JPCERTCC / DetectLM

DetectLM

Detecting Lateral Movement with Machine Learning.
DetectLM is proof-of-concept code that analyzes commands executed via cmd.exe and detects malicious ones with machine learning.

DetectLM Architecture

  • DetectLM.py: Runs on the server. Detects malicious Windows command execution using machine learning and a blacklist.
  • Invoke-DetectLM.ps1: Runs on the client. Sends the logs to Elasticsearch, checks the analysis result and displays an alert message.
  • cmdlogs.bat: Collects commands executed via cmd.exe.

Requirements

Each tool requires the following modules:

for Server

for Client

  • PowerShell v3 or later

Supported Client OS

  • Windows 8.1
  • Windows 10

Usage

for Server

  1. Download and install Elasticsearch.
  2. Download and install Kibana.
  3. Start Elasticsearch and Kibana.
  4. Download DetectLM from GitHub.
git clone https://github.com/JPCERTCC/DetectLM.git
  5. Add your Elasticsearch IP address to DetectLM/server/config/config.ini.
els_server      = localhost
  6. Add the mapping to Elasticsearch.
$ python DetectLM.py -m
  7. Create a cron job for DetectLM.py.
    For example
*/15 * * * * python3.6 [Folder Name]/DetectLM.py

for Client

  1. Download client/cmdlogs.bat and client/Invoke-DetectLM.ps1.
  2. Register cmdlogs.bat as the Command Processor AutoRun value, which cmd.exe runs automatically every time it starts.
> reg add "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /v AutoRun /d [Downloaded Folder Name]\cmdlogs.bat

or

> reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor" /v AutoRun /d [Downloaded Folder Name]\cmdlogs.bat
    The HKEY_CURRENT_USER value applies only to the current user; the HKEY_LOCAL_MACHINE value requires administrator rights and applies to every user on the machine. The AutoRun value is also a well-known persistence location, so endpoint security tooling may flag this change.
  3. Create a scheduled task for Invoke-DetectLM.ps1.
> powershell -exec bypass .\Invoke-DetectLM.ps1 -ehost [Elasticsearch Server]

How to Check Logs

Executed command logs can be checked in Kibana.
AlertLevel 1 marks commands flagged as malicious by machine learning; AlertLevel 2 marks commands the user has reported as not theirs (see AlertLevel below).

Kibana GUI

AlertLevel

Each log entry carries one of three alert levels:

  • 2 : Reported as an error by the user, i.e. a command the user says they did not run
  • 1 : Detected as malicious by machine learning
  • 0 : No alert (default)

Ignore Flag

An ignore flag is automatically added to any command executed by the user.
When machine learning detects malicious Windows command execution, a notification is sent to the client.
The user can also set an ignore flag on a specific command execution when prompted by the client tool.
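The following Python is an added example, not DetectLM's own code, to make the flow described in the Architecture, AlertLevel and Ignore Flag sections concrete: a server-side pass that applies a blacklist and then a classifier to the logged cmd.exe command line and assigns AlertLevel 0 or 1, followed by the client-side transitions to AlertLevel 2 (user reported the command) or to the ignore flag (user confirmed it). The blacklist patterns, the token normalization, the Naive Bayes model, the decision to score a blacklist hit as AlertLevel 1, and every command line and log record are constructed assumptions; the page does not show DetectLM's real features or model.

```python
"""Added example, not DetectLM's own code. It follows the flow the page describes
(blacklist check, then a classifier over the cmd.exe command line) and the
client-side moves between AlertLevel 0/1/2 and the ignore flag. The blacklist,
token normalisation, Naive Bayes model and all command lines are constructed."""
import math
import re
from collections import Counter
ALERT_NONE, ALERT_ML, ALERT_USER = 0, 1, 2  # the three AlertLevel values

# Constructed blacklist: cmd.exe invocations commonly tied to lateral movement.
BLACKLIST = [
    re.compile(r"\bpsexec(?:\.exe)?\b", re.I),
    re.compile(r"\bwmic\b.*?/node:", re.I),
    re.compile(r"\bnet\s+use\s+\\\\", re.I),
]
# Constructed training set: (command line, label) with label 1 = malicious.
TRAINING = [
    (r"dir c:\users\alice\documents", 0),
    (r"cd c:\projects", 0),
    (r"type c:\projects\readme.txt", 0),
    (r"ping 10.0.0.5", 0),
    (r"copy c:\a.txt c:\b.txt", 0),
    (r"echo hello", 0),
    (r"net use \\10.0.0.7\ipc$ /user:corp\admin *", 1),
    (r"wmic /node:10.0.0.7 process call create cmd.exe", 1),
    (r"psexec \\10.0.0.7 -s cmd.exe", 1),
    (r"net view \\10.0.0.7", 1),
    (r"copy c:\tmp\a.exe \\10.0.0.7\c$\windows\temp", 1),
    (r"tasklist /s 10.0.0.7 /u corp\svc", 1),
]
PLACEHOLDERS = [  # (pattern, placeholder) tried against each whitespace-split token
    (re.compile(r"\\\\\S*"), "<unc>"),
    (re.compile(r"\d{1,3}(?:\.\d{1,3}){3}"), "<ip>"),
    (re.compile(r"[a-z]:\\\S*"), "<path>"),
]

def tokenize(cmdline):
    """Lower-case, split on whitespace and collapse hosts, IPs and paths to
    placeholders so the model learns a command's shape, not its target."""
    return [next((ph for rx, ph in PLACEHOLDERS if rx.fullmatch(tok)), tok)
            for tok in cmdline.lower().split()]

class NaiveBayes:
    def __init__(self, samples):
        # Add-one smoothed Naive Bayes; each token is counted once per command.
        self.docs = Counter()
        self.tokens = {0: Counter(), 1: Counter()}
        for cmd, label in samples:
            self.docs[label] += 1
            self.tokens[label].update(set(tokenize(cmd)))
        self.vocab = set(self.tokens[0]) | set(self.tokens[1])

    def prob_malicious(self, cmdline):
        toks, logp = set(tokenize(cmdline)), {}
        for label in (0, 1):
            lp = math.log(self.docs[label] / sum(self.docs.values()))
            denom = sum(self.tokens[label].values()) + len(self.vocab)
            for t in toks:  # tokens never seen in training get the smoothed 1/denom
                lp += math.log((self.tokens[label][t] + 1) / denom)
            logp[label] = lp
        m = max(logp.values())  # log-sum-exp: normalise log-scores to a probability
        return math.exp(logp[1] - m) / sum(math.exp(v - m) for v in logp.values())

def analyze(record, model, blacklist=BLACKLIST, threshold=0.5):
    """Server side: set AlertLevel on one log record (a dict with 'CommandLine').
    Scoring a blacklist hit as AlertLevel 1 is an assumption of this example."""
    if record.setdefault("IgnoreFlag", False):
        record["AlertLevel"], record["Reason"] = ALERT_NONE, "ignored by user"
        return record
    cmd = record["CommandLine"]
    if any(p.search(cmd) for p in blacklist):
        record["AlertLevel"], record["Reason"] = ALERT_ML, "blacklist"
        return record
    record["Score"] = round(model.prob_malicious(cmd), 3)
    hit = record["Score"] >= threshold
    record["AlertLevel"], record["Reason"] = (ALERT_ML, "machine learning") if hit else (ALERT_NONE, "")
    return record

def user_reported(record):
    """Client side: the user says the command is not theirs -> AlertLevel 2."""
    record["AlertLevel"] = ALERT_USER
    return record

def user_ignored(record):
    """Client side: the user confirms the command -> ignore flag set, no alert."""
    record["IgnoreFlag"], record["AlertLevel"] = True, ALERT_NONE
    return record

# Constructed records in the shape a client might ship to Elasticsearch.
SAMPLE_LOGS = [
    {"Host": "ws01", "CommandLine": r"dir c:\users\alice"},
    {"Host": "ws01", "CommandLine": r"psexec \\10.0.0.9 -s cmd.exe"},
    {"Host": "ws02", "CommandLine": r"net view \\fileserver01"},
    {"Host": "ws02", "CommandLine": r"tasklist /s 10.0.0.9 /u corp\admin"},
]

def run(logs=SAMPLE_LOGS, model=None):
    model = NaiveBayes(TRAINING) if model is None else model
    return [analyze(dict(r), model) for r in logs]  # copy so the inputs stay intact
```

Running `run()` scores the four constructed records: the `dir` command stays at AlertLevel 0, the `psexec` line is caught by the blacklist, and the `net view` and `tasklist /s` lines are caught only by the classifier because the placeholders let it match the shape of the training commands even though the target host differs. A record that has gone through `user_ignored` is left at AlertLevel 0 on any later `analyze` pass.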

Alert example

Dashboard

Logs are visualized with a Kibana dashboard.
An example dashboard is in kibana_objects; import it via Management -> Saved Objects -> Import.

Kibana dashboard

Known Issues

  • This tool supports Windows commands executed via cmd.exe. Commands executed via PowerShell are neither logged nor monitored.
  • The client tool has an issue handling command lines that include "/c" or "/k".
  • Because cmdlogs.bat is launched through the AutoRun registry value, cmd.exe started with the /d switch (which disables AutoRun processing) is not logged.