Installation - ecrawford-0/Whids-Testing GitHub Wiki
Introduction
The following walks through how to install WHIDS. WHIDS can be installed stand-alone or together with a manager. To get the most out of WHIDS, it is recommended to install the manager as well.
Standalone installation
Prerequisites
Install sysmon
First, Sysmon needs to be installed on the system. Download Sysmon and extract the zip file.

Next, open an administrator terminal and navigate to the location where Sysmon was downloaded. Run the following command to install Sysmon:
sysmon64 -i
A popup with the licence terms will appear; click Agree, and Sysmon will finish installing and start running.

Make a note of the directory Sysmon is located in; it will be used later.
Enable Powershell module logging
Next, enable PowerShell module logging. In the search bar, start typing "local group" and select the option to edit group policy.

Next, select Computer Configuration\Administrative Templates\Windows Components.

Scroll to the section labelled Windows PowerShell.

Edit the policy labelled Turn on Module Logging and set it to Enabled.

In the Options box, select Show, add a single * so that every PowerShell module is logged, and click OK.

Finally, click Apply and then OK; the state of Turn on Module Logging should now show Enabled.

Enable Audit Security System Extension
Next, enable Audit Security System Extension. To do so, go back to the Local Group Policy Editor and navigate to Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\System, then select Audit Security System Extension.

Tick all the checkboxes so that both success and failure events are audited.

Enable File System Audit
Go back to the Local Group Policy Editor. Navigate to Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access and select Audit File System.

Again, tick every box, then click Apply and OK.

The File System audit policy only generates events for objects that have an auditing entry set on them, so next select a folder to audit. In this case a new folder called Test was created under C:\.

Right-click the folder, select Properties, and go to the Security tab.

Click Advanced, switch to the Auditing tab, and click Continue.

Click Add, click Select a principal, and enter the user or group whose access should be logged. In this case the Users group was entered, so all users will be logged.

For Type, change it from Success to All.

Click Apply and OK in all the dialogs.
Then run the following command to update the group policy:
gpupdate /force
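The prerequisites above are all set through dialogs. The following script, added here as an example and not taken from the wiki or the WHIDS project, sets the same three things from an elevated PowerShell prompt: the module logging policy values, the two Advanced Audit Policy subcategories via auditpol, and the audit entry (SACL) on the test folder. It assumes the audited folder is C:\Test and the audited principal is the Users group, as in the walkthrough.

```powershell
# Added example (not part of the wiki or the WHIDS project): the same three
# prerequisites set from an elevated PowerShell prompt instead of the Group
# Policy Editor and the folder's Properties dialogs.
#Requires -RunAsAdministrator

$AuditFolder = 'C:\Test'   # folder created in the walkthrough (assumption)
$Principal   = 'Users'     # group whose access is audited (assumption)

# 1. "Turn on Module Logging" with "*": these are the registry values that
#    the policy itself writes, so the policy editor shows the same state.
$modLog = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$modLog\ModuleNames" -Force | Out-Null
New-ItemProperty -Path $modLog -Name 'EnableModuleLogging' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$modLog\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 2. Advanced audit policy: Security System Extension and File System,
#    success and failure (the equivalent of ticking every box).
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 3. Audit entry (SACL) on the folder: all access by Users, success and
#    failure, inherited by sub-folders and files. Without such an entry the
#    File System audit policy produces no events for the folder.
if (-not (Test-Path $AuditFolder)) { New-Item -ItemType Directory -Path $AuditFolder | Out-Null }
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $Principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
$acl = Get-Acl -Path $AuditFolder -Audit   # -Audit is required to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $AuditFolder -AclObject $acl

# 4. Apply the policy and show the resulting state for verification.
gpupdate /force
auditpol /get /subcategory:"Security System Extension"
auditpol /get /subcategory:"File System"
(Get-Acl -Path $AuditFolder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
Get-ItemProperty -Path $modLog -Name EnableModuleLogging
```

The verification commands at the end print the two subcategories, the folder's audit entries and the module logging value, which should match what the Local Group Policy Editor and the folder's Auditing tab show after the manual steps.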

Install WHIDS
Download and extract the latest version of WHIDS. For this example v1.7.0 was installed.

Navigate to whids-v1.7.0-release-bundle\whids\windows.

Run the manage.bat file as an administrative user. A terminal will pop up with a menu; to install, simply type i.

Answer Y to the prompts to import the detection rules and to start the services.

By default the WHIDS logs are located in C:\Program Files\Whids\Logs and the alerts in C:\Program Files\Whids\Logs\Alerts.
Install manager on Windows
First download the WHIDS release bundle; in this case v1.7.0 was the most up-to-date release. Extract the package. For a Windows machine, navigate to /whids-v1.7.0-release-bundle/whids-man/windows. Next, create a folder called data.

Inside the data folder create three folders called containers, dumps, and logs.

Next, run the whids-man executable from an administrator terminal with the -h flag to see the options. For 64-bit systems use whids-man-v1.7.0-amd64.exe; for 32-bit systems use whids-man-v1.7.0-386.exe.

Next, generate a basic configuration file with the following command:
whids-man-v1.7.0-amd64.exe --dump-config > config.toml

Under the [admin-api] and [endpoint-api] settings, set the IP address to the IP address of the machine, and save the file.


Next, run the executable again, this time passing the name of the config file. In this case it is config.toml:
whids-man-v1.7.0-amd64.exe config.toml
If everything worked, the HTTP server starts.

To verify the server is reachable, open another terminal. WHIDS has no GUI; the manager is accessed entirely through REST API calls. To get the stats of the EDR manager, use the following syntax:
curl -skH "Api-key: [ENTER THE WHOLE API KEY NAME HERE]" "http://192.168.10.20:1520/stats"
A few things to note:
- Make sure to use the hostname/IP, port, and admin-api.users key exactly as defined in the config file.
- If you receive a 404 error, double-check that you are using the correct hostname/IP and port; if either is wrong, the result is a 404.
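The following PowerShell function is an added example (not from the wiki or the WHIDS project) that performs the same /stats request as the curl command above, but first checks that the admin API port accepts a TCP connection at all, so a wrong host/port or a firewall is reported separately from an HTTP error. It assumes, as the example does, that the admin API is served over plain http on the host and port from [admin-api] and that the key comes from admin-api.users.

```powershell
# Added example (not part of the wiki or the WHIDS project): reachability check
# for the manager's admin API, equivalent to the curl /stats call.
function Test-WhidsManager {
    param(
        [Parameter(Mandatory)][string]$ManagerHost,   # hostname/IP from [admin-api]
        [Parameter(Mandatory)][string]$ApiKey,        # admin-api.users key, copied in full
        [int]$Port = 1520                             # port from [admin-api]; 1520 as in the curl example
    )

    # 1. Raw TCP check first: a wrong host/port or a firewall never gets as far as HTTP.
    $tcp = Test-NetConnection -ComputerName $ManagerHost -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return "No TCP connection to ${ManagerHost}:${Port}; re-check the [admin-api] host/port in config.toml and any firewall rules"
    }

    # 2. Same request as the curl command: GET /stats with the Api-key header.
    try {
        return Invoke-RestMethod -Method Get -Uri "http://${ManagerHost}:${Port}/stats" `
                                 -Headers @{ 'Api-key' = $ApiKey }
    } catch {
        $resp   = $_.Exception.Response
        $status = if ($resp) { [int]$resp.StatusCode } else { 0 }
        switch ($status) {
            404     { return "HTTP 404: something answered on ${ManagerHost}:${Port} but not the WHIDS admin API; re-check hostname/IP and port" }
            default { return "HTTP $status from manager: $($_.Exception.Message). If host and port are right, re-check the Api-key value" }
        }
    }
}

# Usage (placeholder values; take the real ones from config.toml):
# Test-WhidsManager -ManagerHost 192.168.10.20 -Port 1520 -ApiKey 'PASTE-THE-WHOLE-KEY-HERE'
```

On success the function returns the parsed stats object; on failure it returns a one-line diagnosis that says which of the three inputs (host/IP, port, key) to re-check first.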

Connecting endpoints to the manager
Go to the configuration file on the manager, scroll to the [endpoint-api.endpoints] section, and copy the uuid and key.

Then go to the endpoint to be added. Open its config file and scroll down to the [forwarder] section.
First change it so that
local = false
Then change the [forwarder.manager] settings so they match the configuration on the manager. Make sure to copy the endpoint uuid and key over.

After the changes are made, save the file, then open an administrative terminal and run the manage.bat file. Select the up option to apply the changes.

Back on the manager machine, there should now be a steady stream of logs from the endpoint.

Listing the endpoints on the manager should also show the new endpoint and its details.
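A copy/paste slip in the uuid or key, or a [forwarder] section still set to local = true, is the usual reason no logs arrive at the manager. The script below is an added example (not from the wiki or the WHIDS project) that cross-checks the endpoint's [forwarder] and [forwarder.manager] settings against the manager's [endpoint-api.endpoints] entries before manage.bat is run with the up option. It assumes both files write those settings as plain lines of the form uuid = "...", key = "..." and local = true|false, as the walkthrough shows; the sample fragments at the end are constructed placeholders, not real credentials, and the endpoint config path is a placeholder as well.

```powershell
# Added example (not part of the wiki or the WHIDS project): verify that an
# endpoint's forwarder settings match an endpoint registered on the manager.

function Get-ManagerEndpoints {
    # Yields one object (uuid + key) per endpoint table found in the manager config.
    param([string[]]$Lines)
    $current = $null
    foreach ($line in ($Lines + '[end-of-file]')) {   # sentinel flushes the last table
        if ($line -match '^\s*\[') {
            if ($current -and $current.uuid -and $current.key) { [pscustomobject]$current }
            # accept [endpoint-api.endpoints] as written on the wiki and TOML's [[...]] form
            $current = if ($line -match '^\s*\[{1,2}\s*endpoint-api\.endpoints\s*\]{1,2}') { @{} } else { $null }
            continue
        }
        if ($null -ne $current -and $line -match '^\s*(uuid|key)\s*=\s*"([^"]*)"') {
            $current[$Matches[1]] = $Matches[2]
        }
    }
}

function Get-EndpointForwarder {
    # Reads local, uuid and key from the endpoint's [forwarder] / [forwarder.manager] sections.
    param([string[]]$Lines)
    $section = ''
    $fw = @{ local = $null; uuid = $null; key = $null }
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[\s*([^\]]+?)\s*\]') { $section = $Matches[1]; continue }
        if ($section -eq 'forwarder' -and $line -match '^\s*local\s*=\s*(true|false)') {
            $fw.local = [bool]::Parse($Matches[1])
        }
        if ($section -eq 'forwarder.manager' -and $line -match '^\s*(uuid|key)\s*=\s*"([^"]*)"') {
            $fw[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$fw
}

function Test-EndpointRegistration {
    # Returns "OK: ..." or a list of problems to fix before running manage.bat / up.
    param([string[]]$ManagerLines, [string[]]$EndpointLines)
    $endpoints = @(Get-ManagerEndpoints -Lines $ManagerLines)
    $fw        = Get-EndpointForwarder -Lines $EndpointLines
    $problems  = @()
    if ($fw.local -ne $false)           { $problems += '[forwarder] local is not false: the endpoint will keep logging locally only' }
    if (-not $fw.uuid -or -not $fw.key) { $problems += '[forwarder.manager] is missing uuid or key' }
    $match = $endpoints | Where-Object { $_.uuid -eq $fw.uuid } | Select-Object -First 1
    if (-not $match)                    { $problems += "uuid '$($fw.uuid)' is not registered under [endpoint-api.endpoints] on the manager" }
    elseif ($match.key -cne $fw.key)    { $problems += "key for uuid '$($fw.uuid)' differs from the manager's copy (copy/paste error?)" }
    if ($problems.Count -eq 0) { "OK: endpoint $($fw.uuid) matches a manager entry" } else { $problems }
}

# Constructed sample fragments (placeholder values, not real credentials):
$managerSample = @(
    '[[endpoint-api.endpoints]]',
    'uuid = "00000000-0000-0000-0000-000000000001"',
    'key  = "PLACEHOLDER-ENDPOINT-KEY-1"'
)
$endpointSample = @(
    '[forwarder]',
    'local = false',
    '[forwarder.manager]',
    'uuid = "00000000-0000-0000-0000-000000000001"',
    'key  = "PLACEHOLDER-ENDPOINT-KEY-1"'
)
Test-EndpointRegistration -ManagerLines $managerSample -EndpointLines $endpointSample

# Against the real files (endpoint path is a placeholder):
# Test-EndpointRegistration -ManagerLines (Get-Content .\config.toml) `
#                           -EndpointLines (Get-Content '<path-to-endpoint-config.toml>')
```

The key comparison is case-sensitive (-cne) on purpose, since a key that differs only in case is still a different key; the uuid comparison is case-insensitive because uuids are conventionally compared that way.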
