{"id":13844764,"url":"https://github.com/activecm/BeaKer","last_synced_at":"2025-07-12T00:31:40.254Z","repository":{"id":37893316,"uuid":"244757028","full_name":"activecm/BeaKer","owner":"activecm","description":"Beacon Kibana Executable Report. Aggregates Sysmon Network Events With Elasticsearch and Kibana","archived":false,"fork":false,"pushed_at":"2024-09-27T15:40:54.000Z","size":3652,"stargazers_count":285,"open_issues_count":14,"forks_count":40,"subscribers_count":19,"default_branch":"master","last_synced_at":"2024-11-13T07:19:37.290Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/activecm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2020-03-03T22:43:42.000Z","updated_at":"2024-10-24T20:52:15.000Z","dependencies_parsed_at":"2024-04-12T15:03:38.841Z","dependency_job_id":"5fbf8f81-9dc6-44ea-b4b0-0bb0688535cb","html_url":"https://github.com/activecm/BeaKer","commit_stats":null,"previous_names":[],"tags_count":17,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/activecm%2FBeaKer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/activecm%2FBeaKer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/activecm%2FBeaKer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/activecm%2FBeaKer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/activecm","download_url":"https://codeload.github.com/activecm/B
eaKer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225772749,"owners_count":17521882,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:02:55.775Z","updated_at":"2024-11-21T17:30:47.388Z","avatar_url":"https://github.com/activecm.png","language":"Shell","readme":"# BeaKer - Beaconing Kibana Executable Report\n\nBrought to you by [Active Countermeasures](https://www.activecountermeasures.com/).\n\n---\n\nBeaKer visualizes Microsoft Sysmon network data to help threat hunters track down the source of suspicious network connections. The custom dashboard presents which users and executables created connections between two given IPs, how many times they've connected, the protocols and ports used, and much more.\n\n## Getting Started\n\n![BeaKer_demo](./images/BeaKer_demo.gif)\n\nAfter Sysmon starts sending data to ElasticSearch, Kibana will be ready to go. Filter by a source and destination IP and a time range to view what connections have been made between the two. The Program List will display which executables on the source machine made the connections to the destination. 
The actual Sysmon logs are displayed lower on the screen where you can investigate the events in greater detail.\n\n## How it works\n\n- Microsoft Sysmon: Logs network connections to the Windows Event Log\n- WinLogBeats: Sends the network connection logs to Elasticsearch\n- Elasticsearch: Stores, indexes, and aggregates the network connection logs\n- Kibana: Displays logs stored in Elasticsearch and provides a user interface for Elasticsearch administration\n- Beacon Dashboard: Aggregates the network connections between two hosts\n\n## Installation\n\n### BeaKer Server System Requirements\n* Operating System: The preferred platform is x86 64-bit Ubuntu 20.04 LTS. The system should be patched and up to date using apt-get.\n  * The automated installer will also support CentOS 7.\n* Processor: Two or more cores. Elasticsearch uses parallel processing and benefits from more CPU cores.\n* Memory: 8-64GB. Monitoring more hosts requires more RAM.\n* Storage: Ensure `/var/lib/docker/volumes` has free space for the incoming network logs.\n\n### BeaKer Agent System Requirements\n* Operating System: Windows x86-64 bit OS\n* PowerShell Version: 3+\n* Installed WinLogBeats version must be \u003c= the Elasticsearch version installed on the BeaKer server, but at least the minimum supported wire version for the Elasticsearch version\n  * Elasticsearch v8.6.2 supports WinLogBeats 7.17.0 through 8.6.2\n  * Elasticsearch v7.17.9 supports WinLogBeats 6.8.0 through 7.17.9\n\n### Automated Install: BeaKer Server\n\nDownload the [latest release](https://github.com/activecm/BeaKer/releases/latest) tar file, extract it, and inside the `BeaKer` directory,\nrun `./install_beaker.sh` on the Linux machine that will aggregate your Sysmon data and host Kibana.\n\n**Note:** existing BeaKer installations must be upgraded to v7.17 before they can be upgraded to v8.x.\n\nThe automated installer will:\n  - Install Docker and Docker-Compose\n  - Create a configuration directory in `/etc/BeaKer`\n  - 
Install Elasticsearch, Kibana, and load the dashboards\n  - Set the Elasticsearch superuser password for the `elastic` account\n  - Set the `sysmon-ingest` user password for connecting WinLogBeats\n  - Set up index templates, ILM policy, data streams and ingest pipelines\n\nThe `beaker` script installed to `/usr/local/bin/beaker` is a wrapper around `docker-compose` and can be used to manage BeaKer.\n - To stop BeaKer, run `beaker down`\n - To start BeaKer, run `beaker up`\n - To view the logs of the Elasticsearch container, run `beaker logs -f elasticsearch`\n - To view the logs of the Kibana container, run `beaker logs -f kibana`\n\nAfter running `./install_beaker.sh` you should be able to access Kibana at `localhost:5601`. Note that Kibana is exposed on every network interface available on the Docker host.\n\nUse the `elastic` account to perform your initial login to Kibana. Additional user accounts can be created using the Kibana interface. The `sysmon-ingest` user account is not allowed to access Kibana.\n\nThe Elasticsearch server will begin listening for connections on port 9200 using HTTPS. 
