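# Install the Sysmon-for-Linux ingest pipelines on the Security Onion manager
# (the /opt/so/... path and so-elasticsearch-restart are manager-side tools).
# NOTE(review): this clones an unpinned branch head; pin to a reviewed tag or
# commit (git clone --branch <REVIEWED_TAG> ...) before using this unattended.
git clone https://github.com/bryant-treacle/Sysmon_for_linux || exit 1
# Stop here if the clone did not produce the directory, so the copies below
# cannot silently run against whatever the current directory happens to be.
cd Sysmon_for_linux || exit 1

# Pipeline definitions picked up by the elasticsearch Salt state.
sudo cp -- beats.common linux_sysmon /opt/so/saltstack/local/salt/elasticsearch/files/ingest/

# Restart Elasticsearch so the new ingest pipelines are loaded.
sudo so-elasticsearch-restart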
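# Install Sysmon for Linux from Microsoft's package repository on the Linux
# host to be monitored (presumably a different machine from the Security
# Onion manager used above — confirm).
release=$(lsb_release -rs) || exit 1
# Quote the URL: an unquoted $(...) is word-split and glob-expanded.
wget -q "https://packages.microsoft.com/config/ubuntu/${release}/packages-microsoft-prod.deb" \
  -O packages-microsoft-prod.deb || exit 1
# NOTE(review): the downloaded .deb (Microsoft's apt repository/keyring setup)
# is installed as root straight from the download; verify it against
# Microsoft's published checksum/signature before dpkg -i if this runs
# unattended.
sudo dpkg -i packages-microsoft-prod.deb || exit 1
sudo apt-get update
sudo apt-get install sysinternalsebpf
sudo apt-get install sysmonforlinux

# Fetch the repository's Sysmon configuration and register it with sysmon.
# NOTE(review): unpinned clone; pin to a reviewed tag or commit for automation.
git clone https://github.com/bryant-treacle/Sysmon_for_linux || exit 1
cd Sysmon_for_linux || exit 1
# NOTE(review): /bin is an unusual location for a config file; the path is
# kept as the author wrote it, but /etc would be the conventional home.
sudo cp -- sysmon-4-linux-config.xml /bin
# -i installs sysmon with the given config; -accepteula skips the EULA prompt.
sudo sysmon -i /bin/sysmon-4-linux-config.xml -accepteula
# Show the resulting service state.
sudo systemctl status sysmon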
Before installing Filebeat on the Linux server, run the so-allow command to allow Beats endpoints to connect.
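# Install the Filebeat OSS package (assumed to have been downloaded into the
# current directory — confirm) and drop in the repository's filebeat.yml.
sudo dpkg -i filebeat-oss-* || exit 1
# /etc/filebeat is root-owned, so the copy needs sudo like the other steps;
# without it the cp fails with "Permission denied" for a regular user.
sudo cp -- filebeat.yml /etc/filebeat/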
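# filebeat.yml: read syslog (where the Sysmon for Linux events are expected
# to land — confirm on the host), decode the embedded Windows-event-log-style
# XML into winlog.*, and ship to Logstash on the Security Onion manager.
filebeat.inputs:
  # filebeat.inputs must be a list; the original snippet had lost the "- ".
  - paths:
      - /var/log/syslog*

# The original "output.logstash" was missing its trailing colon.
output.logstash:
  hosts: ["MANAGER_NODES_IP_HERE:5044"]

processors:
  # The processor is named decode_xml_wineventlog (original had a typo,
  # "decpde_", which Filebeat would reject as an unknown processor).
  - decode_xml_wineventlog:
      field: message
      target_field: winlog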
# Enable Filebeat at boot, start it now, then report its state.
for action in enable start status; do
  sudo systemctl "${action}" filebeat
done
To import Linux-based Sigma rules from SigmaHQ into Playbook, modify the soctopus pillar in the global.sls file.
sudo vim /opt/so/saltstack/local/pillar/global.sls
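# soctopus pillar fragment for global.sls: enable both the Windows and the
# Linux Sigma rulesets in Playbook. The flattened original parsed as three
# unrelated top-level keys; the nesting below is the intended structure.
soctopus:
  playbook:
    rulesets:
      - windows
      - linux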
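# Restart SOCtopus so it picks up the changed pillar, then pull the rules.
# Stop if the restart fails; otherwise the rule update would run against the
# old ruleset configuration.
sudo so-soctopus-restart || exit 1
sudo so-playbook-ruleupdate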
Additional Sigma rules can be found in the Sigma folder.
Sliver implant YARA signatures are located in the Yara folder. If you would like Zeek to extract ELF files and pass them to Strelka, add the following to the /opt/so/saltstack/default/salt/zeek/fileextraction_defaults.yaml file:
- application/x-executable: elf
To add local YARA rules, create a directory under /opt/so/saltstack/local/salt/strelka/rules (for example, localrules) and place your YARA rules inside it, i.e. in /opt/so/saltstack/local/salt/strelka/rules/localrules.