• Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Menu
  • Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Search
Close
  • Home
  • 2019
  • October
  • 25
  • Whids – Open Source Endpoint Detection System for Windows

Whids – Open Source Endpoint Detection System for Windows

October 25, 2019 Comments Off on Whids – Open Source Endpoint Detection System for Windows
whids windows endpoint detection windows hid

This is an hybrid solution combining a flexible Host IDS with detection based Incident Response capabilities. The detection engine is built on top of a previously developped rule engine Gene specially designed to match Windows events against user defined rules.

Why

  • Provide an Open Source EDR like tool
  • Flexible detection
  • Easy integration with other open-source tools (MISP, The Hive …)

How

Detection

  • On host real time detection
  • Listens to Windows event log channels and apply detection rules
  • User defined rules (we know why we detect something)
  • Designed to be used with MS Sysmon
  • Enriches Windows events in order to build powerfull detection primitives
  • Central agent to distributes rules and collect alerts

Incident Response

  • Reacts on detection (when an event above a given criticality is detected, artifacts are collected)
  • Real time evidence collection (files, process memory and registries)
  • Central agent to collect evidences

workflow

Demo

Rule Example

Here is an example of a rule designed to catch suspicious access to lsass.exe as it is done by the well known Mimikatz credential dump tool.

{
  "Name": "MaliciousLsassAccess",
  "Tags": ["Mimikatz", "Credentials", "Lsass"],
  "Meta": {
    "EventIDs": [10],
    "Channels": ["Microsoft-Windows-Sysmon/Operational"],
    "Computers": [],
    "Traces": [],
    "Criticality": 10,
    "Author": "0xrawsec"
  },
  "Matches": [
    "$ct: CallTrace ~= 'UNKNOWN'",
    "$lsass: TargetImage ~= '(?i:\\\\lsass\\.exe$)'"
  ],
  "Condition": "$lsass and $ct"
}

You can find a bunch of other rules as well as a quick introduction to the syntax of the rules on the Gene repository.

In Action

Running WHIDS with an already running Powershell Empire agent which invokes Mimikatz module.

WHIDS Mimikatz Demo

Herafter is the kind of output returned by WHIDS. An additional section is added to the JSON event where the criticality of the alert is reported along with the different signatures which matched the event.

{
  "Event": {
    "EventData": {
      "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+4bf9a|C:\\Windows\\system32\\KERNELBASE.dll+189b7|UNKNOWN(00000000259123BC)",
      "GrantedAccess": "0x1410",
      "SourceImage": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "SourceProcessGUID": "{49F1AF32-DD18-5A72-0000-0010042C0A00}",
      "SourceProcessId": "2248",
      "SourceThreadId": "3308",
      "TargetImage": "C:\\Windows\\system32\\lsass.exe",
      "TargetProcessGUID": "{49F1AF32-DB3B-5A72-0000-001013690000}",
      "TargetProcessId": "492",
      "UtcTime": "2018-02-01 11:24:53.331"
    },
    "GeneInfo": {
      "Criticality": 10,
      "Signature": [
        "MaliciousLsassAccess"
      ]
    },
    "System": {
        "Classical Windows Event System Section": "..."
    }
  }
}

Installation

WHIDS

  1. Download and extract the latest WHIDS release https://github.com/0xrawsec/whids/releases
  2. If you want WHIDS to run along with Sysmon (strongly recommended), install it first. An optimal configuration file is shipped with the release so that you can take the most out of WHIDS. At installation the Sysmon service will be made dependant of WHIDS service so that we are sure the IDS runs before Sysmon starts generating some events.
  3. Run manage.bat as administrator
  4. Launch installation by selecting the appropriate option
  5. Verify that files have been created at the installation directory
  6. With a text editor opened as administrator (to prevent changing the rights of the WHIDS installation directory) open config.json and modify it as you wish. This can also be done from manage.bat
  7. Skip this if running with a connection to a manager, because rules will be updated automatically. If there is nothing in the rules directory the tool will be useless, so make sure there are some gene rules in there. Some rules are packaged with WHIDS and you will be prompted if you want to install those or not. If you want the last up to date rules, you can get those here (take the compiled ones)
  8. Start the services from appropriate option in manage.bat or just reboot (preferred option otherwise some enrichment fields will be incomplete leading to false alerts)
  9. If you configured a manager do not forget to run it in order to receive alerts and dumps

