“HELK’ing” Your macOS Red Team Tools For Detections

This post builds on content from 4n7m4n’s prior blog post “Acting Red — Seeing Blue” (link). Specifically, I automated HELK server standup using terraform to stand up your HELK server in Digital Ocean with the appropriate specs as well as with firewall rules to protect access to your HELK server. And of course Roberto Rodriguez is the brains behind HELK, so shoutout to Roberto for the great work!

HELK Server

Preparation Steps

1. You will need a Digital Ocean account if you do not have one already. Once created, you will need to create an ssh key pair and then upload the public key to your Digital Ocean control panel (once logged in: Settings → Security →Add ssh key)
2. You will also need to create a Digital Ocean Personal Access Token (once logged in: API → Tokens/Keys → Generate New Token)

Steps After Set Your Digital Ocean Account Is Set Up:

First, Pull down my HELK-automation github repo. This repo contains a folder named “HELK-Server” that has the scripts for automation of standing up the HELK server in Digital Ocean. A summary of the contents is below:

• init.tf: This is the terraform config file for the HELK Server in Digital Ocean
• run.sh: This is the script that you run, which takes inputs from you to configure init.tf.
• 0098-all-filter.conf: This is a local copy of the HELK 0098-all-filter.conf file with an additional json section added for esf logs.
• orig/init-orig.tf: This is a clean init.tf copy that is used for initialization after everything is run

Steps:

1. Execute run.sh:

chmod +x run.sh && ./run.sh

run.sh script info:

1. If terraform is not installed, it will attempt to install it for you (on Linux or MacOS)
2. You will then be prompted to enter the following info:

• name (inside of Digital Ocean) that you want to call your HELK server
• name (inside of Digital Ocean) that you want to call your Firewall that will protect the HELK server
• source IP address that you want to ssh into your HELK server from
• source IP address of the macOS host that you will send endpoint security logs from
• Digital Ocean Personal Access Token
• Name of your Digital Ocean public ssh key inside of your Digital Ocean control panel
• Path to the private key that pairs with the public ssh key in your Digital Ocean control panel

Then the script will make some variable replacements and have terraform spin up your Digital Ocean droplet and download HELK. Note: This spins up an Ubuntu 20.04 x64 with 8GB of RAM, 160GB drive, and 4 AMD CPUs (costs $0.071/hour or $48/mo) in Digital Ocean zone SFO3.

— — — — — — —

Once the host is up, you can follow the steps noted by 4n7m4n in his original blog. To recap, follow these steps to complete HELK installation:

• ssh into your new HELK Digital Ocean droplet
• Run the helk_install.sh script:

HELK/docker/./helk_install.sh

• Enter “1” for the “Enter build choice [ 1 — 4 ]” option

• Enter the IP address of your Digital Ocean droplet for the “Set HELK IP” option. By default it should already pull this but double check to make sure.

• Set the password for your “helk” user (this will be used later to login via the https site)
• It will then finish installation and stand up HELK. What’s also nice is my run.sh script has terraform protect the new HELK server behind a DigitalOcean firewall so that only the source IPs specified can access it.

Next you can browse to your new HELK server over https and login using the helk username and password you set and you’ll see the main HELK dashboard (where your logs will show up later):

Now that the HELK server is set up and ready to receive logs, let’s look at the client side next

macOS Test Client

Next, I also automated some of the steps that 4n7m4n laid out for setting up the client side to send Endpoint Security logs to the HELK server.

My HELK-automation github repo contains a “macOS-client” folder. This folder contains the following contents to help with automation on the macOS side:

• filebeat-setup.sh (downloads and runs filebeat on the macOS client. filebeat is dropped to the macOS-client directory). The script also prompts you for the IP address of your new HELK Digital Ocean server from above and takes that IP and puts it into the filebeat.yml file. Then filebeat is executed and pointed to the filebeat.yml file
• fb.yml (this is a local copy that the script uses to make variable replacements and copies over to filebeat.yml for filebeat execution. This contains the path to the esf.log file, which I set to /tmp/esf.log. This is where the endpoint security logs will be written to and shipped to HELK)
• ESF-setup.sh (this downloads Objective See’s ProcessMonitor tool, which will be used to gather endpoint security events from the macOS test host)

Steps:

1. run filebeat-setup.sh
2. run ESF-setup.sh — note: ProcessMonitor will require full disk access to capture endpoint security events. So once this script is done give ProcessMonitor.app full disk access and then:

cd ProcessMonitor.app/Contents/MacOS
sudo ./ProcessMonitor > /tmp/esf.log

That’s it for the client side!

Viewing ESF Logs From Your macOS Endpoint

Now everything should be all set up for you to view the ESF logs coming from your macOS endpoint into HELK.

• Browse to https://[your_HELK_IP]
• Login with helk:[the_pw_you_set]
• Click the compass icon to view logs

This makes for an easy way to run macOS red team capabilities and see what the endpoint security framework logs look like. Some good candidate red team tools for testing on macOS include:

• https://github.com/its-a-feature/Mythic (and using several different JXA scripts such as https://github.com/D00MFist/PersistentJXA,
• https://github.com/cedowens/JXA-Firefox
• https://github.com/cedowens/SwiftBelt-JXA
• https://github.com/cedowens/Swift-Attack
• https://github.com/cedowens/MacC2

Happy Hunting!