It expects Sysmon ID 3 Network Events to be published to:\n- WinLogBeats less than v7.17.9: ES index `sysmon-%{+YYYY.MM.dd}`\n- WinLogBeats v7.17.9: ES index `winlogbeat-%{[agent.version]}` via data stream\n- WinLogBeats v8.6.2: Ingest Pipeline `winlogbeat-%{[agent.version]}-routing`\n\nSee the embedded `winlogbeat.yml` file in `./agent/install-sysmon-beats.ps1` for more info.\n\nThe easiest way to begin sending data to the server is to use the automated BeaKer agent installer.\n\n### Automated Install: BeaKer Agent\nThe PowerShell script `./agent/install-sysmon-beats.ps1` will install Sysmon and WinLogBeats, and configure WinLogBeats to begin sending data to the BeaKer server.\n\nTo install the agent, run the script as `.\\install-sysmon-beats.ps1 ip.or.hostname.of.beaker.server 9200`.\n\nThe script will then:\n- Ask for the credentials of the Elasticsearch user to connect with\n  - These may be supplied using the parameters `ESUsername` and `ESPassword`\n  - If using the automated BeaKer Server installer, use `sysmon-ingest`\n- Download Sysmon and install it with the default configuration in `%PROGRAMFILES%` if it doesn't exist\n- Ensure Sysmon is running as a service\n- Download WinLogBeat and install it in `%PROGRAMFILES%` and `%PROGRAMDATA%` if it doesn't exist\n- **Remove any existing winlogbeat configuration files (`winlogbeat.yml`)**\n- Install a new `winlogbeat.yml` file to connect to the BeaKer server\n- Ensure WinLogBeat is running as a service\n\n### BeaKer Agent uninstall\nAs an administrator, run the following scripts to uninstall the BeaKer agent:\n- `C:\\Program Files\\winlogbeat-7.5.2-windows-x86_64\\uninstall-service-winlogbeat.ps1`\n- `C:\\Program Files\\Sysmon\\Sysmon64.exe -u`\n\n### Data Collected By Sysmon Per Network Connection\n- Source\n  - IP Address\n  - Hostname\n  - Port\n- Destination\n  - IP Address\n  - Hostname\n  - Port\n- Network\n  - Transport Protocol\n  - Application Protocol\n  - Community ID\n- Process\n  - PID\n  - 
Executable\n  - Entity ID\n- User\n  - Domain\n  - Name\n- Timestamp\n\n## Developer Information\nWhen cloning the project, ensure that you have cloned the git submodules as well.\nEither pass `--recurse-submodules` to `git clone` when pulling down the project, or run the following commands afterwards:\n- `cd BeaKer`\n- `git submodule update --init --recursive`\n\nTo generate a new release tarball, run `./installer/generate_installer.sh`.\n\n## License\n\nGNU GPL V3 © Active Countermeasures ™\n","funding_links":[],"categories":["Shell (473)","Shell","Operating Systems"],"sub_categories":["Windows"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Factivecm%2FBeaKer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Factivecm%2FBeaKer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Factivecm%2FBeaKer/lists"}