AlienVault: End user Devices Integration-Lab Setup (Part 2)

As logs never lie, it’s very important to aggregate and analyze the internal and external network logs constantly so that you can prevent a breach or perform incident response on time. In the previous article, we looked at the configuration and installation of AlienVault OSSIM.

The operating-system integration for AlienVault is based on window-centric for a Linux platform.

Let’s take a look at the involved process for gathering logs from Linux servers using AlienVault.

You can access the previous article from here: – AlienVault Lab setup

in this article, we will discuss how to send Ubuntu RSYS logs to the AlienVault server and the Manual configuration and installation of the SSH plugin.

So, without much theory let’s begin the integration process.

Table of Content

  • Prerequisites
  • credentials
  • Integration of Rsyslog and SSH plugin to AlienVault OSSIM

Prerequisites

For the integration of Rsyslog and SSH plugin to AlienVault OSSIM, there are some minimum requirements as listed below.

  • Ubuntu 20.04 or later
  • Root privileges

Credentials

  • Ubuntu 20.04 IP: 192.168.1.8
  • AlienVault OSSIM IP: 192.168.1.70
  • OSSIM (CLI) user: root
  • OSSIM password: Designated by you on the time of server setup

Integration of Rsyslog and SSH plugin to AlienVault OSSIM

Ubuntu 20.04

Rsyslog is a software that is used for forwarding log messages in an IP network. It implements basic Syslog protocol and extends it with content-based filtering capabilities. It also supports different module outputs, flexible configuration options and adds features such as TCP for transport.

Make sure the Port 514 (UDP protocol) is both on the ubuntu 20.04 server-side and AlienVault OSSIM server is open so that the logs can be forwarded via UDP on port 514

Open rsyslog.conf file and check whether it is including all configuration file or not

To do this enter the following command

Uncomment the following line to include all configuration files.

If this line by default is uncommented, then save and exit.

Now we forward the rsyslog logs to the AlienVault OSSIM server.

Create a new configuration file named alienvault.conf and add the following line as shown below:

Where 192.168.1.70 is OSSIM server IP.

To make the changes effective restart rsyslog service by the following command:

OSSIM Server

Login to the OSSIM server Jailbreak the server to CLI as shown below

On the next prompt, it will ask you for permission to access the full command line select yes and continue.

Here we’re using tcpdump on the OSSIM server to see log communications between Ubuntu 20.04 and OSSIM by running tcpdump to capture the logs with the following command:

Let’s verify whether it is receiving logs from Ubuntu 20.04 server or not

Ubuntu 20.04

In the ubuntu machine, I m switching users by running the following command, and then after we will see the logs of switching users are reflected on the OSSIM server or not.

Come back to the OSSIM server

OSSIM Server

Let’s check what happens here …

Hurrah !!! as we can see the log from the Ubuntu server has entered into the OSSIM server, then now we will redirect the logs sent to OSSIM into a file.

Now we’re going to configure the Filtration in the Rsyslog.

To do this follow the below steps:

Head towards the rsyslog.conf file in the directory etc.

In the section GLOBAL DIRECTIVES, the line “$IncludeConfig /etc/rsyslog.d/*.conf” by default it includes the whole config file of the system.

To filter specific rsyslog configurations and logs put some specific name  on the place of * to filter it easily as shown below:

For example:-

Now head towards to directory of rsyslog.d and create a configuration file debian.conf

And enter the following rule into it:

Then save and exit as shown below

Now we check that the logs of the ubuntu server are inserted correctly in auth.log or not.

Before we do rsyslog restart and then follow the below steps:

As we can see logs are started coming from the ubuntu server 😉

Now we move on to the AlienVault part

OSSIM needs a plug-in t to connect any data source to the server. Plugins have XML based configuration.

The plugins have two elements: cfg and SQL

Let’s go to configure cfg

To do this head towards the directory /etc/ossim/agent/plugins

in the directory of plugins, there are lots of plugins available that can be activated in OSSIM

we went on to modify one by hand for example SSH

To do this run the following command:

Then after open the debianssh.cfg configuration file.

And change the plugin id with your desired no. to make it identifiable for the further process.

Here I’m replacing plugin id 4003 to 9001 as shown below:

Now we can activate the plugin

Come back to AlienVault setup by entering the following command:

And then configure the sensor by the below steps:

Select Configure Sensor > Configure Data Source Plugins > debianssh

Select Configure sensor

Select Configure Data Source Plugins

In the previous steps, we modified an SSH plugin into debianssh plugin. Select it in the list of plugins by pressing spacebar as shown below

And then come back to AlienVault Setup by selecting back option and then Apply All Changes

At last, it will ask for your permission to apply all changes

Select yes and then continue

On the next prompt, it will show you changes applied

Let’s go to configure the SQL part of the plugin.

