FaresMorcy
  • Whoami
  • Footprinting Labs
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • Shells & Payloads
    • The Live Engagement
  • Password Attacks
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • SOC Hackthebox Notes & Labs
    • Security Monitoring & SIEM Fundamentals Module
    • Windows Event Logs & Finding Evil Module
    • Introduction to Threat Hunting & Hunting With Elastic Module
    • Understanding Log Sources & Investigating with Splunk Module
      • Introduction To Splunk & SPL
      • Using Splunk Applications
      • Intrusion Detection With Splunk (Real-world Scenario)
      • Detecting Attacker Behavior With Splunk Based On TTPs
      • Detecting Attacker Behavior With Splunk Based On Analytics
      • Skills Assessment
    • Windows Attacks & Defense
      • Kerberoasting
      • AS-REProasting
      • GPP Passwords
      • GPO Permissions/GPO Files
      • Credentials in Shares
      • Credentials in Object Properties
      • DCSync
      • Golden Ticket
      • Kerberos Constrained Delegation
      • Print Spooler & NTLM Relaying
      • Coercing Attacks & Unconstrained Delegation
      • Object ACLs
      • PKI - ESC1
      • Skills Assessment
    • Intro to Network Traffic Analysis Module
    • YARA & Sigma for SOC Analysts Module
      • Developing YARA Rules
      • Hunting Evil with YARA (Windows Edition)
      • Hunting Evil with YARA (Linux Edition)
      • Sigma and Sigma Rules
      • Developing Sigma Rules
      • Hunting Evil with Sigma (Chainsaw Edition)
      • Hunting Evil with Sigma (Splunk Edition)
      • Skills Assessment
  • TryHackme SOC 1
    • TShark
      • TShark: The Basics
      • TShark: CLI Wireshark Features
      • TShark Challenge I: Teamwork
      • TShark Challenge II: Directory
    • Tempest
    • Boogeyman 1
    • Boogeyman 2
    • Boogeyman 3
  • TryHackme SOC 2
    • Advanced Splunk
      • Splunk: Exploring SPL
      • Splunk: Setting up a SOC Lab
      • Splunk: Dashboards and Reports
      • Splunk: Data Manipulation
      • Fixit
    • Advanced ELK
      • Slingshot
    • Threat Hunting
      • Threat Hunting: Foothold
      • Threat Hunting: Pivoting
      • Threat Hunting: Endgame
  • TryHackme Rooms
    • Investigating Windows
    • Splunk 2
    • Windows Network Analysis
  • Sans SEC505
    • Powershell Scripting Fundamentals
    • Book One
      • The Object-Oriented Command Shell
  • SANS SEC504 & Labs
    • Book one
      • Live Examination
      • Network Investigations
      • Memory Investigations
      • Malware Investigations
      • Accelerating IR with Generative AI
      • Bootcamp: Linux Olympics
      • Bootcamp: Powershell Olympics
    • Book Two
      • Hacker Tools and Techniques Introduction
      • Target Discovery and Enumeration
      • Discovery and Scanning with Nmap
      • Cloud Spotlight: Cloud Scanning
      • SMB Security
      • Defense Spotlight: Hayabusa and Sigma Rules
    • Book Three
      • Password Attacks
      • Cloud Spotlight: Microsoft 365 Password Attacks
      • Understanding Password Hashes
      • Password Cracking
      • Cloud Spotlight: Insecure Storage
      • Multipurpose Netcat
    • Book Four
      • Metasploit Framework
      • Drive-By Attacks
      • Command Injection
      • Cross-Site Scripting
      • SQL Injection
      • Cloud Spotlight: SSRF and IMDS
    • Book Five
      • Endpoint Security Bypass
      • Pivoting and Lateral Movement
      • Hijacking Attacks
      • Establishing Persistence
      • Defense Spotlight: RITA
      • Cloud Spotlight: Cloud Post-Exploitation
  • SANS SEC511 & Labs
    • Resources
      • Primers
      • References
      • Tools
        • Network
        • Elastic Stack
      • Printable Versions
    • Book One
      • Part One
      • Part Two
      • Part Three
    • Book Two
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Three
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Four
      • Part One
      • Part Two
      • Part Three Lab
      • Part Four Lab
    • Book Five
      • Part One Lab
      • Part Two Lab
      • Part Three Lab
  • CyberDefenders
    • XXE Infiltration Lab
    • T1594 Lab
    • RetailBreach Lab
    • DanaBot Lab
    • OpenWire Lab
    • BlueSky Ransomware Lab
    • Openfire Lab
    • Boss Of The SOC v1 Lab
    • GoldenSpray Lab
    • REvil Lab
    • ShadowRoast Lab
    • SolarDisruption Lab
    • Kerberoasted Lab
    • T1197 Lab
    • Amadey Lab
    • Malware Traffic Analysis 1 Lab
    • Insider Lab
    • Volatility Traces Lab
    • FalconEye Lab
    • GitTheGate Lab
    • Trident Lab
    • NerisBot Lab
  • Practical Windows Forensics
    • Data Collection
    • Examination
    • Disk Analysis Introduction
    • User Behavior
    • Overview of disk structures, partitions and file systems
    • Finding Evidence of Deleted Files with USN Journal Analysis
    • Analyzing Evidence of Program Execution
    • Finding Evidence of Persistence Mechanisms
    • Uncover Malicious Activity with Windows Event Log Analysis
    • Windows Memory Forensic Analysis
  • WEInnovate Training
    • Weinnovate - Active Directory Task One
    • Build ELK Lab
      • Configure Elasticsearch and Kibana setup in ubuntu
      • Configure Fluent-Bit to send logs to ELK
      • Set up Winlogbeat & Filebeat for log collection
      • Send Logs from Winlogbeat through Logstash to ELK
      • Enable Windows Audit Policy & Winlogbeat
      • Elasticsearch API and Ingestion Pipeline
    • SOAR
      • Send Alerts To Email & Telegram Bot
      • Integrate Tines with ELK
    • SOC Practical Assessment
    • Boss of the SOC V1 - Web Defacement
    • Lumma C2
    • Network Analysis
  • Build ELK Lab
    • Configure Elasticsearch and Kibana setup in ubuntu
    • Configure Fluent-Bit to send logs to ELK
    • Set up Winlogbeat & Filebeat for log collection
    • Send Logs from Winlogbeat through Logstash to ELK
    • Enable Windows Audit Policy & Winlogbeat
    • Elasticsearch API and Ingestion Pipeline
  • Build Home Lab - SOC Automation
    • Install & configure Sysmon for deep Windows event logging
    • Set up Wazuh & TheHive for threat detection & case management
    • Execute Mimikatz & create detection rules in Wazuh
    • Automate everything with Shuffle
    • Response to SSH Attack Using Shuffle, Wazuh, and TheHive
  • Home Lab (Attack & Defense Scenarios)
    • Scheduled Task Attack & Defense
    • Kerberoasting Attack & Defense
    • Password Spraying Attack & Defense
Powered by GitBook
On this page
  1. Build Home Lab - SOC Automation

