For some time now, the ElevenPaths Innovation and Laboratory team has been working on projects and research related to the security of SIEM (Security Information and Event Management) technologies. One of the projects we have released is a free, open source tool called SIEM Attack Framework, aimed at the security analysis of these products, which allows us to detect weaknesses in the configuration of Splunk, GrayLog and OSSIM, among others. Last year we presented it at BlackHat Arsenal 2019, 8dot8 and EkoLabs, where it won the award for best laboratory at EkoParty2019.
The tool is still alive and remains part of the toolkit we make available to the community. During 2020 we dedicated a chapter of our CodeTalks4Devs to how the development is structured and how the discovery of new SIEMs is attached to the framework. In that talk we helped the community understand how the development was planned and how to contribute or modify modules for specific purposes, and we hinted that there would be many surprises soon.
What have we added in this update?
A few days ago, we published an update of the tool in our repository, adding three more SIEMs to the attack framework to facilitate the work of Red Team and pentesting teams. In this latest update we have incorporated the following manufacturers:
- QRadar, for which we have implemented a brute force module to recover the administrator's password. Since the user is always admin, only the password is needed to access the web environment, although this is a very slow attack because of some protections. However, the API does not limit the number of attempts, so it is possible to brute force the API-Key and then extract the complete configuration of the SIEM and user access to the internal database, called ARIEL.
- McAfee SIEM, for which we implemented a dictionary attack to recover the password of the user called "NGCP" by default. Due to certain configuration restrictions this attack can be slow, so we looked for another way to obtain those credentials. We therefore implemented a new module that takes advantage of the fact that the system enables the SSH service by default, allows access as the root user, and additionally shares the same password between root and the NGCP user. Once this data is obtained, three further attacks can be used to obtain configuration information, services and configured protections, as well as to extract the shadow file from the system, and with it the complete list of system users.
- SIEMonster, where we implemented a dictionary attack module similar to the one in the previous case. Since this SIEM configures the same user, called "deploy", for both SSH access and web access, it is possible to obtain administrative access to both the web environment and the console. In addition, two attacks were created to obtain system configuration data and the shadow file, and with it all the users of the system.
- ElasticSIEM, for which we also implemented an SSH brute force module, since the operating system recommended for its installation enables the service by default. At the same time, for local deployments it does not set up any access control on the web service by default, and a series of configurations must be put in place before an authentication mechanism can be integrated. We therefore also created a module that takes advantage of this possible configuration and accesses the system through the console to obtain more configuration data, although often the only thing needed is to identify this SIEM within the network.
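The common thread in the four modules above is password guessing against well-known default accounts over SSH or the web/API. As an added defensive example (not code from the SIEM Attack Framework or from ElevenPaths), the script below parses constructed sshd syslog lines and flags a source IP that fails repeated logins to one of those default accounts (root, NGCP, deploy, admin) inside a short window, and notes whether a successful login from the same IP followed; the log format, account list, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Default accounts the post names as password-guessing targets (assumption: the ones to watch).
DEFAULT_ACCOUNTS = {"root", "NGCP", "deploy", "admin"}
# Constructed sshd syslog lines for demonstration; not taken from any real system.
SAMPLE_LOG = """\
Mar 10 12:00:01 siem sshd[2101]: Failed password for NGCP from 10.0.0.5 port 51000 ssh2
Mar 10 12:00:02 siem sshd[2102]: Failed password for NGCP from 10.0.0.5 port 51001 ssh2
Mar 10 12:00:03 siem sshd[2103]: Failed password for NGCP from 10.0.0.5 port 51002 ssh2
Mar 10 12:00:04 siem sshd[2104]: Failed password for NGCP from 10.0.0.5 port 51003 ssh2
Mar 10 12:00:05 siem sshd[2105]: Failed password for NGCP from 10.0.0.5 port 51004 ssh2
Mar 10 12:00:06 siem sshd[2106]: Accepted password for NGCP from 10.0.0.5 port 51005 ssh2
Mar 10 12:05:00 siem sshd[2110]: Failed password for deploy from 10.0.0.9 port 40000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse(log_text, year=2020):
    """Turn sshd lines into (timestamp, result, user, ip); syslog omits the year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Alert when one IP fails `threshold` logins to a default account within `window_seconds`,
    noting whether a later success from that IP followed (a likely compromise, not just noise)."""
    by_pair = defaultdict(list)
    for ts, result, user, ip in events:
        if user in DEFAULT_ACCOUNTS:
            by_pair[(ip, user)].append((ts, result))
    alerts = []
    for (ip, user), evs in by_pair.items():
        evs.sort()
        fails = [t for t, r in evs if r == "Failed"]
        start = 0
        for end in range(len(fails)):  # sliding window over failure timestamps
            while (fails[end] - fails[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                success_after = any(r == "Accepted" and t >= fails[end] for t, r in evs)
                alerts.append({"ip": ip, "user": user, "failures": end - start + 1, "success_after": success_after})
                break
    return alerts
```

Running `detect_bruteforce(parse(SAMPLE_LOG))` on the constructed lines yields one alert for NGCP from 10.0.0.5 with five failures followed by a success; the single deploy failure stays below the threshold.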
In addition, this new version brings some further changes:
- The validation of the data entered by the analyst was modified.
- It is now possible to specify, in a simple way, a port different from the one the SIEM uses by default at installation. This way the SIEM can be detected from the tool itself even if it has been published on another port, without having to resort to other tools.
- Test batteries were added to optimize operation.
- Changes were made so that users can see which data can be obtained in some of the attacks and compare them with their own results.
With all these changes and improvements, version 2.0 of the tool offers the possibility of analysing seven different SIEMs in different ways. In some of them we can detect and take advantage of weaknesses in their default configuration, in others in the use of the management API, and in others in the exposed services, but in every case it offers a way to evaluate the security of the system.