FaresMorcy
  • Whoami
  • Footprinting Labs
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • Shells & Payloads
    • The Live Engagement
  • Password Attacks
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • SOC Hackthebox Notes & Labs
    • Security Monitoring & SIEM Fundamentals Module
    • Windows Event Logs & Finding Evil Module
    • Introduction to Threat Hunting & Hunting With Elastic Module
    • Understanding Log Sources & Investigating with Splunk Module
      • Introduction To Splunk & SPL
      • Using Splunk Applications
      • Intrusion Detection With Splunk (Real-world Scenario)
      • Detecting Attacker Behavior With Splunk Based On TTPs
      • Detecting Attacker Behavior With Splunk Based On Analytics
      • Skills Assessment
    • Windows Attacks & Defense
      • Kerberoasting
      • AS-REProasting
      • GPP Passwords
      • GPO Permissions/GPO Files
      • Credentials in Shares
      • Credentials in Object Properties
      • DCSync
      • Golden Ticket
      • Kerberos Constrained Delegation
      • Print Spooler & NTLM Relaying
      • Coercing Attacks & Unconstrained Delegation
      • Object ACLs
      • PKI - ESC1
      • Skills Assessment
    • Intro to Network Traffic Analysis Module
    • YARA & Sigma for SOC Analysts Module
      • Developing YARA Rules
      • Hunting Evil with YARA (Windows Edition)
      • Hunting Evil with YARA (Linux Edition)
      • Sigma and Sigma Rules
      • Developing Sigma Rules
      • Hunting Evil with Sigma (Chainsaw Edition)
      • Hunting Evil with Sigma (Splunk Edition)
      • Skills Assessment
  • TryHackme SOC 1
    • TShark
      • TShark: The Basics
      • TShark: CLI Wireshark Features
      • TShark Challenge I: Teamwork
      • TShark Challenge II: Directory
    • Tempest
    • Boogeyman 1
    • Boogeyman 2
    • Boogeyman 3
  • TryHackme SOC 2
    • Advanced Splunk
      • Splunk: Exploring SPL
      • Splunk: Setting up a SOC Lab
      • Splunk: Dashboards and Reports
      • Splunk: Data Manipulation
      • Fixit
    • Advanced ELK
      • Slingshot
    • Threat Hunting
      • Threat Hunting: Foothold
      • Threat Hunting: Pivoting
      • Threat Hunting: Endgame
  • TryHackme Rooms
    • Investigating Windows
    • Splunk 2
    • Windows Network Analysis
  • Sans SEC505
    • Powershell Scripting Fundamentals
    • Book One
      • The Object-Oriented Command Shell
  • SANS SEC504 & Labs
    • Book one
      • Live Examination
      • Network Investigations
      • Memory Investigations
      • Malware Investigations
      • Accelerating IR with Generative AI
      • Bootcamp: Linux Olympics
      • Bootcamp: Powershell Olympics
    • Book Two
      • Hacker Tools and Techniques Introduction
      • Target Discovery and Enumeration
      • Discovery and Scanning with Nmap
      • Cloud Spotlight: Cloud Scanning
      • SMB Security
      • Defense Spotlight: Hayabusa and Sigma Rules
    • Book Three
      • Password Attacks
      • Cloud Spotlight: Microsoft 365 Password Attacks
      • Understanding Password Hashes
      • Password Cracking
      • Cloud Spotlight: Insecure Storage
      • Multipurpose Netcat
    • Book Four
      • Metasploit Framework
      • Drive-By Attacks
      • Command Injection
      • Cross-Site Scripting
      • SQL Injection
      • Cloud Spotlight: SSRF and IMDS
    • Book Five
      • Endpoint Security Bypass
      • Pivoting and Lateral Movement
      • Hijacking Attacks
      • Establishing Persistence
      • Defense Spotlight: RITA
      • Cloud Spotlight: Cloud Post-Exploitation
  • SANS SEC511 & Labs
    • Resources
      • Primers
      • References
      • Tools
        • Network
        • Elastic Stack
      • Printable Versions
    • Book One
      • Part One
      • Part Two
      • Part Three
    • Book Two
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Three
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Four
      • Part One
      • Part Two
      • Part Three Lab
      • Part Four Lab
    • Book Five
      • Part One Lab
      • Part Two Lab
      • Part Three Lab
  • CyberDefenders
    • XXE Infiltration Lab
    • T1594 Lab
    • RetailBreach Lab
    • DanaBot Lab
    • OpenWire Lab
    • BlueSky Ransomware Lab
    • Openfire Lab
    • Boss Of The SOC v1 Lab
    • GoldenSpray Lab
    • REvil Lab
    • ShadowRoast Lab
    • SolarDisruption Lab
    • Kerberoasted Lab
    • T1197 Lab
    • Amadey Lab
    • Malware Traffic Analysis 1 Lab
    • Insider Lab
    • Volatility Traces Lab
    • FalconEye Lab
    • GitTheGate Lab
    • Trident Lab
    • NerisBot Lab
  • Practical Windows Forensics
    • Data Collection
    • Examination
    • Disk Analysis Introduction
    • User Behavior
    • Overview of disk structures, partitions and file systems
    • Finding Evidence of Deleted Files with USN Journal Analysis
    • Analyzing Evidence of Program Execution
    • Finding Evidence of Persistence Mechanisms
    • Uncover Malicious Activity with Windows Event Log Analysis
    • Windows Memory Forensic Analysis
  • WEInnovate Training
    • Weinnovate - Active Directory Task One
    • Build ELK Lab
      • Configure Elasticsearch and Kibana setup in ubuntu
      • Configure Fluent-Bit to send logs to ELK
      • Set up Winlogbeat & Filebeat for log collection
      • Send Logs from Winlogbeat through Logstash to ELK
      • Enable Windows Audit Policy & Winlogbeat
      • Elasticsearch API and Ingestion Pipeline
    • SOAR
      • Send Alerts To Email & Telegram Bot
      • Integrate Tines with ELK
    • SOC Practical Assessment
    • Boss of the SOC V1 - Web Defacement
    • Lumma C2
    • Network Analysis
  • Build ELK Lab
    • Configure Elasticsearch and Kibana setup in ubuntu
    • Configure Fluent-Bit to send logs to ELK
    • Set up Winlogbeat & Filebeat for log collection
    • Send Logs from Winlogbeat through Logstash to ELK
    • Enable Windows Audit Policy & Winlogbeat
    • Elasticsearch API and Ingestion Pipeline
  • Build Home Lab - SOC Automation
    • Install & configure Sysmon for deep Windows event logging
    • Set up Wazuh & TheHive for threat detection & case management
    • Execute Mimikatz & create detection rules in Wazuh
    • Automate everything with Shuffle
    • Response to SSH Attack Using Shuffle, Wazuh, and TheHive
  • Home Lab (Attack & Defense Scenarios)
    • Scheduled Task Attack & Defense
    • Kerberoasting Attack & Defense
    • Password Spraying Attack & Defense
Powered by GitBook
On this page
  1. Build Home Lab - SOC Automation

