The Hunting ELK (HELK)#

The Hunting ELK or simply the HELK is one of the first open source hunt platforms with advanced analytics capabilities such as SQL declarative language, graphing, structured streaming, and even machine learning via Jupyter notebooks and Apache Spark over an ELK stack. This project was developed primarily for research, but due to its flexible design and core components, it can be deployed in larger environments with the right configurations and scalable infrastructure.


  • Python : Python is a programming language that lets you work quickly and integrate systems more effectively.

  • Docker CE : Docker Community Edition (CE) is ideal for developers and small teams looking to get started with Docker and experimenting with container-based apps (Installed by HELK).

  • Docker Compose : a tool for defining and running multi-container Docker applications (Installed by HELK).

Install HELK#

Download the HELK. Make sure you have enough memory to run the basic build. You can run it with 5-6GB of RAM now (More information here).

$ git clone
$ cd HELK/docker

Update HELK’s basic docker-compose file. You just need to add the following right before ulimits. Similar to how it is set for the Logstash docker service

  - "9200:9200"

Run the HELK’s install script

$ sudo ./helk_install

Use the defaults (Option 1 and Basic license)

**          HELK - THE HUNTING ELK          **
**                                          **
** Author: Roberto Rodriguez (@Cyb3rWard0g) **
** HELK build version: v0.1.7-alpha02262019 **
** HELK ELK version: 6.6.1                  **
** License: GPL-3.0                         **

[HELK-INSTALLATION-INFO] HELK being hosted on a Linux box
[HELK-INSTALLATION-INFO] Available Memory: 12541 MBs
[HELK-INSTALLATION-INFO] You're using ubuntu version xenial

*      HELK - Docker Compose Build Choices          *


Enter build choice [ 1 - 2]: 1
[HELK-INSTALLATION-INFO] Set HELK elastic subscription (basic or trial): basic
[HELK-INSTALLATION-INFO] Set HELK IP. Default value is your current IP:
[HELK-INSTALLATION-INFO] Set HELK Kibana UI Password: hunting
[HELK-INSTALLATION-INFO] Verify HELK Kibana UI Password: hunting
[HELK-INSTALLATION-INFO] Installing htpasswd..
[HELK-INSTALLATION-INFO] Installing docker via convenience script..
[HELK-INSTALLATION-INFO] Installing docker-compose..
[HELK-INSTALLATION-INFO] Checking local vm.max_map_count variable and setting it to 4120294
[HELK-INSTALLATION-INFO] Building & running HELK from helk-kibana-analysis-basic.yml file..

Download Security Datasets#

Download the mordor repo and choose your technique:

$ curl -LJO
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  639k  100  639k    0     0  1797k      0 --:--:-- --:--:-- --:--:-- 1792k

Decompress the specific mordor log file

$ unzip 
  inflating: empire_dcsync_dcerpc_drsuapi_DsGetNCChanges_2020-09-21185829.json

Ship Data to HELK#

$ mordor/scripts/data-shippers/ --url http://localhost:9200 inputs empire_dcsync_dcerpc_drsuapi_DsGetNCChanges_2020-09-21185829.json

If you are using a fresh HELK install, then you should not have hundres of events in a few indices. Without accessing the Kibana interface, you can simply access the helk-elasticsearch docker container and use its APIs to see data available in it:

sudo docker exec -ti helk-elasticsearch bash
[root@6f8ff404383a elasticsearch] curl http://localhost:9200/_cat/indices?v

Output Example:

health status index                                         uuid                   pri rep docs.count docs.deleted store.size
green  open   .monitoring-logstash-7-2020.09.04             0wtkIPo-RxCZ1qRzxQTBoA   1   0       1085            0     34.9mb         34.9mb
green  open   .monitoring-kibana-7-2020.09.04               O73EUP4iREu1ZhfKI9iFrQ   1   0          5            0     90.8kb         90.8kb
green  open   logs-endpoint-winevent-additional-2019.03.01  GKlzhBx5RAii6hlHe7aTmQ   1   0         21            6    110.8kb        110.8kb
green  open   .apm-agent-configuration                      HfOnH3kOQgacIKGUNJWq9w   1   0          0            0       283b           283b
yellow open   mitre-attack-2020.09.04                       IIc2OSzqQc6NVZnOfQx-dQ   1   1       8624            0     25.7mb         25.7mb
green  open   .kibana_1                                     TiRgVYzYTByIDTPmh8afNA   1   0        276            2    274.9kb        274.9kb
green  open   logs-endpoint-winevent-sysmon-2019.03.01      qpoKrgjCQHKaNGSyPzGAIQ   1   0        323           70    596.3kb        596.3kb
green  open   logs-endpoint-winevent-sysmon-1990.12.18      QywJ1MqmSxKT4jRK0BiynQ   1   0          1            1     55.1kb         55.1kb
green  open   .monitoring-es-7-2020.09.04                   plh8oVR1QomWHr0QxPTxag   1   0         17            1      1.1mb          1.1mb
green  open   .kibana_task_manager_1                        s5b-0WjHR4OgXNtITmqDJg   1   0          2            0       34kb           34kb
green  open   logs-endpoint-winevent-security-2019.03.01    wK9G1vP5Qiy9HLLn6Q2tIw   1   0        178          265      504kb          504kb
green  open   logs-endpoint-winevent-powershell-2019.03.01  CziOhDQnT3-KhWm1FjGbwg   1   0       4583            0     39.8mb         39.8mb
green  open   logs-endpoint-winevent-system-2019.03.01      kgVBuZiETjCQOZmyOhIlBA   1   0         62            4    201.1kb        201.1kb
green  open   logs-endpoint-winevent-wmiactivity-2019.03.01 Z_umc3lEQHyBfNWIRAcWFw   1   0         14            0     49.5kb         49.5kb

Additional Access#

If your HELK instance is only accessible via SSH, you can create port forwarding with the following command to access the Kibana interface:

ssh -N -L 8080: -L 4043: <USER>@<IP-OF-HELK-SERVER>

Explore Data#

Browse to your Kibana Discover view and start going through the data

You could look for potential DCSync actvity from a non-Domain-Controller account with the following query in Kibana:

event_id:4662 AND object_properties:("*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*" OR "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*" OR "*89e95b76-444d-4c62-991a-0facbeda640c*")