From the course: Complete Guide to Open Source Security
Detecting exploitation with the ELK Stack
- [Instructor] We're at the monitoring screen in the ELK Stack, and have a 15-minute real-time window showing our earlier reconnaissance stage of the attack. Let's now start stage two. As we watch the display, we start to see a lot of messages for app01. If we open one, we can see this is an SSH logging event, and we can see it's got a failure outcome. On the second page, we can see the related user is Akhtar, so let's add related user to our display, and event outcome. We'll also now set our source IP to our attacker's source to find out what our attacker is doing. So we can now see we have a continuous stream of events with a failure outcome. This is, in fact, our Hydra attack against app01. We've now seen a success in the attack, and we're now seeing some activity against our gym website. With an upload of a PHP file, we can see the PHP file, kamehameha.PHP, has been put into the upload. We'll stop our real-time activity, and we'll change our filter to be source IP 192.168.1.100…
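The Kibana view in the transcript is built by hand: filter on a failure outcome, group by source IP, add the related user, then notice the single success and the PHP file landing in the upload directory. The same logic can be written as detection rules and run over the events directly. The following is an added example, not the course's own material or anything from the Elastic project: the events are constructed to mirror the transcript's scenario (a Hydra-style run against app01 from 192.168.1.100 followed by an upload of kamehameha.php), the field names follow the Elastic Common Schema layout the course's log integrations produce, and the failure threshold and upload prefix are assumptions.

```python
from collections import defaultdict

# Constructed sample events in ECS field layout (not taken from the course).
# Stage 1: repeated SSH failures from one source against app01, then one success.
# Stage 2: a POST that lands a .php file in the web site's upload directory.
SAMPLE_EVENTS = [
    *[
        {"host.name": "app01", "event.category": "authentication", "event.action": "ssh_login",
         "event.outcome": "failure", "source.ip": "192.168.1.100", "related.user": "akhtar"}
        for _ in range(6)
    ],
    {"host.name": "app01", "event.category": "authentication", "event.action": "ssh_login",
     "event.outcome": "success", "source.ip": "192.168.1.100", "related.user": "akhtar"},
    # One mistyped password from an admin workstation: stays below the threshold.
    {"host.name": "app01", "event.category": "authentication", "event.action": "ssh_login",
     "event.outcome": "failure", "source.ip": "192.168.1.50", "related.user": "admin"},
    {"host.name": "web01", "event.category": "web", "http.request.method": "POST",
     "url.path": "/upload/kamehameha.php", "source.ip": "192.168.1.100",
     "http.response.status_code": 200},
    # Benign image upload to the same directory from a different client.
    {"host.name": "web01", "event.category": "web", "http.request.method": "POST",
     "url.path": "/upload/photo.jpg", "source.ip": "192.168.1.20",
     "http.response.status_code": 200},
]

FAILURE_THRESHOLD = 5  # assumed tuning value; raise it for noisy internet-facing hosts
SCRIPT_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")


def ssh_failures_by_source(events):
    """Count failed authentication events per (source.ip, host.name)."""
    counts = defaultdict(int)
    for e in events:
        if e.get("event.category") == "authentication" and e.get("event.outcome") == "failure":
            counts[(e["source.ip"], e["host.name"])] += 1
    return dict(counts)


def detect_brute_force(events, threshold=FAILURE_THRESHOLD):
    """The 'continuous stream of failures' view: sources with >= threshold failures per host."""
    return {k: v for k, v in ssh_failures_by_source(events).items() if v >= threshold}


def detect_success_after_failures(events, threshold=FAILURE_THRESHOLD):
    """Flag a success from a source that already accumulated `threshold` failures
    against the same host. Event order matters: the failures must come first."""
    failures = defaultdict(int)
    hits = []
    for e in events:
        if e.get("event.category") != "authentication":
            continue
        key = (e["source.ip"], e["host.name"])
        if e.get("event.outcome") == "failure":
            failures[key] += 1
        elif e.get("event.outcome") == "success" and failures[key] >= threshold:
            hits.append({"source.ip": e["source.ip"], "host.name": e["host.name"],
                         "related.user": e.get("related.user"),
                         "failures_before_success": failures[key]})
    return hits


def detect_script_upload(events, upload_prefix="/upload/"):
    """Flag POSTs whose path puts a server-side script under the upload directory."""
    hits = []
    for e in events:
        if e.get("event.category") != "web" or e.get("http.request.method") != "POST":
            continue
        path = e.get("url.path", "").lower()
        if path.startswith(upload_prefix) and path.endswith(SCRIPT_EXTENSIONS):
            hits.append({"source.ip": e["source.ip"], "host.name": e["host.name"],
                         "url.path": e["url.path"]})
    return hits


def correlate_stages(events, threshold=FAILURE_THRESHOLD):
    """Sources that both brute-forced SSH and later uploaded a script: the pivot
    the instructor spots by filtering the whole timeline on one source IP."""
    brute_sources = {ip for ip, _host in detect_brute_force(events, threshold)}
    return sorted({h["source.ip"] for h in detect_script_upload(events)
                   if h["source.ip"] in brute_sources})


if __name__ == "__main__":
    print("brute force:", detect_brute_force(SAMPLE_EVENTS))
    print("success after failures:", detect_success_after_failures(SAMPLE_EVENTS))
    print("script uploads:", detect_script_upload(SAMPLE_EVENTS))
    print("correlated sources:", correlate_stages(SAMPLE_EVENTS))
```

The per-source failure count alone is the noisy rule; the success-after-failures rule is the one worth paging on, and the correlation across hosts is what a dashboard filter on one source IP gives you by eye. In a real deployment the same three conditions map onto Elastic threshold and sequence rules, and the upload rule should also key on the web server actually serving the file rather than only on the POST.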
Contents
- Installing the ELK Stack SIEM (8m 19s)
- Upgrading Kibana to HTTPS (5m 39s)
- Configuring log integrations (3m 48s)
- Installing the Fleet server (2m 51s)
- Enrolling hosts into the Fleet server (6m 58s)
- Enhancing your logs (9m 19s)
- Detecting reconnaissance with the ELK Stack (7m 20s)
- Detecting exploitation with the ELK Stack (4m 56s)
- Monitoring alerts with the ELK Stack (4m 39s)