Beacon Kibana Executable Report. Aggregates Sysmon Network Events With Elasticsearch and Kibana

BeaKer - Beaconing Kibana Executable Report

Brought to you by Active Countermeasures.


BeaKer visualizes Microsoft Sysmon network data to help threat hunters track down the source of suspicious network connections. The custom dashboard presents which users and executables created connections between two given IPs, how many times they've connected, the protocols and ports used, and much more.

Getting Started

After Sysmon starts sending data to Elasticsearch, Kibana will be ready to go. Filter by a source IP, a destination IP and a time range to view what connections have been made between the two. The Program List will display which executables on the source machine made the connections to the destination. The actual Sysmon logs are displayed lower on the screen, where you can investigate the events in greater detail.

How it works

  • Microsoft Sysmon: Logs network connections to the Windows Event Log
  • WinLogBeats: Sends the network connection logs to Elasticsearch
  • Elasticsearch: Stores, indexes, and aggregates the network connection logs
  • Kibana: Displays logs stored in Elasticsearch and provides a user interface for Elasticsearch administration
  • Beacon Dashboard: Aggregates the network connections between two hosts

Installation

BeaKer Server System Requirements

  • Operating System: The preferred platform is x86 64-bit Ubuntu 20.04 LTS. The system should be patched and up to date using apt-get.
    • The automated installer will also support CentOS 7.
  • Processor: Two or more cores. Elasticsearch uses parallel processing and benefits from more CPU cores.
  • Memory: 8-64GB. Monitoring more hosts requires more RAM.
  • Storage: Ensure /var/lib/docker/volumes has free space for the incoming network logs.

BeaKer Agent System Requirements

  • Operating System: Windows x86-64 bit OS
  • Powershell Version: 3+
  • The installed WinLogBeats version must be less than or equal to the Elasticsearch version installed on the BeaKer server, and at least the minimum wire version that Elasticsearch version supports:
    • Elasticsearch v8.6.2 supports WinLogBeats 7.17.0 through 8.6.2
    • Elasticsearch v7.17.9 supports WinLogBeats 6.8.0 through 7.17.9

Automated Install: BeaKer Server

Download the latest release tar file, extract it, and inside the BeaKer directory, run ./install_beaker.sh on the Linux machine that will aggregate your Sysmon data and host Kibana.

Note that existing BeaKer installations must be upgraded to v7.17 before they can be upgraded to v8.x.

The automated installer will:

  • Install Docker and Docker-Compose
  • Create a configuration directory in /etc/BeaKer
  • Install Elasticsearch, Kibana, and load the dashboards
  • Set the Elasticsearch superuser password for the elastic account
  • Set the sysmon-ingest user password for connecting WinLogBeats
  • Set up index templates, ILM policy, data streams and ingest pipelines

The beaker script installed to /usr/local/bin/beaker is a wrapper around docker-compose and can be used to manage BeaKer.

  • To stop BeaKer, run beaker down
  • To start BeaKer, run beaker up
  • To view the logs of the Elasticsearch container, run beaker logs -f elasticsearch
  • To view the logs of the Kibana container, run beaker logs -f kibana

After running ./install_beaker.sh you should be able to access Kibana at localhost:5601. Note that Kibana is exposed on every network interface available on the Docker host.

Use the elastic account to perform your initial login to Kibana. Additional user accounts can be created using the Kibana interface. The sysmon-ingest user account is not allowed to access Kibana.

The Elasticsearch server will begin listening for connections on port 9200 using HTTPS. It expects Sysmon ID 3 Network Events to be published to:

  • WinLogBeats earlier than v7.17.9: ES index sysmon-%{+YYYY.MM.dd}
  • WinLogBeats v7.17.9: ES index winlogbeat-%{[agent.version]} via data stream
  • WinLogBeats v8.6.2: ingest pipeline winlogbeat-%{[agent.version]}-routing

See the embedded winlogbeat.yml file in ./agent/install-sysmon-beats.ps1 for more info.

The easiest way to begin sending data to the server is to use the automated BeaKer agent installer.

Automated Install: BeaKer Agent

The PowerShell script ./agent/install-sysmon-beats.ps1 will install Sysmon and WinLogBeats, and configure WinLogBeats to begin sending data to the BeaKer server.

To install the agent, run the script as .\install-sysmon-beats.ps1 ip.or.hostname.of.beaker.server 9200.

The script will then:

  • Ask for the credentials of the Elasticsearch user to connect with
    • These may be supplied using the parameters ESUsername and ESPassword
    • If using the automated BeaKer Server installer, use sysmon-ingest
  • Download Sysmon and install it with the default configuration in %PROGRAMFILES% if it doesn't exist
  • Ensure Sysmon is running as a service
  • Download WinLogBeat and install it in %PROGRAMFILES% and %PROGRAMDATA% if it doesn't exist
  • Remove any existing winlogbeat configuration files (winlogbeat.yml)
  • Install a new winlogbeat.yml file to connect to the BeaKer server
  • Ensure WinLogBeat is running as a service

BeaKer Agent uninstall

As an administrator, run the following to uninstall the BeaKer agent:

  • C:\Program Files\winlogbeat-7.5.2-windows-x86_64\uninstall-service-winlogbeat.ps1
  • C:\Program Files\Sysmon\Sysmon64.exe -u

Data Collected By Sysmon Per Network Connection

  • Source
    • IP Address
    • Hostname
    • Port
  • Destination
    • IP Address
    • Hostname
    • Port
  • Network
    • Transport Protocol
    • Application Protocol
    • Community ID
  • Process
    • PID
    • Executable
    • Entity ID
  • User
    • Domain
    • Name
  • Timestamp
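As an added example (not code from the BeaKer project), the aggregation the Beacon Dashboard performs, written offline in Python over a handful of constructed Sysmon ID 3 events using the fields listed above in the flattened ECS layout that Winlogbeat's Sysmon module produces (field names such as source.ip and process.executable are the ECS names; the sample values and the CORP domain are invented). It filters by source IP, destination IP and time range, then builds the Program List of which executables and users made the connections, how many times, and over which ports and transports.

```python
from collections import defaultdict
from datetime import datetime, timezone

SVCHOST = r"C:\Windows\System32\svchost.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def ev(ts, src, dst, dport, exe, user, transport="tcp", code="3"):
    """Build one flattened ECS document in the shape Winlogbeat's Sysmon module emits (assumed field names)."""
    return {"@timestamp": ts, "event.code": code, "source.ip": src, "destination.ip": dst,
            "destination.port": dport, "network.transport": transport,
            "process.executable": exe, "user.domain": "CORP", "user.name": user}


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    ev("2023-03-01T10:00:00Z", "10.0.0.5", "203.0.113.9", 443, SVCHOST, "alice"),
    ev("2023-03-01T10:05:00Z", "10.0.0.5", "203.0.113.9", 443, SVCHOST, "alice"),
    ev("2023-03-01T10:07:00Z", "10.0.0.5", "203.0.113.9", 8080, PWSH, "bob"),
    ev("2023-03-01T10:09:00Z", "10.0.0.5", "198.51.100.2", 443, SVCHOST, "alice"),  # other destination
    ev("2023-03-02T10:00:00Z", "10.0.0.5", "203.0.113.9", 443, SVCHOST, "alice"),   # outside the window
    ev("2023-03-01T10:01:00Z", "10.0.0.5", "203.0.113.9", 443, SVCHOST, "alice", code="1"),  # not ID 3
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def program_list(events, src_ip, dst_ip, start, end):
    """Aggregate Sysmon ID 3 events from src_ip to dst_ip within [start, end] by (executable, user).
    Returns rows sorted by connection count (descending) with transports, ports and first/last seen."""
    start, end = parse_ts(start), parse_ts(end)
    rows = defaultdict(lambda: {"count": 0, "transports": set(), "dst_ports": set(),
                                "first": None, "last": None})
    for e in events:
        if e.get("event.code") != "3":            # only network-connection events
            continue
        if e["source.ip"] != src_ip or e["destination.ip"] != dst_ip:
            continue
        ts = parse_ts(e["@timestamp"])
        if not start <= ts <= end:                # outside the dashboard's time range
            continue
        row = rows[(e["process.executable"], f'{e["user.domain"]}\\{e["user.name"]}')]
        row["count"] += 1
        row["transports"].add(e["network.transport"])
        row["dst_ports"].add(e["destination.port"])
        row["first"] = ts if row["first"] is None else min(row["first"], ts)
        row["last"] = ts if row["last"] is None else max(row["last"], ts)
    return sorted(({"executable": k[0], "user": k[1], **v} for k, v in rows.items()),
                  key=lambda r: r["count"], reverse=True)
```

The same shape of result is what the Kibana dashboard shows for a chosen source/destination pair; the first/last timestamps are what a hunter compares against the expected cadence of a beaconing process.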

Developer Information

When cloning the project, ensure that you have cloned the git submodules as well. Either pass --recurse-submodules to git clone when pulling down the project, or run the following commands afterwards:

  • cd BeaKer
  • git submodule update --init --recursive

To generate a new release tarball, run ./installer/generate_installer.sh.

License

GNU GPL V3 © Active Countermeasures ™