Set up Wazuh & TheHive for threat detection & case management

PreviousInstall & configure Sysmon for deep Windows event loggingNextExecute Mimikatz & create detection rules in Wazuh

Last updated 13 days ago

Wazuh is a free and open-source security platform that integrates Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) capabilities. It offers comprehensive protection for endpoints and cloud workloads, enabling organizations to detect and respond to threats effectively.

Key Features of Wazuh:

  • Intrusion Detection: Monitors systems for signs of unauthorized access or malicious activity.

  • Log Data Analysis: Collects and analyzes logs from various sources to identify potential security incidents.

  • File Integrity Monitoring: Tracks changes to critical files and directories, alerting administrators to unauthorized modifications.

  • Vulnerability Detection: Identifies known vulnerabilities in software and hardware components within the network.

  • Configuration Assessment: Evaluates system configurations to ensure compliance with security policies and standards.

  • Incident Response: Provides tools and capabilities to respond to and mitigate security incidents promptly.

  • Regulatory Compliance: Assists organizations in meeting compliance requirements by providing necessary security controls and reporting tools.

  • Cloud Security: Offers monitoring and protection for cloud-based infrastructures, ensuring security across various environments.

Wazuh's architecture consists of lightweight agents deployed on monitored systems and a centralized management server that processes and analyzes data received from these agents.

Let's start by installing Wazzuh:

curl -sO https://packages.wazuh.com/4.10/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Finally, we will access the Wazuh dashboard.

Next, we need to configure Wazuh by setting up a new agent.

We need to put the IP address of the machine where Wazuh is installed.

Next, execute the following command on the Windows machine where you intend to install the Wazuh agent.

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.10.1-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='192.168.204.147' WAZUH_AGENT_NAME='faresmorcy'

Next, we need to initiate the Wazuhsvc service.

net.exe start WazuhSvc

Next, we need to modify the ossec.conf file to configure it for forwarding Sysmon logs to Wazuh.

