Transcript for:
Blue Team Training: Threat Detection with Wazuh

Hello everyone, welcome back to the Blue Team Training series brought to you by HackerSploit and Linode. In this video we're going to be exploring threat detection with Wazuh.

So let's get started by getting an overview of what we'll be covering in this video. We're going to start off by getting an introduction to Wazuh, sort of understanding what it is, what it can do and how it works. We'll then move on to deploying Wazuh, and more specifically we'll be exploring the process of deploying it on Linode, because Linode has a cloud template, or a cloud image rather, that you can use to easily set up Wazuh without having to go through the complicated installation process, because, as you'll learn in a couple of seconds, Wazuh is built on top of the ELK stack, and I'll try and explain a little bit as to what that is. We'll then take a look at how to set up the Wazuh agents, or a Wazuh agent, on the operating systems that we would like to protect, and of course we'll be ending the video by taking a look at how to use Wazuh for threat detection, response and of course vulnerability detection.

If you've never heard of Wazuh, I don't blame you, but it really is one of the most powerful tools for a security engineer or for the blue team, and you'll see why in a couple of minutes. The prerequisites are the same as the previous video, where we covered how to set up and how to use Snort for intrusion detection.

So let's get an introduction as to what Wazuh is. Wazuh is a free and open source platform that is used for threat detection, prevention and response. It is typically used to protect networks, virtualized environments, containers and cloud environments, so literally any computer or device can be protected with Wazuh. In the context of blue team operations, Wazuh is a SIEM, or security information and event management system (you should be familiar with that if you are in the blue team), that is used to collect, aggregate, index and analyze security-related data, consequently allowing you to detect intrusions, attacks, vulnerabilities and/or malicious activity.

In the context of blue team operations, a SIEM essentially displays a ton of data, or rather it aggregates data from various sources, primarily log files, but it also gets data from other devices and sensors. It aggregates it, analyzes it and then presents that data to the security engineer, and the way the data is presented is relative to a particular security event, a vulnerability or an attack. So the objective of a SIEM is to tell a security engineer: there's something going on on this system, this is what happened, this is where the attack originated from, this system suffers from a vulnerability, this looks like malicious or suspicious activity, etc.

In this video we'll be focusing on how to use Wazuh to monitor security events and identify vulnerabilities on the actual systems that we're protecting; in this case I'll just be calling them agents. As I say this, it's very important to realize or understand that Wazuh has a ton of features, which is absolutely fantastic, which is why I actually wanted to cover this particular tool. This is just a very small list of the features that Wazuh provides users, or security engineers, with. Firstly you have security analytics, intrusion detection, log data analysis, file integrity monitoring, vulnerability detection, incident response, cloud security, container security, and you also have regulatory compliance. So there's a ton of stuff that it offers, and I'll be touching upon each of these features, but I'll be delving deeper into the actual setup process and how to get everything running, sort of giving you an overview of the interface, showing you how
to view your alerts using a few filters, so that you become functional with Wazuh and understand what's going on on the dashboard.

So how does Wazuh work? Wazuh consists of the following components. You have your agent. If you've never utilized a client-server model when it comes down to vulnerability management, an agent is essentially a cross-platform endpoint security agent, or program, that is installed on the system or host that you'd like to monitor. So I'll give you an example: let's say I want to secure my home network. That means every device or every computer on my home network, I would need to install an agent on it in order for me to communicate with the Wazuh server, which is the next component.

The Wazuh server analyzes the data received from the Wazuh agents. It processes this data and matches it against rule sets to identify indicators of compromise and, generally speaking, security events. So for example, if I install the Wazuh agent on a Windows system and I configure it to connect to my Wazuh server, I can just have that agent running on the system. If I make any changes, like I create a new user, or I do anything that requires administrative privileges, that information will be logged as a security event on Wazuh and you'll be able to see what's going on. As you can obviously tell, this is very important for medium to large organizations, primarily because they have tons of computers that the company owns, and they would like to know what's going on on those computers. They would like to identify attacks or intrusions, and that is done through indicators of compromise. Again, this will make sense as we progress.

We then have the Elastic Stack. The Elastic Stack displays and indexes the alerts generated by the Wazuh server and provides users with robust data visualization and analysis functionality. If you're not familiar with the ELK stack, it's really very simple to understand. The Elastic Stack, also known as the ELK stack, is essentially the combination of three open source projects: Elasticsearch, Logstash and Kibana. Elasticsearch is a search and analytics engine. Logstash is a server-side data processing pipeline that ingests data from multiple sources simultaneously and then sends it to a stash like Elasticsearch. Kibana lets users visualize the data in Elasticsearch with charts and graphs. So Wazuh is built on top of the ELK stack to facilitate, as I said, the actual analytics engine: Elasticsearch handles the analytics, Logstash handles the actual data processing pipeline and gets data from multiple sources simultaneously, and Kibana lets you visualize this data in the form of a chart or graph. So that's the Elastic Stack, also known as the ELK stack.

Now, one really cool feature of Wazuh is that it can also be used to monitor devices like networking equipment that cannot run the Wazuh agent. This works with devices like routers, or specific network devices like firewalls: the way you can get this to work is by having them log their data and then transferring those logs, or automating the process of having those logs synchronized, to the actual Wazuh server for analysis. So you don't really need to install the agent, but it is extremely useful for additional functionality.

So how does Wazuh work? This diagram is from the Wazuh website, which we will actually be referring to throughout this video because their documentation really is fantastic. As you can see right over here, you have your Wazuh agent. This is what you install on
the devices that you'd like to protect. The Wazuh agent consists of various modules and the actual daemon. The daemon is responsible for encryption, module management, remote configuration and server authentication, and then the modules available are active response, command execution, configuration assessment, cloud security, container security, log collection, malware detection and system inventory. So all of these modules are used to get all of the relevant information back into the Wazuh server for analysis.

You might be asking yourself the question: why is all of this data important? Why do we need to have a configuration assessment? Well, from the perspective of a security engineer, the configuration assessment module allows you to run a configuration check to identify weaknesses or vulnerabilities that could potentially be exploited by attackers. In the case of log collection, that is pretty much self-explanatory: logs are very useful in telling you what's going on on that operating system. So if we go back to the example, if I install the Wazuh agent on a Windows system and the log collection module is enabled and running, then that means that pretty much everything from the Windows event log is being logged and sent back to the Wazuh server for analysis, and the Windows event log pretty much tells me, as a security engineer, what's going on on that operating system.

Furthermore, and this is very important, Wazuh doesn't just display all of these logs for you. They go through the actual processing engine: all of these events, or logs if you will, are matched against rule sets, and if they are found to be malicious, or are indicators of compromise, then that is really the only information that's being displayed to you. So we're primarily interested in security events, or events related to security issues, exploits or malware; you get the idea. As you can see, with the Wazuh server, the actual connection from the Wazuh agent comes into the agent connection service. That goes into the analysis engine for decoding, rule matching, correlation and enrichment, and this can be used for threat intelligence, vulnerability detection and of course regulatory compliance. Then of course you have the actual agent registration service, which is only used when you're actually setting up a new agent, and you then have the raw data, events and security alerts, and this goes into Elasticsearch. So this is the Elastic Stack, whereby you have Kibana and you have Elasticsearch there. Kibana provides us with the actual web user interface through the Wazuh plugin; you have the query language, and you can of course create visualizations and dashboards. Elasticsearch provides you with the search engine, data analytics, long-term storage, security alerts, etc. So it's really very simple to understand.

In our case, let me just head over to the next slide. This is the lab environment that I'm going to be using. As I mentioned in the beginning of this presentation, I will be setting up or deploying a Wazuh server that Linode already has a cloud image for, that will set up everything for you, because as I said the process of setting up Wazuh can be quite time-consuming and confusing, and ideally what I want these videos to be focused on is the actual usage of the tool, actually showing you how it works and how to navigate around the interface, in the case of Wazuh. So this is going to be set up on the cloud. As I said, Linode's cloud image is essentially an all-in-one deployment
whereby you have Wazuh running on the ELK stack and everything is pretty much good to go. All you need to do is just open up Linode, go ahead and create a new Linode, specify the actual system resources and give it a couple of minutes to set up. Once that is done you can access the actual Wazuh interface directly from your browser.

In my internal network I'm going to have a very basic infrastructure here. I'm going to have a Windows 7 virtual machine, or just a Windows 7 system; it doesn't really matter how it's deployed. Then of course we're going to have a Linux server that I'll also host on the cloud, but I've just put it in here for the purpose of simplicity. I then have the attacker system, where I'm going to be trying different types of attacks; in this case it's not really going to be necessary, but I have already set up a Wazuh server for a very important reason that I'll get to in a second. Now, if you see the Wazuh icon next to any of these systems, it means that we're going to be installing the Wazuh agent on them, which means that the Wazuh agent is going to send all the information from these systems back to the Wazuh server, so that we actually get an idea as to what's going on on these operating systems from the perspective of a security engineer.

Now let's talk a little bit about deploying Wazuh, because as per the official documentation, Wazuh can be deployed in two ways: you have the all-in-one option or a distributed infrastructure. As for the all-in-one option, this is where the Wazuh server and ELK stack are installed and configured on the same system, or on the same server. That's what we're going for, and if you're a beginner I would definitely recommend installing everything on one server. Now, one of the really cool things that Wazuh does is it provides users with a pre-built all-in-one OVA file, or a virtual machine file, that you can set up on your local network. So if you have VirtualBox and you want to try out Wazuh, you can download the OVA file, import it, and you'll have Wazuh on your network, and you can then use it and learn how to use it on your local network. That is really very simple.

You then have the distributed deployment option, where each component is set up on a separate server. This is typically suitable for large environments for the purpose of scalability. In this case you'd have the Wazuh server running on its own server, and you then have the ELK stack running on another server. The reason why you would want to do this is, as I said, for scalability purposes, and the fact that you can tweak or fine-tune performance based on your own requirements. In our case, because we're only going to have maybe one or two agents, we really don't need to use the distributed model; we're going to be using the all-in-one option that is provided to us by Linode.

Just going through what agents are: Wazuh agents are lightweight, cross-platform agents that are used for endpoint security. They connect to the Wazuh server and consequently send all the logs and all the information back to the Wazuh server for analysis and of course rule matching, and those are then displayed or presented to the security engineer on the actual Wazuh web interface. If you want to learn more about how to deploy Wazuh and how to install it, you can take a look at the official Wazuh documentation repository; it really is fantastic.

Now that we have an understanding as to what Wazuh is, its features and how we can deploy it, we can actually get started with the practical demonstration. I'm going to be performing or accessing Wazuh, so we're going to set
up the Wazuh server on Linode through my Kali Linux VM. As I said, you can do this from whatever operating system you want. One of the cool things is that we don't even need to SSH into the Wazuh server, because once we set the Linode up we pretty much have to give it a couple of minutes, and once it's set up we can then get started. So let me just switch over to my Kali Linux VM.

I'm back on my Kali Linux VM, and as you can see I have set up an Ubuntu server that we're going to be installing the Wazuh agent on, but that's for later. Then we have the Wazuh production server, which I set up and configured already. I haven't changed the default settings; I've just set up the Windows agent. So I'm going to be using that particular Linode here, but just to get started let me show you how to create your own Wazuh server, if you will. I'm just going to click on Create here (make sure you're logged into your dashboard), just head over and create a new Linode, click on Marketplace, and you can immediately launch the Wazuh app directly here. There we are, we have Wazuh here, so you can click on that. I do recommend entering an address for the Let's Encrypt SSL certificate if you're setting this up for production; of course you're also going to be setting up a domain for the Wazuh server, but in our case we really don't need to do that. You can enter an email here, so test@test.com, because I'm not going to be using this server. You can then create a limited sudo user, and I do recommend doing this, so in my case I can just say alexis. Specify the password for the limited sudo user. If you want to use an SSH public key for authentication, or an SSH key pair, then you can disable root access over SSH, or you can select the SSH public key directly from here. Disregard this if you are not using Linode's DNS service, and of course if you are, then you can specify the subdomain for the DNS record and the actual domain here. Wazuh is set up on Ubuntu 20.04, which is fine, and then you can select the region closest to you for the purposes of speed and latency; I can select London, for example.

Now this is very, very important: this is where the resources come into play. So let me just head over to the Wazuh website, because I do want to explain a couple of things. This is the Wazuh website; it's accessible on wazuh.com, and as you can see from the description, Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance. I do recommend taking a look at the documentation here, and more specifically, in the actual installation guide you can click on Requirements, and you can see these are the supported Linux distributions. You have an AMI image for Amazon AWS, you have CentOS, Debian, Fedora, openSUSE, Oracle, Red Hat and Ubuntu, any version of Ubuntu newer than 14.04.

One thing I said that you want to keep in mind is the resource consumption. In a distributed deployment, both the Wazuh server and Elastic Stack are installed on separate hosts. This configuration is recommended for environments that require high availability and scalability of the services. The Wazuh server and Elastic Stack can both be installed as a single node or as a multi-node cluster; Kibana can either be installed on the same node as Elasticsearch or on a dedicated host. The hardware recommendations are provided here, so if you are setting this up for production, based on 100 users they do recommend 8 GB of RAM and four CPU cores. However, as I said, in our case, and in your case if you're only testing a couple of agents, then you can use 2 GB of RAM with one CPU, or 2 GB of RAM with two CPUs, as specified here. You also
need to keep in mind that, because we're not using a distributed deployment, we are using the standard all-in-one deployment here. You can see that the minimum requirements for this type of deployment are 4 GB of RAM and two CPU cores, and of course a 64-bit operating system is required. A typical use case for this kind of environment supports around 100 agents, so based on that number you can determine what you require in terms of system resource consumption. In this case, because I'm not going to be setting this up, you can use any of these. This is the recommended one, the Linode 4 GB option here, and that also has 80 GB of storage and a 4 TB transfer limit per month, and you also get the network connection here. You can then provide it with a name, so I can say Wazuh test, and then specify the password for the root user, and that's pretty much it. I mean, if you want to get started, this is pretty much it, as opposed to actually manually installing Wazuh. Again, if you take a look at the installation instructions, if I go into the actual all-in-one deployment and installation methods, we have an unattended installation or the step-by-step installation, and you can see that this is quite lengthy. Thanks to Linode we don't need to go through any of that; we just need to set up the parameters here and you can then click on Create. As I said, we're not going to be using this one, because I've already set up our Wazuh server. So there we are, it's actually provisioning, and that will take a couple of seconds. As I said, I'm not using this, so I'll just delete that and we'll take a look at the Wazuh production one that I set up here.

In order to access Wazuh you just need to copy the IP, unless you actually configure DNS and you have a domain name, in which case you can then access it via that domain name or the subdomain that you've set. If you've not set a domain and you're using this for testing, just copy the IP, open up a new tab, and make sure you open up the IP in your browser with HTTPS as opposed to HTTP. The first time you do that you'll be asked to accept or confirm that the SSL certificate is not valid; as I said, in production you want to make sure that you have a valid SSL certificate. Wazuh will actually take a couple of minutes to set up; if you try and access it immediately after you set up the Linode you're going to see an error here, so give it probably around five minutes to set up. You can go get yourself a cup of coffee, and when you're back you can then open up the IP, and of course you now have the actual Elastic Stack here. This is perfectly normal; Wazuh is set up on top of the Elastic Stack, as I said. The default credentials are admin and admin, which I did not change, just to show you that this is the case. So in your case just type in admin, admin, and we'll give this a couple of seconds to load up, after which you will be taken directly to the Kibana dashboard here, and it should actually open up Wazuh. There we are, fantastic. It's going to run a couple of checks: it's going to check the API and it's going to run a couple of other checks. Once those checks are passed, it's then going to take a couple of seconds to load up, and you should have access to Wazuh right over here. This is the screen you'll be greeted with. In my case you can see I've already added the Windows 7 agent, so again just disregard that; you should have zero agents and zero active agents. So welcome to Wazuh.

Let's get started with the first step, and that of course is to change your default password. By default you have the admin user, so
you can go ahead and reset your password, because that is recommended. You never want an attacker to gain access to Wazuh, because then they can pretty much do whatever they want, or understand or get an idea as to what agents you have or what systems are part of the organization. So the current password is admin and I can set up a new password here; let me just type that in correctly. There we go, and I can then hit Reset. That's very important. "Resource admin is read only". Let's see why that failed: "reset password forbidden message resource admin is read only". Oh yes, I think I know what's causing that issue. That's because you actually need to log into the Wazuh server that you've just set up and you need to modify the Filebeat configuration file, which is in YAML; that will allow you to change your credentials. So we can just hit Cancel here. In order to do that, log into your Wazuh server that you set up on Linode via SSH. You can also do it via their really cool Lish console, which will just open it up for you here in a new window, so you can access SSH within your browser. That'll probably prompt me to log in; indeed, it's already logged me in. So let me just click on that here, and for some reason that is not expanding. I do not want to do that; let me just open it up again, and there we are. In order to change the admin password, just open up the file at /etc/filebeat/filebeat.yml, hit Enter, and as you can see you can change your username and password here. You can also customize a few other options, but again, in this case this is really not required. So I'm just going to go ahead and change this, or, you know what, I'm just going to leave it as default, because in my case I'm not really using this for production, but in your case that's how to change it. Once that is done, just try logging out and logging back in.

We'll have a notification here; this is pertinent to Elastic. If you click on this little sidebar here you can see that you have the Wazuh plugin, or Wazuh running on top of Elastic, which makes sense, and then of course you have Kibana here, and at the bottom you have Open Distro for Elasticsearch, where you can take a look at the Query Workbench, Reporting, Notebooks, Alerting, Anomaly Detection, Trace Analytics, Index Management, Security, etc. Then of course you have Stack Management, where if I click on it here you can take a look at the index patterns. In this case the index pattern is already configured for Wazuh, where you have wazuh-alerts; you also have wazuh-monitoring and wazuh-statistics. You can create your own index pattern if you want, based on the actual indices available, so you can see that I can define the actual index name and I can specify, for example, wazuh-alerts-4.0 or wazuh-alerts-4.x.

So let's go back into Wazuh; I'll just click on it here, and there are a few things that I need to explain. Firstly, again, just give it a couple of seconds. Once that is loaded, what we want to do is click on this dropdown here. By default it'll take you to the Modules page, so these are all the available modules, or features if you will. Under Security Information Management you have Security Events, which is very important; that's what we're going to be focusing on. This allows you to browse through your security alerts, identifying issues and threats in your environment. You then have Integrity Monitoring; this shows you alerts related to file changes, including permissions, content, ownership and attributes. Very, very important. You then have Threat Detection and Response, which is what we're also going to be taking a look at. We have Vulnerability Detection: discover what applications in your
environment are affected by well-known vulnerabilities. Then you have the MITRE ATT&CK framework here, or the MITRE ATT&CK tactics, techniques and procedures. This will display security events from the knowledge base of adversary tactics and techniques based on real-world observations. What that means, in the case of the MITRE ATT&CK module, is that if someone compromises a system within my network and they use a particular technique, like they try and change or add a new user, then this module will identify that particular event and link it to a MITRE tactic, technique or procedure and will give you that ID, so you can start performing threat modeling and get better threat intelligence in regards to what you're dealing with, which is also very, very useful.

You then have Auditing and Policy Monitoring, where you have Policy Monitoring, where you can verify that your systems are configured according to your security policies baseline. This is very important: if you work in an organization, then you know that an organization usually has a security policy that applies to pretty much employees, employees' systems, email security, password security, etc., and based on the company or organization's security policy for systems, you can get hold of that and then see how it's doing against that security policy, or actually verify that all the systems that you've added, or that you're monitoring, are in line with that security policy. You can also perform a Security Configuration Assessment. This is very interesting, or very useful, because it allows you to scan your assets as part of a configuration assessment audit. You can also perform System Auditing, again extremely useful; this audit uses behavior monitoring, command execution and alerting on access to critical files.

The area that we'll not be taking a look at, because we're really not interested in that at this point, is Regulatory Compliance, where you can test systems based on the following regulations or compliance standards. We have PCI DSS, which is usually very helpful for organizations that store or transmit payment or cardholder data, and of course you have HIPAA, which is for companies that are in the health industry, GDPR, and NIST 800-53. So really, really powerful.

Okay, so those are the modules. If you click on this dropdown here, you can see that it'll provide you with the modules directory, which we've already accessed here. You then have Management. This is very important; this is where you have the Administration section and the Status and Reports. This is where you have your rules, decoders, CDB lists, groups and configuration. Under Rules, this is where you can manage your rules. By default you'll get 3148 rules, and you can manage the rule files, so there we are: you can actually view each of these rule files; they're in XML. This is just a generic template here, but if we take a look at a couple of interesting ones, like the Cisco IOS rules for example, you can see that their rules are set up for specific types of intrusions or security events. This is again very, very similar to what Snort does in regards to intrusion detection; the only thing is that Wazuh visualizes or displays this in a much better way. So that's rules. You can also import files and export the formatted files, and you can also take a look at custom rules, so this is the local_rules.xml file, as I said very, very similar to how Snort works. So let's go back to Management. We've taken a look at rules; we then have decoders, which I'll not be exploring, but
this is essentially responsible for decoding the information that's being sent into Wazuh for processing and analysis. You then have Groups, where you can create agent groups. Based on your organization I can create a group and say, for example, Linux servers; I'll just call it servers here. These are organizational units where you can assign agents based on their role or functionality within an organization. You can see this is the default one here; this is where I've already added the Windows 7 system, so I've already configured the agent on it. If I go into Files, you can see the list of group files, and you can also edit the group configuration. Again, that's something that's really not important at this point.

So if we go back to Management, we then have Configuration. This is very important: this is essentially where you can customize Wazuh and get it to work the way you want it to work. This configuration file is literally the home of everything; like with any tool that runs on Linux, the conf file is very important. You have your main configurations, whereby you have the global configuration, the cluster, and the registration service (this is for the automatic agent registration). You then have alerts and integrations. If you want to see the current alert configuration, it's going to open up the OSSEC... let me give that a couple of seconds. Oh yeah, this is still for alerts, so you can specify the general alert settings, whereby you can set the minimum severity level to store the alert and the minimum severity level to send the alert by email, so you can modify that based on your requirements. Now, you might be saying to yourself, I can't really modify this; however, if you click on JSON here then you can modify it in JSON format, and you can also do it in XML format. I'll get into this
in a second. And then of course you can configure email alerts, which I'll also get to, where you can configure the SMTP server and the email that you'd like to use in order for Wazuh to send you email notifications or email alerts, which is very important for any security engineer. You then have Reports; in this case the configuration is not available because you need to customize that yourself. The configuration is sorted into all of these segments, so for example under System Threats and Incident Response you can see that in my case I've enabled vulnerability detection. By default it's not going to be enabled in your case, and then you can specify the interval between the scan executions. If you click on it, you can see that you cannot actually modify it, so you have to do it either through JSON or XML. And if we actually go back to that, I didn't cover one important aspect there, and that of course is Providers, where you can see that in this case we're using the NVD database. That's just a very basic vulnerability signature database that's typically used by vulnerability scanning tools like OpenVAS or Nessus.

So in order to configure these options, I typically like modifying the entire configuration. This will open it up here in XML format. Firstly you have your OSSEC configuration, where you can firstly configure the JSON output format; you can set that to yes. This will make sense in a couple of seconds; I recommend leaving that as yes. We want to log alerts. Do we want to log all? No. Log all JSON? No. Email notification we can set to yes. You can then configure your SMTP server, who the email is from and the email to, and then of course the actual amount of emails to send per hour. And there we are: the agent disconnection time, so 10 minutes, and of course you then have the agents' disconnection alert time, which is zero.
Under Alerts you can see that's the option that we were able to configure a couple of minutes ago in the actual configuration page. And then of course right over here you have Logging, so you can choose between plain or JSON for the format of internal logs. This is very important; currently it's set to plain, and I recommend leaving that as is. And then of course you have Policy Monitoring. So is it disabled? No, so that means it's enabled, so it'll check files, check trojans yes, check dev, check sys, check process IDs yes and check ports yes. So turn all of this to yes, and make sure that this is set to no; that is essentially the disabled flag, so if you set this to yes then it will disable policy monitoring. All right.

The next important one is going to be the osquery integration. You have the ability to enable osquery, because osquery is quite important. Let me just open up a new tab and I'll open up osquery here in a couple of seconds. I'll just wait for this to load up, and this will really explain it: performant endpoint visibility. osquery essentially uses basic SQL commands to leverage a relational data model to describe a device. It essentially allows you to learn more about your device, and in the case of Wazuh it allows you to make queries to learn more about the actual system where the agent is installed.

So if I go back in here, the next option that we need to set is the system inventory. This is currently enabled, and the actual name is syscollector. This will essentially get all information regarding the system, so you can see that it will get the hardware information, the operating system information, network, packages, ports, processes, etc. Its ports option is currently set to ports all no, and yes.
Okay, so that's fine. You then have the database synchronization settings; I would recommend leaving that as is. All right, you then have the vulnerability detector. By default it's going to be set to no, so make sure you set this to yes for enabled. Now the flag is enabled, so make sure enabled is set to yes. The interval is five minutes; that's perfectly fine. Run on startup, yes. And then you can specify whether you want to check for Ubuntu OS vulnerabilities, Debian, Red Hat, and in the case of Windows I've enabled it. Because I am going to be installing an agent on Ubuntu, I'm going to say enabled yes for Ubuntu, and we'll also enable this for Debian, so I'm just going to say enabled yes. This is for Ubuntu; it's going to support all versions of Ubuntu from 16.04 all the way to the latest version, so yeah, that's important. The next is to aggregate vulnerabilities; make sure that's set to yes. And you can then specify the actual age of the vulnerability database that you're using. In this case the provider name is NVD, so you can also get other providers. If I just open up a Google search and I say "wazuh vulnerability providers" and give this a couple of seconds, you should be able to import your own. Let me just see if I can find one that works here. Yeah, within the docs; that's why I say always refer back to the docs. This essentially explains how vulnerability detection works. In the case of Ubuntu it uses canonical.com to pull CVEs from for the Ubuntu Linux distribution, so you can also add that as well. So we go back into the actual Wazuh configuration here; you can enable that if you want, and then of course that's the end of the vulnerability detector section. You then have file integrity monitoring; you can enable it, and it's enabled by default, so this should be set to no, and then of course scan on start, that is yes. And the other option that we
would need to configure would be the actual active response, which is by default enabled, which is perfectly okay. And yeah, that's really what you need to do to get started. All right, so once that is done you can just hit Save, and then I would recommend restarting the manager. This will take Wazuh offline for a couple of seconds, and there we are: changes will not take effect until a restart is performed. You can see it's going to fail all of these checks, and this is because it's restarting, so I'm just going to reload my page again and it should run the health check again, and that should tell us that everything is okay. If it isn't, then again just give it a couple of seconds. I'll just refresh that again; in this case the API is still down, so again just give it a couple of seconds to a couple of minutes. If you want to view the error you can do so: you can see the Wazuh API is down. I can retry that again to see if it's back up. There we are, so everything's back up now.

And yeah, so that was the Management section. As I said, you can also take a look at Status. If we click on Status, it tells us that we have no permissions; that's really weird. If we go back to Management and we click on the actual Statistics, that should display statistics for us. This is the listener engine, so this tells you the network traffic: total number of bytes received, events sent to the analysis daemon, message statistics. In your case this is all going to be empty until you add an agent. All right, so that is the actual Management tab.

You then have Agents, which you should be familiar with at this point; that just displays your active agents. In this case, for some reason, it's not displaying it, so I'm just going to log out again and log back in, because I think there's an issue with my cookies. All right, so I just logged out and logged back in, and you can see that in my case, because I've already added
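The manager-side settings walked through above (global alert and email options, logging format, policy monitoring, syscollector and the vulnerability detector), written out as one ossec.conf fragment. This is an added example rather than the configuration shown in the video; the SMTP host, the email addresses, the Ubuntu and Debian release lists and the scan frequencies are assumed values, and the file lives at /var/ossec/etc/ossec.conf on a standard Wazuh 4.x manager.

```xml
<ossec_config>
  <!-- Assumed values for this example; replace the SMTP host and addresses with your own -->
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>smtp.example.internal</smtp_server>
    <email_from>wazuh@example.internal</email_from>
    <email_to>soc@example.internal</email_to>
    <email_maxperhour>12</email_maxperhour>
    <!-- agent is reported disconnected after 10 minutes; 0 disables the disconnection alert -->
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <!-- minimum level to store an alert, and minimum level to email it -->
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- internal log format: plain or json -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <!-- policy monitoring (rootcheck): disabled=no means enabled -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>
    <frequency>43200</frequency>
  </rootcheck>

  <!-- system inventory; ports all="no" collects only listening ports -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

  <!-- vulnerability detector: off by default, so enabled must be set to yes -->
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <run_on_start>yes</run_on_start>
    <!-- Ubuntu feed comes from Canonical; release names are an assumed list -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="debian">
      <enabled>yes</enabled>
      <os>buster</os>
      <os>bullseye</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- NVD feed used to aggregate and score CVEs against collected packages -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>
</ossec_config>
```

The vulnerability detector only scores packages that syscollector has already inventoried, so keep `packages` set to yes on the agents you want scanned; after saving, the manager must be restarted for any of these changes to take effect.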
an agent, it's displaying it here. Once you add an agent, this is the page that will be displayed, and you'll have all the other agents displayed here. It'll display the ID, the name, the IP address, the group, the OS, the cluster node, the version, the registration date, and of course you then have the status, which tells you whether it's alive or whether it's inactive, meaning it's either been shut down or there's something wrong with the agent configuration. All right, so that's Agents. And then of course you have Tools, where you can access the API console and a ruleset test. Under Security you have the ability to create other users; you then have roles, policies and role mapping based on your organization. And then of course under Settings you have the logs, miscellaneous, modules. If you click on Modules this will show you all the modules installed for Wazuh. In this case you can see that security events is installed, integrity monitoring is installed, Amazon AWS is disabled, that's perfectly fine. Then for the auditing and policy monitoring you can see configuration assessment, and automation of the compliance monitoring using SCAP checks, which is disabled. You can also enable the VirusTotal module, which will essentially generate alerts resulting from VirusTotal analysis of suspicious files via an integration with the API, which is fantastic. And you can then enable osquery to essentially expose an operating system as a high-performance relational database. This is really not that important, but you also have the ability to set up the Docker listener to monitor and collect the activity from Docker containers, such as creation, running, starting, stopping or pausing events. And of course you have your regulatory compliance modules there. You can then import some sample data if you want to learn more about how to use it, but again that's really not necessary. The current settings, I would recommend leaving them
as they are, because they're really configured very well to begin with. If we take a look at Logs, these are all the logs here generated by Wazuh; it looks like we had a few errors, but everything's running now. And then of course you have the Miscellaneous options, where you can run the health check, and About. All right, so those are the settings.

Now let's get into Agents and let's talk about deploying a new agent. I can deploy a new agent, and you can do that directly from your actual dashboard: if I click on Wazuh here, or just open that up and click on Wazuh, I can click on Total Agents, and then in your case just click on Deploy a New Agent. Now, based on the operating system (so it could be Red Hat, CentOS, Ubuntu, Debian, Windows or macOS), you can select the actual operating system that's running on the host that you'd like to monitor. In the case of Windows, because this is very important, it'll give you a PowerShell command that you need to run that will essentially download the Wazuh Windows agent and then configure it with the IP address option. So make sure that you specify your IP address: make sure you copy this value here and replace it here, so just make sure you replace the IP there. And then you can add it to a group; you can say default. In our case we created the Linux servers group, which is okay, and in this case we can select Debian/Ubuntu, and this is going to be x86_64, and this command will essentially get it set up for us. And then you can start the agent using the actual init system that's installed on your version of Ubuntu. In this case we can use systemd, so we can say sudo systemctl daemon-reload, enable wazuh-agent and start the wazuh-agent.

I just wanted to explain one thing in regards to installing the Windows agent. I would typically not recommend using the PowerShell command here; instead I would recommend,
if you go back to Wazuh and you click on... so if you're on the web page here, you can click on Install Wazuh, and then for the agent just click on Windows. That's going to open up another window here, and you want the GUI option, so this is the Wazuh Agent Manager. You can download the actual executable from here, so there's the Windows installer. Once it's downloaded I'll just switch over to my Windows VM and show you how that works.

So I'm back on the Windows VM, or Windows system. Under my Downloads you can see I have the Wazuh agent for Windows. That's a setup file; just double-click on it and go through the installation wizard. Once it's done you will be provided with the Wazuh Agent Manager. You can see mine is currently registered, so in your case just enter your Wazuh server IP (you don't need to enter the authentication key) and then just hit Save, and then click on Manage, and you can then click on Start, Stop, Restart or Status. You can see mine is currently running; I can stop it or start it, etc. And if you click on View, you have the ability to view the logs produced by the Windows agent itself, and you then have the actual configuration for the agent itself. This is also very important; it's very similar to the Wazuh configuration file. Let me just see if I can zoom in here so you can actually see what's going on; I'll just click on Font and make that 16. So again, these are just options pertinent to the agent itself. In the case of Windows, you firstly have the actual notify time and the time-reconnect, which is set to 60 seconds; that's set by default. The one option that I recommend that you change, which could be disabled based on your own system, is going to be under... let's see, do we have it under the system inventory? No, that's not the option there. Yes, that is osquery. So you can essentially enable osquery here; you can set that to no if you
want to enable it, that's if you enable osquery on the Wazuh server; otherwise it's not going to work. So yeah, that's pretty much all that I would change there, and then you can just hit Manage and Reload. Once you do that, you should get a connection back from the agent on the Wazuh server. So let me just switch back to my Kali Linux VM.

All right, so that is how to set up the Windows agent. Now we are taking a look at how to set up the Linux agent. I'll say x86_64; I'm adding it to Linux servers. I just need to copy this and then follow the instructions here to start the agent; this will ensure that it runs on system startup. So what I'll do here is, let me just go back into my Linode and I'll click on Ubuntu server and I'll just log into the server. This is the Wazuh server... I'll say ssh root and I'll paste that in there, so there's the IP, just going to hit yes and provide my password. And there we are. All right, so the first thing I'm going to do is, I just want to make sure I update my repositories, so sudo apt update and sudo apt-get upgrade. That's going to upgrade any packages that need to be upgraded, so there we are, that's going to upgrade everything so that we are working from a clean slate, and we'll give this a couple of seconds.

All right, so the packages are upgraded. I'm just going to go back into Wazuh now and copy the command that'll essentially download and install the Linux or Debian agent. Make sure that the IP has been set correctly and the group has been set correctly. So I'll just switch back over into my terminal, paste that in there, hit Enter; that's going to set up the Wazuh agent. There we are, that's done. And then of course we can just reload the daemon. If you're running on an Ubuntu or Debian system that uses init or SysV as the init system, then you can specify the SysV init options there. So what we're going to do here is we're just going to say sudo systemctl daemon-reload. Okay, and
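The agent-side settings discussed for the Windows Agent Manager and the freshly installed Linux agent (manager address, notify time, reconnect time, and the osquery wodle that only works when osquery is also enabled on the server), as an added ossec.conf fragment for the agent. It is not the configuration from the video; the manager address is a placeholder, and the osquery paths are the Linux defaults (the Windows agent uses its own install paths).

```xml
<ossec_config>
  <client>
    <server>
      <!-- placeholder: the Wazuh manager IP entered in the Agent Manager -->
      <address>MANAGER_IP</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <!-- keep-alive and reconnect intervals, 60 seconds by default -->
    <notify_time>60</notify_time>
    <time-reconnect>60</time-reconnect>
  </client>

  <!-- osquery integration: disabled=no turns it on. The agent ships osquery's
       result log to the manager, which must also have the osquery wodle enabled -->
  <wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>
</ossec_config>
```

On Linux the agent is then enabled and started with systemctl as the video shows; on Windows the same change is applied by saving the file and choosing Manage > Restart in the Agent Manager.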
then we're going to say sudo systemctl enable wazuh-agent.service; that's going to enable it on startup. And then we need to start it. It should be started, but we'll just start it, so instead of enable we'll now say start, and we'll give this a couple of seconds and it should be registered as an agent. If there are no errors here, then everything should have worked out just fine. So there we are, and then we can check the status to see if it's running. There we are, so it's loaded and active. Fantastic.

So let's go back into this page here. That's done, so we should get another agent. I'm just going to reload this now, and after a couple of seconds to a couple of minutes we should get the callback from the agent, or from that system that has the agent running; in this case it's the Linux system. There we are, fantastic. We can see that we get all the information related to this particular system: we get the actual hostname, the IP, the actual group we added it to, the operating system, and of course its actual status.

Okay, so we can then click on an agent, which is what I wanted to showcase now. When you click on an agent, and this is very important, this is information displayed pertinent to a particular agent. You're going to have this little toolbar at the top that will allow you to cycle through various dashboards that give you information related to security events, integrity monitoring, SCA, system auditing, vulnerabilities, MITRE ATT&CK, and if you click on More here then you can access the regulatory compliance options as well. Right now it looks like it's performed a scan already, but let's get started firstly with the Security Events, because that's the dashboard. Do we have any security events? It looks like there are a couple of security events. Very interesting. In this case the actual agent ID filter is set to 002, which is very important,
so the filter option is important because it allows you to select a particular agent. If I click on Filter and say agent.id (you can also use the IP if you want), I can say the agent ID is 001, which is the Windows system; 002 is the Linux system; 000 is the actual Wazuh manager server that we set up on Linux, so we don't want that. But yeah, you have the ability to set up your own filters; in this case the filter is set correctly, so the dashboard will display the Alert Groups Evolution. In this case you can see we have some SSH alerts, invalid logins, authentication failures, syslog, NSCA, so these are color-coded. You can also specify the actual time in regards to what you want displayed when you're talking about security events; right now it's showing the last 24 hours, which is perfectly fine. And at the top here you'll have the total amount of events; level 12 or above alerts are set to zero; authentication failures have been set to 12, which is interesting; and authentication success, which I guess was us. Then at the bottom you have the top five alerts and top five rule groups, and of course you then have the top five PCI DSS requirements. At the bottom here you have your security alerts. The awesome thing about this is you're going to see that they have the actual time column, the MITRE tactics or techniques, in this case the tactic and the description, the level and the rule ID. In this case we can see that it looks like there was an attempt to log in as a non-existent user. If we click on the MITRE technique here, it will actually display that and tell you what it pertains to; in this case you can see Credential Access: adversaries may use brute force techniques to attempt to access accounts when passwords are unknown. Okay, so you can start to see how this is useful now, because it's essentially
telling you what's going on. However, if you click on this little drop-down, this will give you more information regarding this particular security alert. In this case we're not really interested in these top options here; we're interested in the actual MITRE ID, which is provided to us here, and then it tells us the log here. Interesting. So it looks like we have our first security event, and to be honest guys, this is real, this is actually real. I'm not kidding: I haven't performed this attack; it looks like this user performed it. We can take a look at the time they performed it; if we take a look at that here, it should actually tell us the time at the top, but either way it tells us that this was performed on the following date at 5:59, and the user was "cata z", whatever that is. But that is very interesting. It looks like this server has actually gone through a brute force attack, which is absolutely insane; indeed it has. You can see the entry here: it's coming from localhost, yeah, that's correct, and disconnected.

So we click on page five. These are all CVEs; let's click on the last page here. If we click on this one here, we can see that these are just security alerts; these are not relevant. But if we click on the level we can display them from the highest. These are already CVEs, because the vulnerability detection option was enabled, but it looks like there are CVEs that affect this Linux server. Very interesting. We can see that the CVE here is a CVE-2021 one, so this is quite a modern CVE or vulnerability. If you click on the rule description, that should display it here, so we can actually perform research on this. If you click on the rule ID, that will tell you more about this particular rule; in this case this is part of the vulnerability
detector, and it'll give you more information regarding this particular vulnerability, so it is critical. Interesting. If we go back a step, which is what we wanted to do, or we could just go back into Agents and then click on the Linux agent once again. I'll click on it here, and this is the main dashboard. It looks like our system is actually being attacked, which is so insane to think that this is happening live without me even scripting this, which is actually kind of cool. The point I was trying to make is you can actually see that's increased, so this server is actively being attacked, which I'll get to in a second. And there's only been one successful authentication here; if we click on that here, was this us? I believe it could have been us; I'm not really sure, because the actual date configuration on the server is different from my time here. But that's very interesting. I'll just get rid of this filter here, and we can take a look at the security alerts displayed here. This looks like it's the latest one, so let's take a look at what user they tried to log in as this time: "eli". It actually looks like the servers are getting attacked quite a lot, which is very, very interesting. I wonder if that's the case for the actual Wazuh manager as well. If I go back into the actual dashboard here, or rather if I go into Modules and I click on Security Events, I can get rid of that filter because I don't want it... can I get rid of that filter? I'm not really sure, because if I click on Events here this will display all of the events. I'll get to that in a second, but let me just go back into my Agents for a second, because there's something I wanted to highlight that I didn't. We have taken a look at Security Events, so the dashboard displayed here, as I said, we've already gone through that,
but you can see that based on the color coding (you can customize that if you want), there is an active brute force going on here, and it's getting that log from the actual auth log on the Linux system, under /var/log/auth.log, which is kind of scary. "ibrahim" looks like he's trying to gain access; pretty crazy stuff. So as I was saying, you can also click on the Events tab, which will just display the events without any visualization. Give this a couple of seconds, and you can see that you can also sort these based on ascending or descending values, if there is a value. You can see we have all of the actual security events being displayed here, and it looks like this is a brute force attack. Because of the MITRE module, we pretty much know what the attacker is doing, so this is where threat intelligence comes into place and this is where you learn about attacks, which is actually fantastic. I really didn't script this; we're going through a real-time attack now, so I'm going to show you how we can defend against this attack.

So that's Events, which I've already talked about. You can also add other available fields here, so for example I can add all available fields that might be useful in this case. I don't really see one here, but we can also add the geolocation, so I can add that there and this is going to add it to the columns. In this case, there we are, it looks like they're performing a brute force from different countries. Very interesting; we're learning more about our attacker. In this case it looks like they failed to log in as... let's see what user they used here. So that's the actual rule ID: failed to use FTP, one user. Okay, very interesting. Okay, so yeah, that's
essentially the actual Events page. I'm just going to go back into localhost here; that's the Linux system, which you can rename on the Linux system itself. You then have Integrity Monitoring, so this essentially allows you to, again as it says, perform integrity monitoring. If you click on Inventory, this will give you an inventory, as it says here, of all the files on the system, so you can search for one, and then under Events this will tell you whether a file has been changed, etc.

I'll give you an example of this here. I'm currently on the Linux server that's currently under attack. If I open up htop here, we can see that resource consumption is fairly minimal, but if I say netstat -antp... let me just install that, so sudo apt-get install net-tools, and just give this a couple of seconds. And if I say netstat -antp, we can see, yep, the FTP... there is another... oh boy, oh boy, yeah, looks like someone else is logged onto the system. Oh my goodness, well, that's unknown. If I say who, yeah, there's only one user logged on, which is me, but there is another connection established. That is very interesting, and that is on port 22.
The IP address is different here, established; that's the Wazuh agent. That's very interesting, really, really interesting. So what we can do to stop this brute force is go back into our configuration here, under Management and Configuration, and we want to modify the configuration, and we're going to add an active response rule, because as I said, Wazuh actually has incident response, or intrusion prevention if you will. Under here I'm just going to add a new line, so I'm just going to say active-response, and that's the syntax there, fantastic. We can then say command, and what we want to do is we can say firewall-drop, and because this is on Linux, that's the command there, so firewall-drop. We can then say location, and we'll leave this as is for now because we still need to fill that information in. We then need the rules ID, so when a rule is triggered then this comes into play, and then we need a timeout. The timeout we can set to... I actually believe I know where that other session came from: that was probably from the Lish terminal, which I should have actually known. The timeout we can set to maybe a thousand seconds or ten thousand seconds. But yeah, that's how to add an active response, or to add an incident response rule based on a particular intrusion.

So before we do that, let me just go back into this here; I'll open that up in a new tab because I need to identify more information here. I'll just get rid of that for now. This is really weird, it keeps on running the checks here, but I'll just go back into Agents and we'll click on this one here. By the way, I actually just want to see whether we still have anyone logged in; let me just confirm something here, because I couldn't have wished for a better demo of this. So, Ubuntu server: if I
open up the lish console and i say yes this is still not displaying anything else so let's start a antp uh yeah so it looks like um that comes from okay so we have the wazoo agent that's fine on port 22 there's that ip and yeah okay so i say who now that is very very interesting okay if we take a look at the earlier results we could see that we had another ssh session or that was the attack i'm guessing but there was an established session here that was unknown very interesting that was coming from the same ip address huh oh that that actually looks uh the foreign address is right over here right uh so that's the forum that sorry that's the local address this is the foreign address right so this one here and this one here are anomalies uh either way um we can see that uh that's very interesting password uh let's try and log in and let's see if that's actually logged because the who command should display that huh that's not uh letting me log in i'm just gonna say root okay yeah so that worked out fine um so i'll say who again and yeah so you can see the other session but if they did log in successfully i should have seen that because if there was a successful authentication attempt we would have been able to see it from wazoo again anyway so yeah i clicked on my agent here so we're going to security events it should tell me whether there was a successful authentication attempt so authentication success that looks you know about right here so let's look at this one here this is the earlier one where the login root route yeah that's with pam that makes sense yeah and we have another one here does it also display the actual ip so the agent ip the manager name um if i click on this here okay yeah so so that looks good either way in order for us to block these types of attacks what i was looking for if i go back into the linux agent here and i click on security events and we click on this right over here what we're looking for is the rule id right so the rule id is five 
seven one zero (5710). Okay, so we know that now. So we want to set the rule ID to 5710, and we can then set the location to local. Where do we want to do that? The actual agent that reported that event, I think that's what we need to specify. So the agent name is localhost. I'm not sure if that will work, because the last time I did this I know you could specify the IP address here. Let's actually see if this works. Okay, so I'm going to save this and then restart the manager here, and we can get rid of that window there, and let's see if this actually works. So yeah, I'll give that a couple of seconds to restart the manager.

All right, so I've restarted the manager, and we click on this here. Now you can see that, in terms of the MITRE card that's being displayed, the top tactics look like credential access. We also have a few previous ones; that's very interesting. Let's click on that tactic here, so the technique here. So that's a PAM session, yeah, okay, so that makes sense. Privilege escalation, defense evasion: what did we do there? Is this the same thing? Yeah, that's still PAM; they're using the PAM module for authentication. Okay, so that looks fine. Now persistence: did we do anything? Yeah, that's still the actual authentication there, right. So we're going to Security Events; let's wait on this to load up. We can see here it's still under attack. I want to see if the rule that we've set up is actually active. So that's for the brute force attack; we can see that this is still being performed and the user is jacob, or whatever that name is. So let's actually see whether this is working, right. So the only way to test it is to sort of... if I say `who` here one more time, I just want to make sure I close up the Lish session, and let me just exit. And I can try and ping that target, so instead of saying ssh we can ping it, and let's see, because I'm running this from another network, or from another external IP. Okay,
so I also want to see if that is actually noted. Okay, so let's try and say ssh. Actually, I want to try and log in with another user to simulate a brute force attack, which I can do with Hydra, but I'm not going to do that now. So test: hit an incorrect password, hit an incorrect password there again. Huh, okay, let's see. It should actually tell me that authentication failed; if it hangs like this, then it means there's something going on, or that actually did work. So let me just terminate that again. Yep, looks like it works; looks like that defense rule, or that reactive rule, works. Okay, so fantastic. So that's active response; so that's how to respond to an attack. Let me just refresh this here. Boy, we still have a lot to talk about, but it's good that we actually went out of our way to see how to do that.

So let's see how many authentication failures there have been. "Attempt to log in as a non-existent user": was that us? No, that's oracle. No, that is done. [Music] Interesting. Let's see, we should have our attempt being logged here. There we are, so that's test. I think the attack should cool down now, so the only way we'll know that is, let's see whether they're... because I know the IP addresses are changing, but based on what we specified, that should actually work. Yeah, so that looks like it's stuck at 209. Was this still the oracle user? The only way we'll know whether this has worked is if we just go ahead and continue with what I wanted to cover, right. Okay, so let's click back on our agent here. We talked about the actual security events, but let's move on to integrity monitoring, which I was actually covering. So yeah, there's nothing yet on the events. If we modified or created a new user... Can I actually log in again? Yeah, that's blocked. The only way for me to gain access now is through the Lish, so let me open that up here. Okay, cool, so if I
say `who` now. Oh boy, I keep on typing that same command again and again. How can I get rid of that window here? It doesn't allow me to disable that, interesting. So if I just hit enter... because if I hit Ctrl+L and hit enter, that doesn't do anything there. So let me just open that up again; we'll give this a couple of seconds. So if I say `who`, yeah, so this is currently us. Okay, `netstat -antp`. If I try and modify a file, like for example... let's see, if I try and change... maybe if I say `cat /etc/passwd`. If I create another user, so I can say `useradd -m` and I can then add a test user. Actually, let's not do that; let's go for a very hard user, so I'll say zeus. So `useradd -m zeus`, and the shell is `/bin/bash`, and then we'll say `usermod`... we can just say `passwd`, or create a password for that user, so `passwd zeus`, and I'll just say... actually, I don't want any simple password, so... there we go. Okay, so that should actually be logged. This is the configuration page; it should be logged here under integrity monitoring.

So again, if we go back to our modules, there we are, and we click on System Auditing there; this is going to add the following there. Let's go back a step here, because I know that what I wanted to showcase is actually under the main page here, apologies for that. Right, so System Auditing: "audit users behavior, monitoring command execution and alerting on access to critical files." Okay, so that means that if anyone tries anything funny then we'll be able to see that. Okay, so let's go back into our agents here, and we'll click on Security Events. Ah, looks like we have a few attempts there. Okay, so I don't know whether that's still being blocked, but I think that's another IP, so it's going to reduce it, I guess. But we can customize that based on our own parameters; it really doesn't matter. As I said, if
we take a look at the configuration here again, we see the active response configuration that I set up. Let's see if I can find it... no, that's all the way at the bottom. Give that a couple of seconds. There we are, so Active Response. So that was firewall-drop; the other ones that we have here... it will drop, yeah, that's correct. So timeouts are allowed; firewall-drop, localhost, that's the agent there, because I do know the location might be an issue. Yeah, so I think that looks fine. So again, I know we set it to a thousand seconds there, so we try and log in here. It looks like, yeah, we do know that the attackers are using other IPs, which is why we're still getting other authentication attempts there. And if we click on Events here, we should be able to add the geolocation to see that change occurring. So this was... let's go into the geolocation; the location, I believe, was that added there? Now we can just add the city name there. Yeah, for the other ones it doesn't look like we're getting that; that's very interesting. This was us, definitely, yeah. If we click on that there, we should see that this was indeed... that's still vios, that's very interesting. Yeah, okay, anyway, we know that we specified the options correctly, but it looks like the other alerts are being generated here because I know the SSH...

Let me talk a little bit about filtering, because we can also filter this here. So rule groups: we can also add another filter if we want through the actual search functionality, or we can just use the filtering option here. So in this case we can look for the ID; in this case, what we're looking for specifically is the rule ID, so we can say `rule.id`, say "is", and we specify the value as 5710 to only show those attempts. So those are the brute force attempts. So let's save there, and that should actually reflect. So it's currently loading; there we are, so it's only displaying those ones now. Very
interesting. Okay, so we can refresh that, and okay, yeah, so that's going to take a couple of seconds. Is that another user? Probably another user, but I think we've slowed it down. I think we have slowed it down, yeah. It looks like... so we go back to the dashboard: authentication failure, yeah, that's going down. But we want to get rid of that filter; that'll give us the accurate picture. Yeah, so I think we have been able to mitigate that attack. But again, as I said, this was totally unscripted; this just goes to show you how you can do that yourself, how you can actively respond to a particular attack. As I said, there's multiple other options that you can use.

So again, I'll just show you this one more time, because I think it's very important. If I click on Management and, sorry, let's go back down there: Management, Configuration, and we can then move along, because I wanted to highlight vulnerabilities. So Edit Configuration, and let's take a look at that active response. Not really sure where I specified it; it should be here. There we are. Okay, so these are the active responses available. By default you can see that this one is global, which means that this is for whitelisting. You can also disable an account if you want, you can restart Wazuh, firewall-drop is what we used, and you can also use the host-deny option there, which is fairly similar. And you can also do this for Windows as well if you wanted to. But yeah, in our case we were able to do that. We can probably increase the timeout if we wanted to, but hey, I think we're wasting too much time on that now. So let's go back into Agents and we'll click on the Linux one here, and what I wanted to focus on was the actual vulnerabilities. So if we click on localhost and we go back into Integrity Monitoring: I know that this shouldn't have logged anything yet, even though we created another user. So I'll go back into Modules, and that took me back into Agent,
so localhost, and we click on SCA. All right, so this is very important. This is the Security Configuration Assessment, right. So as it says here, this is using the CIS benchmark for Debian Linux 10. So this document provides prescriptive guidance for establishing, essentially, compliance for this particular Linux system. So you can see the current score is 38. So what does this mean? This is essentially the equivalent of auditing your system with Lynis. So it performs an audit, right, a security audit, and it tells you that all of these checks fail, right. So it's pretty much giving you recommendations as to what you need to do to increase or improve the security of this system, or to harden it if you will. So if we click on the second page, let's look at a few important options, because I know these are not really that important in the context of security. There we are: "Ensure sudo is installed", that is passed. "Ensure the sudo log file exists", that's not done. So you can start to see, from this information being displayed, you can actually learn a lot about how to secure a system, regardless of the operating system, as I'll show it for Windows as well. If I click on Export, I do know that this usually has an error or an issue, but there we are; you can actually export it as an actual CSV sheet. And again, this will also be displayed under Events, but the filter is essentially applied accordingly, so you can see these are the CIS benchmarks here.

Let's go back into that agent there. We were talking about System Auditing, which is what we did, I believe. System Auditing events: that's not yet given us any output, which is fine. And then we have our Vulnerabilities. Okay, so this is the vulnerability scan, or vulnerability detection, where it essentially scans the system on which the agent is installed, and it sorts it based on: critical severity vulnerabilities, high
severity, medium, etc. So if we click on High, or Critical if you will, you can see that we have the following CVE. So as I said, you can learn more by clicking on the Events tab there. So these are the vulnerabilities here. So if we click on it, you can see that the agent IP is provided there; the data: vulnerability, CVE, version is there. Ideally I would look for criticality, so it's a 9.8, which is pretty crazy; the attack vector is network, and then you can perform research on this, right. So: "An issue was discovered in klibc before 2.0.9. Additions in the malloc function may result in an integer overflow and a subsequent heap buffer overflow." Yeah, so really, really useful information. So we can go back into the dashboard, and again you can then click on the Inventory here to essentially display the actual vulnerabilities and all the CVEs that affect a particular package. In this case it looks like it's mostly BusyBox that is being affected. But yeah, that's the vulnerability page. If I click back on it, which I'll do right now, you can see that the dashboard visually displays the data so that it makes sense, right. And you can see that you have the most common CVEs, the top affected packages by CVEs; in this case libmount is critical here, and then we have all of the other packages there. So fairly simple to understand.

Let's go back here to our dashboard. We then have MITRE, right, which is the last thing I wanted to focus on, which you should have an understanding of right now. So this is where threat intelligence comes into play, as I said. So you can see on the dashboard it tells us that pretty much the attack that we're dealing with right now is a brute force attack, and this tells us the same thing here: you can see it's credential access, right. And in this case it gives us the type of alerts; in this case they are brute force attack alerts, and the same thing it does here:
brute force, brute force. So we know what the issue is, and of course you can expand the actual range here; in my case I'm showing the last 24 hours. And you can get the same information from the Events; the only difference here, as you'll see from the columns, is you'll actually get the MITRE ATT&CK ID, that's the tactic ID, and then the actual name, and you get it right over here. So the rule level is 5 and the rule ID is as follows. So based on the actual settings that we had set up, we would not be getting email notifications regarding this, because this is fairly common. We would, however... all of these would be logged, because they're above 3, right; the rule level is above 3. So yeah, if you take a look at the Framework here, you can search for specific... this is really awesome: you can actually search for specific tactics and their techniques. So we can see in our case it looks like we have a few issues with brute force attacks, and then it gives you a description and it tells you when the last one was. So yeah, pretty cool stuff. So that's the MITRE ATT&CK module. As I said, there's the other options here in regards to regulatory compliance, but we're not really interested in that at this point.

But this is the dashboard that you'll be provided with, so it essentially contains the MITRE module, you then have Compliance, the other, in terms of FIM, you have the recent events, and then you have the last scan performed, in regards to providing you with guidance for establishing a secure configuration posture there. And then of course you have the events count, the event count evolution, so this gives you sort of a trend as to when... and the graph is fairly easy to understand: you have the count here and then you have the actual time at the bottom, so it tells you when you're experiencing the highest amount of attacks. So
yeah, fairly cool stuff. If you click on Stats here, you can see that, in this case, let's take a look at it here, yeah, that just displays the stats for that particular agent there. So you can pretty much tell where most of the events are coming from: so active-responses.log, auth.log 93, and in this case it looks like the events are pertinent to the active-responses log, so it looks like it is responding correctly. So our rule, or the active response configuration that we set up, is working correctly. Messages sent: 903, you get the idea. Okay, so yep, I think that's what I wanted to cover from that perspective.

I also wanted to show you the Windows agent, because I completely forgot about it; we're dealing with a brute force attack, and I know this video is way over where it's supposed to be in terms of duration. But you can see that this system is vulnerable, and if I take a look at the Security Events, I performed a few attacks on it. I added a new user just to show you how that looks from an internal perspective. You can see right over here "user logged on"; that was me. You can actually tell that from the time. There's an error event there when logon success; that's because I actually logged on. And then I know I created another user here, so let's just take a step back here, because that was actually logged. So there we are, I created a user here, and you're pretty much getting all of these events, which is very, very important, right. And of course you can click on the Events page and you can add additional fields based on what you're looking for. As I said, this makes much more sense to explore in the context of the Linux agent, because it's currently under attack, so we have much more data to analyze. So we go to Security Events. Let's take a look at our threat surface at this point in time. Yeah, that's fine. I know that's really high at this point, but it looks like they're changing
their tactics. So in this case the high alerts are pertinent to, I think, the CVE, so if we patch this then we should be good in regards to that. So if we clear this filter here, you can see authentication failure, and what we can do is, let's click on Events, let's perform a little bit of analysis here. What I can do is we can also add a filter here by the rule ID, so I'm just going to say rule ID and we're going to say that is 5710, okay, and I'm just going to hit Save. And ideally I would like to know where the attacks are coming from, so as I said, that can be obtained by clicking on the available fields here, so we can add the geolocation location; I'm guessing that gives us, let's see, yeah, that's latitude and longitude, so I'll get rid of that there because I really don't need that here. What I want is the geolocation city, or the country; yeah, that will be very useful in our case, so let's add that there. Yeah, that's definitely where you'd expect it to come from, so you have Russia, etc. By the way, this was me; I know that this was me here because that's Kenya, unless we have an attacker from Kenya. Yeah, that's test. So yeah, I think the attacks have actually slowed down, because apart from those ones there we had a couple of other ones, but it looks like they're switching IPs, which is why we're still getting brute force attacks. The only good thing in our case is the fact that they are being blocked. And what we can do is I can actually show you how to also view the response alerts, or events if you will. As I said, if you get rid of the filters and you click on the Events, you can actually see the active response rules here, or events if you will, so you can actually see the host blocked this particular IP address, or this particular attempt. So we do know that it works. With that being said, we've covered quite a lot, and this exercise has been very fruitful because I didn't expect an SSH attack at
this point. But yeah, thank you very much for watching. I'm just going to switch over back into the slides. So if you have any questions or recommendations, or if you had any issues with this video, you can take a look at the slides provided to you, or you can reach out to me and the HackerSploit community on our Discord server; the link to that is in the description section. If you want to register for part two of this series, you can also access that by clicking the link in the description, and you can access part two for free. In the next video we're going to be taking a look at how to perform intrusion detection with Suricata. So I'll be seeing you in the next video. [Music]
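The active response the video builds through the dashboard (firewall-drop, rule ID 5710, location local, 1000-second timeout) is, under the hood, a block in the manager's `/var/ossec/etc/ossec.conf`. The configuration below is an added example, not the author's own setup, and assumes a Wazuh 4.x manager on which the `firewall-drop` command is already defined in the default `ossec.conf` (shown here only for reference); the `rule.id: 5710` filter used in the Events view keys on the same ID.

```xml
<ossec_config>
  <!-- Shipped by default in Wazuh 4.x ossec.conf; repeated here for reference only.
       Defines the script the manager can ask an agent to run. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- The response the video sets up: block the source IP of any alert matching
       rule 5710 on the agent that raised it, for 1000 seconds, then unblock.
       <location>local</location> means "run on the agent that generated the alert",
       so no agent_id is needed; restart with: systemctl restart wazuh-manager -->
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5710</rules_id>
    <timeout>1000</timeout>
  </active-response>
</ossec_config>
```

In Wazuh's default sshd ruleset, 5710 (level 5) fires on every login attempt for a non-existent user, while 5712 is the correlation rule that fires only after repeated 5710 hits inside a short window; keying the block on 5712 instead trades a slower first block for fewer false positives from a single mistyped username, and the `<timeout>` bounds how long a mis-blocked address stays dropped.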