
Winlogbeat configuration prone to Man-in-the-Middle attacks

Open cr-secion opened this issue 2 years ago • 0 comments

The agent installation script install-sysmon-beats.ps1 sets a winlogbeat configuration on the client that renders the TLS encryption useless, making the communication between client/agent and espy server prone to MitM. This is caused by the following configuration segment:

  ssl:
    enabled: true
    verification_mode: none

The obvious way to solve this would be to set verification_mode to full or strict and install a properly signed server certificate to the espy server, but this may not be possible in every environment and would also require manual installation procedures for every espy server, so it does not scale very well.

Proposed Solution

I will detail an alternative approach that I've successfully implemented in a prototype shell script (that got a little ugly). TL;DR is that I use a local CA on the espy server, bake the corresponding cert into an install-sysmon-beats.ps1, and enable client cert auth as a bonus. This means that I actually generate a custom PowerShell installer ON the espy server, which can afterwards be deployed to the Windows clients.

  1. If not present, generate a CA cert and key in /etc/espy/certificates/ca/ca.{crt,key}
  2. If not present, use the CA to generate a server cert and key in /etc/espy/certificates/redis.{crt,key}
  3. If not present, use the CA to generate a client cert and key in /etc/espy/certificates/client.{crt,key,pass}
  4. In /etc/espy/redis.conf, set tls-cert-file, tls-key-file to the corresponding paths
  5. In /etc/espy/redis.conf, set ca-cert-file /etc/espy/certificates/ca/ca.crt and tls-auth-clients yes
  6. Put the CA cert, the client cert+key+pass into install-sysmon-beats.ps1 and set verification_mode to certificate in the winlogbeat config.

verification_mode: certificate only verifies that the signature is from a trusted CA, but ignores the hostname/FQDN (so it works regardless of whether an IP, hostname or FQDN is used to communicate with the redis service). Note that the certificate mode requires a more recent winlogbeat version than the one currently downloaded by the script, as I pointed out in https://github.com/activecm/espy/issues/36. The corresponding new ssl section in the redis config looks like the following (this is from my ps1 installer template, therefore REPLACE_whatnot would get filled in by the shell script):

  ssl:
    enabled: true
    supported_protocols: [TLSv1.3]
    verification_mode: certificate
    certificate_authorities:
      - |
REPLACE_CACERT
    certificate: |
REPLACE_CLIENTCERT
    key: |
REPLACE_CLIENTKEY
    key_passphrase: `"`${CLIENTKEY_PASSWORD}`"

Obviously steps 3 and 5 are optional, as they implement additional client certificate checks. This is useful especially if the redis port gets exposed to the internet, as only configured clients are able to establish a TLS connection, which reduces the attack surface.

Cheers Clemens

cr-secion, Apr 13 '22 16:04
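The six-step procedure from the proposal above, as an added example that is not espy's own install script: a POSIX shell version that builds the local CA, issues the redis server cert and the client cert, checks that both chain to the CA (the check `verification_mode: certificate` performs on the Windows side) and splices the PEM files into the REPLACE_* placeholder lines of the ps1 template. It assumes CERT_DIR stands in for /etc/espy/certificates, leaves the client key unencrypted (so client.pass is not produced), and does not touch redis.conf (steps 4 and 5).

```shell
#!/bin/sh
# Added example (not espy's own install script): the local-CA workflow from the
# proposal. Paths under CERT_DIR mirror /etc/espy/certificates; the client key
# is left unencrypted here, so the client.pass step is not covered.
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"   # assumption: /etc/espy/certificates in production

# Step 1: create the CA only if it does not exist yet
gen_ca() {
  mkdir -p "$CERT_DIR/ca"
  [ -f "$CERT_DIR/ca/ca.key" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$CERT_DIR/ca/ca.key" -out "$CERT_DIR/ca/ca.crt" \
    -subj "/CN=espy local CA" 2>/dev/null
}

# Steps 2 and 3: issue a CA-signed cert; $1 = file stem (redis|client), $2 = CN
issue_cert() {
  [ -f "$CERT_DIR/$1.crt" ] && return 0
  openssl req -new -newkey rsa:2048 -nodes -keyout "$CERT_DIR/$1.key" \
    -out "$CERT_DIR/$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$CERT_DIR/$1.csr" -CA "$CERT_DIR/ca/ca.crt" \
    -CAkey "$CERT_DIR/ca/ca.key" -CAcreateserial -days 825 \
    -out "$CERT_DIR/$1.crt" 2>/dev/null
  rm -f "$CERT_DIR/$1.csr"
}

# The check verification_mode: certificate performs on the client side: does the
# cert chain to the baked-in CA (hostname is deliberately not part of it).
verify_against_ca() {
  openssl verify -CAfile "$CERT_DIR/ca/ca.crt" "$CERT_DIR/$1.crt" >/dev/null 2>&1
}

# Step 6: replace one REPLACE_* placeholder line in the ps1 template with a PEM
# file, indented so it stays inside the YAML block scalar ("- |" / "key: |").
render_template() {   # $1 = template, $2 = placeholder, $3 = PEM file
  awk -v ph="$2" -v pem="$3" '
    $0 == ph { while ((getline line < pem) > 0) print "        " line; next }
    { print }' "$1"
}

# Stand-alone run: ESPY_DEMO=1 sh this_script.sh
if [ "${ESPY_DEMO:-0}" = 1 ]; then
  gen_ca; issue_cert redis espy-redis; issue_cert client winlogbeat-client
  verify_against_ca redis && verify_against_ca client && echo "chain OK in $CERT_DIR"
fi
```

Run render_template once per placeholder (REPLACE_CACERT, REPLACE_CLIENTCERT, REPLACE_CLIENTKEY) and pipe the result on to the next call to produce the finished installer.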