奇安信攻防社区-WatchAD攻防实战

WatchAD攻防实战

## WatchAD攻防实战 WatchAD是0KEE Team研发的开源域安全入侵感知系统，WatchAD收集所有域控上的事件日志和kerberos流量，通过特征匹配、Kerberos协议分析、历史行为、敏感操作和蜜罐账户等...

WatchAD攻防实战
-----------

WatchAD是0KEE Team研发的开源域安全入侵感知系统，WatchAD收集所有域控上的事件日志和kerberos流量，通过特征匹配、Kerberos协议分析、历史行为、敏感操作和蜜罐账户等方式来检测各种已知与未知威胁，功能覆盖了大部分目前的常见内网域渗透手法。目前支持的具体检测功能如下：  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-f514b0789416a947340c4c7906fabe74a9223908.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-f514b0789416a947340c4c7906fabe74a9223908.jpg)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-50a2324f917c2118423798011dd60b2a0bef551b.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-50a2324f917c2118423798011dd60b2a0bef551b.jpg)  
系统架构如下：  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-5f55a272da3a65f18debacdc705c0521331ee077.png)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-5f55a272da3a65f18debacdc705c0521331ee077.png)

WatchAD包括Server端、WatchAD agent和前Web前端，同时需要准备域环境，在域控中安装winlogbeat实现域控日志发送至WatchAD Server端进行检测，安装部署比较复杂，下面通过实战进行详细介绍。本次实战环境如下：

[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-5cede1cf983a9b7f8d303107885430145e38d91e.png)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-5cede1cf983a9b7f8d303107885430145e38d91e.png)

WatchAD Server：Centos7，192.168.159.130  
WatchAD Web ：kali，192.168.159.131  
AD域控服务器：Windows server 2008，域名：Motoo.nc，192.168.159.149  
AD域内服务器：Windows server 2012，192.168.159.154  
攻击机：kali，192.168.159.131

**0x01 WatchAD Server端安装部署**

WatchAD Server端操作系统选择CentOS7（笔者之前选择kali、ubuntu等Linux系统，踩坑无数，不建议使用），如果是虚拟机部署测试，由于需要在CentOS7中部署ES、Logstash、redis、mongodb、docker等软件，需要比较高的性能，建议虚拟机内存2G以上，CPU双核以上，否则在后续运行会出现内存报错等问题。

[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-c14446b2e5a83d85c7960a13eab9e4e24f31858e.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-c14446b2e5a83d85c7960a13eab9e4e24f31858e.jpg)

1、更新centos7系统（前提已添加yum源，国内建议用阿里云源）  
`# yum -y update`  
2、安装git命令工具  
`# yum install git –y`  
3、由于该项目需要python3环境运行，需要安装python3以及pip3  
`# yum install -y python36`  
`#yum -y install epel-release  #添加源`  
`#yum install -y python36-setuptools  #安装python tools插件`  
4、从github下载watachAD服务器端源码  
`git clone https://github.com/0Kee-Team/WatchAD.git`  
5、进入WatchAD目录，安装项目所需要的python包  
`# pip3 install -r requirements.txt`

[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-15622561bc502502b39a29000dd96111639b3183.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-15622561bc502502b39a29000dd96111639b3183.jpg)

6、安装安装docker  
`# yum -y install docker     #使用yum安装dokcer`  
`systemctl start docker.service  #启动dokcer`  
`systemctl enable docker.service  #设置为开机自启动`

7、安装docker-compose  
`# curl -L "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose       # 下载docker-compose`

`#chmod +x /usr/local/bin/docker-compose    # 添加可执行权限`

8、docker本地单机搭建watchAD测试环境  
进入WatchAD目录中，启动基础环境  
`#docker-compose up                   #将在本地启动 rabbitmq、logstash、elasticsearch、redis、mongo服务`  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-9d693fbd860173790348034fc4b14fdb3ca44826.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-9d693fbd860173790348034fc4b14fdb3ca44826.jpg)

注意，在实际测试环境中，docker-compose部署logstash组件时，经常报错，笔者将logstash进行实地部署，不采用docker部署方式，需要将WatchAD server端的docker-compose.yaml配置文件中的相关配置去除：  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-d817aaec06bd39a36b3bf74f5987e994cd7d649d.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-d817aaec06bd39a36b3bf74f5987e994cd7d649d.jpg)

9、安装logstash：  
自ELK官网下载RPM包，链接：<https://artifacts.elastic.co/downloads/logstash/logstash-6.4.1.rpm>  
`# wget https://artifacts.elastic.co/downloads/logstash/logstash-6.4.1.rpm`  
`# rpm -ivh logstash-6.4.1.rpm`

