SANS ISC Internship Setup: AWS DShield Sensor + DShield SIEM [Guest Diary]

Published: 2024-11-26. Last Updated: 2024-11-28 01:52:48 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

[This is a Guest Diary by John Paul Zaguirre , an ISC intern as part of the SANS.edu BACS program]

Introduction

This is a blog post documentation on how to set up the DShield Sensor in AWS, DShield SIEM locally, and connecting them both. I initially setup a Raspberry Pi5 to use as a DShield Sensor, but ultimately switched to AWS after a while. I then added a DShield SIEM hosted locally on my network and connected the AWS sensor into it to utilize for my attack observations. This walkthrough is based on multiple documentations that have been compiled into one, and I have linked their GitHub pages under the “References and Resources” section. You can find the full walkthrough on this page – https://github.com/15HzMonitor/Internship-Blog-Post

Requirements - Hardware, Software, and Accounts

Hardware
1.    A machine to host your DShield SIEM. This can be a laptop, a desktop, or a virtual machine running on your desktop. If you're planning to run the SIEM 24/7, I suggest using something different than your daily production machine. In my case, I reused an old desktop to use as my SIEM so that it can run 24/7. Below are the minimum specs required to run the SIEM based on Guy's documentation for the Ubuntu Setup [1]:
    o    Minimum 8+ GB RAM
        -    If the amount of RAM assigned to each container (see below) is more than 2GB, consider increasing the server RAM capacity.
    o    4-8 Cores
    o    Add 2 partitions, one for the OS, the other for docker
    o    Minimum 300 GB partition assigned to /var/lib/docker (I used a 1TB SATA drive)
2.    USB flash drive(s) to put your Ubuntu ISO to be installed to your repurposed machine. Have at least 16GB, and it must be clear of any data since you will be using Rufus, and it will format the USB stick when creating a boot drive.

Software
1.    Ubuntu 22.04 LTS Live Server 64-bit for your DShield SIEM. You can download the ISO on the Ubuntu Server Page [2].
2.    Rufus Software to put your Ubuntu ISO into a bootable USB. You can find the latest Rufus version on the Rufus downloads page [3].
3.    (Optional) a software such as Parted Magic or DBAN to wipe the machine you will be using.
4.    Your router's software to create a static IP for your SIEM and do port forwarding.

Accounts
1.    A SANS Internet Storm Center (ISC) Account for your API key to enter in your sensor. You can sign up on the ISC sign up page [4].
2.    An AWS Account to deploy your DShield Sensor using the Free Tier offer.
If you don't have one yet, you can sign up on the AWS sign up page [5].
3.    An AlienVault OTX account for generating the API code to link to your DShield SIEM. You can sign up on the AlienVault OTX sign up page [6].

Setup Process

1. Setup your DShield Sensor.

  1. Sign up for an AWS Account.
  2. Setup EC2 Instance
  3. Install & setup DShield Sensor
  4. Configure EC2 Security

2. Setup your DShield SIEM.

  1. Install Ubuntu Server to a physical machine.
  2. (Option) Install Ubuntu Server virtually through VMWare.
  3. Build a Docker Partition.
  4. Install Docker.
  5. Install and Configure DShield ELK.
    •  An optional setup for using Raspberry Pi as a SIEM has been written by another SANS Student and can be found on their GitHub page [7].

3. Configure Filebeat and connect your DShield Sensor to DShield SIEM.

  1. Install and configure Filebeat on your DShield sensor and connect it to your ELK.
  2. Troubleshoot and test Filebeat.
  3. Start Filebeat, Elastic-agent, and Softflowd.
  4. Check the status of Filebeat, Elastic-agent, and Softflowd.
  5. Accessing your dashboards and logs.

4. Harden your DShield SIEM.

  1. Adding non-root user(s), Install updates, Unattended upgrades, Locking down OpenSSH, Fail2ban.
  2. 10 Tips for Hardening your Linux Servers.

[1] https://github.com/bruneaug/DShield-SIEM#ubuntu-setup
[2] https://ubuntu.com/download/server
[3] https://rufus.ie/downloads/
[4] https://isc.sans.edu/register.html
[5] https://signin.aws.amazon.com/signup?request_type=register
[6] https://otx.alienvault.com/
[7] Installing DShield SIEM on a Raspberry Pi 5 - 8 GB RAM
[8] https://www.sans.edu/cyber-security-programs/bachelors-degree/

Special thanks to the writers of these GitHub documents:

dshield: DShield Raspberry Pi Sensor
Installing DShield SIEM on a Raspberry Pi 5 - 8 GB RAM
DShield-SIEM: DShield Sensor Log Collection with ELK
Dshield-ELK

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Keywords: AWS BACS DShield DShield Sensor ELK
0 comment(s)

[Guest Diary] Using Zeek, Snort, and Grafana to Detect Crypto Mining Malware

Published: 2024-11-26. Last Updated: 2024-11-26 20:07:54 UTC
by David Fitzmaurice, SANS.edu BACS Student (Version: 1)
0 comment(s)

[This is a Guest Diary by David Fitzmaurice, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].

Over the last six months there have been frequent SSH connections leaving versions of the RedTail malware on my DShield Honeypot [2]. This variation of the malware is placed on a victim device through a secure shell (SSH) connection. Upon a successful install of the malware the server will send a domain name system (DNS) request for the command and control IPs and begin communicating with its botnet. 

