https://github.com/kulinacs/cowrie-attack
Mapping the ATT&CK matrix in a Cowrie honeypot
- Host: GitHub
- URL: https://github.com/kulinacs/cowrie-attack
- Owner: kulinacs
- Created: 2018-08-31T23:27:49.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2018-08-31T23:28:23.000Z (over 6 years ago)
- Last Synced: 2024-08-03T23:04:37.144Z (4 months ago)
- Language: Shell
- Size: 49.8 KB
- Stars: 17
- Watchers: 4
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-honeypot - **11** stars
README
# CS6324 Project
Detecting and classifying attacks in a Linux environment
## Running
Create the network for the system to run on: `sudo docker network create alertnet`
Increase the kernel's maximum memory-map count, which Elasticsearch requires: `sudo sysctl -w vm.max_map_count=262144`
Start up the honeypot and Elastic Stack: `sudo docker-compose -f base.yml up`
You need to generate logs before you can create an index. Do this by logging in to the honeypot: `ssh [email protected] -p 2222`
When the stack comes up, log in to Kibana with username `elastic` and password `changeme`.
Create an index pattern `logstash-*`.
Start up ElastAlert: `sudo docker-compose -f alert.yml up`
## Testing a rule
List containers: `sudo docker ps`
Grab the container ID of the ElastAlert container.
Attach to the container: `sudo docker exec -it <container-id> /bin/sh`
Rules are found in `/opt/elastalert/rules`
Config is found at `/opt/elastalert/config.yml`
Run a rule, passing the rule file to test as the positional argument: `python -m elastalert.test_rule --config config.yml rules/<rule-file>.yaml`
## MITRE Attack Matrix
https://attack.mitre.org/wiki/Linux_Technique_Matrix
## Rule Alerting
ElastAlert writes alerts back to the `elastalert_status` index with `_type: elastalert`, carrying all the information the alert provides. We therefore wrote a custom alert, `MITREAttack`, that puts this information into Elasticsearch.
To use the `MITREAttack` alert, set the following keys in the rule:
```
alert: "elastalert_modules.custom_alerts.MITREAttack"
attack_tactic:
attack_name:
attack_id:
```

## Nick's Straight Forward Rules
### User enumeration
`cat /etc/passwd`
`cat */????wd`
### Group enumeration
`cat /etc/group`
### System enumeration
`uname -a`
### User privilege enumeration
`sudo -l`
### Miscellaneous find commands
Search for setuid binaries
Search for writable directories
See: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
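As an added example (not code from the cowrie-attack project), the rules above and the `MITREAttack` keys from the Rule Alerting section expressed as a small Python classifier over Cowrie's JSON log lines: each README command maps to an ATT&CK tactic and technique (the technique ids are this example's own assumed mapping), and `cat` arguments are matched as shell globs so the `cat */????wd` form is detected alongside the literal `cat /etc/passwd`. The sample log lines are constructed.

```python
import fnmatch
import json
import shlex

# README rules as (tactic, technique name, technique id). The ATT&CK ids are
# this example's own mapping (assumed), not values taken from the project.
SENSITIVE_FILES = {
    "/etc/passwd": ("Discovery", "Account Discovery", "T1087"),
    "/etc/group": ("Discovery", "Permission Groups Discovery", "T1069"),
}
SIMPLE_COMMANDS = {
    ("uname", "-a"): ("Discovery", "System Information Discovery", "T1082"),
    ("sudo", "-l"): ("Discovery", "Permission Groups Discovery", "T1069"),
}

def classify(command):
    """Map one shell command line to a README rule, or return None."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: nothing we rule on
        return None
    if argv and argv[0] == "cat":
        # Arguments match as shell globs, so `cat */????wd` hits like `cat /etc/passwd`.
        for arg in argv[1:]:
            for path, hit in SENSITIVE_FILES.items():
                if fnmatch.fnmatchcase(path, arg):
                    return hit
    return SIMPLE_COMMANDS.get(tuple(argv[:2]))

def alerts_from_cowrie(lines):
    """Turn Cowrie JSON log lines into dicts carrying the MITREAttack keys."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        if event.get("eventid") != "cowrie.command.input":
            continue  # only typed commands are classified
        hit = classify(event.get("input", ""))
        if hit:
            alerts.append({"session": event.get("session"), "input": event["input"],
                           "attack_tactic": hit[0], "attack_name": hit[1], "attack_id": hit[2]})
    return alerts

# Constructed sample lines in Cowrie's JSON log format (not real captures).
SAMPLE_LOG = [
    '{"eventid": "cowrie.login.success", "session": "s1", "username": "root"}',
    '{"eventid": "cowrie.command.input", "session": "s1", "input": "cat */????wd"}',
    '{"eventid": "cowrie.command.input", "session": "s1", "input": "uname -a"}',
]
```

Running `alerts_from_cowrie(SAMPLE_LOG)` yields one alert per matching command, each already shaped for the `attack_tactic`, `attack_name` and `attack_id` keys the custom alert expects.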
Further reading: WAF bypassing (Nick will look for link)