编辑  
/etc/logstash/logstash.conf，  
使其内容如下(配置文件内容复制自watchAD代码中的settings/logstash/logstash.conf)：  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-35b6bca2b14696c9060fccf6e51b34db241bf24a.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-35b6bca2b14696c9060fccf6e51b34db241bf24a.jpg)

启动logstash  
`# cd /usr/share/logstash/bin`  
`# ./logstash -f /etc/logstash/logstash.conf`

至此，整个WatchAD Server端基础环境已启动完毕。注意，需要关闭防火墙：  
`systemctl stop firewalld.service`

**0x02 部署客服端watchAD agnet**

1.客服端开启策略审核(域控制器上配置）  
我们的分析基础是所有域控的所有事件日志，所以首先需要打开域控上的安全审核选项，让域控记录所有类型的事件日志。这里以 windows server 2008为例，在 本地安全策略 -&gt; 安全设置 -&gt; 本地策略 -&gt; 审核策略，打开所有审核选项：  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-9e47e1213836100715c69aab2a64d5f93848ae82.png)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-9e47e1213836100715c69aab2a64d5f93848ae82.png)

2.安装agnet winlogbeat  
首先，打开我们提供的配置文件 {project\_home}/settings/winlogbeat/winlogbeat.yml ，修改output.logstash 的 hosts字段值为你所安装的LogstashIP和端口（默认5044）  
`# vi  ./WatchAD/settings/winlogbeat/winlogbeat.yml   #修改hosts字段中的ip地址（注意ingnore_older缩进，源码中缩进存在问题）`  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-d8bb6301029ac9c722f37600011f50cc95499960.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-d8bb6301029ac9c722f37600011f50cc95499960.jpg)

3.安装和配置winlogbeat(在域控主机上安装）  
下载对应版本的winlogbeat，建议版本为6.2，其它版本的字段可能有变动，存在不兼容的可能性。WatchAD要求下载6.2版本，其下载地址为：[https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-6.2.0-windows-x86\_64.zip](https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-6.2.0-windows-x86_64.zip)，  
解压之后，使用刚才修改的配置文件 winlogbeat.yml 替换掉原本默认的配置文件 winlogbeat.yml.

接下来按照官网的教程正常安装即可(<https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation.html>)。  
(1).把下载的winlogbeat 6.2压缩包，解压到中C:\\Program Files  
(2).将winlogbeat-&lt;version&gt;目录重命名为Winlogbeat  
(3).打开安装目录下Winlogbeat目录下的winlogbeat.yml文件，把内容都删除了，然后复制测试服务器上项目watchAD下winlogbat.yml文件覆盖该文件目录下。  
(4).以管理员身份打开PowerShell提示符  
(5).如果在系统上禁用了脚本执行，则需要为当前会话设置执行策略以允许脚本运行  
`set-executionpolicy remotesigned`

[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-6df248be98546f61afde9b1250fb6cc548315173.png)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-6df248be98546f61afde9b1250fb6cc548315173.png)  
(6).在PowerShell提示符下，运行以下命令以安装服务  
`PS C:\Users\Administrator> cd  "C:\Program Files\Winlogbeat"`  
`PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1`  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-02c5c9ae1decfc503066b96fa948ba9552a55732.png)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-02c5c9ae1decfc503066b96fa948ba9552a55732.png)  
4.启动winlogbeat  
`.\winlogbeat.exe –e -c .\winlogbeat.yml`  
出现successfully published字样，基本就成功了  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-6eb1da3777baa691d52c0366f27b3dbaa4785b5a.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-6eb1da3777baa691d52c0366f27b3dbaa4785b5a.jpg)

**0x03 初始化watchAD引擎**

1. wachchAD的帮助命令：  
    [![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-3bd063136e956e7b3fca37649e85e5dd29a1642e.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-3bd063136e956e7b3fca37649e85e5dd29a1642e.jpg)
2. 进行初始化安装  
    `python3 WatchAD.py --install -d Motoo.nc  -s 192.168.159.149  -u motoo\\administrator  -p Motoo123\!\@\#45`  
    注意，-d参数后面接域名，-s参数接域控IP地址，-u参数接域控管理员（双斜杠），-  
    参数接密码，如果密码有特殊字符，需要加上转义符。  
    正常初始化安装成功WatchAD，需要满足以下要求：  
    (1).所有存储相关的依赖都正确安装和配置  
    (2).能够访问安装时指定的LDAP Server  
    (3).supervisor正确安装可使用  
    (4).正确安装python3.6，且存在 /usr/bin/python3 软连接