This kind of attack is easy to prevent on a small network with only a handful of devices where SSH servers aren’t accessible to the internet. In a large network serviced by administrators with varying skill levels devices are often left with default or weak credentials. How can we minimize the time to detect a breach from a crypto miner? 


Figure 1: Diagram showing the collecting network architecture and the visible portion of the attacking network.

 

This malware uses SSH password guessing for the initial exploit and install of the RedTail malware as shown in figure 2. This attack uses username and password combos that can be found as defaults or passwords commonly used when users are forced to change their passwords frequently such as username root and password abc123!@#. This is a great reminder not to arbitrarily require password changes. Once the attacking server successfully authenticates it will upload the following files.

  • setup.sh
  • redtail.x86_64
  • redtail.i686
  • redtail.arm8
  • redtail.arm7
  • clean.sh


Figure 2: Initial SSH Connection to DShield Honeypot

 

The RedTail files above each contain strings associated with the XMRig [3] crypto mining software.  The clean.sh script is used to prep the system for install and the setup.sh script is used to select and install the executable file appropriate for the victim system which will be one of the RedTail files above. Once the RedTail malware is run it will start two apache [4] processes for network communications, send a DNS request to various DNS servers for moneroed[.]net, create a connection to the original attacking IP on port 43782, and create a connection to one of the servers identified in the DNS request to moneroed[.]net IPv4 records on port 2137. The DNS requests can be seen in Figure 3, and the command and control connections can be seen in Figure 4. 


Figure 3: DNS Request/Response

 


Figure 4: Command and Control Channels

 

Using the default configuration for Snort [5] did not generate any alerts from this attack. The default configuration for Zeek created SSH logs, DNS logs, and connection logs. In a busy network this could easily go undetected. Following the TCP stream for that port 2137 connection in Wireshark shows JSON entries in ASCII that look exactly like the Stratum mining protocol [6] used by the XMRig software. This is shown in Figure 5.  


Figure 5: Port 2137 connection showing Stratum mining protocol communications

 

In order to detect the Stratum mining protocol I found a Zeek package called zeek-cryptomining [6] that included Zeek scripts and signatures to detect the most common crypto mining communications such as communications from XMRig. Once the package was loaded onto my network sensor I started getting logs showing the malware communications. The network tap and network sensor can be seen in figures 1-4 and the logs created from the Stratum mining protocol can be seen in figure 6. 


Figure 6: An example of searching Grafana for Zeek_Notice logs generated from an infected system. 

The port 43782 connection proved to be a bit more complicated. During the initial connection the attacking server transferred around 70,000 bytes of data to the victim device. Once that concluded the victim system would send data starting with the hex bytes 0x0c180000003c in each transmission. This is shown below in figure 7. 


Figure 7: Hex dump of port 43782 TCP stream in Wireshark. 

In order to track the connections seen on port 43782 a Snort rule can be written. In this case I used the hex bytes 0x0c180000003c which I observed in most client to server packets. To speed up the rule writing process I used ChatGPT [8] to generate a basic draft. 

ChatGPT Prompt 
“Create a Snort signature to alert when the first six bytes of a TCP payload are as follows 0x0c180000003c. This signature should alert when the communications are from the home network to the internet.“

ChatGPT Rule
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TCP payload matches 0x0c180000003c"; content:"|0C 18 00 00 00 3C|"; offset:0; depth:6; flow:to_server,established; sid:1000001; rev:1;)

I searched the Snort documentation [8] to verify the fields and add additional information. As a rule AI in its current state should be used as an augment, but any outputs should be verified. The Snort rule I used is added below. I decided to use the classtype field to output “Known malware command and control traffic” and set “Priority: 1” in the alert logs. The logs from testing the rule on my network tap and Grafana[9] server can be seen in figure 8. 

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TCP payload starts with 0x0c180000003c. Possible Crypto mining."; content:"|0c 18 00 00 00 3c|"; offset:0; depth:6; sid:1900001; rev:1; classtype:malware-cnc;)


Figure 8: Snort alerts seen in Grafana for port 43782 traffic

These rules are specific enough to avoid false positives and broad enough to consistently detect when the RetTail malware is active. These rules have been running on my network tap from September 12, 2024 through November 15, 2024 and have not created any false positives. In that time the RedTail network has used three different initial attack IPs, and the sha256 hash of the X86_64 variant of RedTail has changed five times. If we were to only rely on threat intelligence to identify malicious file hashes or IPs we would miss those changes. 

Using a network tap or mirroring a port into an intrusion detection system (IDS) like Snort or Zeek and sending the traffic to a log analysis tool like Grafana creates a great environment for threat hunting activities. With some effort to characterize and create signatures or scripts for malicious network traffic threats can be detected almost immediately when the network is monitored. Analysts could take this a step further and characterize normal communications on the network so when something unusual occurs it will be noticed by security analysts much quicker. 

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/
[2] https://isc.sans.edu/honeypot.html
[3] https://xmrig.com/
[4] https://httpd.apache.org/
[5] https://www.snort.org/
[6] https://github.com/xmrig/xmrig-proxy/blob/master/doc/STRATUM.md
[7] https://packages.zeek.org/packages/view/cccea150-9348-11eb-81e7-0a598146b5c6
[8] https://chatgpt.com/
[9] https://docs.snort.org/rules/options/general/
[10] https://grafana.com/

 

--
Jesse La Grew
Handler

Keywords: crypto dshield grafana mining snort zeek
0 comment(s)
ISC Stormcast For Tuesday, November 26th, 2024 https://isc.sans.edu/podcastdetail/9232

Comments

Login here to join the discussion.


Diary Archives