Transcription
Copyright [...] Matt Uebel, Security Engineer, Defense Point Security
Matt Uebel
Travis Holland
[...]orations. [...]ear 2015. 20 Splunk Certified Architects on staff. We use Splunk to achieve many of the expertise domains above.
Agenda: [...]olutions to the problem. Automation scripts and snippets.
[...]dmins?
Exploitation - [...]ully escalated from non-[...] [...]ges with DPS Community
Exploitation - Universal Forwarder. Escalation from non-root to root via the Universal Forwarder:
1. Create rogue deployment server
2. Change the deployment server of the universal forwarder
3. Restart the Universal Forwarder
4. Create exploitation App
   a. App returns a root shell
5. Deploy App - Reap the rewards
Exploitation - [...]re forwarders appropriately
The UF Deployment Plan: Usually simply "yum/apt-[...] [...]e can be done
[...]eployment Server. Firewall Rules. SSL Certificates.
Run as non-root [...]ult)
/opt/splunkforwarder/bin/splunk enable boot-start -user splunk
chown -R splunk:splunk /opt/splunkforwarder
Lock down splunk-launch.conf, which contains the run-as-user config:
chown root:splunk /opt/splunk/etc/splunk-launch.conf
chmod 644 /opt/splunk/etc/splunk-launch.conf
Reading Files as non-root [...], or simply change group ownership to splunk:
groupadd syslog
chown -R :syslog /var/log
chmod -R g+s /var/log
usermod -a -G syslog splunk
Reading Files as non-root cont. Usual defaults have /var/log unreadable by non-root users:
setfacl -Rm u:splunk:r-x,d:u:splunk:r-x /var/log
In /etc/audit/auditd.conf: log_group = splunk
chgrp -R splunk /var/log/audit
chmod 0750 /var/log/audit
chmod 0640 /var/log/audit/*
Windows Low-privilege Mode [...]y a local or domain user:
msiexec.exe /i splunkforwarder.msi AGREETOLICENSE=Yes LOGON_USERNAME="$env:computername\splunk" LOGON_PASSWORD="$password" SET_ADMIN_USER=0 LAUNCHSPLUNK=0 /qn
Change Admin Password (nix). Bash script to set the admin password to a random string:
$SPLUNK_HOME/bin/splunk edit user admin -password $(head -c 500 /dev/urandom | sha256sum | base64 | head -c 16 ; echo) -auth [...]
SOLUTION: Remove $SPLUNK_HOME/etc/passwd, restart splunk
Change Admin Password (win). Generate the random password:
do { $password = (-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 14 | % {[char]$_})) } until ($password -match "[0-9]" -and $password -match "[a-z]" -and $password -match "[A-Z]")
Set that password for the admin user:
& "[...]nk.exe" edit user admin -password ($password) -auth admin:changeme | out-null
Disable Management Port (nix). Create app directory:
mkdir -p /opt/splunkforwarder/etc/apps/UF-TA-killrest/local
[...] management interface:
echo '[httpServer]
disableDefaultPort = true' > /opt/splunkforwarder/etc/apps/UF-TA-killrest/local/server.conf
Disable Management Port (win). Create app directory:
new-item -path "[...]\UF-TA-killrest\local" -ItemType "Directory" -force | out-null
[...] management interface:
"[httpServer]`r`ndisableDefaultPort = true" | out-file "[...]\UF-TA-killrest\local\server.conf" -force | out-null
[...]ing as root/system can easily take over an environment
[...]ronment
index=_internal sourcetype=splunkd DeployedApplication Downloaded url!=*your-ds-server*
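As an added example (not from the slides or from Splunk), a local audit that checks a forwarder tree for the hardening covered above: a non-root SPLUNK_OS_USER in a locked-down splunk-launch.conf, an app carrying [httpServer] disableDefaultPort, and a deploymentclient.conf that targets only the approved deployment server. The approved host name, the rogue host name and the two sample trees are assumptions built for the demo.

```python
import tempfile
from configparser import ConfigParser
from pathlib import Path

def _conf(path):
    """Parse a Splunk .conf file (INI-like, case-sensitive keys, no interpolation)."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read(path)
    return cp

def audit_forwarder(splunk_home, approved_ds):
    """Added audit (not Splunk's own code); approved_ds is an assumed DS host. Empty list = pass."""
    home, findings = Path(splunk_home), []
    launch = home / "etc/splunk-launch.conf"  # plain KEY=value, no stanzas
    text = launch.read_text() if launch.is_file() else ""
    user = next((ln.split("=", 1)[1].strip() for ln in text.splitlines()
                 if ln.startswith("SPLUNK_OS_USER=")), "")
    if user in ("", "root"):
        findings.append("SPLUNK_OS_USER is unset or root")
    if launch.is_file() and launch.stat().st_mode & 0o022:
        findings.append("splunk-launch.conf is group/world writable (want 0644)")
    # Any app's local/server.conf may carry [httpServer] disableDefaultPort.
    if not any(_conf(c).get("httpServer", "disableDefaultPort", fallback="").lower()
               in ("true", "1") for c in home.glob("etc/apps/*/local/server.conf")):
        findings.append("management port not disabled ([httpServer] disableDefaultPort)")
    # A client pointed at an unapproved DS is the pivot the escalation above relies on.
    for c in home.glob("etc/**/deploymentclient.conf"):
        target = _conf(c).get("target-broker:deploymentServer", "targetUri", fallback="")
        if target and target.split(":")[0] != approved_ds:
            findings.append(f"deploymentclient.conf targets {target}")
    return findings

def build_sample(root, hardened):
    app = Path(root, "etc/apps/UF-TA-killrest/local")
    app.mkdir(parents=True)
    launch = Path(root, "etc/splunk-launch.conf")
    launch.write_text("SPLUNK_OS_USER=%s\n" % ("splunk" if hardened else "root"))
    launch.chmod(0o644 if hardened else 0o666)
    if hardened:
        (app / "server.conf").write_text("[httpServer]\ndisableDefaultPort = true\n")
    (app / "deploymentclient.conf").write_text("[target-broker:deploymentServer]\ntargetUri = %s:8089\n"
                                              % ("ds.example.internal" if hardened else "rogue.example.net"))
    return root

def demo():
    """Audit constructed (demo-only) hardened and unhardened trees; returns (good, bad) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return tuple(audit_forwarder(build_sample(Path(tmp, name), hardened), "ds.example.internal")
                     for name, hardened in (("good", True), ("bad", False)))
```

Run demo() on a Linux host; the unhardened tree yields one finding per missing control, the hardened tree none.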
Who Has Access to DS? [...]n admin role?
Monitor Deploy Capable Users. While in a known good state, make a lookup:
| rest splunk_server=local /services/authentication/users | search capabilities=edit_deployment* OR capabilities=list_deployment* | eval username=title | eval permitted="True" | table username permitted | outputlookup deploy_capable_users.csv
Monitor Deploy Capable Users cont. On some schedule, search to find any users not in the lookup:
| rest splunk_server=local /services/authentication/users | search capabilities=edit_deployment* OR capabilities=list_deployment* | eval username=title | table username | lookup deploy_capable_users.csv username OUTPUTNEW permitted | search NOT permitted=*
Watching Audit Log for Bundle Reloads. Useful in particular for off-hours events:
index=_audit action=list_deployment_server info=granted object="_reload" operation="_reload"
Gather Bash History [...] system. Can add a layer of protection by gathering bash commands. See repo for more details.
[...]mmunication. Splunk SSL Configuration. SSLippery Slope - George and Duane's SSL Talk. [...]izations
What Now? Keeping the Junk Out of Splunk. Worst Practices. [...]ommands. Fields, Indexed Tokens and You.
Links: [...]er's post on the topic of reading logs as non-[...] [...]orm). Splunk IRC - #splunk on EFNet
THANK YOU
Who is DPS? [...]ll businesses exclusively providing cyber [...] [...]rnment and [...].