feat(timesketch): add TLS CA option, copy in conf, change web container port to 8080, update default configs

This commit is contained in:
Tommy 2024-05-13 17:13:54 +02:00
parent 6a7bad3905
commit 6dd85fc5b0
No known key found for this signature in database
34 changed files with 919 additions and 96 deletions


@ -4,7 +4,7 @@ description: |
A toolset of DFIR tools A toolset of DFIR tools
appVersion: "20240508" appVersion: "20240508"
type: application type: application
version: 0.1.2 version: 0.1.3
maintainers: maintainers:
- name: Tommy Skaug - name: Tommy Skaug
email: tommy@skaug.me email: tommy@skaug.me


@ -0,0 +1,8 @@
## Debugging
```sh
task flux:sync
kubectl annotate es timesketch-conf force-sync=$(date +%s) --overwrite -n sec-forensics
```


@ -0,0 +1,24 @@
#
# Configuration file for the BigQuery matcher analyzer plugin.
#
# You can configure several matchers. They should look like this:
#
# matcher_name:
# event_field_name: sha256_hash
# bq_project: 'project_name'
# bq_query: 'SELECT DISTINCT hash FROM project.dataset.tablename WHERE hash IN UNNEST(@sha256_hash)'
# tags: ['bigquery-sha256-match']
# emojis: ['SKULL']
#
# The fields are used as follows:
# * matcher_name: Name for the matcher entry.
# * event_field_name: Field name in a Timesketch event that you want to match against.
# * bq_project: Google Cloud Project you want to run the BigQuery job under.
# * bq_query: Query that is used to match Timesketch events. Results from this query
# will be tagged. Match the "IN UNNEST(@sha256_hash)" part to your event_field_name.
# This example would tag any Timesketch events which have a "sha256_hash" field that
# has a matching row in BigQuery in the "hash" column.
# * tags: Tags to apply for matching Timesketch events.
# * emojis: Emojis to add for matching Timesketch events.
#
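Review bot: The file is entirely commented out, which is a sensible shipped default, but the example never says why the query takes its values through `UNNEST(@sha256_hash)`: the matched field holds ingested evidence, so any custom `bq_query` must keep the named-parameter form rather than build SQL from event values. I would extend the `bq_query` bullet with `# Always pass event values as a query parameter (@field_name); never interpolate them into the SQL text.`. Running the job under `bq_project` presumably requires the analyzer's service identity to hold job-creation rights on that project, and the comment would be more useful if it said which identity that is.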


@ -1,3 +1,67 @@
# ------------------------------------------------------------------------
# -- CONTEXT LINKS --
# ------------------------------------------------------------------------
#
# This is a config file to define context links for event attributes.
# Documentation: https://timesketch.org/guides/admin/context-links/
#
# There are two types of context links:
#
# 1. Hardcoded modules: These are modules that are hardcoded into Timesketch.
# The config is used to define the match fields for the module.
#
# module_name:
#
# match_fields: Type: list[str] | List of field keys where
# this context link should be available. Will
# be checked as case insensitive!
#
# validation_regex: Type: str | OPTIONAL
# A regex pattern that needs to be
# matched by the field value to to make the
# context link available. This can be used to
# validate the format of a value (e.g. a hash).
#
# Currnetly supported modules are:
# - XML formatter: Displays a formatted XML in a pop-up dialog.
# - Unfurl graph: Displays a graph of an URL using unfurl results.
#
# 2. External services: These are context links that are defined by each admin.
# Those links use external services to provide additional information about the
# attribute value.
#
# context_link_name:
#
# short_name: Type: str | The name for the context link.
# Will be displayed in the context link submenu.
#
# match_fields: Type: list[str] | List of field keys where
# this context link should be available. Will
# be checked as case insensitive!
#
# validation_regex: Type: str | OPTIONAL
# A regex pattern that needs to be
# matched by the field value to to make the
# context link available. This can be used to
# validate the format of a value (e.g. a hash).
#
# context_link: Type: str | The link that will be opened in a
# new tab when the context link is clicked.
# IMPORTANT: Add the placeholder "<ATTR_VALUE>"
# where the attribute value should be inserted
# into the link.
#
# redirect_warning: [TRUE]: If the context link is clicked it will
# open a pop-up dialog first that asks the
# user if they would like to proceed to
# the linked page. (Recommended for
# external pages.)
# [FALSE]: The linked page will be opened without
# any pop-up. (Recommended for internal
# pages.)
#
# ------------------------------------------------------------------------
## Hardcoded Modules
hardcoded_modules: hardcoded_modules:
### format xml dialog ### format xml dialog
xml_formatter: xml_formatter:
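Review bot: The new header tells admins to put `<ATTR_VALUE>` into an external link but does not say that the substituted value is field content taken from the timeline, so `validation_regex` is the only control between attacker-influenced evidence and the URL handed to a third-party service (whether the value is URL-encoded first is not visible here). I would add under the `validation_regex` description: `# Strongly recommended for external services: the attribute value comes from ingested evidence and is placed into the URL as-is otherwise.`. There is also a typo, `Currnetly` → `Currently`. The rest of the file continues past this hunk.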


@ -0,0 +1,105 @@
# Config file for analyzing data to detect whether data sources
# are present in the data set or not.
#
# Each analyzer definition in this file defines sets of requirements
# that are needed to determine if a certain type of data is present
# in the sketch. In addition to the parameters given in this definition
# start and end time are defined as parameters to the data analyzer
# to further limit the data set that is searched.
#
# The analyzer is simple, it runs the query, which is defined either as a
# query_string or a query_dsl. Then a particular field or an attribute
# of the resulting data set is fetched and compared against a regular
# expression. If there is a match in the regular expression then a True
# value is returned, and that data is considered to be part of the
# overall dataset for that time period, otherwise False is returned and
# we assume that data is missing from the total dataset.
#
# These are the available fields:
# description Simple string that provides a bit more description
# of the data that is being analyzed.
#
# notes A message that may be displayed to the user if the
# data source is not present in the dataset, perhaps
# helpful hints on where the data is defined, how to
# collect it, or how to add it to Timesketch.
#
# query_string A query string (OpenSearch Query String) that
# defines the search string that will be used to find
# data within the dataset. This is the same search
# string as can be found in the Web UI of Timesketch.
#
# query_dsl A query DSL (OpenSearch Query DSL) that defines the
# full query DSL that is used to find data within the
# the dataset. Each data analyzer needs to define
# either a query_string or a query_dsl. If both are
# defined the query_string is used and query_dsl
# is ignored.
#
# attribute The attribute or field that will be further
# inspected by a regular expression in order to
# determine if the data exists within the dataset.
#
# regular_expression The regular expression that is run on the data from
# the field or the attribute that is fetched from the
# the attribute definition.
#
# re_flags Each regular expression can define a flag, which is
# a list of flags as strings from the re module.
# These include:
# - DEBUG
# - DOTALL
# - IGNORECASE
# - LOCALE
# - MULTILINE
# - TEMPLATE
# - UNICODE
# - VERBOSE
#
# re_parameters A regular expression may also contain a variable
# that can be replaced by a user supplied value,
# eg. 'http(s)?://{domain}' to further check for
# a particular value. If and only if a re_parameters
# value is set then all values in the RE that are
# within curly brackets ({}) are replaced with the
# user supplied value. Only string values are
# supported for now.
#
# Example:
#
# windows_administrator_login:
# description: Login information for Administrator in Windows EVTX files.
# notes: Collect the SECURITY.EVTX log from a Windows machine.
# query_string: data_type:"windows:evtx:record" AND event_identifier:4624
# attribute: username
# regular_expression: "^Administrator"
# ------------------------------------------------------------------------
windows_administrator_login:
description: Login information for Administrator in Windows EVTX files.
notes: Collect the SECURITY.EVTX log from a Windows machine.
query_string: data_type:"windows:evtx:record" AND event_identifier:4624
attribute: username
regular_expression: "^Administrator"
windows_login:
description: Login information in Windows EVTX files.
notes: Collect the SECURITY.EVTX log from a Windows machine.
query_string: data_type:"windows:evtx:record" AND event_identifier:4624
browser_history:
description: Browser history information.
notes: Collect browser history and parse using plaso or make source and url fields are set.
query_string: source_short:"WEBHIST" OR source:"WEBHIST"
attribute: url
regular_expression: "https?://"
windows_event_log_specific_computer:
description:
notes: Collect
query_string: data_type:"windows:evtx:record"
attribute: computer_name
regular_expression: "{computer_name}"
re_flags: [IGNORECASE]
re_parameters:
- computer_name
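Review bot: `windows_event_log_specific_computer` ships with an empty `description:` (parses as null) and a truncated `notes: Collect`, so the hint shown when the data source is missing is blank or half a sentence; I would fill them, e.g. `description: Windows EVTX records from a specific computer.` and `notes: Collect the Windows EVTX logs from the named host and supply computer_name as a parameter.`. The header states that the user value replaces `{computer_name}` inside the regular expression verbatim, so a value containing metacharacters (`.`, `(`, `*`) changes the pattern instead of being matched literally — unless the consumer escapes it (not visible here), the `re_parameters` comment should say the value is interpreted as a regex and can be expensive to evaluate. Separately, the `browser_history` notes read `make source and url fields are set`, presumably `make sure`.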


@ -0,0 +1,57 @@
display_name: Remote Desktop Protocol (RDP) from Windows Event Logs
description:
summary:
details:
references:
-
type: approach
id: Q0001.01
tags:
- windows
view:
data:
- type: artifact
value: WindowsEventLogs
processors:
- name: plaso
options:
- type: parsers
value: winevtx
analysis:
timesketch:
- description: RDP authentication from client
type: opensearch-query
value: 'data_type:"windows:evtx:record" AND event_identifier:4624 AND logon_type:RemoteInteractive'
- description: Failed RDP authentication from client
type: opensearch-query
value: 'data_type:"windows:evtx:record" AND event_identifier:4625 AND logon_type:RemoteInteractive'
- description: Use of explicit credentials
type: opensearch-query
value: 'data_type:"windows:evtx:record" AND event_identifier:4648 AND source_name:"Microsoft-Windows-Security-Auditing"'
- description: ClientActiveXCore RDP client
type: opensearch-query
value: 'data_type:"windows:evtx:record" AND event_identifier:1024 AND source_name:"Microsoft-Windows-TerminalServices-ClientActiveXCore"'
- description: RDP client connection to server
type: opensearch-query
value: 'data_type:"windows:evtx:record" AND event_identifier:1102 AND source_name:"Microsoft-Windows-TerminalServices-ClientActiveXCore"'
- description: RDP successful logon
type: opensearch-query
value: 'data_type:"windows:evtx:record" AND event_identifier:1149 AND source_name:"Microsoft-Windows-TerminalServices-RemoteConnectionManager"'
- description: RDP successful TCP connection
type: opensearch-query
value: 'data_type:"windows:evtx:record" AND event_identifier:(98 OR 131) AND source_name:"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS"'
- description: RDP session logon
type: opensearch-query
value: 'data_type:"windows:evtx:record" AND event_identifier:21 AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager"'
- description: RDP session shell start
type: opensearch-query
value: 'data_type:"windows:evtx:record" AND event_identifier:22 AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager"'
- description: RDP session logoff
type: opensearch-query
value: 'data_type:"windows:evtx:record" AND event_identifier:23 AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager"'
- description: RDP session reconnection
type: opensearch-query
value: 'data_type:"windows:evtx:record" AND event_identifier:25 AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager"'
- description: RDP session disconnect
type: opensearch-query
value: 'data_type:"windows:evtx:record" AND event_identifier:40 AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager"'
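Review bot: `references:` holds a single bare `-`, which YAML reads as `[null]`, and `description:`/`summary:`/`details:` are bare keys that load as null rather than empty strings; unless the loader tolerates that, use `references: []` and `description: ''` or drop the keys. The 1149 entry is labelled `RDP successful logon`, but RemoteConnectionManager 1149 only records that the network connection/pre-authentication stage completed and is not by itself proof of an interactive logon; `RDP network connection established (user authentication succeeded)` is safer, with 4624 LogonType 10 and LocalSessionManager 21/22 as the logon evidence. The `logon_type:RemoteInteractive` queries appear to depend on an enrichment step that adds `logon_type` to 4624/4625 records, since plaso's raw winevtx records keep the logon type inside `strings` — worth stating in `details`.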


@ -0,0 +1,24 @@
display_name: Remote Desktop Protocol (RDP) from the Registry
description:
summary:
details:
references:
-
type: approach
id: Q0001.01
tags:
- windows
view:
data:
- type: artifact
value: WindowsRegistryFiles
processors:
- name: plaso
analysis:
timesketch:
- description: RDP destinations (registry)
type: opensearch-query
value: 'key_path:"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Terminal Server Client\\Servers"'
- description: mstsc.exe in ShimCache
type: opensearch-query
value: 'data_type:"windows:registry:appcompatcache" AND path:mstsc.exe'
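Review bot: `id: Q0001.01` is already used by the RDP-from-event-logs approach earlier in this commit, so the two approaches collide on identifier; this one should be `id: Q0001.02`. It has the same empty `references:` item and bare `description:`/`summary:`/`details:` as the sibling file — `references: []` avoids a null entry. No `options:` restrict plaso here, so the full parser set runs against the registry hives; if that is intentional, a one-line `details:` saying so would help the next reader.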


@ -0,0 +1,24 @@
display_name: Map Network Shares from Windows Event Logs
description:
summary:
details:
references:
-
type: approach
id: Q0002.01
tags:
- windows
view:
data:
- type: artifact
value: WindowsEventLogs
processors:
- name: plaso
options:
- type: parsers
value: winevtx
analysis:
timesketch:
- description: Map Network share with net.exe
type: opensearch-query
value: 'data_type:"windows:prefetch:execution" AND net\.exe*'
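Review bot: The only query, `data_type:"windows:prefetch:execution" AND net\.exe*`, matches prefetch records, but `data:` declares `WindowsEventLogs` and plaso is limited to `value: winevtx`, so the collection as written produces no event this query can ever hit. Either change the artifact to `value: WindowsPrefetchFiles` with parser `value: prefetch` (and say prefetch in the display_name), or keep the EVTX collection and query share events instead, e.g. `event_identifier:(5140 OR 5145) AND source_name:"Microsoft-Windows-Security-Auditing"`. The unfielded `net\.exe*` term also searches the default field; `executable:"NET.EXE"` would match the style used by the scheduled-tasks approach.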


@ -0,0 +1,18 @@
display_name: PsExec execution from filesystem events
description:
summary:
details:
references:
-
type: approach
id: Q0003.01
tags:
- windows
view:
processors:
- name: plaso
analysis:
timesketch:
- description: PsExec executions from prefetch
type: opensearch-query
value: 'data_type:"windows:prefetch:execution" AND psexec\.exe*'
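Review bot: This approach has no `data:` entry under `view:`, unlike every sibling, so nothing tells the collector which artifact is needed, and the display name says `filesystem events` while the query targets `windows:prefetch:execution`. I would add a `data:` list with `- type: artifact` / `value: WindowsPrefetchFiles` and rename it `PsExec execution from prefetch` so artifact, name and query agree.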


@ -0,0 +1,25 @@
display_name: PsExec execution from Windows Event Logs
description:
summary:
details:
references:
-
type: approach
id: Q0003.02
tags:
- windows
view:
data:
- type: artifact
value: WindowsEventLogs
processors:
- name: plaso
options:
- type: parsers
value: winevtx
analysis:
timesketch:
- description: PsExec installed as a service
type: opensearch-query
value: 'data_type:"windows:evtx:record" AND event_identifier:7045 AND source_name:"Service Control Manager" AND strings:"psexesvc"'
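Review bot: `strings:"psexesvc"` only catches the default service name; PsExec's `-r` switch renames the remote service and its binary, so a renamed copy produces a 7045 without that string. `details:` should say this, and a second query for the accompanying ADMIN$ write, e.g. `event_identifier:5145 AND strings:"ADMIN$"` (needs Detailed File Share auditing), narrows the gap; the unfiltered 7045 query in Q0005.01 is the catch-all to review when the name was changed.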


@ -0,0 +1,24 @@
display_name: Scheduled tasks from Windows Event Logs
description:
summary:
details:
references:
-
type: approach
id: Q0004.01
tags:
- windows
view:
data:
- type: artifact
value: WindowsEventLogs
processors:
- name: plaso
options:
- type: parsers
value: winevtx
analysis:
timesketch:
- description: Scheduled tasks executions
type: opensearch-query
value: 'data_type:"windows:prefetch:execution" AND executable:("AT.EXE" OR "SCHTASKS.EXE")'
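Review bot: Same artifact/query mismatch as the network-share approach: the query is `data_type:"windows:prefetch:execution"` on `AT.EXE`/`SCHTASKS.EXE`, while `data:` collects `WindowsEventLogs` with plaso restricted to `winevtx`, so those prefetch events never exist in the resulting timeline. To honour the display name, query the logs instead, e.g. `event_identifier:4698 AND source_name:"Microsoft-Windows-Security-Auditing"` (task created) plus `source_name:"Microsoft-Windows-TaskScheduler" AND event_identifier:(106 OR 140 OR 200)`, or switch the artifact to `WindowsPrefetchFiles` with parser `prefetch`.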


@ -0,0 +1,24 @@
display_name: Installed services from Windows Event Logs
description:
summary:
details:
references:
-
type: approach
id: Q0005.01
tags:
- windows
view:
data:
- type: artifact
value: WindowsEventLogs
processors:
- name: plaso
options:
- type: parsers
value: winevtx
analysis:
timesketch:
- description: Installed services
type: opensearch-query
value: 'data_type:"windows:evtx:record" AND event_identifier:7045 AND source_name:"Service Control Manager"'


@ -0,0 +1,24 @@
display_name: WMI activity from from Windows Event Logs
description:
summary:
details:
references:
-
type: approach
id: Q0006.01
tags:
- windows
view:
data:
- type: artifact
value: WindowsEventLogs
processors:
- name: plaso
options:
- type: parsers
value: winevtx
analysis:
timesketch:
- description: Provided DLLs executed by wmiprvse
type: opensearch-query
value: 'data_type:"windows:evtx:record" AND event_identifier:7045 AND source_name:"Service Control Manager"'
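Review bot: The query is a verbatim copy of the installed-services one (7045 from `Service Control Manager`) and contains nothing WMI-related, so it cannot match its own description `Provided DLLs executed by wmiprvse`. WMI provider loads are logged in the WMI-Activity Operational log: `event_identifier:5857 AND source_name:"Microsoft-Windows-WMI-Activity"` covers provider DLLs loaded by wmiprvse, and 5858/5860/5861 cover query errors and temporary/permanent event-consumer registrations (the persistence case). `from from` in the display_name is a typo.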


@ -0,0 +1,8 @@
display_name: Remote Access
description: Remote access can indicate lateral movements.
type: facet
id: F0001
tags:
- windows
parent_ids:
- S0001


@ -0,0 +1,8 @@
display_name: Remote Execution
description: Remote executions can indicate lateral movements.
type: facet
id: F0002
tags:
- windows
parent_ids:
- S0001


@ -0,0 +1,11 @@
display_name: Who has used Remote Desktop (RDP) to login to the system?
description: |
Remote Desktop Protocol (RDP) is a protocol developed by Microsoft which provides a user with a graphical
interface to connect to another computer over a network connection. The user employs RDP client software for this
purpose, while the other computer must run RDP server software. (based on: https://en.wikipedia.org/wiki/Remote_Desktop_Protocol)
type: question
id: Q0001
tags:
- windows
parent_ids:
- F0001


@ -0,0 +1,13 @@
display_name: Which network shares has been mapped?
description: |
Mapped network shares are a way to access files and folders on other computers
on a network as if they were local drives. This can be useful for sharing files and
folders between users and computers, or for accessing files and folders that are
stored on a central server. Mapped network shares can be used to move laterally within
a network.
type: question
id: Q0002
tags:
- windows
parent_ids:
- F0001


@ -0,0 +1,18 @@
display_name: Has there been any executions of PsExec?
description: |
PsExec is a command-line tool that allows you to execute commands on remote computers.
It is part of the Sysinternals suite of tools, which are a collection of free and
open-source utilities for Windows system administration.
It works by establishing a remote connection to the target computer and then executing
the specified command. The command can be anything that you would normally run on a local
computer, such as a batch file, a PowerShell script, or a simple command-line instruction.
PsExec can be used to move from one computer to another on a network. This can be
done by using PsExec to execute a command on the target computer.
type: question
id: Q0003
tags:
- windows
parent_ids:
- F0002
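Review bot: The description calls Sysinternals `free and open-source`, but the Windows suite is freeware distributed under Microsoft's Sysinternals licence terms, not open source; `free utilities for Windows system administration` is accurate. It would also help the analyst to mention that PsExec can rename its remote service (`-r`), because the Q0003.02 approach keys on the default `psexesvc` name.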


@ -0,0 +1,16 @@
display_name: What Scheduled Tasks has been executed?
description: |
Scheduled tasks are a feature of Windows that allows you to run a program or script at
a specific time or date. This can be useful for tasks such as backing up files or running
updates.
Scheduled tasks can be used for lateral movement between computers in a few ways.
First, an attacker who has gained access to a computer on a network can create a
scheduled task that runs a malicious program on another computer on the network. This
can be done by using the Task Scheduler user interface.
type: question
id: Q0004
tags:
- windows
parent_ids:
- F0002


@ -0,0 +1,19 @@
display_name: Which system services has been installed and executed?
description: |
A system service in Windows is a program that runs in the background and provides essential
functionality for the operating system. System services are typically started automatically
when Windows boots up, and they run continuously until Windows is shut down.
System services can be used for lateral movement between computers in a few ways. First, an
attacker who has gained access to a computer on a network can create a malicious system service
that runs on the computer. This can be done by using the `sc` command-line tool.
Once the malicious system service is running, it can be used to execute commands on the computer
or to connect to other computers on the network. This can allow the attacker to move laterally to
other computers on the network and gain further access.
type: question
id: Q0005
tags:
- windows
parent_ids:
- F0002


@ -0,0 +1,19 @@
display_name: Has there been any remote executions via WMI?
description: |
WMI, or Windows Management Instrumentation, is a set of tools and APIs that allow you to manage
Windows computers remotely. WMIC, or Windows Management Instrumentation Command-line, is a
command-line tool that allows you to interact with WMI.
WMI can be used for a variety of purposes, including getting information about Windows computers,
Managing Windows computers and Automating tasks on Windows computers.
WMI can be used for lateral movement between computers in a few ways. First, an attacker who
has gained access to a computer on a network can use WMIC to execute commands on other computers
on the network. This can be done by using the wmic command with the /node switch and the name
of the target computer.
type: question
id: Q0006
tags:
- windows
parent_ids:
- F0002


@ -0,0 +1,16 @@
display_name: Has there been any remote PowerShell executions?
description: |
Remote PowerShell executions in Windows allow you to run PowerShell commands on a remote computer.
This can be useful for a variety of purposes, such as troubleshooting problems, deploying software,
or running administrative tasks.
Remote PowerShell executions can be used for lateral movement between computers in a few ways.
First, an attacker who has gained access to a computer on a network can use remote PowerShell
executions to run commands on other computers on the network. This can be done by using the
`Invoke-Command` cmdlet with the ComputerName parameter.
type: question
id: Q0007
tags:
- windows
parent_ids:
- F0002
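Review bot: Q0007 is defined, but no `Q0007.xx` approach appears anywhere in the visible part of this commit, so the question has no analysis behind it. If the approach is still to come, say so in `description`; otherwise a starting point is `source_name:"Microsoft-Windows-WinRM"` events on the target (91/169 for session creation and authentication, verify against your log set) together with `event_identifier:4688` for `wsmprovhost.exe`, or PowerShell 4103/4104 records mentioning `Invoke-Command`.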


@ -0,0 +1,13 @@
display_name: Windows Lateral Movement
description: |
Lateral movement is the process of an attacker moving from one system to another within a network
after they have gained initial access to a system. This can be done through a variety of methods,
such as exploiting vulnerabilities in software or using stolen credentials.
Once an attacker has gained lateral movement within a network, they can then access sensitive data,
install malware, or disrupt operations. Lateral movement is a critical step in many cyberattacks,
as it allows attackers to gain deeper access to a network and ultimately achieve their goals.
type: scenario
id: S0001
tags:
- windows


@ -53,130 +53,126 @@
# ------------------------------------------------------------------------ # ------------------------------------------------------------------------
email_addresses: email_addresses:
query_string: 'source_short:"WEBHIST"' query_string: 'source_short:"WEBHIST"'
attribute: 'message' attribute: 'message'
store_as: 'email_address' store_as: 'email_address'
re: '([a-zA-Z0-9_\.+\-]+@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-\.]+)' re: '([a-zA-Z0-9_\.+\-]+@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-\.]+)'
re_flags: [] re_flags: []
tags: ['email-address'] tags: ['email-address']
gmail_accounts: gmail_accounts:
query_string: 'source_short:"WEBHIST" AND url:"mail.google.com"' query_string: 'source_short:"WEBHIST" AND url:"mail.google.com"'
attribute: 'message' attribute: 'message'
store_as: 'found_account' store_as: 'found_account'
re: '[a-zA-Z0-9_\.+\-]+@(gmail|googlemail)\.com' re: '[a-zA-Z0-9_\.+\-]+@(gmail|googlemail)\.com'
re_flags: [] re_flags: []
tags: ['gmail-account'] tags: ['gmail-account']
emojis: ['ID_BUTTON'] emojis: ['ID_BUTTON']
github_accounts: github_accounts:
query_string: 'source_short:"WEBHIST" AND query_string: 'source_short:"WEBHIST" AND url:"https://github.com/users" AND title:"Your Profile"'
url:"https://github.com/users" AND title:"Your Profile"' attribute: 'url'
attribute: 'url' store_as: 'found_account'
store_as: 'found_account' re: 'https://github.com/users/([A-z-\d]{1,39})'
re: 'https://github.com/users/([A-z-\d]{1,39})' re_flags: []
re_flags: [] tags: ['github-account']
tags: ['github-account'] emojis: ['ID_BUTTON']
emojis: ['ID_BUTTON']
# Linkedin account extraction from profile edit url # Linkedin account extraction from profile edit url
linkedin_accounts: linkedin_accounts:
query_string: 'source_short:"WEBHIST" AND query_string: 'source_short:"WEBHIST" AND url:"https://www.linkedin.com/in/" AND url:"/edit/"'
url:"https://www.linkedin.com/in/" AND url:"/edit/"' attribute: 'url'
attribute: 'url' store_as: 'found_account'
store_as: 'found_account' re: 'https://www.linkedin.com/in/([A-z-\d]{5,32})/edit/'
re: 'https://www.linkedin.com/in/([A-z-\d]{5,32})/edit/' tags: ['linkedin-account']
tags: ['linkedin-account'] emojis: ['ID_BUTTON']
emojis: ['ID_BUTTON']
rdp_ts_ipv4_addresses: rdp_ts_ipv4_addresses:
query_string: 'data_type:"windows:evtx:record" AND query_string: 'data_type:"windows:evtx:record" AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager"'
source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager"' attribute: 'strings'
attribute: 'strings' store_as: 'ip_address'
store_as: 'ip_address' re: '(?:[0-9]{1,3}\.){3}[0-9]{1,3}'
re: '(?:[0-9]{1,3}\.){3}[0-9]{1,3}'
rdp_rds_ipv4_addresses: rdp_rds_ipv4_addresses:
query_string: 'data_type:"windows:evtx:record" AND query_string: 'data_type:"windows:evtx:record" AND source_name:"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS"'
source_name:"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS"' attribute: 'strings'
attribute: 'strings' store_as: 'client_ip'
store_as: 'client_ip' re: '(?:[0-9]{1,3}\.){3}[0-9]{1,3}'
re: '(?:[0-9]{1,3}\.){3}[0-9]{1,3}'
ssh_client_ipv4_addresses: ssh_client_ipv4_addresses:
query_string: 'reporter:"sshd"' query_string: 'reporter:"sshd"'
attribute: 'message' attribute: 'message'
store_as: 'client_ip' store_as: 'client_ip'
re: 'Connection from ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+ on (?:[0-9]{1,3}\.){3}[0-9]{1,3} port \d+(?: rdomain ? .*)?$' re: 'Connection from ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+ on (?:[0-9]{1,3}\.){3}[0-9]{1,3} port \d+(?: rdomain ? .*)?$'
ssh_client_ipv4_addresses_2: ssh_client_ipv4_addresses_2:
query_string: 'reporter:"sshd"' query_string: 'reporter:"sshd"'
attribute: 'message' attribute: 'message'
store_as: 'client_ip' store_as: 'client_ip'
re: 'Connection [a-z]+ by ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+' re: 'Connection [a-z]+ by ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+'
ssh_host_ipv4_addresses: ssh_host_ipv4_addresses:
query_string: 'reporter:"sshd"' query_string: 'reporter:"sshd"'
attribute: 'message' attribute: 'message'
store_as: 'host_ip' store_as: 'host_ip'
re: '^\[sshd\] \[\d+\]: Connection from (?:[0-9]{1,3}\.){3}[0-9]{1,3} port \d+ on ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+(?: rdomain ? .*)?$' re: '^\[sshd\] \[\d+\]: Connection from (?:[0-9]{1,3}\.){3}[0-9]{1,3} port \d+ on ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+(?: rdomain ? .*)?$'
ssh_client_password_ipv4_addresses: ssh_client_password_ipv4_addresses:
query_string: 'reporter:"sshd"' query_string: 'reporter:"sshd"'
attribute: 'message' attribute: 'message'
store_as: 'client_ip' store_as: 'client_ip'
re: '(?:Accepted|Failed) (?:password|publickey) for \w+ from ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+' re: '(?:Accepted|Failed) (?:password|publickey) for \w+ from ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+'
ssh_disconnected_username: ssh_disconnected_username:
query_string: 'reporter:"sshd"' query_string: 'reporter:"sshd"'
attribute: 'body' attribute: 'body'
store_as: 'username' store_as: 'username'
re: 'Disconnected\s+from user (?P<username>[^\s]+) [^\s]+ port \d+$' re: 'Disconnected\s+from user (?P<username>[^\s]+) [^\s]+ port \d+$'
ssh_disconnected_ip_address: ssh_disconnected_ip_address:
query_string: 'reporter:"sshd"' query_string: 'reporter:"sshd"'
attribute: 'body' attribute: 'body'
store_as: 'ip_address' store_as: 'ip_address'
re: 'Disconnected from user [^\s]+ (?P<ip_address>[^\s]+) port \d+$' re: 'Disconnected from user [^\s]+ (?P<ip_address>[^\s]+) port \d+$'
ssh_disconnected_port: ssh_disconnected_port:
query_string: 'reporter:"sshd"' query_string: 'reporter:"sshd"'
attribute: 'body' attribute: 'body'
store_as: 'port' store_as: 'port'
re: 'Disconnected from user [^\s]+ [^\s]+ port (?P<port>\d+)$' re: 'Disconnected from user [^\s]+ [^\s]+ port (?P<port>\d+)$'
ssh_failed_username: ssh_failed_username:
query_string: 'reporter:"sshd"' query_string: 'reporter:"sshd"'
attribute: 'body' attribute: 'body'
store_as: 'username' store_as: 'username'
re: 'Failed password for (?:invalid user)?\s*(?P<username>[^\s]+) from [^\s]+ port \d+ ssh\d' re: 'Failed password for (?:invalid user)?\s*(?P<username>[^\s]+) from [^\s]+ port \d+ ssh\d'
ssh_failed_ip_address: ssh_failed_ip_address:
query_string: 'reporter:"sshd"' query_string: 'reporter:"sshd"'
attribute: 'body' attribute: 'body'
store_as: 'ip_address' store_as: 'ip_address'
re: 'Failed password for (?:invalid user)?\s*[^\s]+ from (?P<ip_address>[^\s]+) port \d+ ssh\d' re: 'Failed password for (?:invalid user)?\s*[^\s]+ from (?P<ip_address>[^\s]+) port \d+ ssh\d'
ssh_failed_port: ssh_failed_port:
query_string: 'reporter:"sshd"' query_string: 'reporter:"sshd"'
attribute: 'body' attribute: 'body'
store_as: 'port' store_as: 'port'
re: 'Failed password for (?:invalid user)?\s*[^\s]+ from [^\s]+ port (?P<port>\d+) ssh\d' re: 'Failed password for (?:invalid user)?\s*[^\s]+ from [^\s]+ port (?P<port>\d+) ssh\d'
ssh_failed_method: ssh_failed_method:
query_string: 'reporter:"sshd"' query_string: 'reporter:"sshd"'
attribute: 'body' attribute: 'body'
store_as: 'authentication_method' store_as: 'authentication_method'
re: 'Failed (?P<authentication_method>[^\s]+) for .*ssh\d' re: 'Failed (?P<authentication_method>[^\s]+) for .*ssh\d'
win_bits_client_ipv4_addresses: win_bits_client_ipv4_addresses:
query_string: 'data_type:"windows:evtx:record" AND source_name:Microsoft-Windows-Bits-Client' query_string: 'data_type:"windows:evtx:record" AND source_name:Microsoft-Windows-Bits-Client'
attribute: 'strings' attribute: 'strings'
store_as: 'ip_address' store_as: 'ip_address'
re: '(?:[0-9]{1,3}\.){3}[0-9]{1,3}' re: '(?:[0-9]{1,3}\.){3}[0-9]{1,3}'
win_bits_client_url: win_bits_client_url:
query_string: 'data_type:"windows:evtx:record" AND source_name:Microsoft-Windows-Bits-Client' query_string: 'data_type:"windows:evtx:record" AND source_name:Microsoft-Windows-Bits-Client'
attribute: 'strings' attribute: 'strings'
store_as: 'url' store_as: 'url'
re: '(?<=")(?:(?:https?:\/\/)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+)(?:[\/\?#][^\s,"]*)?(?=")' re: '(?<=")(?:(?:https?:\/\/)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+)(?:[\/\?#][^\s,"]*)?(?=")'


@ -0,0 +1,35 @@
# ------------------------------------------------------------------------
# -- Facets --
# ------------------------------------------------------------------------
#
# Facets are mini investigations that focus on strategically and specifically
# selected sets of investigative questions.
#
# This is a config file to define facets.
#
# Each facet consists of the following fields:
#
# -- metadata --
# display_name Simple string that contains the display name that
# be used in an UI to describe the question.
#
# description Further description of the facet, what the
# facet attempts to answer, whether it will
# require further manual analysis, etc.
#
# questions List of investigative questions that will help
# the analyst to come to an conclusion for the facet.
#
# ------------------------------------------------------------------------
attacker_maintain_access:
display_name: Are there any signs of an attacker moving from the computer to another host?
description: Are there any signs of an attacker moving from the computer to another host? (Lateral Movement)
questions:
- user_logged_in_win
- user_downloaded_file
interference_with_protective_measures:
display_name: Interference with protective measures?
description: Are there any signs of an attacker trying to maintain their access? (Persistence)
questions:
- user_logged_in_win
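Review bot: The keys, display names and descriptions are crossed: `attacker_maintain_access` describes lateral movement, while `interference_with_protective_measures` has a display_name about interfering with protections but a description about persistence, so whichever field the UI shows, one of them is wrong. Rename the first key to `attacker_lateral_movement` (or change its texts to persistence) and make the second's display_name and description agree on one of interference/persistence. The referenced questions `user_logged_in_win` and `user_downloaded_file` are not defined in the visible part of this commit — confirm they exist in questions.yaml, and that the same question being the only entry under both facets is intended.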


@ -0,0 +1,120 @@
# ------------------------------------------------------------------------
# -- Questions --
# ------------------------------------------------------------------------
#
# This is a config file to define questions that can be asked
# in Timesketch. A single question is by nature small in scope and tactical,
# something that can be answered by analysis, either automatically or by
# providing enough context so that an analyst can determine the answer.
#
# Each investigation may contain many questions, some dependent on the
# outcome of others, that is one question can determine that no further
# questions need to be asked, or that several other questions need to be
# brought up, etc.
#
# These questions define what data needs to be present in order to
# be able to answer it, as well as what user supplied parameters may be
# required to be defined beforehand. It will then also define what set of
# analyzers, graph plugins and potential searches will be useful in order
# to answer the question and what conditions are sufficient
# in order to have the question answered.
#
# As described above, each of these isolated tactical questions are part
# of a bigger picture, part of an investigation, which sets out to answer
# a broader set of questions, which can then in hand be part of an even
# larger scenario.
#
# Each question consists of the following fields:
#
# -- metadata --
#
# display_name Simple string that contains the display name that
# be used in an UI to describe the question.
#
# description Further description of the question, what the
# question attempts to answer, whether it will
# require further manual analysis, etc.
#
# -- data requirements --
#
# data_sources A list of data sources (as defined in the
# data_finder.yaml configuration file) that
# either need to be present, should not be
# present or are optional in the dataset in
# order to be able to answer the question.
#
# parameters A list of parameters that will be asked
# in the investigation, to provide context
# needed for the question. This can be
# simple things like the username of the user
# the analyst is looking at, or a domain that
# they are interested in, that is some context
# that is needed in order for the question to be
# properly asked.
#
#
# -- context/enrichment --
#
# analyzers A list of analyzers that will be run on the
# dataset.
#
# graphs A list of graph plugins that will assist the
# analyst with answering the question.
#
# search_templates A list of search templates that will assist the
# analyst with answering the question.
#
# sigma_rules A list of sigma_rules that will enrich the sketch
# with information to help the analyst answering the question.
#
#
# -- answers --
#
# answer_simple If the answer can be simply derived from a search
# in the dataset, an answer source can be defined.
# It contains two section, a "must" or "must_not",
# which is a list of data finder defintions that all
# must or must not return True values. This can be
# used to define things that should be present in the
# dataset or should not be there in order to give
# an answer to the investigative question.
#
# answer_analyzer If the answer cannot be derived from a simple
# search a name of an analyzer can be provided
# that is specifically designed to answer this
# particular investigative question.
# ------------------------------------------------------------------------
user_logged_in_win:
display_name: Did someone log into a Windows machine?
description: This question aim to answer whether
someone (anyone) logged into the machine. It will run the login analyzer
to determine if there was any login activity. This question only
looks at activity logged in the EVTX file, therefore it only
applies to Windows machines.
data_sources:
- windows_login
analyzers:
- login
sigma_rules:
-
answer_simple:
must:
- windows_login
user_downloaded_file:
display_name: What files were downloaded through a web browser to a computer?
description: This question checks whether there is browser activity
happening and during that activity a specific file got downloaded
or is seen on the disk during the time period.
data_sources:
- browser_activity
parameters:
- username
- filename
answer_simple:
must:
- browser_activity
- user_browser_activity
- browser_download
- browser_specific_file_download
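Review bot: In `user_logged_in_win`, `sigma_rules:` followed by a bare `-` parses as a one-element list containing null, not an empty list, so any loader that iterates rule names will receive `None`; write `sigma_rules: []` or drop the key. `user_downloaded_file` lists `user_browser_activity`, `browser_download` and `browser_specific_file_download` under `answer_simple.must` but only `browser_activity` under `data_sources`; the header says these must be defined in data_finder.yaml, which is not visible here, so confirm all four exist there or the question can never be answered. The header comment also has "defintions" and "two section" (should be "two sections"), worth fixing while the file is new.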


@ -0,0 +1,23 @@
# ------------------------------------------------------------------------
# -- Scenarios --
# ------------------------------------------------------------------------
#
# This is a config file to define scenarios.
#
# Each scenario consists of the following fields:
#
# -- metadata --
# display_name Simple string that contains the display name that
# be used in an UI to describe the question.
#
# description Further description of the question, what the
# question attempts to answer, whether it will
# require further manual analysis, etc.
#
# ------------------------------------------------------------------------
- short_name: "compromise_assessment"
display_name: "Compromise Assessment"
description: "Initial triage of a compromised system."
facets:
- attacker_maintain_access
- interference_with_protective_measures
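Review bot: The header comment was copied from the questions file and describes `display_name`/`description` as text "to describe the question", while omitting the two fields the entry actually relies on, `short_name` and `facets`. Suggest `# short_name  Stable identifier used to reference the scenario.` and `# facets      List of facet names (as defined in facets.yaml) that make up the scenario.` alongside corrected wording for the existing two. This file is also a top-level sequence whereas facets.yaml and questions.yaml are mappings keyed by name; if that asymmetry is what the loader expects, a comment saying so would prevent someone "fixing" it later.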


@ -0,0 +1,22 @@
title: Suspicious Installation of ZMap
id: 5266a592-b793-11ea-b3de-0242ac130004
description: Detects suspicious installation of ZMap
references:
- https://rmusser.net/docs/ATT&CK-Stuff/ATT&CK/Discovery.html
author: Alexander Jaeger
date: 2020/06/26
modified: 2020/06/26
tags:
- attack.discovery
- attack.t1046
logsource:
product: linux
service: shell
detection:
keywords:
# Generic suspicious commands
- '*apt-get install zmap*'
condition: keywords
falsepositives:
- Unknown
level: high
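Review bot: The single keyword `*apt-get install zmap*` only fires on one package-manager spelling, so `apt install zmap`, `dnf`/`yum install zmap` and a source build are all missed while the rule is still rated `level: high`; add at least `- '*apt install zmap*'`, `- '*yum install zmap*'` and `- '*dnf install zmap*'` to the keyword list. Installing a scanner is weak evidence on its own (security teams and researchers do it legitimately), so `falsepositives: - Unknown` should name that case and `level: medium` would better reflect the confidence. The `&` inside the reference URL is fine as a plain scalar here since it is not at the start of the value.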


@ -0,0 +1,20 @@
title: General Powershell line suspiciousness
id: 7d4282f2-7794-416b-b632-d27bc88c8585
description: Broad rule to detect suspicious Powershell artifacts
status: stable
references: https://github.com/SigmaHQ/sigma/blob/master/other/godmode_sigma_rule.yml
author: Alexander Jaeger
date: 2022/11/17
modified: 2022/11/17
level: high
detection:
# Different suspicious or malicious powershell command line parameters
selection_plain:
CommandLine|contains:
- ' -NoP ' # Often used in malicious PowerShell commands
- ' -W Hidden ' # Often used in malicious PowerShell commands
- ' -decode ' # Used with certutil
- ' /decode ' # Used with certutil
- '.downloadstring(' # PowerShell download command
- '.downloadfile(' # PowerShell download command
condition: 1 of them
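Review bot: This rule has no `logsource` block and gives `references` as a plain string, whereas the ZMap rule added in the same commit has both in Sigma's list/mapping form; the Sigma schema requires `logsource`, and even if Timesketch's loader is lenient the two rules should agree, e.g. `logsource:` / `  product: windows` / `  category: process_creation`. It is marked `status: stable` yet declares no `falsepositives`, which for a "broad" rule is the field analysts need most. The space-padded patterns (`' -NoP '`, `' -W Hidden '`) will not match when the switch is the last token on the command line or is followed by a quote, so consider dropping the trailing space or adding un-padded variants.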


@ -0,0 +1,21 @@
title: General suspicious keywords
id: 9532df7b-ac88-4706-a764-9bbc9c2b2d5f
description: 'Broad rule to detect common bad terms. Warning: Can be noisy'
status: stable
references:
- https://github.com/SigmaHQ/sigma/blob/master/other/godmode_sigma_rule.yml
- https://twitter.com/hela_luc/status/1592934231583621121
author: Alexander Jaeger
date: 2022/11/17
modified: 2022/11/17
level: high
detection:
# Different suspicious or malicious command line parameters
selection_plain:
message:
- ' mimi' # Mimikatz
- 'lsass.dmp' # Attempt to dump the lsass process
- 'powershell -nop -w hidden -encodedcommand' # often used to obfuscate powershell
- 'vssadmin' # Attempt to work with volume shadow copies
- '.dmp full' # Process dumping method apart from procdump
condition: 1 of them
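Review bot: `level: high` contradicts the rule's own description ("Warning: Can be noisy"), and there is no `falsepositives` or `logsource` block to help an analyst triage the hits; suggest `level: medium` plus `falsepositives: - Legitimate vssadmin use by backup software` at minimum. `' mimi'` matches any space-prefixed token starting with "mimi" (mimic, Mimi, mimikatz), and `'powershell -nop -w hidden -encodedcommand'` requires that exact argument order and spacing while missing the common `-enc`/`-e` abbreviations, so the two patterns pull in opposite directions. The PowerShell rule in this same commit already covers the `-nop`/`-w hidden` case token by token; consider leaving it there and keeping this rule to the non-PowerShell terms.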


@ -32,7 +32,7 @@ spec:
{{- toYaml .Values.frontend.securityContext | nindent 12 }} {{- toYaml .Values.frontend.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
command: ["sh", "-c", "gunicorn --bind 0.0.0.0:5000 --log-file - \ command: ["sh", "-c", "update-ca-certificates && cp /var/timesketch.conf /etc/ && gunicorn --bind 0.0.0.0:8080 --log-file - \
--error-logfile - --log-level info \ --error-logfile - --log-level info \
--capture-output --timeout 600 --limit-request-line 8190 \ --capture-output --timeout 600 --limit-request-line 8190 \
--workers 4 timesketch.wsgi:application"] --workers 4 timesketch.wsgi:application"]
@ -46,6 +46,8 @@ spec:
fieldRef: fieldRef:
fieldPath: metadata.name fieldPath: metadata.name
apiVersion: v1 apiVersion: v1
- name: SSL_CERT_FILE
value: /usr/local/share/ca-certificates/extra/{{ .Values.caCert.existingConfigMapKey }}
- name: TIMESKETCH_USER_USERNAME - name: TIMESKETCH_USER_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
@ -64,8 +66,12 @@ spec:
mountPath: /config mountPath: /config
readOnly: true readOnly: true
- name: timesketch-conf - name: timesketch-conf
mountPath: /etc/timesketch.conf mountPath: /var/timesketch.conf
subPath: timesketch.conf subPath: timesketch.conf
readOnly: false
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/extra/{{ .Values.caCert.existingConfigMapKey }}
subPath: {{ .Values.caCert.existingConfigMapKey }}
readOnly: true readOnly: true
ports: ports:
- containerPort: {{ .Values.metrics.port }} - containerPort: {{ .Values.metrics.port }}
@ -85,6 +91,10 @@ spec:
secret: secret:
secretName: {{ .Values.config.existingConfSecret }} secretName: {{ .Values.config.existingConfSecret }}
optional: true optional: true
- name: ca-cert
configMap:
name: {{ .Values.caCert.existingConfigMapName }}
optional: true
nodeSelector: nodeSelector:
{{- toYaml .Values.frontend.nodeSelector | nindent 8 }} {{- toYaml .Values.frontend.nodeSelector | nindent 8 }}
affinity: affinity:
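Review bot: `SSL_CERT_FILE` is pointed at the single mounted CA file, which for OpenSSL-based clients that honor it replaces the default trust store with just the OpenSearch CA, so TLS to any other endpoint (an external auth provider, feeds, mirrors) will fail verification; since the command already runs `update-ca-certificates`, point the variable at the merged bundle that tool produces on Debian/Ubuntu images, `value: /etc/ssl/certs/ca-certificates.crt`, which also still works when the `optional: true` ConfigMap is absent (as written, a missing ConfigMap leaves the variable naming a path with no file). `update-ca-certificates` and `cp … /etc/` both need root and a writable root filesystem, so this command will crash-loop under a hardened `.Values.frontend.securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`); at least document that constraint next to the values. The `timesketch-conf` Secret mount is `readOnly: false` here but `readOnly: true` in the worker; the file is copied out before use, so `readOnly: true` works in both and is the least-privilege choice. The frontend's own `containerPort` line is not in the visible hunks, so confirm it was moved from 5000 to 8080 to match the new `--bind` and the Service `targetPort`.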


@ -32,7 +32,7 @@ spec:
{{- toYaml .Values.worker.securityContext | nindent 12 }} {{- toYaml .Values.worker.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
command: ["sh", "-c", "celery -A timesketch.lib.tasks worker \ command: ["sh", "-c", "update-ca-certificates && cp /var/timesketch.conf /etc/ && celery -A timesketch.lib.tasks worker \
--loglevel=DEBUG"] --loglevel=DEBUG"]
env: env:
- name: POD_NAME - name: POD_NAME
@ -42,6 +42,8 @@ spec:
apiVersion: v1 apiVersion: v1
- name: WORKER_LOG_LEVEL - name: WORKER_LOG_LEVEL
value: "DEBUG" value: "DEBUG"
- name: SSL_CERT_FILE
value: /usr/local/share/ca-certificates/extra/{{ .Values.caCert.existingConfigMapKey }}
- name: TIMESKETCH_USER_USERNAME - name: TIMESKETCH_USER_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
@ -60,9 +62,13 @@ spec:
mountPath: /config mountPath: /config
readOnly: true readOnly: true
- name: timesketch-conf - name: timesketch-conf
mountPath: /etc/timesketch.conf mountPath: /var/timesketch.conf
subPath: timesketch.conf subPath: timesketch.conf
readOnly: true readOnly: true
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/extra/{{ .Values.caCert.existingConfigMapKey }}
subPath: {{ .Values.caCert.existingConfigMapKey }}
readOnly: true
ports: ports:
- containerPort: {{ .Values.metrics.port }} - containerPort: {{ .Values.metrics.port }}
- containerPort: 5000 - containerPort: 5000
@ -81,6 +87,10 @@ spec:
secret: secret:
secretName: {{ .Values.config.existingConfSecret }} secretName: {{ .Values.config.existingConfSecret }}
optional: false optional: false
- name: ca-cert
configMap:
name: {{ .Values.caCert.existingConfigMapName }}
optional: true
nodeSelector: nodeSelector:
{{- toYaml .Values.worker.nodeSelector | nindent 8 }} {{- toYaml .Values.worker.nodeSelector | nindent 8 }}
affinity: affinity:
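Review bot: The CA handling is duplicated from the frontend inline and shares its gap: `SSL_CERT_FILE` names a file from an `optional: true` ConfigMap, so with the ConfigMap absent the variable points at nothing and OpenSSL-based TLS verification fails everywhere, while with it present only that one CA is trusted. Either guard both the env var and the `ca-cert` volume with `{{- if .Values.caCert.existingConfigMapName }}` or point `SSL_CERT_FILE` at the merged system bundle that `update-ca-certificates` writes. The worker still declares `containerPort: 5000` although its command only starts celery and the frontend has moved to 8080; if nothing listens there, drop it, otherwise a comment should say what does. The `update-ca-certificates && cp` prefix requires root and a writable `/etc`, so confirm it is compatible with `.Values.worker.securityContext`.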


@ -10,7 +10,7 @@ spec:
ports: ports:
- port: 8080 - port: 8080
protocol: TCP protocol: TCP
targetPort: 5000 targetPort: 8080
selector: selector:
app.kubernetes.io/component: frontend app.kubernetes.io/component: frontend
{{- include "timesketch.selectorLabels" . | nindent 4 }} {{- include "timesketch.selectorLabels" . | nindent 4 }}
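Review bot: `targetPort: 8080` is a literal copy of the port the frontend command binds and that its `containerPort` must declare, and this commit already had to touch the same number in several files; naming the port in the Deployment (`- name: http` / `containerPort: 8080`) and referencing it here as `targetPort: http` lets the Service follow the container and removes the drift risk. The frontend `containerPort` line is not in the visible hunks, so confirm it was updated from 5000 as well.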


@ -48,3 +48,7 @@ resources:
metrics: metrics:
enabled: true enabled: true
port: 9001 port: 9001
caCert:
existingConfigMapName: cluster-certificates
existingConfigMapKey: opensearch-ca.crt
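Review bot: The new `caCert` block documents nothing about its contract: a ConfigMap named `cluster-certificates` must already exist in the release namespace with key `opensearch-ca.crt` holding a PEM CA, the templates mount it `optional: true` so its absence is silent, and there is no way to turn the feature off. Suggest a leading comment such as `# CA certificate to trust for TLS to OpenSearch (installed via update-ca-certificates and exported as SSL_CERT_FILE). The ConfigMap must exist in the release namespace; its absence is not an error.` and either an `enabled: false` default or an empty `existingConfigMapName` default that the templates can test before emitting the volume and env var.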