Hello, everybody. Welcome back to the continuation of the Open SOC CTF tools. Our next speaker, Tim.Zero, aka TJ, aka Tim Johnson, will be giving us a walkthrough of the Kibana tool. This product is near and dear to my heart, being an Elastic engineer, and hopefully everybody enjoys it. If you have questions, hit us up in the text Workshop Track One channel again. We will try to redirect you as best as possible. There's also the Recon InfoSec Discord channel that you can go into. There is actually a section that unfortunately I didn't write down, Tim, but "ask for help," I think. Yeah, you can ask for help from other Open SOC veterans. Yeah, so definitely take advantage of the Discord channels that are out there so you can get more directed help. At this point, I'm going to turn it over to TJ and sit back and relax.

Hey, how's it going, everybody? We're very excited about Open SOC this year. We've got new scenarios, got some new tools for you to use, and we've got some tools that you already know about. But for those of you who are attending DEF CON for the first time or participating in Open SOC for the first time, we're going to get you familiar with those tools and show you what kind of weapons you have in your arsenal. Like you said, my name is TJ, aka Tim.zero on Twitter. You can hit us up anytime. We'll retweet you, we'll talk to you, we'll get in our Discord and we'll try to help you out, try to make you better hunters. But without further ado, we're going to jump into some Kibana.

So right when you log into Kibana, you're going to actually see this screen here. And it's no different than if you've used Graylog before or other tools like this. It's a UI for your Elasticsearch database on the back end, and it helps you visualize your Elasticsearch data. And here you'll be able to create indexes to filter out and look through all of your agents pushing logs to your Logstash server. And that's just a little background.
I won't teach you about the tool, because I don't work for Elastic, but I do love this tool. So first off, I like to tell everybody the disclaimer: do not ever forget your time frame. You've got to pay attention to the time filter. You're going to get intel drops, you're going to get information saying that a particular event happened at a particular time, and you've got to make sure that you're looking for events during that time. So right up here in the right corner, you're going to see your time filter; by default, it'll open up and load as "Last 15 minutes." And if you click that right there, it'll actually provide you by default some of the quick options: hey, I just want to look at the last week; hey, I just want to look at the last month; oh, this happened in the last 30 minutes. Obviously, because we're hunting on a non-live environment, we want to look pretty specific, right? So you're going to go in here and you can pick your time and your date here. And the cool thing about it, if you notice, when I clicked a date, it zeroes out the start time. And if you click another date, it pulls it down to 23:59, where it's the end of the day. That's a very useful tool there, because you're going to be looking at a lot of different time frames and we want to make sure that you're getting the right data. So pay attention to your time frame, because you don't want to hunt in the wrong place. Also, you'll go back and forth in between your hunts into different time frames, and this will actually show you some of the last ones you picked. So it makes it a lot easier on you to jump between one time frame and another. But we'll keep pushing.

One of the things I like about Kibana is for the not-so-seasoned hunter, right? When I first started, Kibana was a great tool for me to try to learn and understand, because you get to understand based on the data that you're given. You're looking at all your logs right here. So in the last 15 minutes, I'm looking at 131,000 logs.
So I usually just start off by looking at some of the stuff that I'm seeing here, but you'll notice that you're getting logs from different sources. So here we've got this type here showing that it's a log, but you might also filter that out and say, what other type of logs do I have here? You open that up, and you can see I use this little magnifying glass. As you filter, or as you hover over some of these fields here, you can go and add and say, I want to filter for that value, and I want to take out that value. And you'll see that that value for the log type is actually filtered out, and now I'm only seeing syslogs. So, if you would, I like to call this the point-and-click hunt method. You can actually go through here and be like, well, I don't want to see dest port 3306, and take it out. And as you do that, you'll see your filters just pile up here. And if you want to, you can actually go and start adding your own filters from scratch. So you might have a range of IPs or a specific IP that you know is just a distractor, or maybe just noise, or for your specific hunt you don't want to see that traffic. So you can go in here and select that IP and say, I don't want to see anything from that IP address. And you'll see my events drop, because it took them out.

Also, columns. Looking at this view here, you can see that right now all I see is the time and the source. But what if you want to see in a single view the source IP, or maybe the dest IP? You can actually go through, and here are all your columns that you could create based off of the fields in each of these logs. Another thing you can do is, if you open up a log and you say, well, there's my dest IP there, you see the small icon here that looks like a column. If you click that there, it automatically throws it up into the dest IP column on this table. So now, as you start narrowing down your hunts, you see the data that's pertinent to you.
I'm looking for this specific actor talking to this specific network resource, because it shouldn't be happening. Because the ultimate goal here, right, when you're hunting, is to make this number as small as possible in your searches, because you know for a fact that that's activity that should not be happening. Now, obviously, as you go, you're going to see some traffic that you need to deconflict and say, well, that is legit traffic and I don't want to see it. That's when I recommend building those filters. So as you go through, make sure you create filters for things that you don't find necessary in your searches.

Moving on here, we're going to talk about how to query in Kibana. So Kibana uses the Lucene query language. If you're not familiar with it, there's lots of data out there on it. But the primary information you need to know about it is the operators that it uses. So, for example, let's say there's two specific IP addresses that you care about, and we'll look at these two here. So you want to know when and if these two machines here were talking. So what you can do is say source_ip (this nervous click there), source IP is that, and specify that it has to match that operator. So you're saying it has to match this IP here; otherwise, you don't want to see it. So you're saying those devices have never talked to each other in the last 15 minutes. Now, what if you say, well, I just want to know when this IP has talked to anybody, and when anybody's talked to this IP, either/or? So that's when you just change that AND to an OR operator. And now you're going to see that IP as the source, and somewhere down the line you'll see the other IP as the dest in a lot of the traffic. So you just have to pay attention to some of your syntax. Again, there's a few things you want to consider. Lucene does use regex. So what you might do is, maybe there's a file called evil file that you know about.
You had an intel drop and they say, hey, I need to go find I know they I know they clicked on a document and someone executed evil file. So how would you search for that? Right? Well, in Kibana, you can actually say, well, I just want to see anything called evil file. Okay, that's in the last 15 minutes, maybe the last 24 hours. Oh, nothing. Okay. So what if I want to use regex? Well, because evil might be capitalized or file might be capitalized. So what you would do here and you specify here that you're throwing in some regex and then here wildcard here wildcard and then do your search. Now the problem is there is no evil file. So. But what if you wanted everything in the last hour with the word file? Okay. So now if you pull down here, it's referencing file beat and mostly you're going to see file beat because that is the agent that's pushing these logs to you. Okay, well, let's take out file beat because I know that's my agent. I don't need to look at that. So I go and filter that out. The negative sign magnifying glass. So now is there anything else referencing file? Program files. Oh, I didn't specify that I wanted it to end in file that wasn't plural. So that's some of the things you got to pay attention to. If you're really good with regular expressions, that can be helpful. Also, you can come in and specify that because right now I just said lowercase to F, right? But what if you want to tell in regex, it could be also uppercase F. And as you notice, I'm getting pretty specific with the regex and already my events in the last hour have dropped down to 12,000. And our goal at the end of the day is to make our events as little as possible so you can start narrowing down the bad. All right, so another useful tool. So sometimes you're going to come across logs that don't have the data that you're looking for. For example, I see desk IP with the empty field here. Sometimes you can see message fields with the empty field. 
Sometimes you're going to see file paths with the empty field. Sometimes that's something worth looking at. But sometimes you're like, I really need to know the file path; I really need to know the dest IP. So we'll use dest IP as the example here. So I'll pick a source IP. What I'm saying here is I want to know when this system talks to anybody, because if I just search that there, I will still see this log with no destination IP. But I want something with some data. So what I'll do here is an exists operator. And now I'm saying I want to know when that IP is the source and the dest IP has content in the field. So let me update that. So what does that tell me? That tells me that system never talked to anybody, or there's no log of that system talking to anybody in the last hour. We can go back a week and let's see if we find anything. Nope. So that might be worth looking into, because you've now got a log of this file, or this system, excuse me, talking, but what is it doing? So that might be worth investigating, obviously if intel provides that kind of content. But let's push here. Let's talk about what else you could search.

So important artifacts, right? Hashes, imphashes. The way that... and I forgot to tell you this at the beginning, but Kibana is actually showing you the same data that Graylog is showing you. As you can see by the index here, there's one single index, whereas on other instances of your ELK stack you might see multiple index patterns that are saying that I'm getting logs from multiple different sources. But for the Open SOC range, this tool is actually pointing to the same data that Graylog is pointing to. So, disclaimer: if you use Graylog, if you use Kibana, you can choose what you feel more comfortable with, what's more useful to you, what you find easier to use, but they're both showing the same data.
But I will say the way that Graylog is parsing this data is different than how Kibana is getting this data parsed in. So you have to consider, if you're looking for an imphash, there's a possibility there's a field for it in Graylog, and there's a possibility that there's not a field for it here, but they do exist. So why are imphashes important? Well, let's find out. So what I'm doing here is I'm actually just looking for any imphash, and finding out what field that data is in, because there is no imphash field. So I've got a few hits on it. Right now, no source and destination IPs, but let's go ahead and expand a log and see what we're looking at. So we've got a driver called agent.exe and remote IPs, and we've got an imphash for this file. Now, if you deem this file to be bad at any point, then you've now got the imphash for it, and you can find every execution of it. So that's another quick artifact, but all I did was search the word "imphash," and I found all the logs that have imphashes associated with them. Now you're going to have to do some more digging and filtering, because obviously you're going to find a file with an imphash that could be legit. So just something to consider. That's just a plain-text query there.

Also, more basic: if you're looking for event IDs, everybody knows what a 4624 is, and if you don't, get your event IDs out; Google a sheet of the top event IDs to keep an eye on. Microsoft has a sheet on severity levels. That's important to look at. But if you look here, I just looked for all the 4624s for this week, and I'm now looking at all the logons, successful logons. You've got security IDs, and something I failed to mention: you want to pay attention to the message column here.
So what I like to do is keep the... I'm going to pull this out here, go down to the message field, and actually filter for that column, because now I can just scroll down and start looking through and saying, hey, this is some stuff, but I don't care about S1000. I don't care about that. So let's see how we can filter that out. So NOT, excuse me, AND NOT, there we go. I just took out all the S1000s, and now I can start seeing some other security IDs that have logged in. And if you want, you can go down and start narrowing down the system names. There's your host names there. And you can say, I don't care about ACC1; that guy's a good guy. Let me keep moving. But I do care about, let's maybe say, who we got here? Under host name. That's ACC101 again. But you get the drift, right? I'll filter out for ACC; that was the username, but same difference. So I've now filtered out ACC1. I said I want to see 4624s, but I don't care about S1000. That's how you would do that there.

You can get a little bit more complex here and start looking at data paths and file paths and image path names. So let's look at... let me pull this out here, flip to a new one. And I want to see, let's just look at Sysmon here. Let's just look at Beats logs. So I'm going to say, I want to see, here we go. Something to keep in mind: Beats, right? Beats are the agents that are actually shipping the logs to your Logstash. Now keep in mind, Winlogbeat: Windows event logs, Security, Application, then you've got your PowerShell logs. Everybody knows PowerShell is always good, but you might want to look at it anyway. Hint, hint. So what I'm going to do here is go ahead and filter and say, I just want to see Winlogbeat logs. And then I want to search for a specific event ID. Or, you know, better yet, let's see if we can start filtering for different file paths. So let's find the file path field. Here we go. Very minimal logs, right, where the file path exists. So here's the file path.
I've got users, I've got folders here, but I want to just know what this user here might have looked at, or what files this user has actually executed or created, right? So let's say I want to filter by file create. So I go here, and I can either say in a specific path, or I can say a specific user, but I want to know when anything, let's say, got created in this AppData path here. So I'm going to do a regex here: say anything, close my regex, anything. And then, because it's regex, you've got to escape your characters, and we'll take that out for simplicity. There we go. That's a hefty one there. But I'm down to 32 events in the last 15 minutes, right? That, right there, is I've now narrowed down every time a file was created by Claudia Davis, or maybe not by Claudia Davis, just in her path, in the AppData path. And what's in AppData? A Temp folder. So keep that in mind; keep going.

So something else you can do. If you come across a query like this hefty one here, and maybe sometimes, oh, I want to just swap out the user and use that search over again, you could just copy and paste it to a text file, or you can get real fancy with it and go and start saving some of your searches. And so "Claudia Davis file create," right? So you confirm that. And at any given time, when you start opening up a fresh Kibana page, you can go in and say, where's my search? Oh, there we go: Claudia Davis. Because now I want to look at James Brown, or I want to look at Kanye West. So that's some of the things you want to start doing as you go, because you're going to use these queries over again. If not, you're going to use the shell of it for a different file path, for a different user. And that's something that might be useful for you down the line.

Now, there's some other stuff you can do with visualizations. So you can actually pull in the visualization, add a saved search as a visualization, or you can create your own. A lot of times I like to create tables and look at time frames.
They're real good for looking at live data, but you can also look over a span of time and say, hey, I want to see how many times this system has used SMB, or I want to see how many times quad 4 protocol was used. And then you can actually just have it on the table, throw it in a visualization, and pop it up anytime you want to start. Just keep in mind, like, hey, this came across during this time frame that I'm already inspecting. And then you can use that. And I'll just show you a quick one here, because you can get pretty caught up in it. Yeah, we're going to do the count here, aggregated on a term. In the field we're going to add, let's say, IP source, excuse me, source IP. There it is. And we're going to say you want to see the top five. You can call that "source." You can label it whatever you want. Hit play. There you go. So what this is showing here is just the log counts for each of these sources here. So that's a super quick way to start seeing, in this time frame, who was talking the most. Is that data exfil? Is that port scanning? That's some of the stuff you want to start paying attention to: look at the count of the logs. That's a low-level hunt that you can do. But you can go in and you can use the same concept and throw in protocols. You can make a bar graph out of it. You can make a pie graph out of it. But I like to use them more for live hunts. But for this exercise, you're probably going to spend most of your time in Discover.

I think I kind of gave you the low-level, or high-level rather, rundown of everything. I don't want to take up more of your time. You've got a lot of tools to learn today. And there's a lot of time you can go spend playing with Kibana. There's a couple of videos out there that you can do. I can give you all some resources if you just hit me up in the Open SOC Discord channel. We've got a Kibana channel. And then also there's some more advanced Kibana users out there.
I'm definitely not the know-all, but I've seen my way around it. But we've got the ask-for-help channel over in the Open SOC Discord, willing to answer any questions. A lot of the Open SOC veterans that have played Open SOC before have used Kibana before. They've got some tips and tricks, and they can get you sorted out. So thank you for your time today. If you need anything, again, just hit us up on the Discord and we'll talk soon.

Thanks a lot, TJ. It was a great talk. As he pointed out, check out the Recon InfoSec Discord channel. If you're looking for Open SOC questions, they're over there to assist you as needed. I appreciate it. Thanks again.
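The searches walked through in the talk (the time picker, two IPs joined with AND versus OR, requiring the dest IP field to exist, a case-insensitive regex on a file path, event ID 4624 with one Security ID taken out by NOT, and the top-five source IP table) translated into the Elasticsearch query DSL that Kibana builds from its search bar and filters, with a small offline evaluator so each query can be checked against constructed events. This is an added example and not code from the talk, from Elastic or from the Open SOC range; the field names source_ip, dest_ip, event_id, host, message, file_path and @timestamp, and the sample events, are assumptions rather than the Open SOC index schema.

```python
"""Kibana Discover searches as Elasticsearch query DSL, plus an offline evaluator.

Added example; field names and sample events are assumptions, not the Open SOC schema.
"""
import re
from collections import Counter

# Constructed sample events standing in for documents in the index.
EVENTS = [
    {"@timestamp": "2020-08-07T10:01:00Z", "source_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "message": "smb session"},
    {"@timestamp": "2020-08-07T10:02:00Z", "source_ip": "10.0.0.5", "message": "heartbeat"},  # no dest_ip
    {"@timestamp": "2020-08-07T10:03:00Z", "source_ip": "10.0.0.9", "dest_ip": "10.0.0.5", "message": "smb reply"},
    {"@timestamp": "2020-08-06T09:00:00Z", "source_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "message": "smb session"},
    {"@timestamp": "2020-08-07T10:04:00Z", "event_id": 4624, "host": "ACC1",
     "message": "An account was successfully logged on. Security ID: S-1-5-18"},
    {"@timestamp": "2020-08-07T10:05:00Z", "event_id": 4624, "host": "ACC101",
     "message": "An account was successfully logged on. Security ID: S-1-5-21-1004"},
    {"@timestamp": "2020-08-07T10:06:00Z", "event_id": 11,
     "file_path": r"C:\Users\cdavis\AppData\Local\Temp\EvilFile.exe"},
    {"@timestamp": "2020-08-07T10:07:00Z", "event_id": 11,
     "file_path": r"C:\Program Files\app\files.dll"},
]

def time_range(start, end):
    """The time picker: an absolute window becomes a range clause on @timestamp."""
    return {"range": {"@timestamp": {"gte": start, "lte": end}}}

# One hunting day, 00:00:00 to 23:59:59, as the picker sets it when you click two dates.
DAY = time_range("2020-08-07T00:00:00Z", "2020-08-07T23:59:59Z")

def talking_to(src, dst):
    """Lucene `source_ip:SRC AND dest_ip:DST`: both terms land in bool.must."""
    return {"bool": {"must": [{"term": {"source_ip": src}}, {"term": {"dest_ip": dst}}]}}

def either_side(src, dst):
    """Lucene `source_ip:SRC OR dest_ip:DST`: bool.should, at least one clause required."""
    return {"bool": {"should": [{"term": {"source_ip": src}}, {"term": {"dest_ip": dst}}],
                     "minimum_should_match": 1}}

def source_with_dest(src):
    """Lucene `source_ip:SRC AND _exists_:dest_ip`: drops hits whose dest_ip is empty."""
    return {"bool": {"must": [{"term": {"source_ip": src}}, {"exists": {"field": "dest_ip"}}]}}

def path_regex(pattern):
    """Lucene `file_path:/PATTERN/`. Lucene regexps are case-sensitive and must match the
    whole value, so cover case with classes like [eE] and wrap in .* for 'contains'."""
    return {"regexp": {"file_path": pattern}}

def logons_excluding(sid):
    """Lucene `event_id:4624 AND NOT message:/.*SID.*/`: the NOT goes to bool.must_not."""
    return {"bool": {"must": [{"term": {"event_id": 4624}}],
                     "must_not": [{"regexp": {"message": f".*{sid}.*"}}]}}

def discover_body(query, window):
    """What Discover sends: search-bar query in bool.must, time picker in bool.filter."""
    return {"query": {"bool": {"must": [query], "filter": [window]}}}

def matches(clause, event):
    """Evaluate the DSL subset above against one document. Every field is treated as a
    keyword (whole value); on analysed text fields Elasticsearch applies regexp per token."""
    (kind, body), = clause.items()
    if kind == "bool":
        required = body.get("must", []) + body.get("filter", [])
        if not all(matches(c, event) for c in required):
            return False
        if any(matches(c, event) for c in body.get("must_not", [])):
            return False
        should = body.get("should", [])
        return not should or any(matches(c, event) for c in should)
    if kind == "term":
        (field, value), = body.items()
        return event.get(field) == value
    if kind == "exists":
        return event.get(body["field"]) not in (None, "")
    if kind == "regexp":
        (field, pattern), = body.items()
        value = event.get(field)
        return isinstance(value, str) and re.fullmatch(pattern, value) is not None
    if kind == "range":
        (field, bounds), = body.items()
        value = event.get(field)
        return value is not None and bounds["gte"] <= value <= bounds["lte"]
    raise ValueError(f"unsupported clause: {kind}")

def search(query, window=DAY):
    """Hits Discover would list for the query inside the chosen time window."""
    body = discover_body(query, window)
    return [e for e in EVENTS if matches(body["query"], e)]

def top_sources(window=DAY, size=5):
    """The terms-aggregation table: event counts per source_ip, largest first."""
    agg = {"size": 0, "aggs": {"top_sources": {"terms": {"field": "source_ip", "size": size}}}}
    counts = Counter(e["source_ip"] for e in EVENTS if "source_ip" in e and matches(window, e))
    return agg, counts.most_common(size)

if __name__ == "__main__":
    print(len(search(talking_to("10.0.0.5", "10.0.0.9"))), "hit(s) with AND")
    print(len(search(either_side("10.0.0.5", "10.0.0.9"))), "hit(s) with OR")
    print(len(search(source_with_dest("10.0.0.5"))), "hit(s) once dest_ip must exist")
    print(top_sources()[1])
```

Two of the talk's gotchas fall out of the evaluator: the event from the day before never appears because the time window sits in bool.filter, and the heartbeat log with no dest_ip is listed by a plain source_ip search but dropped once the exists clause is added. The regexp helper also shows why a lowercase pattern finds nothing against EvilFile.exe: Lucene regexps are case-sensitive and anchored, which is what the [eE] classes and the surrounding .* are for.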