BlueCloud

Cyber Range deployment of HELK and Velociraptor! Automated terraform deployment of one system running HELK + Velociraptor server with the one registered Windows endpoint in Azure or AWS. A collection of Terraform and Ansible scripts that automatically (and quickly) deploys a small HELK + Velociraptor R&D lab.

Use Cases

• EDR Testing lab
• Penetration Testing lab
• SIEM / Threat Hunting / DFIR / Live Response lab with HELK + Velociraptor [1, 2]
• Data Science research with HELK server, Jupyter notebooks
• Detection Engineering research with Mordor [3, 4]

Features and Information

• New Feature: Combined Velociraptor + HELK System! Velociraptor [1] + Hunting ELK [2] System: Windows 10 Endpoints instrumented with agents to auto register Velociraptor and send Sysmon logs
• New Feature: Three tools for Adversary Simulation: Script to automatically invoke Atomic Red Team unit tests using Ansible playbook.
• New Feature: Support for AWS and Azure – Terraform provider support for AWS, Azure.
• Deploys one Linux 18.04 HELK Server with data science capabiliies. Deploys HELK install option #4, including KAFKA + KSQL + ELK + NGNIX + SPARK + JUPYTER + ELASTALERT
• Windows endpoint is automatically configured with Sysmon (SwiftOnSecurity) and Winlogbeat
• Windows endpoint is automatically configured to use HELK configuration + Kafka Winlogbeat output to send logs to HELK
• Automatically registers the Windows endpoint to the Velociraptor server with TLS self-signed certificate configuration
• Windows endpoint includes Atomic Red Team (ART), Elastic Detection RTA, and APTSimulator
• Uses Terraform templates to automatically deploy in Azure with VMs
• Terraform templates write customizable Ansible Playbook configuration
• Azure NSGs and AWS Security Groups can whitelist your source prefix (for added security)
• The following ports are opened through Azure and AWS Security Groups for ingress TCP traffic: RDP (3389), WinRM HTTP (5985), WinRM HTTPS (5986), SSH (22), HTTPS (443), Spark (8080), KQL (8088), Zookeeper (2181), Velociraptor GUI (8889), Velociraptor Agent (8000)
• Approximate build time: 16 minutes
• Approximate Monthly Cost: $ per month

Download & Use

Copyright (c) 2021 Jason Ostrom