Head towards to the directory of /usr/share/doc/ossim-mysql/contrib/plugins by entering the following command

by running command ls you can see the examples of sql plugins

we’re going to copy the ssh.sql to debianssh.sql by running the following command:

Open the debianssh.sql file

Let’s do some modifications in the configuration file so that it can match the plugin.cfg to the SQL database.

The configuration looks like similar as shown below

Change the plugin id 4001 to 9001 or somewhat the value of no. that you designated in the upper section as shown below:

As you can see this configuration file contains a predefined database of SSH logs so that if any suspicious SSH activity or request comes to the Ubuntu server it can match with that request.

And then Save and exit from the file.

Let’s put it into the action and activate the database be reconfiguring it.

To do this enter the following command:

And at last reconfig the AlienVault OSSIM server by entering the following command:

On the next screen, it will start reconfiguring the server

If you are seeing this then congratulations…!!!

You successfully integrated Rsyslog and SSH plugin to the AlienVault OSSIMa server.

Hold tight! this is not enough…..

Have patience 😉

In this article, we explained the integration and configuration process of Rsyslog and SSH plugin to  AlienVault OSSIM.

In the next article, our focus will be on the configuration and installation of OSSEc Agents that send logs to AlienVault Server.

OSSEC is an open-source Host Intrusion Detection System (HIDS) that runs across multiple OS platforms such as Windows, Linux, Solaris. Mac …etc.

Author – Vijay is a Certified Ethical Hacker, Technical writer and Penetration Tester at Hacking Articles. Technology and Gadget freak. Contact Here

SIEM Lab Setup: AlienVault

AlienVault OSSIM is an Open Source Security Information and Event Management (SIEM), which provides you with the feature-rich open source SIEM complete with event collection, normalization, and correlation. OSSIM is a unified platform which is providing the essential security capabilities like: –

  • Asset discovery
  • Vulnerability assessment
  • Host Intrusion detection
  • Network intrusion detection
  • Behavioural monitoring
  • SIEM event correlation

It is already loaded with the power of the AlienVault Open Threat Exchange (OTX). The open threat intelligence community provides community-generated threat intelligence and allows you to collaborate with them and also automates the process of updating your security infrastructure with threat data from any source.

AlienVault is very useful for monitoring your system security event or vulnerability and can help you to audit assessment security like PCI-DSS.

So, without wasting more time or much theory let’s begin the installation process. AlienVault OSSIM ISO can be easily found on the AlienVault OSSIM product page.

Table of Content

  • Prerequisites
  • Installation
  • Setup log monitoring interface
  • Web UI Access

Prerequisites

For the installation of AlienVault OSSIM, there are some minimum requirements as listed below.

  • VMware or Virtual Box
  • 2 NIC (Network interface card) E1000 compatible network cards

(You can have multiple NICs for Log Management or network monitoring)

  • 4 CPU cores
  • 4-8GB RAM
  • 60GB HDD

Installation

Once you’ve downloaded the AlienVault OSSIM ISO file, begin installation It on your virtual machine.

To install AlienVault OSSIM

  • In your virtual machine, create a new VM instance using the AlienVault OSSIM ISO as the installation source.
  • Complete the requirements of AlienVault as shown below.

Once you launch the new AlienVault instance, select Install AlienVault OSSIM 5.7.4 (64 Bit) and Hit Enter As shown below

The installation process takes you through a tour of setup options choose as per your requirements.

  • Select language that you want to use

Select your location

Configure the network by Assigning

As we have 1 or more Network interface cards choose one for the primary network interface card for the management server. The IP address will be used to access AlienVault OSSIM Web UI. We are going to use eth0 for the management and the rest of the network is connected to eth1.

Assign a Unique IP address to the server as shown below. If you don’t know what to use here, consult your network administrator.

Assign the Netmask of the assigned unique IP address

Provide the Gateway: That indicates the gateway router, as known as the default router. All traffic goes outside your LAN is sent through this router.

Then the installation process takes you to set up a root password this will be used for the root login account in the AlienVault OSSIM login console.

Then on the next prompt set up your time zone as the final step.

And then it will install the base system. It takes quite long depends on your system speed as usually, it takes 10-15 to finish the installation till then go get served you with a coffee ☕.

You can now login to the AlienVault OSSIM console with the root user and enter the password that you designated in the setup process.

