Open MarcOverIP opened 4 years ago
I did some checks and it looks like Covenant doesn't have text log files, everything is stored in a sqlite file. I have also 0 experience with Covenant except the new install I just performed.
We could have 2 options there:
It would have my preference to - just as with other C2s that RedELK supports - keep the way of logging part of the codebase of the actual C2 itself and not part of RedELK. That would mean your option 1. All the other steps from my initial post are then still left on the RedELK side.
It would make sense to make an issue at the Covenant side, so I did: https://github.com/cobbr/Covenant/issues/221
Update: the roadmap for the 0.7 release of Covenant now includes extra logging. When that is out, we can start working on the RedELK side.
Awesome, that'd be great to have it in, I'll work on it when it's released
Have full support for the Covenant C2 framework (https://github.com/cobbr/Covenant).
I will need help from others with understanding the exact way of logging performed by Covenant; I have 0 experience with Covenant.
If Covenant is able to log to text-based log files, it is to be expected that we can align with the current setup of including Cobalt Strike logs into RedELK. That would mean the following things would need to be created:
My main problem at this moment is that I have no experience with Covenant and don't have access to demo logs that I can test with.
Any help with the above steps is well received. Help with access to demo logs would also work.