RedELK v0.9 releases: tool for Red Teams used for tracking and alarming about Blue Team activities
Red Team’s SIEM – an easy deployable tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability for the Red Team in long-term operations.
Goal of the project
Short: a Red Team’s SIEM.
Longer: a Red Team’s SIEM that serves three goals:
- Enhanced usability and overview for the red team operators by creating a central location where all relevant operational logs from multiple teamservers are collected and enriched. This is great for historic searching within the operation as well as for giving a read-only view on the operation (e.g. for the White Team). Especially useful for multi-scenario, multi-teamserver, multi-member and multi-month operations. It also offers super easy ways for viewing all screenshots, IOCs, keystroke output, etc. \o/
- Spot the Blue Team by having a central location where all traffic logs from redirectors are collected and enriched. Using specific queries it’s now possible to detect that the Blue Team is investigating your infrastructure.
- Out-of-the-box usable by being easy to install and deploy, as well as having ready-made views, dashboards and alarms.
Here’s a conceptual overview of how RedELK works.
RedELK uses the typical components Filebeat (shipping), Logstash (filtering), Elasticsearch (storage) and Kibana (viewing). Rsync is used as a second channel for syncing teamserver data: logs, keystrokes, screenshots, etc. Nginx is used for authentication to Kibana, as well as for serving the screenshots, beacon logs and keystrokes in an easy way in the operator's browser.
A set of python scripts is used for the heavy enriching of the log data, and for Blue Team detection.
Future development
- Default index issue. Automate the selection of the rtops-* index as the default one in Kibana. This is a manual step at this moment.
- Include the real external IP address of a beacon. As Cobalt Strike has no knowledge of the real external IP address of a beacon session, we need to get this from the traffic index. So far, we have not found a truly 100% reliable way of doing this.
- Support for Apache redirectors. Fully tested and working filebeat and logstash configuration files that support Apache-based redirectors. Possibly additional custom log configuration needed for Apache. Low priority.
- Solve rsyslog max log line issue. Rsyslog (the default syslog service on Ubuntu) breaks long syslog lines. Depending on the CS profile you use, this can become an issue. As a result, some fields are not properly parsed by logstash, and thus not properly included in elasticsearch.
- Ingest manual IOC data. When you are uploading a document, or something else, outside of Cobalt Strike, it will not be included in the IOC list. We want an easy way to have these manual IOCs also included. One way would be to enter the data manually in the activity log of Cobalt Strike and have a logstash filter to scrape the info from there.
- Ingest e-mails. Create input and filter rules for IMAP mailboxes. This way, we can use the same easy ELK interface for having an overview of sent emails, and replies.
- User-agent checks. Tagging and alarming on suspicious user-agents. This will probably be divided into hardcoded stuff like curl, wget, etc. connecting to the proper C2 URLs, but also more dynamic analysis of suspicious user-agents.
- DNS traffic analysis. Ingest, filter and query for suspicious activities at the DNS level. This will take considerable work due to the large amount of noise/bogus DNS queries performed by scanners and online DNS inventory services.
- Other alarm channels. Think Slack, Telegram, or whatever other way you want for receiving alarms.
- Fine-grained authorisation. A possibility of blocking certain views, searches, and dashboards, or masking certain details in some views. Useful for situations where you don’t want to give out all information to all visitors.
Changelog v0.9
- Support for Cobalt Strike 3.14
- Upgraded JVM to OpenJDK 11.0
- Upgraded Filebeat, Elasticsearch, Logstash and Kibana to 6.8.2
- Support for Cobalt Strike Downloads: downloaded files from each teamserver can be searched and downloaded directly from the RedELK Kibana interface. No more need to login to each teamserver to search and download files.
- Support for MITRE ATT&CK numbers in Cobalt Strike’s task output. This is indexed as field “attack_technique”. Fancy visuals are not yet included in this release.
- New alarm: rogue user-agents that connect to your C2 backend. A basic list (e.g. curl*, python*) is pre-populated in /etc/redelk/rogue_useragents.conf
- Support for Cobalt Strike SMB and TCP type beacons. Regardless of type (SMB or TCP) linked beacons are now tracked in ES field ‘beacon_linked’ (true/false). Parent or child state is tracked in the field ‘beacon_linkmode’ (child or parent) and IP address of the parent/child is tracked in the fields ‘target_linkparentnode’ and ‘target_linkchildnode’.
- Full support for changed logging in Cobalt Strike version 3.14. This includes more log files, structured time format logging as well as changed timestamp to now include (UTC) time zone. Thanks @fastlorenzo for quick fix on the time zone part.
- Modified hyperlinks in Kibana to screenshots, log files, etc. to include the new timestamp as used in Cobalt Strike version 3.14.
- Cobalt Strike profiles are rsynced to RedELK server. Interpretation and full inclusion in RedELK is to be done at a later moment.
- Much improved error checking and reporting in installation scripts.
- Installer now checks state of Kibana before continuing and inserting templates.
- Improved pre-install checks, e.g. already installed packages and existing directories.
- Version of ELK packages is pinned instead of installing the latest available version.
- Installer now more clearly states the essential manual post-installation steps.
- Fixed bug that made installers crash with ‘unsupported locale settings’ in some circumstances. Locale is now set explicitly during installation.
- Ownership and permission of logstash certificates are now set to work on Ubuntu 18.04 and higher.
- Modified Cobalt Strike logstash rules to use UTC instead of system’s time zone.
- Fixed bugs in ES template to now have every IP address defined as type IP address.
- Many, many under the hood optimizations and bugfixes of python scripts used for enrichment and alarming.
- Added tracking of IP addresses for which alarms are sent; 1 alarm per applicable IP address.
- RedELK now tracks abuse.ch feeds of known botnet IP addresses and SSL certificates of botnets. Data goes to /etc/redelk/abuse*.conf files. Alarming to be done in a later release.
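The rogue user-agent alarm and the one-alarm-per-IP tracking listed above, and the user-agent checks planned under future development, come down to the same detection loop: parse redirector traffic, match the user-agent against a pattern list, restrict to hits on the real C2 URIs, and raise at most one alarm per source IP. The block below is an added example written for this page; it is not RedELK's own code. It assumes the redirector logs are in the Nginx/Apache "combined" format, that rogue_useragents.conf holds one shell-style glob per line (the curl*/python* entries mentioned above suggest this, but the exact file format is an assumption), and that the operator supplies the set of C2 paths; all sample log lines and the function names are constructed for the example.

```python
"""Added example (not RedELK's own code): rogue user-agent check over
redirector access logs, with one alarm per source IP.

Assumptions, not taken from the page:
- redirector logs are in Nginx/Apache "combined" log format;
- the pattern file holds one shell-style glob per line ("curl*", "python*");
- the C2 URI paths are supplied by the operator.
"""
import fnmatch
import re

# Constructed sample redirector log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2019:10:01:02 +0000] "GET /jquery-3.3.1.min.js HTTP/1.1" 200 5233 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
198.51.100.7 - - [12/Aug/2019:10:02:15 +0000] "GET /jquery-3.3.1.min.js HTTP/1.1" 200 5233 "-" "curl/7.58.0"
198.51.100.7 - - [12/Aug/2019:10:02:16 +0000] "GET /jquery-3.3.1.slim.min.js HTTP/1.1" 200 5233 "-" "python-requests/2.22.0"
192.0.2.55 - - [12/Aug/2019:10:05:40 +0000] "GET /robots.txt HTTP/1.1" 404 162 "-" "curl/7.58.0"
192.0.2.99 - - [12/Aug/2019:10:06:01 +0000] "GET /jquery-3.3.1.min.js?v=1 HTTP/1.1" 200 5233 "-" "Wget/1.19.4 (linux-gnu)"
"""

# Constructed pattern list in the assumed one-glob-per-line format of rogue_useragents.conf.
ROGUE_UA_CONF = """\
# rogue user agents, shell-style globs, matched case-insensitively
curl*
python*
Wget*
"""

# Paths the C2 profile actually serves; hits elsewhere are scanner noise.
C2_PATHS = {"/jquery-3.3.1.min.js", "/jquery-3.3.1.slim.min.js"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def load_patterns(conf_text):
    """Read globs from the config text, skipping blanks and '#' comments."""
    return [l.strip() for l in conf_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_rogue(ua, patterns):
    """True if the user-agent matches any glob (case-insensitive)."""
    ua_l = ua.lower()
    return any(fnmatch.fnmatchcase(ua_l, p.lower()) for p in patterns)


def find_rogue_hits(log_text, patterns, c2_paths):
    """All parsed requests whose UA is rogue AND whose path (query stripped) is a C2 URI."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path in c2_paths and is_rogue(rec["ua"], patterns):
            hits.append(rec)
    return hits


def alarms_per_ip(hits, already_alarmed=None):
    """Collapse hits to one alarm per source IP, skipping IPs alarmed in earlier runs.

    Returns {ip: first matching record}; the caller persists the keys as the
    'already alarmed' state for the next run.
    """
    already = set(already_alarmed or ())
    alarms = {}
    for rec in hits:
        ip = rec["ip"]
        if ip in already or ip in alarms:
            continue
        alarms[ip] = rec
    return alarms


if __name__ == "__main__":
    patterns = load_patterns(ROGUE_UA_CONF)
    hits = find_rogue_hits(SAMPLE_LOG, patterns, C2_PATHS)
    for ip, rec in alarms_per_ip(hits).items():
        print(f"ALARM rogue UA from {ip}: {rec['ua']!r} -> {rec['path']} at {rec['ts']}")
```

On the sample data this produces two alarms (198.51.100.7 and 192.0.2.99); the curl hit on /robots.txt from 192.0.2.55 is deliberately ignored because it never touched a C2 URI, which is the distinction that keeps internet-wide scanner noise out of the alarm channel. Persisting the alarmed IPs between runs is what gives the "1 alarm per applicable IP address" behaviour described in the changelog.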
Copyright (c) 2018, Outflank B.V.
All rights reserved.