Automate everything with Shuffle

PreviousExecute Mimikatz & create detection rules in WazuhNextResponse to SSH Attack Using Shuffle, Wazuh, and TheHive

Last updated 10 days ago

Let's begin by installing Shuffle on Ubuntu.

sudo apt update && sudo apt install -y docker.io docker-compose

sudo systemctl enable docker
sudo systemctl start docker

git clone https://github.com/Shuffle/Shuffle.git
cd Shuffle

sudo docker-compose up -d

After the installation is complete, access the application by navigating to http://your-ip:3001 in your web browser.

After executing these commands, we will proceed to create an account and log in.

sudo chown -R 1000:1000 shuffle-database
sudo swapoff -a
sudo docker restart shuffle-opensearch

After creating the workflow, you may notice that several applications are missing. To address this, we need to take the following steps.

Now, let's proceed with creating a new workflow.

Next, we need to set up a webhook to receive alerts from the Wazuh dashboard.

On the Wazuh server, open the /var/ossec/etc/ossec.conf file. Insert the webhook URL within the <hook_url> tags.

sudo nano /var/ossec/etc/ossec.conf
  <integration>
    <name>shuffle</name>
    <hook_url>http://192.168.204.151:3001/api/v1/hooks/webhook_82a81730-b6b5-476f-8eab-225c6b165fda </hook_url>
    <rule_id>100002</rule_id>
    <alert_format>json</alert_format>
  </integration>

Here, I aim to receive alerts for Rule ID 100002, which we previously configured for Mimikatz detection. You can modify the rule to capture additional alerts based on your requirements or adjust the alert level as needed.

After saving the changes, let's restart the Wazuh manager to apply the new configuration:​

systemctl restart wazuh-manager

Next, let's run Mimikatz again to verify whether the alert generated by Wazuh is successfully sent to Shuffle.

Now, let's verify whether any alerts have been triggered in the Shuffle workflow.

Workflow:

  1. Mimikatz Alert Trigger – A Mimikatz alert is generated and sent to Shuffle.

  2. Alert Processing in Shuffle – Shuffle receives the alert and extracts the SHA-256 hash of the detected file.

  3. Reputation Check – The extracted hash is queried against VirusTotal to assess its reputation score.

  4. Alert Creation in TheHive – The analysis details are forwarded to TheHive to generate an incident alert.

  5. Notification to SOC Analyst – A notification is sent to the SOC Analyst through telegram bot, prompting them to initiate an investigation.

Next, we need to obtain the file's hash to verify it on VirusTotal. To do this, let's follow these steps.

Hover over the Execution Argument.

Next, we need to create a regular expression specifically designed to extract only the SHA-256 hash.

Let's rename it from Wazuh_Receive_alerts to SHA256.

We now need to submit this SHA-256 hash to VirusTotal for analysis.

Please retrieve your API key from your VirusTotal account and enter it here.

Let's run it again.

Let's check the attributes.

This means that 65 security scanners have identified the file as malicious.

Next, we need to forward the results provided by VirusTotal to TheHive.

Let's transition to TheHive and proceed with creating a new organization along with user accounts for it.

Now, let's create new users.

Now, we need to set a password for Omar's account and generate an API key for the SOAR account.

Now, we will use this API key to establish a connection with Shuffle.

Certain fields need to be completed.

Summary -> Mimikatz Activity Detected on host: $exec.text.win.system.computer and the Process Id: $exec.text.win.eventdata.processId and the Commandline: $exec.text.win.eventdata.commandLine
Description -> Mimikatz Detected on host:$exec.text.win.system.computer

Let's execute the workflow again.

Next, we need to rerun the process to ensure everything functions correctly.

Now, let's log in to TheHive using the previously created account, "Omar," to check for any alerts.

The alert has been successfully sent to TheHive. The next step is to notify the analyst via telegram boot.

You can see how to create telegram boot to send alerts via this link: https://faresbltagy.gitbook.io/footprintinglabs/weinnovate-training/soar/send-alerts-to-email-and-telegram-bot

Time:$exec.text.win.eventdata.utcTime\n Title: $exec.title\n Host: $exec.text.win.system.computer\n

Now, let's rerun the process and verify the functionality of our Telegram bot.