NB: whenever you go to the installation directory with Explorer.exe and if you are Administrator the explorer will ask you if you want to change the permission of the directory. DO NOT CLICK YES, otherwise it will break the folder permissions put in place at installation time. Always access installation directory from applications started as Administrator (i.e. text editor).

Configuration

WHIDS

WHIDS configuration file example

{
    // Path to the rules directory used for detection
    "rules-db": "C:\\Program Files\\Whids\\Database\\Rules",
    // Path to the containers used in some of the rules
    // containers must be GZIP compressed and have .cont.gz extension
    // basename without extension is taken as container name
    // Example: blacklist.cont.gz will create blacklist container
    "containers-db": "C:\\Program Files\\Whids\\Database\\Containers",
    // Forwarder related configuration
    "forwarder": {
        "manager-client": {
            // Hostname or IP address of remote manager
            "host": "",
            // Port used by remote manager
            "port": 0,
            // Protocol used http or https
            "proto": "",
            // Key used to authenticate the client
            "key": "",
            // Server key used to authenticate remote server
            "server-key": "",
            // Whether or not the TLS certificate should be verified
            "unsafe": false,
            // Maximum upload side for dump forwarding
            "max-upload-size": 104857600
        },
        // Alert logging settings
        "logging": {
            // Path where to store the alerts
            "dir": "C:\\Program Files\\Whids\\Logs\\Alerts",
            // Rotation interval
            "rotation-interval": "24h"
        },
        // If local=true the forwarder won't communicate with manager
        "local": true
    },
    // Windows event log channels to monitor
    // run "whids -h" to get the list of aliases
    // otherwise any Windows channel can be used here 
    "channels": [
        "all"
    ],
    // Dump related settings
    "dump": {
        // Dump mode: file, memory or all (can be empty)
        // file: dumps anything identified as a file in the event
        // memory: dumps (guilty) process memory in Windows minidump format
        // registry: dumps registry in case alert concerns a registry
        "mode": "file|registry",
        // Dumps when criticality of the events is above or equal to treshold
        "treshold": 8,
        // Where to store dumps
        "dir": "C:\\Program Files\\Whids\\Dumps",
        // Whether or not to enable dump compression
        "compression": true
    },
    // Log events with criticality above or equal to treshold
    "criticality-treshold": 5,
    // Sleep time in seconds between two rules updates (negative number means no update)
    "update-interval": 60,
    // Whether on not hooks should be enabled
    "en-hooks": true,
    // Logfile used to store WHIDS stderr
    "logfile": "C:\\Program Files\\Whids\\Logs\\whids.log",
    // Log all the events passing through the engine (usefull for event dumping or debugging)
    "log-all": false,
    // Tells WHIDS that it is running on an endpoint. If false any kind 
    // of dump is disabled to avoid dump things if installed on a WEC
    "endpoint": true
}

Manager

Manager configuration example

{
    // Hostname / IP on which to run the manager
    "host": "192.168.56.1",
    // Port used by the manager
    "port": 1519,
    // Logfile (automatically rotated) where to store alerts received
    "logfile": "alerts.log",
    // Server authentication key (see server-key in WHIDS config)
    "key": "someserverkey",
    // List of authorized client keys (see key in WHIDS config)
    // If the client is not authorized in this list, all the connections 
    // to the manager will abort
    "authorized": [
      "clientapikey"
    ],
    // TLS settings
    "tls": {
        // Server certificate to use
        "cert": "cert.pem",
        // Server key to use
        "key": "key.pem"
    },
    "misp": {
        // Protocol to use for MISP connection
        "protocol" :"https",
        // MISP host
        "host" : "misp.host",
        // API key to use
        "api-key" :"your misp api key"
    },
    // Rules directory used to serve rules to the clients
    "rules-dir": "",
    // Rules of containers used in rules (served to the clients)
    // a container name is the basename of the file without extension
    // Example: /some/container/dir/blacklist.txt will take the content
    // of the file and use it as being a Gene container named blacklist
    "containers-dir": ""
    // Directory used to store dumps sent by the client
    "dump-dir": "",
}

