Scalable Security Automation Lab
Security Automation Homelab: Wazuh, TheHive, and Shuffle Integration
- Objective: Security Operations Centers (SOCs) are commonly centralized units that monitor, prevent, detect, investigate, and respond to cyber threats on a 24/7 basis.
- **Common Roles:** SOC Manager, SOC Analyst, SOC Engineers, Incident Responders, Threat Hunters, Forensic Analysts, Vulnerability Analysts, Data Analysts, Threat Intel Analysts, Compliance Specialists
- Typical components: SIEM, IDS/IPS, XDR, Firewalls, SOAR, Vulnerability Scanners, Network Monitoring Tools, Log Management, Ticketing, DLP, Active Directory
- In this lab, we will be using Wazuh as the SIEM and XDR, Shuffle as the SOAR, VirusTotal as an enrichment source for IoCs, and TheHive as the case management platform. Telemetry will be generated by the Wazuh Agent; for this example we will run mimikatz.exe on the agent host. A future lab will focus on red teaming this blue team environment to see how we can further improve its security posture.
Lab Topology:
Telemetry: sensors collect data from equipment; the data is transmitted over a path to designated receiving equipment, which processes and analyzes it and then presents the results.
Wazuh Agent & Manager & TheHive
Wazuh Agent - check which operating systems Wazuh agents support. In this example, I want to use Windows, and Wazuh supports all editions of Windows 10. Next, you will need a Windows .iso file. I will be hosting this ISO image in VMware Workstation Pro 17. I enjoy using all kinds of hypervisors; I noticed this one has 33% market share, so I thought it would be worthwhile to use.
- Sysmon (System Monitor) is a Windows system service and device driver that monitors and logs system activity to help identify what's going on within the network. It is part of Sysinternals, which is owned by Microsoft. The details logged include process creation, network connections, file creation and deletion, file creation time changes, driver and DLL loading, raw disk access, registry events, image loads, pipe events, and WMI events. Agent VM resources: Storage 128 GB, RAM 4 GB, Processors 1. Ensure you later install VMware Tools to add helpful functionality.
- Download Sysmon > save sysmonconfig.xml > run PowerShell as admin and install Sysmon with that config > verify the Sysmon64 service is running
- We have a fully functional VM and were able to verify the proper services are running.
Wazuh (the security guard): components include the Wazuh Manager (Server), Agent, Indexer, and Dashboard. Agents are installed on endpoints, the Manager receives a variety of data from the agents, and the Indexer is a search engine that stores the alerts generated by the Manager. Finally, the Dashboard provides a user-friendly interface for data visualization, analysis, and management.
- Detection and monitoring of security events
TheHive (the incident manager) allows users to create and manage cases. It consists of TheHive server, Cortex as an analysis engine that runs analyzers against observables, and Malware Information Sharing Platform (MISP) integrations.
- MISP: threat intelligence sharing > threat indicators, IoCs, TTPs, contextual threat data » shared IoCs and collective intelligence
- VirusTotal: malware and URL analysis > files, URLs, hashes, analysis reports » integrate malware analysis into security workflows via API
- Cortex: automated analysis and response > observables (IPs, hashes), analysis results » automate analysis of security observables
- TheHive: incident response and case management > incidents, alerts, case details, evidence » team collaboration and response coordination
DigitalOcean: this platform is for deploying, managing, and scaling applications. Its interface can be used together with a variety of tools to manage cloud infrastructure efficiently. For the next project I will use Proxmox and set it up as a red team against this blue team environment.
- Location: your preferred data center region
- Operating system: Ubuntu 22.04 LTS » LTS means Long-Term Support, which gives a more stable environment
- Resources: each droplet needs 8 GB of memory for Wazuh and TheHive
- Authentication: I chose password, but you can select SSH key if you'd like.
- Droplet: a scalable VM that runs on top of virtualized hardware. Each droplet is like an independent server used to host websites, databases, and applications.
SSH into the server using the public IP address.
Firewall: these devices monitor and control incoming and outgoing network traffic based on predetermined security rules. A firewall acts as a barrier between your trusted internal network and untrusted external networks, such as the internet. If your building has a security guard, when someone unauthorized walks in, the guard stops them from proceeding further. Likewise, a firewall examines data packets and decides whether to allow them through based on its rules. Functions include packet filtering, stateful inspection, and proxy services.
In DigitalOcean, perform the same steps to create TheHive droplet. Ensure the firewall rules include your ISP-issued public IP address so your connections are allowed through.
A fast way to install everything necessary is a script: create a text file > navigate to the /etc directory > use nano to create and edit the file > Ctrl+O to save and Ctrl+X to exit > chmod +x to make it executable > ./script.sh to run it
If you come across the 'Daemons using outdated libraries' prompt, press Enter on dbus.service
- Dependencies: this term refers to external components, libraries, and modules that a software application requires to function correctly. Example: if you're making a website, you might need a library to help with animations; if you're building a game, you might need a sound library to add music and sound effects.
- TheHive: Java, Apache Cassandra (database), Elasticsearch (indexing and searching data), and other utilities (git, curl, wget, pip)…
Cassandra: this is TheHive's primary database. It's often used to store alert data, incident data, log data, threat intel, user activity data, configuration data, and vulnerability data. Configuration file: nano /etc/cassandra/cassandra.yaml
- listen_address - change it to TheHive public IP
- rpc_address - change it to TheHive public IP
- seeds - change it to TheHive public IP
- cluster_name - name of cluster
Ensure that the Cassandra service status is active (running)
Elasticsearch - search engine used for indexing and searching large volumes of data such as alerts, cases, and observables. Configuration file: nano /etc/elasticsearch/elasticsearch.yml
Both .yml and .yaml are functionally the same; some projects prefer one over the other, but .yaml is more commonly used.
- cluster name - good idea to give this a different name than the others to avoid confusion
- node name - uncomment
- network host - uncomment and change it to TheHive’s public IP
- http port - uncomment it
- cluster.initial_master_nodes - uncomment and remove the second node
TheHive configuration: we must change directory ownership so the TheHive user and group have proper access to the /opt/thp path. The chown command changes ownership of files and directories; -R applies the change recursively to the directory and everything beneath it. Ensure you're in the right directory before typing the command.
Also we will need to edit the config file: nano /etc/thehive/application.conf
- db.janusgraph_hostname - change to TheHive public IP
- db.janusgraph_cluster-name - change to cluster named on Cassandras config file
- index.search_hostname - change to TheHive public IP
- application.baseUrl - change to “https://TheHive_IP:9000”
Common errors
When we went to verify that all services (elasticsearch, thehive, and cassandra) were running, we noticed that elasticsearch had failed.
journalctl -xe: this command views detailed system logs managed by systemd. journalctl queries and displays journal messages; -x adds explanatory context to log messages; -e jumps to the end of the journal so the most recent entries are shown.
According to the error, Elasticsearch's main Java process (pid=54844) was killed by the OOM (out of memory) killer, which the device invokes to free up RAM. Elasticsearch was singled out because it is relatively large.
I was looking to connect to TheHive but kept getting an error: ERR_CONNECTION_REFUSED. This tells me to check the service and see if it's running, since the port is not open. journalctl was not as helpful in figuring out the underlying reason for TheHive's startup issues; the command only shows systemd's view. We should check the /var directory for logs that contain lines marked Error, Exception, or Caused by.
I had to restart all services. The logs were pointing at Cassandra: JanusGraph could not connect to Cassandra on port 9042, so it seems TheHive's storage layer was unable to reach Cassandra. When TheHive cannot establish its backend storage connection, it exits with a failure code, as the logs relayed.
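An added example of the log triage described above, not part of the lab write-up: three small shell functions that pull the Error / Exception / Caused by lines out of TheHive's application log and isolate the innermost cause. The log lines are constructed to mirror the Cassandra-unreachable failure (port 9042), not captured from the lab, and the logger names are illustrative.

```shell
#!/bin/sh
# Added example (not from the lab write-up): triage of TheHive's application log
# using the Error / Exception / Caused by markers. The sample log below is
# constructed to resemble the Cassandra-unreachable failure; it is not real output.

# Print every line that marks a failure, with line numbers, from log file $1
triage_log() { grep -niE 'error|exception|caused by' "$1"; }

# Print the innermost cause: the last "Caused by:" line, without the prefix
root_cause() { grep 'Caused by:' "$1" | tail -n 1 | sed 's/.*Caused by: //'; }

# Return 0 when the root cause is a refused connection to Cassandra's CQL port
cassandra_unreachable() {
  root_cause "$1" | grep -qiE 'connection refused.*:9042'
}

# Constructed sample log (logger names are illustrative)
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
[info] o.t.t.TheHiveStarter - Starting TheHive
[error] o.t.s.j.JanusDatabase - Could not open database
java.lang.IllegalArgumentException: Could not instantiate the storage backend
Caused by: org.janusgraph.diskstorage.TemporaryBackendException: Could not connect to backend
Caused by: java.net.ConnectException: Connection refused: /203.0.113.10:9042
[info] play.core.server.AkkaHttpServer - Stopping server
EOF

triage_log "$LOG"
echo "root cause: $(root_cause "$LOG")"
if cassandra_unreachable "$LOG"; then
  echo "next step: systemctl status cassandra; confirm listen_address/rpc_address and that 9042 is listening"
fi
```

On the droplet, point the functions at the file under /var/log/thehive instead of the sample; the last "Caused by:" line is usually the one that names the service TheHive could not reach.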
TheHive web page should now load and you can try the default credentials: username admin@thehive.local, password secret
Wazuh Agent Configuration
VMware Tools adds functionality such as time synchronization, automated script execution, secure communication with other devices, driver installation, and performance optimization. To install it, choose VM > VMware Tools at the top left of VMware, then in File Explorer open D: and run setup64.exe.
To generate the install command for your agent, click Add agent in the Wazuh dashboard and the command will present itself. Double-check the dashboard once the agent service is running; it should show 1 agent present.
ossec.conf is the primary configuration file for OSSEC/Wazuh; it defines the behavior and settings of both the manager and the agents. The file is located at /var/ossec/etc/ossec.conf on Linux and C:\Program Files (x86)\ossec-agent\ossec.conf on Windows. In this case, we want to instruct Wazuh to monitor and collect logs from the Microsoft-Windows-Sysmon/Operational event channel. The localfile tag defines a new local file or event source to be monitored. The location tag specifies which event channel will be monitored; it points to the Sysmon operational event log. The log_format tag indicates that the format is eventchannel, which is used for collecting specific Windows events (think Event Viewer). Ensure logging is enabled.
Event Viewer: Applications and Services Logs > Microsoft > Windows > Sysmon: right-click > Properties > use the full channel name in ossec.conf
By enabling these settings we can capture and analyze events generated by Sysmon, such as process creation, network connections, and file changes.
Mimikatz
Key functionalities
- Credential Dumping: extract plaintext passwords, hashes, PINs, and Kerberos tickets from memory, allowing retrieval of authentication data.
- Pass the Hash: enables an attacker to authenticate as a user without having the exact plaintext password, allowing lateral movement.
- Pass the Ticket: capture and utilize Kerberos tickets from a compromised machine; this can enable impersonation and access to resources.
- Golden Ticket: grants attackers unrestricted access to domain resources, this is basically an unexpiring admin credential.
- Pass the Key: using a password hash to request Kerberos tickets, attackers can then authenticate without the original password.
Note: Patch management is essential, it allows an OS to address various known vulnerabilities.
Mimikatz is well known at this point in time, so after downloading it directly from the main GitHub page, exclude the Downloads folder from Windows Defender scans: Windows Security > Virus & threat protection > Manage settings > Add or remove exclusions > Add an exclusion
Ensure you extract the zip file, which should be found in the downloads folder.
Enable Wazuh to log everything: we must modify Filebeat's config file and the ossec.conf file on the Wazuh server, accessible via SSH (port 22).
Wazuh will save all logs in the /var/ossec/logs/archives folder.
- Filebeat forwards and centralizes log data. It is installed as an agent on the server to monitor log files, collect events, and forward them to Elasticsearch for indexing. In its config file, under filebeat.modules, find archives and set enabled to true.
Indexing logs refers to organizing log data for quicker searches by reducing the amount of data that must be scanned during a query. Being more specific with log indexing uses fewer resources and makes it easier to analyze patterns and identify issues. Look out for duplicate log entries; they may indicate an existing issue that uses extra storage space.
Rerun Mimikatz on the agent, then open Event Viewer; Event ID 1 = Process Create
Check the Wazuh Manager; there should be hits showing it caught this event.
Create an Alert for Mimikatz
What if the attacker changes the name of this file to something other than Mimikatz? We can create a custom rule to trigger an alert when this happens.
Rule creation: Management > Rules > Manage rules files. The Wazuh ruleset is a collection of predefined conditions and patterns written in XML format that the Wazuh manager uses to analyze incoming events. This determines how logs are interpreted and defines the criteria for generating alerts when specific events or behaviors are detected. Rules are XML elements; decoders parse and normalize raw log data into a structured format that Wazuh can process. Rule groups allow for organized management and categorization based on function or the type of event being monitored.
- Custom rule IDs start at 100000; in this case, ours will be 100002.
- The level ranges up to 15, with higher numbers indicating greater severity.
- For the field name, we specify win.eventdata.originalFileName (which is case sensitive) and use mimikatz.exe as the value.
- Additionally, we include the MITRE ATT&CK ID T1003, which refers to Credential Dumping. Make sure to click Save; the manager must be restarted when prompted.
Note: we renamed the executable from mimikatz.exe to notepad.exe, and it was still detected.
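The rule above written out, as an added example rather than the lab's own file, together with a shell re-implementation of its field match run over constructed alert data. It shows why the rename in the note does not help: the match is on the PE header's original file name, not the on-disk name. Assumptions: level 15 and the sysmon_event1 parent group are my choices (the lab does not state them), and the three event lines are constructed, not captured from the lab.

```shell
#!/bin/sh
# Added example (not the lab's own code): rule 100002 as it would go into
# local_rules.xml, plus a shell version of its field match run over constructed
# alert JSON. Assumptions: level 15 and the sysmon_event1 parent group are my
# choices; the three events below are constructed, not captured.

# Rule 100002: fire on the PE original file name, whatever the file is called on disk
mimikatz_rule_xml() {
  cat <<'EOF'
<group name="mimikatz">
  <rule id="100002" level="15">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)mimikatz\.exe</field>
    <description>Mimikatz usage detected (original file name match)</description>
    <mitre>
      <id>T1003</id>
    </mitre>
  </rule>
</group>
EOF
}

# Pull win.eventdata.originalFileName out of one alert JSON line ($1)
original_file_name() {
  printf '%s\n' "$1" | sed -n 's/.*"originalFileName": *"\([^"]*\)".*/\1/p'
}

# Return 0 when rule 100002 would match: case-insensitive, like the (?i) pcre2
# flag. A missing field yields empty output, which never matches.
matches_mimikatz_rule() {
  original_file_name "$1" | grep -qiE 'mimikatz\.exe'
}

# Constructed Sysmon Event ID 1 events, trimmed to the fields that matter
EVT_RENAMED='{"data":{"win":{"system":{"eventID":"1"},"eventdata":{"image":"C:\\Users\\lab\\Downloads\\notepad.exe","originalFileName":"mimikatz.exe"}}}}'
EVT_UPPER='{"data":{"win":{"system":{"eventID":"1"},"eventdata":{"image":"C:\\tmp\\svc.exe","originalFileName":"MIMIKATZ.EXE"}}}}'
EVT_BENIGN='{"data":{"win":{"system":{"eventID":"1"},"eventdata":{"image":"C:\\Windows\\System32\\notepad.exe","originalFileName":"NOTEPAD.EXE"}}}}'

for evt in "$EVT_RENAMED" "$EVT_UPPER" "$EVT_BENIGN"; do
  if matches_mimikatz_rule "$evt"; then
    echo "ALERT  originalFileName=$(original_file_name "$evt")"
  else
    echo "ok     originalFileName=$(original_file_name "$evt")"
  fi
done
```

The first event is the lab's scenario: image notepad.exe, original file name mimikatz.exe, so it alerts. The second shows the (?i) flag at work. The third is the real Notepad and stays quiet, which is the check worth keeping around when you tune the rule later.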
Workflow creation using Shuffle
Shuffle is an open source SOAR platform; its user-friendly interface makes automation approachable for anyone looking to streamline security operations. We need Wazuh to communicate with Shuffle to streamline alert handling, use VirusTotal from Shuffle for threat intelligence, and integrate with TheHive for case management.
Create a workflow, which is a series of automated steps in a particular sequence that perform specific tasks. Workflows consist of apps that perform specific actions within the workflow, triggers that initiate the workflow and can be activated based on time, incoming data, or other conditions, and variables that store information to be reused throughout the workflow.
- Trigger: an alert from the SIEM system
- Enrichment: use VirusTotal to enrich the alert data with additional threat intelligence
- Detection: check whether the alert matches known patterns
- Response: if a threat is detected, isolate the affected system and notify the security team
- Verification: perform post-incident analysis to ensure the threat has been mitigated and systems are secure
Additional steps: to connect Wazuh with Shuffle you need an integration tag in the manager's ossec.conf file (nano /var/ossec/etc/ossec.conf). In Shuffle, add a Webhook trigger; its URI is shown under the trigger's parameters and is the URL the integration posts to.
Make sure to restart the wazuh-manager after making this configuration change. Then rerun notepad.exe (the renamed mimikatz) on the Wazuh agent host in VMware to create an alert.
In Shuffle, click Start on the Webhook. Select Show executions; there should be some events from Wazuh. Let's confirm the alert is related to mimikatz.
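The Wazuh-side plumbing from three earlier steps (the agent's Sysmon localfile, the manager's archive logging with Filebeat's archives input, and the Shuffle integration tag above) as one added example; this is not code from the lab or from the Wazuh project. It assumes the stock ossec.conf and filebeat.yml layouts, a placeholder Shuffle hook URL, and forwarding only rule 100002 via rule_id (my choice; a level threshold would also work). The helpers write to copies so the result can be inspected before it replaces the live files.

```shell
#!/bin/sh
# Added example (not from the lab write-up): the three Wazuh pipeline edits this
# lab makes, as shell helpers that work on copies of the files. Assumptions:
# stock ossec.conf/filebeat.yml layouts, a placeholder Shuffle hook URL, and
# rule 100002 as the forwarding filter (my choice; <level> works too).

# Insert an XML fragment (stdin) before the LAST </ossec_config> of $1, writing $2.
# The manager's ossec.conf has several <ossec_config> blocks, hence "last".
insert_before_close() {
  frag=$(cat)
  awk -v frag="$frag" '
    { line[NR] = $0; if ($0 ~ /<\/ossec_config>/) last = NR }
    END { for (i = 1; i <= NR; i++) { if (i == last) print frag; print line[i] } }' "$1" > "$2"
}

# Agent side: collect the Sysmon operational channel (goes in the agent's ossec.conf)
sysmon_localfile_xml() {
  cat <<'EOF'
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
EOF
}

# Manager side: forward alerts from rule 100002 to the Shuffle webhook ($1)
shuffle_integration_xml() {
  cat <<EOF
  <integration>
    <name>shuffle</name>
    <hook_url>$1</hook_url>
    <rule_id>100002</rule_id>
    <alert_format>json</alert_format>
  </integration>
EOF
}

# Manager side: turn on archive logging (all events, not only alerts) in <global>
enable_archives() {
  sed -e 's#<logall>no</logall>#<logall>yes</logall>#' \
      -e 's#<logall_json>no</logall_json>#<logall_json>yes</logall_json>#' "$1" > "$2"
}

# Filebeat: flip only the archives block's "enabled:" (the alerts block has one too)
enable_filebeat_archives() {
  sed '/archives:/,/enabled:/ s/enabled: false/enabled: true/' "$1" > "$2"
}

# --- constructed samples, trimmed to the parts the lab touches ---
WORK=$(mktemp -d)
cat > "$WORK/ossec.conf" <<'EOF'
<ossec_config>
  <global>
    <logall>no</logall>
    <logall_json>no</logall_json>
  </global>
</ossec_config>
EOF
cat > "$WORK/filebeat.yml" <<'EOF'
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
EOF

sysmon_localfile_xml | insert_before_close "$WORK/ossec.conf" "$WORK/agent.conf"
shuffle_integration_xml "https://shuffler.io/api/v1/hooks/WEBHOOK_ID_PLACEHOLDER" \
  | insert_before_close "$WORK/ossec.conf" "$WORK/manager.tmp"
enable_archives "$WORK/manager.tmp" "$WORK/manager.conf"
enable_filebeat_archives "$WORK/filebeat.yml" "$WORK/filebeat.out"
cat "$WORK/manager.conf"
cat "$WORK/filebeat.out"
# After copying the real files into place: systemctl restart wazuh-manager filebeat
```

Forwarding by rule_id keeps the webhook traffic to the one alert this workflow handles; switch to a `<level>` threshold once more rules feed the SOAR. The archives toggle is a firehose, so keep an eye on disk under /var/ossec/logs/archives.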