Aktaion: Open Source Tool For "Micro Behavior Based" Exploit Detection and Automated GPO Policy Generation
Aktaion is a lightweight JVM-based project for detecting exploits (and, more generally, attack behaviors). The project is meant to be a learning/teaching tool on how to blend multiple security signals and behaviors into an expressive framework for intrusion detection. The cool thing about the project is that it provides an expressive mechanism to add high-level IOCs (micro behaviors), such as the timing behavior of a certain malware family.
http://www.github.com/jzadeh/Aktaion
You can find the latest documentation, including a programming guide, on the project web page. This README file only contains basic setup instructions.
Aktaion is built using sbt (Simple Build Tool). To build Aktaion, use the assembly command:
sbt assembly
To run the jar from the command line, the following dependencies are required for scoring a PCAP:
BRO
Java 1.8
Rough Notes for building on IntelliJ (Mac/Windows):
Step 1: Download the Java 1.8 JDK (tested with java 1.8.0_102-b14): http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Step 2: Install Scala 2.11.8: https://www.scala-lang.org/download/2.11.8.html
Step 3: Install SBT 0.13.12: http://www.scala-sbt.org/download.html
Step 4: Clone the software repo: https://github.com/jzadeh/Aktaion.git or just copy the individual build.sbt file at the root of the project and the assembly plugin in the project/ subfolder.
Step 5: Run the command sbt at the root of the directory.
Step 6: Type compile at the sbt prompt if step 5 did not fail (there are no scripts at this point); make sure you don't hit any errors here either.
Step 7: Install IntelliJ Community Edition (free): https://www.jetbrains.com/idea/
Step 8: Install the Scala plugin for IntelliJ https://confluence.jetbrains.com/display/SCA/Scala+Plugin+for+IntelliJ+IDEA
Step 9: Optionally, install the sbt plugin for IntelliJ.
For OS X, the simple Homebrew method has been tested:
Install Homebrew:
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
brew install scala 2.11.8
brew install sbt 0.13.8
brew install bro
git clone git@github.com:jzadeh/Aktaion.git
cd Aktaion
sbt assembly
Python 2.70 dependencies: pip install paramiko, plus cryptostalker from https://github.com/unixist/cryptostalker
Some caveats about the Active Defense script:
- It can be run from Security Onion https://securityonion.net/
- You will need to create a GPO prior to executing the script and reference it by name (i.e. -Name antimal).
- The script will only work if you have an SSH server on your Windows server (you can use FreeSSH or OpenSSH).
- You will have to create an SSH account linked to AD with the proper permissions to execute PowerShell scripts.
- If this is going to be implemented in production, it is recommended to do it with a service account. The Microsoft recommended steps are here: https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx
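The caveats above boil down to a pre-flight check the Active Defense script depends on: the GPO must already exist, the Windows server must be reachable over SSH, and the SSH account must be allowed to run PowerShell. The following is an added example (written for this page, not part of Aktaion's own script) that performs that check with paramiko. It validates the GPO name before embedding it in the PowerShell command line, builds the remote command, and interprets the result; the host, user, key path and the "antimal" GPO name are placeholder assumptions, and Get-GPO is the GroupPolicy module cmdlet used by the name-based reference the README describes. The connection helper is the only part that needs paramiko and a live server; the pure functions run offline.

```python
"""Pre-flight check for the Active Defense script's GPO prerequisite.

Added example (not Aktaion code): confirm that the GPO referenced by name
(e.g. -Name antimal) exists on the Windows server before pushing policy,
and never splice an unvalidated name into the PowerShell command sent over SSH.
"""
import re

# Constructed naming policy: letters, digits, space, underscore, dot, hyphen.
# Quotes, semicolons, $ and other PowerShell metacharacters are excluded so the
# name can be embedded safely in a single-quoted PowerShell literal.
GPO_NAME_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")


def validate_gpo_name(name):
    """Return the name if it is safe to embed in a PowerShell command, else raise."""
    if not GPO_NAME_RE.match(name):
        raise ValueError("unsafe or empty GPO name: %r" % (name,))
    return name


def build_check_gpo_command(name):
    """Build the PowerShell one-liner that prints the GPO's DisplayName.

    Get-GPO fails (non-zero exit) when no GPO of that name exists, which is
    exactly the condition to catch before the Active Defense script runs.
    """
    safe = validate_gpo_name(name).replace("'", "''")  # PowerShell single-quote escape
    ps = "Get-GPO -Name '%s' | Select-Object -ExpandProperty DisplayName" % safe
    return 'powershell -NoProfile -NonInteractive -Command "%s"' % ps


def gpo_present(exit_status, stdout, name):
    """Interpret the remote result: the GPO is present only if the command
    exited 0 and echoed back exactly the name that was requested."""
    return exit_status == 0 and stdout.strip() == name


def check_gpo_over_ssh(host, username, key_filename, name, port=22):
    """Run the check on the Windows server over SSH, as the Active Defense
    script does with paramiko. host/username/key_filename are deployment
    specific (assumed values); the GPO must exist beforehand per the caveats."""
    import paramiko  # imported here so the pure functions above work without it
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    # Reject unknown host keys instead of trusting the first key seen.
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, port=port, username=username, key_filename=key_filename)
    try:
        _, out, _ = client.exec_command(build_check_gpo_command(name))
        status = out.channel.recv_exit_status()
        return gpo_present(status, out.read().decode("utf-8", "replace"), name)
    finally:
        client.close()


if __name__ == "__main__":
    # Hypothetical values: a Security Onion box checking the "antimal" GPO on a
    # domain controller reachable over SSH with a service-account key.
    print(build_check_gpo_command("antimal"))
    # check_gpo_over_ssh("dc01.example.local", "svc-aktaion",
    #                    "/home/sguil/.ssh/svc-aktaion", "antimal")
```

Run this from the Security Onion host with the service account's SSH key; if gpo_present returns False, create the GPO first rather than letting the script fail halfway through.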