thomaspatzke/elk-detection-lab

Stars
133
Rank 271,798 (Top 6 %)
Language
Shell
Created almost 5 years ago
Updated over 4 years ago

thomaspatzke/elk-detection-lab

thomaspatzke

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

An ELK environment containing interesting security datasets.

ELK Detection Lab

An ELK environment loaded with the following datasets:

Mordor from Roberto Rodriguez @Cyb3rWard0g and Jose Luis Rodriguez @Cyb3rPandaH
EVTX-ATTACK-SAMPLES from Samir Bousseaden SBousseaden
malware-traffic-analysis.net PCAPs from @malware_traffic processed with Suricata.

Thanks to the authors of the datasets as well as:

Shinta Nakano for evtx2es that I used to import the EVTX-ATTACK-SAMPLES dataset.

Prerequisites

You need at least:

a working Docker CE installation with docker-compose
8 GB free disk space
2 GB RAM for a reasonable Elasticsearch performance

Installation

Clone this repository and the dataset submodules with:

git clone --recurse-submodules https://github.com/thomaspatzke/elk-detection-lab.git

Run this command to start the ELK environment and import the datasets:

./elk-detection-lab.sh init

Wait at least until the document count of all winlogbeat-* and filebeat-* indices stops to increase which can take several 10 minutes.

After this was run once, the ELK environment can be started without importing the data again:

./elk-detection-lab.sh run

Usage

Open the local Kibana in your browser.

The Windows log data starts in November 2018 and the field naming follows the ECS scheme and Winlogbeat 7 conventions.

The data created from the malware-traffic-analysis.net PCAPs is located in the index filebeat-* and goes back to 2013. Please adjust the Kibana time range accordingly.

WASE

The Web Audit Search Engine - Index and Search HTTP Requests and Responses in Web Application Audits with ElasticSearch

android-nfc-paycardreader

NFC card reader Android app. Currently reads the german GeldKarte and some credit cards.

logstash-linux

Logstash Configuration for Linux Logs (Authentication, Apache, Mail)

Log4Pot

A honeypot for the Log4Shell vulnerability (CVE-2021-44228).

POODLEAttack

PoC implementation of the POODLE attack

EQUEL

An Elasticsearch QUEry Language

Burp-SessionAuthTool

Burp plugin which supports in finding privilege escalation vulnerabilities

sigma-workshop

Elasticsearch/Kibana environment and log data for Sigma workshop

Clickjacking-Exploit

Clickjacking Proof-of-Concept Exploit

NastyWebHackme

Broken web app intentionally built with pentesting obstacles

Burp-MissingScannerChecks

Collection of scanner checks missing in Burp

BrowserCrasher

Crash browsers with opensource test suites

Demo-ClientsideWebAttacks

Demonstration of some client-side web application vulnerabilities (DOM XSS, Clickjacking) and wrong usage of local storage.

CSRF-Multistep

Framework for building multistep CSRF Proof of Concepts

Burp-Randomizer

Randomize parts of requests with a session handling rule action.

hashextension

Implementation of the hash extension attack

infosec-notebooks

Jupyter notebooks for threat hunting and incident response

AVR-RandomStuff

Some tiny programs I coded for Atmel AVR microcontrollers. Sense&pointless, but possibly useful for someone.

OwnTwitterFilterBubble

Build your Own Twitter Filter Bubble with Deep Learning

ImageSearch

Script collection that makes my photos searchable