- Linux, PowerShell
- Vultr Cloud, Elastic, Ubuntu, Windows Server 2022, Windows 10, Fleet Server, Mythic Server, osTicket.
Create a Logical Diagram: I used draw.io to create a digital logical diagram of the entire network, its connections, and workflows. The IP ranges will be automatically configured through VULTR.
Setup Vultr: I start by heading to the Vultr cloud provider website and setting up my cloud account. https://www.Vultr.com
After setting up my account, I head over to products and create my VPC.
I decided to remote into the server instead of using the server's console. I then updated the server and began installing/configuring Elasticsearch and Kibana.
Next, I adjusted the firewall rules of the ELK server within VULTR.
Now, I begin setting up my Elastic instance.
Logging into the instance. Configuring Kibana key stores and API encryption tokens.
Creating my Windows Server with RDP enabled. It will be separated from my VNC for safety reasons.
Creating and updating my Ubuntu fleet server.
Adding my fleet server and Elastic agent from the Windows server to the Elastic web GUI instance.
Installing Sysmon along with a special configuration file on my Windows server for endpoint detection.
Integrating my Windows server Sysmon and Windows Defender logs into my Elastic instance. I needed to adjust the firewall rules on my VPC to allow incoming traffic from the correct port to enable viewing of the Windows server telemetry.
Creating and updating repositories for my Ubuntu SSH server. Checking the auth.log file for any data on authentication attempts.
Installing Elastic agent onto the new Ubuntu server and integrating the logs to my Elastic instance. Modifying the network firewall to allow traffic from the Ubuntu server. Examining suspicious authentication attempts for my root user from specific IP addresses in Elastic.
Creating alerts and dashboards in Elastic. I tune the rules to look for failed and successful authentication attempts on my SSH Ubuntu server.
Creating enhanced detection rules for my Windows and Ubuntu server agents. I wanted more information on adversaries to be displayed each time an authentication attempt occurs.
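The rule logic described in the two steps above (separating failed from successful SSH logins and surfacing the source address and account behind each attempt) can be checked locally before it is written as an Elastic rule. The script below is an added example, not part of this write-up or of Elastic; it runs over constructed sshd lines in the format found in /var/log/auth.log, and the "failures followed by a success" threshold of three is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real telemetry) in the format sshd writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Mar  4 10:15:01 ssh-lab sshd[1021]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar  4 10:15:03 ssh-lab sshd[1021]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Mar  4 10:15:05 ssh-lab sshd[1021]: Failed password for root from 203.0.113.45 port 51244 ssh2
Mar  4 10:16:10 ssh-lab sshd[1030]: Accepted password for root from 203.0.113.45 port 51250 ssh2
Mar  4 10:20:00 ssh-lab sshd[1040]: Accepted publickey for ubuntu from 198.51.100.7 port 40022 ssh2
Mar  4 10:21:00 ssh-lab sshd[1041]: Failed password for ubuntu from 198.51.100.7 port 40030 ssh2
Mar  4 10:22:00 ssh-lab CRON[1050]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches the two sshd outcomes a SOC rule cares about: "Failed <method>" and "Accepted <method>".
# "invalid user" is optional so attempts against non-existent accounts are still captured.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)


def parse_auth_line(line):
    """Return a dict of fields for an sshd auth event, or None for unrelated lines (cron, sudo, ...)."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["invalid_user"] = "invalid user" in line
    return event


def parse_auth_log(text):
    """Parse a whole log text, keeping only sshd authentication events in file order."""
    return [ev for ev in (parse_auth_line(l) for l in text.splitlines()) if ev]


def summarize_by_source(events):
    """Per source IP: failed/accepted counts and the set of account names tried.
    This is the 'more information on the adversary' view a dashboard panel would show."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for ev in events:
        entry = summary[ev["ip"]]
        entry[ev["outcome"].lower()] += 1   # key is "failed" or "accepted"
        entry["users"].add(ev["user"])
    return dict(summary)


def brute_force_then_success(events, threshold=3):
    """Flag a source IP that logs in successfully after at least `threshold` failures.
    Events must be in log order; the threshold is an assumed tuning value."""
    failures = defaultdict(int)
    hits = []
    for ev in events:
        if ev["outcome"] == "Failed":
            failures[ev["ip"]] += 1
        elif failures[ev["ip"]] >= threshold:
            hits.append({"ip": ev["ip"], "user": ev["user"],
                         "failures_before": failures[ev["ip"]], "ts": ev["ts"]})
    return hits


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip, info in summarize_by_source(events).items():
        print(ip, info)
    print("suspicious:", brute_force_then_success(events))
```

Running it shows 203.0.113.45 with three failures against root and admin followed by an accepted root login, which is exactly the pattern the Elastic rule is meant to raise, while the single failure from 198.51.100.7 stays below the threshold.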
Creating visualizations for my dashboard.
Implementing osTicket into the Elastic environment. Alerts from Elastic should be automatically forwarded to my osTicket logs. I create an API key in osTicket and direct it to my ELK server's private address.
Next, I create a webhook in Elastic to enable log forwarding from the ELK server. The webhook's body was copied from the osTicket GitHub repository here https://github.com/osTicket/osTicket/blob/develop/setup/doc/api/tickets.md.
I then test the functionality of the newly created webhook. Configurations were made to my osTicket server's private IP address. Initially, I had to troubleshoot connectivity issues via the network adapter settings. You can finally see the Elastic log appear in the osTicket environment.
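To see what the Elastic-to-osTicket forwarding actually sends, here is an added example (not code from this write-up, from Elastic or from osTicket) that builds the ticket body from an alert and POSTs it to osTicket's ticket API with the X-API-Key header. The field names follow setup/doc/api/tickets.md in the osTicket repository; the server address, API key, submitter e-mail, the shape of the alert dictionary and the severity-to-priority mapping are all assumptions for this example.

```python
import json
import urllib.request

# Placeholders for this example: the write-up gives no real host, key or e-mail address.
OSTICKET_API_URL = "http://192.0.2.10/api/tickets.json"      # osTicket server's private address (assumed)
OSTICKET_API_KEY = "REPLACE_WITH_OSTICKET_API_KEY"           # key generated in osTicket's Admin Panel

# Assumed mapping from Elastic rule severity to osTicket priority ids
# (1 Low, 2 Normal, 3 High, 4 Emergency on a default osTicket install).
PRIORITY_BY_SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample alert, shaped like the fields an Elastic webhook connector would substitute in.
SAMPLE_ALERT = {
    "rule_name": "SSH brute force followed by success",
    "severity": "high",
    "timestamp": "2024-03-04T10:16:10Z",
    "host": "ssh-lab",
    "user": "root",
    "source_ip": "203.0.113.45",
    "failed_attempts": 3,
}


def build_ticket_from_alert(alert):
    """Turn one Elastic alert into the JSON body osTicket's ticket API expects.

    Per the osTicket API doc only name, email, subject and message are required;
    alert/autorespond/source/ip/priority are the optional fields used here.
    """
    severity = str(alert.get("severity", "medium")).lower()
    details = "\n".join(f"{k}: {v}" for k, v in sorted(alert.items()))
    return {
        "alert": True,             # notify agents of the new ticket
        "autorespond": False,      # no auto-reply to the (machine) submitter
        "source": "API",
        "name": "Elastic SIEM",
        "email": "elastic@lab.invalid",   # assumed submitter address
        "subject": f"[{severity.upper()}] {alert.get('rule_name', 'Elastic alert')}",
        "message": f"Elastic alert fired at {alert.get('timestamp', 'unknown time')}\n\n{details}",
        "ip": alert.get("source_ip", ""),
        "priority": PRIORITY_BY_SEVERITY.get(severity, 2),
    }


def send_ticket(body, url=OSTICKET_API_URL, api_key=OSTICKET_API_KEY, opener=urllib.request.urlopen):
    """POST the ticket to osTicket and return (http_status, response_text).

    osTicket answers 201 Created with the new ticket number as the body; a
    wrong key or unreachable private address surfaces as an HTTPError/URLError.
    `opener` is injectable so the request can be exercised without a live server.
    """
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json", "X-API-Key": api_key},
        method="POST",
    )
    with opener(req) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    ticket = build_ticket_from_alert(SAMPLE_ALERT)
    print(json.dumps(ticket, indent=2))
    # Uncomment once OSTICKET_API_URL and OSTICKET_API_KEY point at a real server:
    # print(send_ticket(ticket))
```

Because osTicket only accepts API requests from the IP address registered with the key, the `ip` field in the body describes the alert's source host, while the connection itself must still come from the ELK server's address that the key was issued for; the connectivity troubleshooting described above is usually that check failing.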
Lastly, I wanted to implement an EDR for my endpoints. Elastic offers a built-in EDR, so I set one up for my Windows server machine.