Documentation

To know how to write rules for the engine please visit: https://rawsec.lu/doc/gene/1.6/

Download Whid here – https://github.com/0xrawsec/whids

Post navigation

Faction – C2 Framework
TikiTorch – Process Injection Tool

Related Articles

Armourbird – Container Security Framework

- Firewall
September 4, 2019

PingCastle – Active Directory Security Assessment Tool

- Firewall
August 29, 2019

FalconGate – A Smart Gateway to Stop Hackers and Malware Attacks

- Firewall
August 13, 2019
hacker gadgets
hacker phone covers

Recent Posts

Winevt_Logs_Analysis - Searching .Evtx Logs For Remote Connections

Winevt_Logs_Analysis – Searching .Evtx Logs For Remote Connections

February 5, 2023
NJ Man Attempted to Hire a Hitman on the Dark Web

NJ Man Attempted to Hire a Hitman on the Dark Web

February 5, 2023
PlumHound v1.5.1 releases: Bloodhound for Blue and Purple Teams

PlumHound v1.5.1 releases: Bloodhound for Blue and Purple Teams

February 4, 2023
EAST - Extensible Azure Security Tool - Documentation

EAST – Extensible Azure Security Tool – Documentation

February 4, 2023
Dutchman Sold Counterfeit Banknotes on the Dark Web

Dutchman Sold Counterfeit Banknotes on the Dark Web

February 4, 2023
CVE-2023-22501: Critical Flaw in Atlassian Jira Service Management Server and Data Center

CVE-2023-22501: Critical Flaw in Atlassian Jira Service Management Server and Data Center

February 4, 2023

Social Media Hacking

SocialPath – Track users across Social Media Platforms

SocialPath – Track users across Social Media Platforms

- Social Media Hacking
October 16, 2019October 16, 2019

SocialPath is a django application for gathering social media intelligence on specific username. It checks for Twitter, Instagram, Facebook, Reddit...

SocialScan – Check Email Address and Username Availability on Online Platforms

SocialScan – Check Email Address and Username Availability on Online Platforms

June 17, 2019
Shellphish – Phishing Tool For 18 Social Media Apps

Shellphish – Phishing Tool For 18 Social Media Apps

June 10, 2019July 27, 2019
WhatsApp Hacking using QRLJacking

WhatsApp Hacking using QRLJacking

May 2, 2019May 19, 2019
How to Hack any Facebook Account with Z-Shadow

How to Hack any Facebook Account with Z-Shadow

April 26, 2019June 29, 2020
hacker buffs

About Us

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Join Our Community!

Please wait...
Get the latest News and Hacking Tools delivered to your inbox.
Don't Worry ! You will not be spammed

Active Members

Submit a Tool

Hackers Handbook 2018


Grab your copy here

ABOUT US

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Our primary focus revolves around the latest tools released in the Infosec community and provide a platform for developers to showcase their skillset and current projects.

COMPANY
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Menu
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Live Chat
RESOURCES
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Menu
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Get Started
TOOLBOX
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Menu
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Tools Directory

2014 – 2020 | Haxf4rall.com               Stay Connected:

Facebook Twitter Google-plus Wordpress
Please wait...

Join Our Community

Subscribe now and get your free HACKERS HANDBOOK

Don't Worry ! You will not be spammed
SIGN UP FOR NEWSLETTER NOW