3.启动watchAD  
`python3 WatchAD.py --start`  
初始化成功后，如下图：  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-97fb5715db0d5e8c8f480bb09b079cb8264cf5ef.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-97fb5715db0d5e8c8f480bb09b079cb8264cf5ef.jpg)

**0x04 部署WatchAD前端WatchAD-web**

WatchAD前端笔者采用kali系统进行部署

1. 下载WatchAD-Web源码  
    `# git clone https://github.com/0Kee-Team/WatchAD-Web.git`

2.修改配置  
修改连接数据库的配置：修改 WatchAD-web/Server/config/database\_config.py文件中的数据库配置与WatchAD一致;  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-b96c8bc5c4819ea070b370e03af9ca46cfad8801.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-b96c8bc5c4819ea070b370e03af9ca46cfad8801.jpg)  
3.进行编译  
进到下载WatchAD-Web目录，执行：docker-compose build，如果上一步的配置有修改或者代码有变动，需要重新执行此命令，下一步的docker-compose up才会对其修改生效  
4.进行安装  
执行命令：  
`docker-compose up`  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-cfc11a6bc5f5068f7e89bd254149f093720bf4c6.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-cfc11a6bc5f5068f7e89bd254149f093720bf4c6.jpg)  
启动后，就可以访问WatchAD-Web前端页面了，地址：[http://服务器ip/activity\_timeline.html](http://xn--ip-fr5c86lx7z/activity_timeline.html)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-9d3fedd364568d8c094fd457fb26667aba565502.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-9d3fedd364568d8c094fd457fb26667aba565502.jpg)

**0x05 WatchAD攻防实战**

攻击测试场景主要包括：ms17010攻击域控，dump hash，利用psexec横向移动、添加域控管理员等.  
ms17010攻击域控：  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-c7c43b194f8a02bd14497273677ab7c17da934f4.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-c7c43b194f8a02bd14497273677ab7c17da934f4.jpg)  
添加域控管理员：  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-7a3ba59157aa10263fe56185df1d1f3db542d836.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-7a3ba59157aa10263fe56185df1d1f3db542d836.jpg)  
Dump域管理员hash，利用psexec横向移动  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-a55367fd16b43c47d9374a87f88773ed96bbde5f.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-a55367fd16b43c47d9374a87f88773ed96bbde5f.jpg)  
WatchAD检测情况：

检测详情：  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-6c8ea937a1b39611e6a2138a409ca81327265a62.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-6c8ea937a1b39611e6a2138a409ca81327265a62.jpg)  
检测ms17010攻击  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-2b8548fd9017e5d9dda8954f159375ccf3e012b1.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-2b8548fd9017e5d9dda8954f159375ccf3e012b1.jpg)  
检测添加域控管理员  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-6753cdf3fdb7fb4601a70f9ff277993dba2bcfb4.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-6753cdf3fdb7fb4601a70f9ff277993dba2bcfb4.jpg)  
检测psexec横向移动  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-814e8a1ff95322fb129aca5e27e9148ed4766aca.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-814e8a1ff95322fb129aca5e27e9148ed4766aca.jpg)

最后，相比于微软ATA，ATA收费昂贵，以流量为主进行分析：  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-92c7ae35011eee382b75cd71d82dbbe10e1158b2.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-92c7ae35011eee382b75cd71d82dbbe10e1158b2.jpg)  
WatchAD检测结合了流量和日志，免费开源，并且可以在detect模块自定义检测规则，值得一试。  
[![](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-bbb4b60b635b151c6df2f60784f32c304f561ae0.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/10/attach-bbb4b60b635b151c6df2f60784f32c304f561ae0.jpg)

参考资料：  
1、 <https://www.cnblogs.com/backlion/p/13023599.html>  
2、 <https://zhuanlan.zhihu.com/p/261740456>  
3、 <https://mp.weixin.qq.com/s/7EH5jnF-rym0mI7sbGUUNg>  
4、 [https://github.com/Qianlitp/WatchAD/blob/master/README\_zh-cn.md](https://github.com/Qianlitp/WatchAD/blob/master/README_zh-cn.md)

