BeaKer - Beaconing Kibana Executable Report

Brought to you by Active Countermeasures.

BeaKer visualizes Microsoft Sysmon network data to help threat hunters track down the source of suspicious network connections. The custom dashboard presents which users and executables created connections between two given IPs, how many times they've connected, the protocols and ports used, and much more.

Getting Started

After Sysmon starts sending data to ElasticSearch, Kibana will be ready to go. Filter by a source and destination IP and a time range to view what connections have been made between the two. The Program List will display which executables on the source machine made the connections to the destination. The actual Sysmon logs are displayed lower on the screen where you can investigate the events in greater detail.

How it works

• Microsoft Sysmon: Logs network connections to the Windows Event Log
• WinLogBeats: Sends the network connection logs to Elasticsearch
• Elasticsearch: Stores, indexes, and aggregates the network connection logs
• Kibana: Displays logs stored in Elasticsearch and provides a user interface for Elasticsearch administration
• Beacon Dashboard: Aggregates the network connections between two hosts

Installation

BeaKer Server System Requirements

• Operating System: The preferred platform is x86 64-bit Ubuntu 20.04 LTS. The system should be patched and up to date using apt-get.
  • The automated installer will also support CentOS 7.
• Processor: Two or more cores. Elasticsearch uses parallel processing and benefits from more CPU cores.
• Memory: 8-64GB. Monitoring more hosts requires more RAM.
• Storage: Ensure /var/lib/docker/volumes has free space for the incoming network logs.

BeaKer Agent System Requirements

• Operating System: Windows x86-64 bit OS
• Powershell Version: 3+
• Installed WinLogBeats version must be <= the Elasticsearch version installed on the BeaKer server, but at least the minimum supported wire version for the Elasticsearch version
  • Elasticsearch v8.6.2 supports WinLogBeats 7.17.0 through 8.6.2
  • Elasticsearch v7.17.9 supports WinLogBeats 6.8.0 through 7.17.9

Automated Install: BeaKer Server

Download the latest release tar file, extract it, and inside the BeaKer directory, run ./install_beaker.sh on the Linux machine that will aggregate your Sysmon data and host Kibana.

** Note that existing BeaKer installations must be upgraded to v7.17 before they can be upgraded to v8.x. The automated installer will:

• Install Docker and Docker-Compose
• Create a configuration directory in /etc/BeaKer
• Install Elasticsearch, Kibana, and load the dashboards
• Set the Elasticsearch superuser password for the elastic account
• Set the sysmon-ingest user password for connecting WinLogBeats
• Set up index templates, ILM policy, data streams and ingest pipelines

The beaker script installed to /usr/local/bin/beaker is a wrapper around docker-compose and can be used to manage BeaKer.

• To stop BeaKer, run beaker down
• To start Beaker, run beaker up
• To view the logs of the Elasticsearch container, run beaker logs -f elasticsearch
• To view the logs of the Kibana container, run beaker logs -f kibana

After running ./install_beaker.sh you should be able to access Kibana at localhost:5601. Note that Kibana is exposed on every network interface available on the Docker host.

Use the elastic account to perform your initial login to Kibana. Additional user accounts can be created using the Kibana interface. The sysmon-ingest user account is not allowed to access Kibana.

The Elasticsearch server will begin listening for connections on port 9200 using HTTPS. It expects Sysmon ID 3 Network Events to be published to:

• WinLogBeats less than v7.17.9: ES index sysmon-%{+YYYY.MM.dd}
• WinLogBeats v7.17.9: ES index winlogbeat-%{[agent.version]} via data stream
• WinLogBeats v8.6.2: Ingest Pipeline winlogbeat-%{[agent.version]}-routing See the embedded winlogbeat.yml file in ./agent/install-sysmon-beats.ps1 for more info.

The easiest way to begin sending data to the server is to use the automated BeaKer agent installer.

Automated Install: BeaKer Agent

The PowerShell script ./agent/install-sysmon-beats.ps1 will install Sysmon and WinLogBeats, and configure WinLogBeats to begin sending data to the BeaKer server.

To install the agent, run the script as .\install-sysmon-beats.ps1 ip.or.hostname.of.beaker.server 9200.

The script will then:

• Ask for the credentials of the Elasticsearch user to connect with
  • These may be supplied using the parameters ESUsername and ESPassword
  • If using the automated BeaKer Server installer, use sysmon-ingest
• Download Sysmon and install it with the default configuration in %PROGRAMFILES% if it doesn't exist
• Ensures Sysmon is running as a service
• Download WinLogBeat and install it in %PROGRAMFILES% and %PROGRAMDATA% if it doesn't exist
• Removes any existing winlogbeat configuration files (winlogbeat.yml)
• Installs a new winlogbeat.yml file to connect to the BeaKer server
• Ensures WinLogBeat is running as a service

BeaKer Agent uninstall

As an administrator, run the following scripts to uninstall the beaker agent:

• `C:\Program Files\winlogbeat-7.5.2-windows-x86_64\uninstall-service-winlogbeat.ps1
• C:\Program Files\Sysmon\Sysmon64.exe -u

Data Collected By Sysmon Per Network Connection

• Source
  • IP Address
  • Hostname
  • Port
• Destination
  • IP Address
  • Hostname
  • Port
• Network
  • Transport Protocol
  • Application Protocol
  • Community ID
• Process
  • PID
  • Executable
  • Entity ID
• User
  • Domain
  • Name
• Timestamp

Developer Information

When cloning the project, ensure that you have cloned the git submodules as well. Either pass --recurse-submodules to git clone when pulling down the project, or run the following commands afterwards:

• cd BeaKer
• git submodule update --init --recursive

To generate a new release tarball, run ./installer/generate_installer.sh.

License

GNU GPL V3 © Active Countermeasures ™