Processing of host triage packages is always a challenge when dealing with incidents involving large number of hosts. This repository contains
- a build script to install and configure Timesketch and associated services
- a workflow built using NodeRED to automate handling of triage archives, processing triage archives using log2timeline/plaso and ingestion into Timesketch.
- a custom Timesketch tagger file that has a curated list of pre-built queries (mapped to MITRE ATT&CK were possible). It can be used to quickly identify initial pivot points and get contextual information during investigations.
- workflow runs Hayabusa against Windows evtx files and ingests results to Timesketch
This section provides a brief overview of the automation setup and how components are configured.
Node-RED is a browser based flow editor which provides an easier way to achieve automation. NR_DFIR is an automation workflow where the flow will watch for archive files created at /cases/processor directory. When new triage archive files get created (Tested with CyLR and KAPE zips) it will run an integrity check and decompress them to unique folders, parses it with Log2timeline and ingests into Timesketch. It has the ability to queue up archive files for processing. This way you have the option to control how many archive files gets processed at any given point in time.
The Node-RED workflow contains 5 flows
This is the main workflow for the automation. It consists of archive validation checks, log2timeline processing and ingestion to Timesketch.
This flow runs Hayabusa over Windows event logs found in KAPE triage packages. You will need Hayabusa pre-downloaded for this to work.
This flow is used to detect the type of archive and then run an integrity check on the archive
This flow is used to detect the type of the archive and perform the relevant decompression action
This flow is used to send notifications via Slack. You need a Slack API key for this to work.
Timesketch is a core component of this project. The uses the docker version of Timesketch and Log2timeline. tsplaso_docker_install.sh script can be used to simplify install and configuration. Note: This script was tested on the latest Ubuntu 20.04.5 Server Edition.
##IMPORTANT - This bash script uses a custom version of nginx.conf and docker-compose.yml wget https://raw.githubusercontent.com/blueteam0ps/AllthingsTimesketch/master/tsplaso_docker_install.sh chmod a+x ./tsplaso_docker_install.sh sudo ./tsplaso_docker_install.sh
A tagging file is provided as part of this repository. It is used to get most out of Timesketch (It is already part of the tsplaso_docker_install.sh script
-
Install and configure Timesketch and Log2timeline. tsplaso_docker_install.sh script can assist with that. IMPORTANT!!! - tsplaso_docker_install.sh generates a self-signed certificate for the hostname 'localhost' and sets the nginx proxy configuration to use it.
-
Install Node-RED using the instructions given here. This has been tested on Ubuntu 20.04.5 LTS About Node-RED
-
Pre-install any archiving tools on your host (i.e. unrar, 7z , unzip)
-
Pre-configure Hayabusa and update the "Hayabusa Evtx Process" in "Hayabusa Process" node
-
Enable Incoming Webhooks for your slack and update the "Notification to Slack" in "Slack Notifications" node with you webhook and the posting username For more information about setting up incoming webhooks in Slack can be found here.
-
This automation depends on the following additonal nodes. I recommend installing it directly via the GUI -> Manage Pallette
- node-red-contrib-fs
- node-red-contrib-fs-ops
- node-red-contrib-simple-queue
- node-red-contrib-watchdirectory
- node-red-contrib-slack-files
- You should have the following folders pre-created on the host where this workflow is being operated.
- /cases/plaso
- /cases/processor/host-triage/
- /cases/evtxproc/ The account you are running Node-RED must have read and write permissions on /cases and its sub-folders.
- You should have Timesketch and Log2timeline pre-installed on the same host as your Node-RED installation.
- You should update the Log2timeline and Timesketch CLI parameters within the flow to meet your requirements.
-
Download the workflow JSON and Import it using the Node-RED GUI. https://github.com/blueteam0ps/AllthingsTimesketch/blob/master/NR_DFIRFlow.json
-
Update the "Timesketch CLI Params" with you Timesketch credentials
-
Update the "Queue Zips" with the amount of archives you would like to process at any given time
-
Hit Deploy Full!
-
Node-RED will watch for new files into the /cases/processor folder and it will kick off the flow
- Dialog box to enter Timesketch auth details so the token can be created at the start interactively
- Add flow branching to cater for E01 , Raw and VHDs
- Add memory dump process handling
My inspiration for the workflow was from the work carried by Eric Capuano (AWS DFIR Automation) and knowledge sharing sessions with Mike Pilkington. Special thanks to Sam Machin (https://github.com/sammachin) for his continous support with troubleshooting Node-RED workflow issues with me.