Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mauricelambert/fastlogcollector

Event collector for Linux (python) and Windows (powershell). I write theses scripts in KOTH (King of the Hill) to detect any intrusion by monitoring only one file.
https://github.com/mauricelambert/fastlogcollector

Last synced: about 10 hours ago
JSON representation

Event collector for Linux (python) and Windows (powershell). I write theses scripts in KOTH (King of the Hill) to detect any intrusion by monitoring only one file.

Host: GitHub
URL: https://github.com/mauricelambert/fastlogcollector
Owner: mauricelambert
License: gpl-3.0
Created: 2024-10-25T16:38:13.000Z (20 days ago)
Default Branch: main
Last Pushed: 2024-10-31T18:00:00.000Z (14 days ago)
Last Synced: 2024-10-31T19:16:39.935Z (14 days ago)
Language: Python
Homepage:
Size: 19.5 KB
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.txt

Awesome Lists containing this project

README

# FastLogCollector

Event collector for Linux (python) and Windows (powershell). I write theses scripts in KOTH (King of the Hill) to detect any intrusion by monitoring only one file.

> It's a POC (i write it in less than 2 hours for the KOTH), connection are not secure, there is no authentication, it's not recommended for production (you can use it in incident response if you don't have any other solution but you should consider logs as untrust, because it's very easy for an attacker to send fake/crafted logs, to sniff the network connection, to block it or to modify logs between client and server).
>> In this KOTH we had only one Windows Server (an Active Directory), a Linux server (with SMB file share and SSH access linked to domain with SSSD), a PfSense and a switch. We had secure access to AD and Linux server by creating new VLAN for servers and monitor all connections between servers and PC with the PfSense. We had some local firewall rules on the AD and the Linux, we had theses script to monitor easily servers activity with only one console and only one SOC analyst (everyone else on the team could compromise the adversaries' systems). On the Linux we had `selinux` policy for the samba share.

## Install

### Linux

1. Change IP and port in `FastLogCollectorServer.py` and `FastLogCollectorLinuxClient.py`.
2. Write or copy the `FastLogCollectorServer.py` in `/root` directory (as `/root/FastLogCollectorServer.py`).
3. Write or copy the `FastLogCollectorLinuxClient.py` in `/root` directory (as `/root/FastLogCollectorLinuxClient.py`).
4. Write or copy the `FastLogCollectorServer.service` in `/etc/systemd/system` directory (as `/etc/systemd/system/FastLogCollectorServer.service`).
5. Write or copy the `FastLogCollectorLinuxClient.service` in `/etc/systemd/system` directory (as `/etc/systemd/system/FastLogCollectorLinuxClient.service`).
6. Run the script: `InstallAndConfigureAuditAndFirewall.sh` with root privileges (`sudo bash InstallAndConfigureAuditAndFirewall.sh`).

### Windows

1. Change IP and port in `FastLogCollectorWindowsClient.ps1`.
2. Write or copy the `FastLogCollectorWindowsClient.ps1` in `C:\Users\Administrator\services` directory (as `C:\Users\Administrator\services\FastLogCollectorWindowsClient.ps1`).
3. Run the script: `SysmonInstallAndConfigure.ps1` as Administrator.
4. Run the script: `InstallServiceWindows.ps1` as Administrator.

## Usages

In a KOTH we know that an attack is going to happen but we don't know how, we don't know the precise minute and we don't know the attacker's skills. The use of this project in KOTH is relatively simple since it requires to read a file only continuously, when a process creation log occurs, the attack is successful, when an outgoing connection occurs the attacker tries to establish a means of communication for an easier to use takeover (reverse shell, C&C agent)...

It's possible with this project to monitor all your machines at the same time (manually, a SOC analyst should wait for a new event in the unique console) and when an attack occurs go to the compromised machine before the attacker exploits privileges escalation vulnerability and block the IP address used or the compromised user and fix the exploited vulnerability (sometime the vulnerability should be difficult to found, you should restrict access to the service used to get more time to find the vulnerability).

```bash
tail -f /root/received_logs.txt
```

## Licence

Licensed under the [GPL, version 3](https://www.gnu.org/licenses/).