HELK Installation and Configuration – A Hunting I Will Go!

Since I wanted to extend the break from my assembly journey, I figured I would share my HELK installation and configuration guide.

HELK Installation – Introduction

If you read my DEF CON post this year, then you know I took the SpecterOps Adversary Tactics: Red Team Operations course.

During this course, the instructors were using HELK (among other things) to hunt us. After talking with Brian and Will after the course, I decided to set up an instance of it in my home lab. I’d never done blue-team work before and had only performed truly stealthy assessments a few times in my career.

Setting up and using HELK will not only allow me to see what the hunters see but also improve my tradecraft!

VM Setup

First, I set up a new VM for the HELK server in ESXi. Based on the requirements, I decided to give it 16GB of RAM and a 200GB hard drive. I’ve got the space, though that means it will be living on spinning disks instead of my SSDs.

(Screenshot: HELK Installation - VM Configuration)

Next, I added my Ubuntu 16.04 Server ISO to its disk drive.

(Screenshot: HELK Installation - Ubuntu ISO)

Once the machine booted, I went through a standard Ubuntu installation.

(Screenshot: HELK Installation - Ubuntu installation)

I then updated all the installed packages, just to prevent any headaches down the road.

(Screenshot: HELK Installation - Updates)

Finally, I gave my new server a static IP address in my router.

(Screenshot: HELK Installation - Static IP)

HELK Installation

With the VM configured, I pulled down the HELK repository.

Next, I ran the install script.

(Screenshot: HELK Installation - Installer)

As the documentation specifies, you can keep an eye on the installer's progress via /var/log/helk-install.log.

(Screenshot: HELK Installation - Progress logs)

Once the install was complete, I was able to visit my Kibana dashboard using the URL and credentials the installer provided!

(Screenshot: HELK Installation - Kibana)

HELK Usage and Monitoring

While I still have more blog posts planned on feeding the HELK, I wanted to offer a small preview of what it looks like after ingesting some logs.

(Screenshot: HELK Installation - Logs)

This is a quick example of my HELK installation being fed by Sysmon and Winlogbeat.

HELK Installation – Conclusion

The HELK installation process was incredibly easy, and I’m excited to start hunting myself.

My goal is to configure and automate an entire Windows domain lab for both offensive and defensive purposes. If you have any recommendations or tips on using Terraform, then I’d love to hear them.

Stay tuned for some upcoming posts on Sysmon, Winlogbeat, and actually using HELK!
