Skip to content

IanCWeston/dinohunter

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

121 Commits
terraform
terraform
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
todo.txt
todo.txt
 
 

Repository files navigation

DinoHunter

CodeFactor

Please note: This project is still in pre-release and may not behave as expected

The goal of DinoHunter is to aid Incident Responders with large scale investigations and quickly spin up a temporary Velociraptor and Elastic Stack server in AWS. This solution can act as a "historical" SIEM when no SIEM was present during a compromise. Velociraptor will query the endpoints and can pipe the data into the Elastic Stack for analysis.

To do list

  • Create Terraform script that launches the infrastructure
  • Automate the Velociraptor server configuration
  • Automate the Velociraptor client configuration
  • Automate the Filebeat module configuration for Office365

Velociraptor

Velociraptor is a Digital Forensics and Incident Response (DFIR) tool that allows investigators to "dig deeper" at scale.

Velociraptor Benefits

  • A single server can handle environments of up to 10,000 endpoints.
  • You can parse forensic artifacts on the fly ($MFT, amcache, prefetch, etc)
  • Data can be viewed in the Velociraptor GUI or can be sent to the Elastic Stack for dashboarding and visualization

The Elastic Stack

The Elastic Stack is a data analysis platform that can ingest many forms of data in large volumes and present it in a way that is easily analyzed.

Elastic Stack Benefits

  • Speed of querying
  • Visualizations
  • Dashboards
  • Can handle a large amount of data

Prerequisites

  • The following software installed on your comptuer:
    • Terraform installed and added to PATH
    • AWS IAM User with the below minimum permissions for Terraform

Terraform Minimum Permissions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:PLACEHOLDER"
      ],
      "Resource": "*"
    }
  ]
}

Usage Instructions

Terraform

To stand up new infrastructure use the following commands:

  • Change into the terraform directory and execute the following commands:

    • Initialize the directory with - terraform init

    • Make sure everything looks good with - terraform plan

    • Create the infrastructure with - terraform apply

    • Note the dns name that is listed when it completes

Connect to the new server

  • Execute - ../connect/connect.sh
  • As long as this SSH session is open you can access the Kibana and Velociraptor front ends at:
  • Once connected you can tail -f /home/ubuntu/dh-install.log to quickly see the status of the installation. Wait to connect to the front ends until you see instalation complete: your server is now ready for use in the file.

Configure Velociraptor Agents

Place holder instructions

Configure Velociraptor to send data to elasticsearch

Directions to send Velociraptor data to elasticsearch

About

No description, website, or topics provided.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 5

Languages