Login with credentials of the root account.

Setup log monitoring interface

After successfully login, you must configure the log management interface.

To set up a network interface for log management and scanning follow the steps as described below.

Click on System Preferences > Configure Network > Setup Network Interface > eth1 > IP address > netmask.

Go to System Preferences

Select Configure Network

Select Network Interface

Select eth1 for log management and scanning.

Assign a unique IP address to set up a network management interface.

Assign the netmask of the designated IP address.

And then come back to the AlienVault setup by selecting back and back and then select Apply all Changes as shown below.

Verify the changes that you have done if correct then select yes.

Now you have successfully set up the Network interface for the log management !!!

Hmm 😃 !! you have successfully installed and set upped AlienVault in VMware.

Web UI Access

By completing the installation process, you can access the Web UI and setup your admin account.

To access Web UI, open up your favourite browser and visit 

Hold tight! this is not enough…..

Have patience 😉

Author – Vijay is a Certified Ethical Hacker, Technical writer and Penetration Tester at Hacking Articles. Technology and Gadget freak. Contact Here

Defense Evasion with obfuscated Empire

In this article, we will learn the technique of Defence Evasion using the PowerShell Empire. PowerShell Empire is one of my favourite Post Exploitation tools and it is an applaudable one at that.

Table of Contents:

  • Installation
  • Getting a session with Empire
  • Obfuscating with Empire

Installation

When evading all the target defences with Empire, it is important to focus on installation. There are two methods to install Empire, obfuscating scripts would not work if you install Empire using apt install command. But this problem wouldn’t occur if you use the git clone command as shown in the image below.

The above command will download Empire on your system and to install it, use the following command:

Getting a session with Empire

With the above commands, your Empire is downloaded and installed. Let us now get the Empire up to and running and take a session of the target system. Once you start Empire, the first thing to do is to start a Listener. And to start a listener, use the set of following commands:

The above commands will start a listener on port 80. Once the listener is active, we have to launch a stager. The stager that we are going to use in this article is of windows and is in batch language. To launch the stager, use the following set of commands:

Once your malware is ready, it will be stored in /tmp directory by default as you can see in the image above. To send this bat file to the target system, you can use python one-liner server or any other method you like. We used a python server for our this practical. To use the python server, type the following command in the directory where the file is saved like in our case it was /tmp directory:

Once the file is executed in the target system. You will get your session as it is shown in the image below. To access the session or agent (as per the Empire terminology) use the following commands:

In the event viewer, you can go to the Applications and Services Logs > Microsoft > Windows > PowerShell > Operational and check the log made by the batch file from Empire as shown in the image below:

Obfuscating with Empire

Now, you can see in the image above that the log of the file gives proper detail of the malicious file. These details include the code of the file, where the file is stored, and other important details. These details, when readable by the system, makes it easy for the file to be detected. For successfully attacking the target, it is important to evade all the defenses put up by the target. And to do so, we will globally obfuscate the Empire and then create our malicious file. Obfuscating the Empire will mean all the malicious files that will be generated from Empire will be obscure i.e. they will be had to detect in the target system and will allow you to bypass the defence systems like antiviruses. To obfuscate the Empire, use the following command first:

The above command will download all the scripts required for the obfuscation.

The command executed above takes a bit of time but if it allows us to be successful in our attack then little time is no problem and most importantly it is worth it. Once all the obfuscating scripts are downloaded, execute the following command:

This command will initiate the obfuscating and all the stagers developed and agents created will be obfuscated, which you can see in the image below:

Now once the obfuscation is active, we will once again execute the listener as shown previously in this article and once the listener is up and running we will launch a stager with the following set of commands:

Similarly, like before, use the python server to deliver the malicious file to the target system.

Once the file is executed in the target system; you will get a new session as shown in the image below. To access the new agent, use the following commands:

Now the session we have received is through obfuscation and we will confirm this by using Event Viewer. Follow the same path as earlier (Applications and Services Logs > Microsoft > Windows > PowerShell > Operational) in the Event Viewer to see the log created by our malicious file.  AS you can see in the image below, the details that the log has now is vague and confusing. This makes the file unreadable by the system and is successful in dodging defenses such as anti-viruses.

This way the Obfuscated Empire can save you from getting caught in the target system. It is important to learn such techniques to glide by the defenses in the target system to test whether the defenses in the place are proper or not.

Author: Yashika Dhir is a Cyber Security Researcher, Penetration Tester, Red Teamer, Purple Team enthusiast. Contact her on Linkedin and Twitter