Red team tooling support

Marc Smeets edited this page May 19, 2023 · 9 revisions

Supported redirector proxy

RedELK currently supports:

| Reverse proxy | Level of support |
|---|---|
| HAProxy | full support - requires modified default log format |
| Apache | full support - requires modified default log format |
| Nginx | full support - requires modified default log format |
| RedWarden | in development |

Important: RedELK requires modified logging, compared to the defaults of your redirector tech, in order to get more and relevant info. You can find example configuration files in the Redirector installation section and in the example-data-and-configs folder.

Supported C2 frameworks

RedELK currently supports:

| C2 framework | Level of support |
|---|---|
| Cobalt Strike | full support (logs, keystrokes, screenshots, etc.) |
| Outflank Stage 1 C2 | full support |
| PoshC2 | basic support (logs). Working on keystrokes, screenshots, etc. |
| Sliver | in development |
| Covenant | in development |
| Mythic C2 | in development |

Want to add your own C2 framework, or want to help us? See the section below for guidance.

Adding support for other C2 frameworks

When adding support for a new C2, you should start with basic support before going for full support. Basic support means all kinds of log parsing. Full support builds on top of log parsing and also includes downloading of screenshots and keystrokes, any type of custom scripting required for that C2, etc.

Start with basic support

  1. Your C2 needs to generate sufficient logging of the most important actions. How much is sufficient? Cobalt Strike is a decent example of the amount of info. You can check here for the list of fields that RedELK understands for C2 logs. The more your C2 supports, the better. Some of these fields can be considered too much for basic support, e.g. creds.*, c2.listener.* and screenshot.*. It's OK if you want to include these fields now, but they can also be added at a later moment if you want.
  2. On the c2server side we need to make sure the logs are ingested by the RedELK component running on the C2 server. We do this by creating a Filebeat config file with the correct parameters. You can check here for a few examples.
  3. On the ELK server side the logs need to be parsed. We do this with Logstash, so we need to create Logstash filter rules. This is where the field list of step 1 comes into play. See the Cobalt Strike one as an example. If you put them in the elkserver/mounts/logstash-config/redelk-main/conf.d/ directory, they are automatically picked up by Logstash.
  4. Enrichment is required if not every C2 log line contains all relevant info. For example, with Cobalt Strike only the initial beacon line contains the info on username and implant hostname. If your C2 has all the info per log line, awesome, no need for enrichment. However, if RedELK needs to copy the info from an initial line to all subsequent lines, enrichment is needed. This requires three files:
    • the actual Python script that does the enrichment (CS example here)
    • a C2-specific config section (CS example here)
    • and inclusion of the new C2 in the overall RedELK config file (example here).
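As an added illustration of the enrichment described in step 4 (example code written for this page, not RedELK's own enrichment script), the snippet below parses a constructed C2 log where only the initial "new implant" line carries the user and hostname, and copies those values onto every later line of the same implant. The log format and the field names (implant.id, user.name, host.name, c2.*) are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: only the initial line of each implant carries user/host,
# later lines for that implant only carry its id (the situation step 4 describes).
SAMPLE_LOG = """\
2023-05-19 10:01:02 [new implant] id=1234 user=alice host=WS01
2023-05-19 10:01:30 [task] id=1234 cmd=whoami
2023-05-19 10:02:10 [new implant] id=5678 user=bob host=SRV02
2023-05-19 10:02:40 [output] id=1234 bytes=21
2023-05-19 10:03:00 [task] id=5678 cmd=hostname
"""

# Assumed line layout: "<date> <time> [<event>] id=<n> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<event>[^\]]+)\] id=(?P<id>\d+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one raw line into a flat event dict (the job Logstash does in step 3)."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unknown layout: skip the line rather than guess at fields
    event = {"@timestamp": m.group("ts"),
             "c2.event": m.group("event"),
             "implant.id": m.group("id")}
    for key, value in KV_RE.findall(m.group("rest")):
        event["c2." + key] = value  # assumed field prefix
    return event


def enrich(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Copy user/host from each implant's initial line onto all its later lines.

    Events are handled in log order, so a line that arrives before its implant's
    initial line stays unenriched instead of receiving data from another implant.
    """
    seen: Dict[str, Dict[str, str]] = {}
    for ev in events:
        if ev["c2.event"] == "new implant":
            seen[ev["implant.id"]] = {"user.name": ev["c2.user"], "host.name": ev["c2.host"]}
        for key, value in seen.get(ev["implant.id"], {}).items():
            ev.setdefault(key, value)  # never overwrite info the line already has
    return events


def enrich_log(raw: str) -> List[Dict[str, str]]:
    """Parse and enrich a whole log text; returns the enriched events in order."""
    return enrich([e for e in map(parse_line, raw.splitlines()) if e])
```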

Full Support

  1. On the C2 server side, a cron job runs that copies some basic log files from the source C2 dir to a dedicated directory. This dedicated dir later on gets synced back to the RedELK server for easy viewing of the full log files straight from the Kibana interface. See example here.
  2. As in the previous step, we might need extra scripts to gather other relevant data from your C2. This depends on the C2. Some examples here.
  3. On the RedELK server side we want some scripts for Logstash to insert URL paths for the extra fun things like screenshots, keylog transcripts, credentials, etc. Some examples here.
  4. Revisit the fields skipped in step 3 to make sure we get maximum value from the logs.

Now, this isn't too hard if you have some experience with the ELK stack. I expect only a few hours of work to get to basic support. The examples of other C2s can be very valuable, so you might be able to produce this all yourself. If not, please create an issue and the maintainers can help you out.