I only need to forward the Sysmon logs, nothing else.

Next, restart the Wazuh service.

Restart-Service WazuhSvc

Now, let's verify on the Wazuh dashboard whether the Wazuh agent is successfully sending Sysmon events.

TheHive is an open-source Security Incident Response Platform (SIRP) designed to assist Security Operations Centers (SOCs), Computer Security Incident Response Teams (CSIRTs), and Computer Emergency Response Teams (CERTs) in efficiently managing and responding to security incidents. It offers a collaborative environment where security professionals can analyze, track, and resolve incidents effectively.

Key Features of TheHive:

  • Case Management: Create and manage cases with detailed information, including tasks, observables, and logs.

  • Collaboration: Multiple users can work on the same case simultaneously, promoting teamwork and efficient incident handling.

  • Integration: Seamlessly integrates with other security tools like MISP (Malware Information Sharing Platform) and Cortex for automated analysis.

  • Alert Management: Ingest alerts from various sources, enabling quick triage and prioritization.

  • Customizable Dashboards: Visualize incident data and track performance metrics through user-defined dashboards.

TheHive is built to be scalable and can be deployed as a standalone node or in a clustered environment, depending on organizational needs.

Installation Guid: https://docs.strangebee.com/thehive/installation/step-by-step-installation-guide/#installation

Now, let's install TheHive.

First, we need to install the required dependencies.

apt install wget gnupg apt-transport-https git ca-certificates ca-certificates-java curl  software-properties-common python3-pip lsb-release

TheHive requires Java 11, so let's install Amazon Corretto 11 with the following commands:

wget -qO- https://apt.corretto.aws/corretto.key | sudo gpg --dearmor -o /usr/share/keyrings/corretto.gpg
echo "deb [signed-by=/usr/share/keyrings/corretto.gpg] https://apt.corretto.aws stable main" | sudo tee /etc/apt/sources.list.d/corretto.list
sudo apt update
sudo apt install -y java-11-amazon-corretto-jdk
echo 'JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto"' | sudo tee -a /etc/environment
source /etc/environment

TheHive uses Apache Cassandra as its database. Let's install it as follows:

wget -qO - https://downloads.apache.org/cassandra/KEYS | sudo gpg --dearmor -o /usr/share/keyrings/cassandra-archive.gpg
echo "deb [signed-by=/usr/share/keyrings/cassandra-archive.gpg] https://debian.cassandra.apache.org 40x main" | sudo tee /etc/apt/sources.list.d/cassandra.sources.list
sudo apt update
sudo apt install -y cassandra

TheHive requires Elasticsearch for data indexing. Let's install Elasticsearch 7.x with the following commands:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elasticsearch-7.x.list
sudo apt update
sudo apt install -y elasticsearch

Additionally, let's add TheHive's repository and proceed with the installation.

wget -O- https://archives.strangebee.com/keys/strangebee.gpg | sudo gpg --dearmor -o /usr/share/keyrings/strangebee-archive-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/strangebee-archive-keyring.gpg] https://deb.strangebee.com thehive-5.2 main' | sudo tee -a /etc/apt/sources.list.d/strangebee.list
sudo apt update
sudo apt install -y thehive

Next, we need to start TheHive and enable it to run on system boot:

sudo systemctl start thehive
sudo systemctl enable thehive

Now, let's edit Cassandra configuration file:

nano /etc/cassandra/cassandra.yaml

Enter the IP address of the machine where TheHive is installed.

After installation, let's start and enable Cassandra:

sudo systemctl start cassandra
sudo systemctl enable cassandra

We also need to edit the configuration for Elasticsearch.

nano /etc/elasticsearch/elasticsearch.yml

Next, let's start and enable Elasticsearch:

sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

Next, we need to modify TheHive's configuration. However, before proceeding, we must update the ownership of the /opt/thp directory, assigning it to the thehive user and group.

chown -R thehive:thehive /opt/thp
nano /etc/thehive/application.conf

Now, let's access TheHive by navigating to http://192.168.204.149:9000.

The default admin user credentials are as follows:

  • Username: admin@thehive.local

  • Password: secret

I encountered an authentication failure when attempting to access it. Let's work on resolving this issue.

nano /etc/elasticsearch/jvm.options.d/jvm.option
-Dlog4j2.formatMsgNoLookups=true
-Xms2g
-Xmx2g

Then restart the Elasticsearch.

systemctl restart elasticsearch

Now, let's access TheHive again.