP address if I could connect to the system. And what I didn't say, what I did do that you don't know about: so you connect to the system, it's green, it's good. So I went over here and I actually ran this script that does WinRM-type configurations for Ansible, and then I ran winrm quickconfig, and I made it so that anything can connect to it through WS-Man, through WinRM, basically. So that's the only thing that I didn't show us doing, but it's right here; this is what I did. So back to Ansible, and it looks like, okay, cool, it copied over the single file, that's fantastic. That's that PowerShell I wanted to run on the system. So if I go over here, whoops, if I go over here and I go, like I showed you in the code, under Users, so we go to This PC, full drive, Users, we go Public, and I said it was in Public somewhere; see, it sent it over here, Invoke Win, and that did it. Hang on, let's make sure things are going. Ah, it said it changed, so it said it did a thing. So let's check the dashboard, let's check the dashboard, did it do a thing? Don't make my cool Ansible not cool, man. Yes, so cool, come on, I see you back there. Why is it like taking forever here? Let me just click on... here we go, let me refresh just to make sure, you know, I'm not for nobody. So, all right, cool, so we have one active Windows 10 PC on .18, just like we kind of looked
at. And it knows it's Windows 10 PC because that's what the computer name is, by the way; that's what it's pulling. So this is like we talked about, inventory, sure. So it's got the computer name, it's got the IP, it's got the agent version, it's got the operating system right here, and they've got some other things too. Oh, it looks like I could try to do... did it really try to do that CIS benchmark on it? Nice, it did do it. So yeah, I was doing those kinds of things. But back to what's cool about Ansible: if I put in that hosts file a whole bunch of, you know, your fleet of Windows 10s that were already configured with basically these two things and a user account that could get to them, then you could basically put Ansible, all right, not Ansible, you put Wazuh on all the things really fast.

So really, that was it. This is my presentation: to install it, to kind of show off Ansible a little bit, to do some automation, and we could move this into another part two kind of thing where we actually do things and look for things in the logs. But I'm going to show real quick the Discover dashboard that kind of reminds you of Kibana. So here it is, there's the alerts, here's the Kibana-type-looking stuff, and of course you can filter through all these things to look for things. So yeah, with that, does anybody have any questions, comments, concerns?

Yeah, I want to bring something up. I think this is pretty awesome. I definitely would love to get another follow-up on this if possible. I think a lot of folks that are trying to get into cybersecurity, they may not have access to the expensive paid-for software that kind of simulates almost like what you'd be like in a SOC, or on a red team or blue team as well. So I think this is really valuable: this is free, it's open source, it's got a lot of cool tools. So yeah, I'd love to get you back in here. Right on, yeah, absolutely. And to that point, you know, Proxmox is also free, and
it's only running on my like Dell desktop workstation, T550 or something, that's like, I don't know, maybe like 10 years old. But yeah, and it's like, here's the summary. I think I have, what is this, not very many gigs of RAM, right? 59, 49 gigs of RAM, 12 CPUs. Is that your... that's a pretty small hard drive we got in there, you know; it's got more RAM than you've got hard drive space. Oh, hard drive, well, kind of. So like I have multiple ones, so I have this one which is a terabyte, two terabytes of data, which is my main one, and then yeah, you're seeing like these other funky local ones that are a little different. Yeah, that's a whole talk in and of itself, how Proxmox works and the different views. A Proxmox talk would be awesome too. I'm a big fan of Proxmox, so I use it at my lab, and I think sharing that, because I honestly think VMware is pretty limited in what you can do with it, especially the free version, and especially since they've kind of gotten rid of the old vSphere client and stuck with that web GUI that they've got now, which is not very good. So I think showcasing some open source tools like this would be pretty cool. Yeah, it's really how I do my red team, blue team kind of stuff, and figure out, okay, this is what we need to do for some configuration to help defend, or help someone configure something. Yeah, I don't know what I would do without it, really; probably pay a lot of money.

Well, cool. So, CodeBlue, should we put this on the Windows 10 machine, then, your ChatGPT ransomware, and see if Wazuh catches it? Oh yeah, yeah, I'd have to make sure it's well quarantined off. I don't know how quarantined off it is. You could set up a host-based firewall on the VM that can, like, you can just say no outbound anywhere, you can just toggle it on and off, which is pretty cool. You just say drop and then you just do everything. Yeah, oh, you've got to know the... I don't know the interface. It's
probably the br01 or something. Anyways, yeah, you see that for next time if you want. Yeah, next time. Because, yeah, the other part is, I'm actually, so with RDP, like using this kind of stuff, so if you have some kind of thing going on in RDP where, here, let me show what I mean: in Properties, if you have local files, Local Resources, and you have hard drives, all of a sudden this machine is now connected to other machines. So like, see, look at this: like if I ran that ransomware, oh my gosh, and if it traversed all my other stuff, not good. But yeah, for things like this, I should totally make this not a thing, and then as soon as I do that, this should go away. Hang on, refresh. Oh boy, hang on, maybe I have to do the whole thing, it's weird. All right, oh, I'm still... oh, it's probably because I'm already RDP'd in, it's still the same session. So hang on, let me just close it and then create a new session with the new local resources, and then now, yeah, so now it's not there. Now it can't get to me, I don't think. I don't know what's on my network; I might be able to get there anyways. Yeah, there's some things that need to be done; I can't just run stuff all of a sudden on that machine, unfortunately. So cool, great.

Well, this has been fun. I appreciate everyone coming out and listening to this. If you want to know more, just hit me up in Discord and we can do some other things, or if you have some good ideas for part two, we can come up with something and make scenarios up and do that. Thanks Jesse, it was very nice. I'm so excited to use this on my network. Yeah, how's that going for you? Did it actually work with your ARM? Yes, it works perfectly. Oh nice, nice. It worked on my Windows, man; I'm already looking at it. I have a score of 32 on my CIS benchmark. Great, amazing. Yeah, yeah, this is, I'm stoked at what they did to this. They did a really good job adding a lot of, like, adding these dashboards. Like I said before, the only way I've
interacted with Wazuh was when it was OSSEC, and I was forced to use like the AlienVault dashboard, which is complete garbage compared to this. This is very streamlined. So yeah, I'm gonna definitely be playing around with this personally, maybe even on my own home network here.

Yeah, and just a forewarning: you know, you're looking at this and you're like, oh my gosh, am I getting, like, you know, defense evasion happening, is persistence, privilege escalation happening? You know, you're like, ah, all these things. So what you've got to keep in mind with this is Windows logs are very vague, and when they write rules, they're trying to get close enough, so a lot of these are kind of benign, right? They're not quite what they appear to be, if that makes sense. Yeah, definitely. Yeah, so like if I go here, if I go into the actual box and pull up PowerShell as administrator, maybe, no, not... oh geez, I just did it like three times. Okay, this is good: everybody be safe, never be admin. I'm talking to you, CodeBlue29. Always has this... I'm not focusing. Yeah, I was just showing how there's a UAC prompt, and you should always do that, not just be straight admin. Hint, CodeBlue29, from the previous presentation; messing with you. All right, so in Event Viewer, if you just look at the logs, they're just so vague. They're just so like, oh, what does that actually mean? And so you could think it's really hard for some monitoring software to be like, yeah, what does that mean, and then try to translate it into their own product, which is what Wazuh is trying to do; it's trying to translate it into its own product. So what I've found is a lot of people are like, am I being attacked, is there a privilege escalation happening? It's like, oh no, not really, it's just how vague... it just casts a wide net and catches a bunch of stuff, and some of the stuff is benign. Like, what is this? Valid Accounts is the MITRE technique, and the tactics: defense evasion, persistence, privilege
escalation, initial access. Okay, but what is this? Let's see, it's a 6340, which is maybe... it's a security auditing... is it just a logon? Yeah, 4624 is just a logon. So I guess you can think of it: it is authentication success, it is persistence, sure; privilege escalation, I don't know about that. I guess, yeah, if you just create an account, you can log in with it and other accounts, it could be considered that, right? Logging in, that's an initial access. Just having somebody's username and password and logging in with them is defense evasion. Oh, what's that? Yeah, you've got to read between the lines on these things. See how easy privilege escalation is? That's right, it's super easy, we hunt admins. But yeah, the best thing to do is go through one of these how-to-detect-Active-Directory-attacks-with-Wazuh articles and just go through the thing and then see what the attacks are, and then be able to help tune this for it. Yeah, so that's where probably using Atomic Red Team and doing all those attacks and figuring out how that looks, and making alerts based off of that.
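The talk's Windows deployment boils down to three steps pushed over WinRM by Ansible: run the dashboard's Invoke-WebRequest/msiexec snippet, sleep about 10 seconds, then net start WazuhSvc. The script below is an added example written for this page; it is not the presenter's Invoke Win Wazuh Agent script and not the snippet the Wazuh dashboard generates. It does the same install but adds the checks a practitioner would want before running a downloaded installer with the execution policy set to Unrestricted: it verifies the MSI's Authenticode signature before msiexec touches it, waits for msiexec to finish instead of sleeping a fixed 10 seconds, and confirms WazuhSvc is actually running. The manager address 192.168.0.46 and group default come from the talk; the agent version, the package URL layout and the expected signer name are assumptions and must be checked against the package you actually download.

```powershell
# Added example, not the talk's script or Wazuh's own installer snippet.
# Run from an elevated PowerShell session on the Windows endpoint (or via the
# Ansible win_shell task the talk uses).
#
# Assumptions: manager/registration server 192.168.0.46 (the talk's address);
# $AgentVersion, the download URL layout and $ExpectedSignerPattern are
# placeholders to confirm against the real package.

param(
    [string]$Manager               = '192.168.0.46',
    [string]$AgentGroup            = 'default',
    [string]$AgentVersion          = '4.3.10-1',   # assumption
    [string]$ExpectedSignerPattern = 'Wazuh'       # assumption: signer CN contains this
)

$ErrorActionPreference = 'Stop'

$msiName = "wazuh-agent-$AgentVersion.msi"
$msiUrl  = "https://packages.wazuh.com/4.x/windows/$msiName"   # URL layout assumed
$msiPath = Join-Path $env:TEMP $msiName

# 1. Download over TLS. Invoke-WebRequest validates the server certificate by default.
Invoke-WebRequest -Uri $msiUrl -OutFile $msiPath -UseBasicParsing

# 2. Refuse to run an unsigned, tampered or unexpectedly signed installer.
#    The talk's script executes whatever was downloaded; this is the added check.
$sig = Get-AuthenticodeSignature -FilePath $msiPath
if ($sig.Status -ne 'Valid') {
    throw "MSI signature check failed: $($sig.Status) ($($sig.StatusMessage))"
}
if ($sig.SignerCertificate.Subject -notmatch $ExpectedSignerPattern) {
    throw "Unexpected MSI signer: $($sig.SignerCertificate.Subject)"
}

# 3. Silent install pointed at the manager. WAZUH_MANAGER, WAZUH_REGISTRATION_SERVER
#    and WAZUH_AGENT_GROUP are the MSI properties the dashboard's 'Add agent' snippet
#    sets. -Wait replaces the talk's fixed Start-Sleep 10.
$msiArgs = @(
    '/i', "`"$msiPath`"", '/qn',
    "WAZUH_MANAGER=$Manager",
    "WAZUH_REGISTRATION_SERVER=$Manager",
    "WAZUH_AGENT_GROUP=$AgentGroup"
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with code $($proc.ExitCode)"
}

# 4. Start the service (the talk's 'net start WazuhSvc') and confirm its state,
#    so the Ansible run fails loudly instead of reporting 'changed' for an agent
#    that never calls back.
Start-Service -Name 'WazuhSvc'
$svc = Get-Service -Name 'WazuhSvc'
if ($svc.Status -ne 'Running') {
    throw "WazuhSvc is in state $($svc.Status), expected Running"
}
Write-Output "Wazuh agent $AgentVersion installed; WazuhSvc running; manager=$Manager group=$AgentGroup"
```

Because every failure is a throw, a non-zero exit propagates back through win_shell and the play stops on that host, which is the behaviour you want when rolling the agent out to the whole hosts file. Restricting WinRM to the Ansible controller's address rather than letting "anything connect", as the talk describes for the lab, is the matching hardening on the inventory side.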
Info
Channel: Null:404 Cyber Security
Views: 21,427
Id: 0XAFewziv5I
Length: 39min 49sec (2389 seconds)
Published: Tue Feb 21 2023