发表于 2021-10-15 14:10:31
阅读 ( 4539 )
分类：安全工具

2 条评论

General 2022-06-10 09:32

4.启动winlogbeat .\winlogbeat.exe –e -c .\winlogbeat.yml 出现successfully published字样，基本就成功了问一下我这里启动有点问题 PS C:\Program Files\Winlogbeat> .\winlogbeat.exe -e -c .\winlogbeat.yml 2022-06-10T09:20:38.713+0800 INFO instance/beat.go:468 Home path: [C:\Program Files\Winlogbeat] Config path: [C:\Program Files\Winlogbeat] Data path: [C:\Program Files\Winlogbeat\data] Logs path: [C:\Program Files\Winlogbeat\logs] 2022-06-10T09:20:38.731+0800 INFO instance/beat.go:475 Beat UUID: 1d6869eb-9bc0-4a6d-85f5-f5759653e6ed 2022-06-10T09:20:38.733+0800 INFO instance/beat.go:213 Setup Beat: winlogbeat; Version: 6.2.0 2022-06-10T09:20:38.735+0800 WARN instance/metrics_other.go:8 Metrics not implemented for this OS. 2022-06-10T09:20:38.752+0800 INFO pipeline/module.go:76 Beat name: WIN-SRMTER94UPR 2022-06-10T09:20:38.754+0800 INFO beater/winlogbeat.go:56 State will be read from and persisted to C:\Program Files\Winlogbeat\data\.winlogbeat.yml 2022-06-10T09:20:38.758+0800 INFO instance/beat.go:301 winlogbeat start running. 2022-06-10T09:20:38.764+0800 INFO [monitoring] log/log.go:97 Starting metrics logging every 30s 2022-06-10T09:20:42.854+0800 ERROR pipeline/output.go:74 Failed to connect: dial tcp 10.10.10.12:5044: connectex: No connection could be made because the target machine actively refused it. 2022-06-10T09:20:45.884+0800 ERROR pipeline/output.go:74 Failed to connect: dial tcp 10.10.10.12:5044: connectex: No connection could be made because the target machine actively refused it. 2022-06-10T09:20:50.908+0800 ERROR pipeline/output.go:74 Failed to connect: dial tcp 10.10.10.12:5044: connectex: No connection could be made because the target machine actively refused it. 2022-06-10T09:20:59.932+0800 ERROR pipeline/output.go:74 Failed to connect: dial tcp 10.10.10.12:5044: connectex: No connection could be made because the target machine actively refused it. 2022-06-10T09:21:08.777+0800 INFO [monitoring] log/log.go:124 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"libbeat":{"config":{"module":{"running":0}},"output":{"type":"logstash"},"pipeline":{"clients":1,"events":{"active":4117,"published":4116,"retry":3600,"total":4117}}},"msg_file_cache":{"SecurityHits":4202,"SecurityMisses":1,"SecuritySize":1},"uptime":"{\"server_time\":\"2022-06-10T01:21:08.7727189Z\",\"start_time\":\"2022-06-10T01:20:38.7052249Z\",\"uptime\":\"30.067494s\",\"uptime_ms\":\"30067494\"}"}}} 2022-06-10T09:21:16.995+0800 ERROR pipeline/output.go:74 Failed to connect: dial tcp 10.10.10.12:5044: connectex: No connection could be made because the target machine actively refused it. 2022-06-10T09:21:38.777+0800 INFO [monitoring] log/log.go:124 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":4117,"retry":900}}},"uptime":"{\"server_time\":\"2022-06-10T01:21:38.7773897Z\",\"start_time\":\"2022-06-10T01:20:38.7052249Z\",\"uptime\":\"1m0.0721648s\",\"uptime_ms\":\"60072164\"}"}}} 2022-06-10T09:21:50.023+0800 ERROR pipeline/output.go:74 Failed to connect: dial tcp 10.10.10.12:5044: connectex: No connection could be made because the target machine actively refused it. 2022-06-10T09:22:08.778+0800 INFO [monitoring] log/log.go:124 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":4117,"retry":1800}}},"uptime":"{\"server_time\":\"2022-06-10T01:22:08.7781495Z\",\"start_time\":\"2022-06-10T01:20:38.7052249Z\",\"uptime\":\"1m30.0729246s\",\"uptime_ms\":\"90072924\"}"}}} 还请帮看看哪里的问题？

General 2022-06-10 09:34

进行初始化安装 python3 WatchAD.py --install -d Motoo.nc -s 192.168.159.149 -u motoo\\administrator -p Motoo123\!\@\#45 这里连接也有问题 [root@localhost /]# cd /root/WatchAD/ [root@localhost WatchAD]# python3 WatchAD.py --install -d general.local -s 10.10.10.10 -u general\\administrator -p Ds@902903 Traceback (most recent call last): File "WatchAD.py", line 21, in from scripts.init_settings import init_es_template, check_es_template, check_mongo_connection, check_mq_connection, \ File "/root/WatchAD/scripts/init_settings.py", line 8, in import simplejson ModuleNotFoundError: No module named 'simplejson'