HELK Installation and Configuration – A Hunting I Will Go!

Since I wanted to extend the break from my assembly journey, I figured I would share my HELK installation and configuration guide.

HELK Installation - Introduction

If you read my DEF CON post this year, then you know I took the SpecterOps Adversary Tactics: Red Team Operations course.

During this course, the instructors were using HELK (among other things) to do their hunting of us. After talking with Brian and Will after the course, I decided to set up an instance of it in my home lab. I'd never done blue team work before, and only performed true stealthy assessments a few times in my career.

Setting up and using HELK will not only allow me to see what the hunters see, but also improve my tradecraft!

VM Setup

First, I set up a new VM for the HELK server in ESXi. Based on the requirements, I decided to give it 16GB of RAM and a 200GB hard drive. I've got the space, though that means it will be living on spinning disks instead of my SSDs.

HELK Installation - VM Configuration

Next, I added my Ubuntu 16.04 Server ISO to its disk drive.

HELK Installation - Ubuntu ISO

Once the machine booted, I went through a standard Ubuntu installation.

HELK Installation - Ubuntu installation

I then updated all the installed packages, just to prevent any headaches down the road.

HELK Installation - Updates

Finally, I gave my new server a static IP address in my router.

HELK Installation - Static IP

HELK Installation

With the VM configured, I pulled down the HELK repository.

Next, I ran the helk_install.sh script.

HELK Installation - Installer

Like the documentation specified, you can keep an eye on the progress via /var/log/helk-install.log.

HELK Installation - Progress logs

Once the install was complete, I was able to visit my Kibana dashboard using the provided URLs/credentials!

HELK Installation - Kibana
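As an added example (my own script, not code from this post or from the HELK project), here are the install steps above collected into a few POSIX shell functions with a preflight check in front of them. It assumes the HELK repository at https://github.com/Cyb3rWard0g/HELK, that the installer is docker/helk_install.sh in a current checkout (older revisions kept it at the repository root, so both locations are tried), that the progress log is the /var/log/helk-install.log path named above, and it uses the 16GB / 200GB sizing from this post as thresholds rather than any documented HELK minimum. The file name helk_setup.sh in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post or the HELK project: the HELK
# install steps as reusable functions with a resource preflight.
# Assumptions: repo URL below; installer at docker/helk_install.sh (or the
# repo root in older revisions); 16 GB RAM / 200 GB disk are the sizes chosen
# in the post, not HELK's documented minimums; log path is the one the post names.
set -eu

HELK_REPO="https://github.com/Cyb3rWard0g/HELK.git"
HELK_DIR="${HELK_DIR:-$HOME/HELK}"
HELK_LOG="/var/log/helk-install.log"
MIN_RAM_MB=16000
MIN_DISK_MB=200000

# helk_preflight RAM_MB FREE_DISK_MB: returns 0 when both meet the thresholds,
# 1 otherwise, reporting whichever is short on stderr.
helk_preflight() {
  ram_mb="$1"; disk_mb="$2"; rc=0
  if [ "$ram_mb" -lt "$MIN_RAM_MB" ]; then
    echo "preflight: RAM ${ram_mb} MB is below ${MIN_RAM_MB} MB" >&2; rc=1
  fi
  if [ "$disk_mb" -lt "$MIN_DISK_MB" ]; then
    echo "preflight: free disk ${disk_mb} MB is below ${MIN_DISK_MB} MB" >&2; rc=1
  fi
  return "$rc"
}

# find_installer DIR: print the path of helk_install.sh inside a checkout,
# trying both places the script has lived; returns 1 if neither exists.
find_installer() {
  if [ -f "$1/docker/helk_install.sh" ]; then
    echo "$1/docker/helk_install.sh"
  elif [ -f "$1/helk_install.sh" ]; then
    echo "$1/helk_install.sh"
  else
    return 1
  fi
}

# helk_install: preflight against the live host, clone the repo if it is not
# already there, run the installer from its own directory as root, then point
# at the progress log the post mentions.
helk_install() {
  ram_mb=$(awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo)
  disk_mb=$(df -Pk "$HOME" | awk 'NR == 2 { print int($4 / 1024) }')
  helk_preflight "$ram_mb" "$disk_mb"
  [ -d "$HELK_DIR" ] || git clone "$HELK_REPO" "$HELK_DIR"
  installer=$(find_installer "$HELK_DIR")
  (cd "$(dirname "$installer")" && sudo ./helk_install.sh)
  echo "Installer finished; review the log with: less $HELK_LOG"
}

# Usage on the fresh Ubuntu VM (file name is hypothetical):
#   . ./helk_setup.sh && helk_install
```

The preflight exists because the sizing decision in this post was made by hand; encoding it means a too-small VM fails before the installer starts pulling images rather than partway through. The installer is run from its own directory since it references files relative to itself, and sudo is used because it installs Docker and writes under /var/log.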

HELK Usage and Monitoring

While I still have some more blog posts planned for feeding the HELK, I wanted to offer a small preview of what it looks like after ingesting some logs.

HELK Installation - Logs

This is a quick example of my HELK installation being fed by Sysmon and Winlogbeat.

HELK Installation - Conclusion

The HELK installation process was incredibly easy, and I'm excited to start hunting myself.

My goal is to configure and automate an entire Windows domain lab for both offensive and defensive purposes. If you have any recommendations or tips on using Terraform, then I'd love to hear them.

Stay tuned for some upcoming posts on Sysmon, Winlogbeat, and actually using HELK!

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.

Filed under Security Not Included
