outflanknl / RedELK

Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.
BSD 3-Clause "New" or "Revised" License

Support for Covenant C2 framework #23

Open MarcOverIP opened 4 years ago

MarcOverIP commented 4 years ago

Have full support for the Covenant C2 framework (https://github.com/cobbr/Covenant).

I will need help from others with understanding the exact way of logging performed by Covenant; I have 0 experience with Covenant.

If Covenant is able to log to text-based log files, it is to be expected that we can align with the current setup of including Cobalt Strike logs in RedELK. That would mean the following things are required to be created:

  1. Filebeat config to read the log file of Covenant on the c2 server
  2. Logstash rules that receive and filter the log lines
  3. Cron scripts running on the c2 server to copy relevant files (screenshots, downloaded files, etc.) from the Covenant directory to the /home/scponly directory
  4. Modified rsync script on elkserver to copy files from /home/scponly on c2 server.
  5. Review of field names in rtops- index to check if they are relevant for c2 in general, or (still) are too Cobalt Strike dedicated.
  6. Update on documentation.

My main problem at this moment is that I have no experience with Covenant and don't have access to demo logs that I can test with.

Any help with the above steps is well received. Help with access to demo logs would also work.

fastlorenzo commented 4 years ago

I did some checks and it looks like Covenant doesn't have text log files; everything is stored in a sqlite file. I also have 0 experience with Covenant, except for the new install I just performed.

We could have 2 options there:

  1. Add support for text logs to Covenant
  2. Make a script that will periodically query the sqlite database and append the changes in a structured manner to a text log file
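One way to implement option 2 above, as an added example that is not part of this thread, of RedELK or of Covenant: a Python exporter that polls the sqlite file with a persisted Id watermark and appends one JSON object per line to a text log, which Filebeat can then ship like any other C2 log. The `Events` table, its columns and the sample rows are a constructed stand-in, since Covenant's real schema is not given here; the database is opened read-only so the exporter can never touch the C2's own state.

```python
"""Poll a Covenant-style sqlite database and append new rows as JSON lines.

Hypothetical schema: the thread does not give Covenant's real table layout, so
a stand-in 'Events' table is constructed here purely for illustration.
"""
import json
import os
import sqlite3
import tempfile

# Assumed table; swap in the real Covenant table/columns once they are known.
SCHEMA = """
CREATE TABLE IF NOT EXISTS Events (
    Id      INTEGER PRIMARY KEY AUTOINCREMENT,
    Time    TEXT NOT NULL,
    Level   TEXT NOT NULL,
    Message TEXT NOT NULL
);
"""


def load_watermark(state_path):
    """Return the highest Id exported so far (0 if the exporter never ran)."""
    try:
        with open(state_path) as f:
            return int(f.read().strip() or 0)
    except FileNotFoundError:
        return 0


def save_watermark(state_path, last_id):
    """Persist the watermark via rename so a crash mid-write cannot corrupt it."""
    tmp = state_path + ".tmp"
    with open(tmp, "w") as f:
        f.write(str(last_id))
    os.replace(tmp, state_path)


def export_new_rows(db_path, log_path, state_path):
    """Append rows newer than the watermark to log_path, one JSON object per line.

    Returns the number of rows written. The watermark is only advanced after the
    log file has been flushed to disk, so a failed write is simply retried on the
    next cron run (at-least-once delivery; Logstash can dedupe on the 'id' field).
    """
    last_id = load_watermark(state_path)
    # mode=ro: the exporter must never be able to modify the C2 database.
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    conn.row_factory = sqlite3.Row
    try:
        rows = conn.execute(
            "SELECT Id, Time, Level, Message FROM Events WHERE Id > ? ORDER BY Id",
            (last_id,),
        ).fetchall()
    finally:
        conn.close()
    if not rows:
        return 0
    with open(log_path, "a") as f:
        for r in rows:
            record = {
                "id": r["Id"],
                "timestamp": r["Time"],
                "level": r["Level"],
                "message": r["Message"],
                "c2": "covenant",  # assumed field name for the Logstash side
            }
            f.write(json.dumps(record, separators=(",", ":")) + "\n")
        f.flush()
        os.fsync(f.fileno())
    save_watermark(state_path, rows[-1]["Id"])
    return len(rows)


def read_log(log_path):
    """Parse the JSON-lines file back into dicts (what Filebeat would ship)."""
    with open(log_path) as f:
        return [json.loads(line) for line in f if line.strip()]


def demo():
    """Constructed run: seed rows, export, export again (no-op), add a row, export."""
    workdir = tempfile.mkdtemp()
    db_path = os.path.join(workdir, "covenant.db")
    log_path = os.path.join(workdir, "covenant_events.log")
    state_path = os.path.join(workdir, "exporter.state")

    conn = sqlite3.connect(db_path)
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO Events (Time, Level, Message) VALUES (?, ?, ?)",
        [
            ("2020-05-01T10:00:00Z", "Info", "Listener HTTP started"),
            ("2020-05-01T10:05:12Z", "Info", "Grunt checked in"),
        ],
    )
    conn.commit()

    first = export_new_rows(db_path, log_path, state_path)  # 2 new rows
    again = export_new_rows(db_path, log_path, state_path)  # nothing new: 0

    conn.execute(
        "INSERT INTO Events (Time, Level, Message) VALUES (?, ?, ?)",
        ("2020-05-01T10:07:30Z", "Warning", "Grunt lost"),
    )
    conn.commit()
    conn.close()
    third = export_new_rows(db_path, log_path, state_path)  # 1 new row

    return {"counts": (first, again, third), "records": read_log(log_path)}


if __name__ == "__main__":
    for rec in demo()["records"]:
        print(json.dumps(rec))
```

Run from cron on the c2 server (for example every minute) with the log written somewhere Filebeat reads; because the watermark is kept outside the database, repeated runs only ever append the rows that arrived since the last one.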

MarcOverIP commented 4 years ago

My preference would be to - just as with the other C2s that RedELK supports - keep the logging as part of the codebase of the actual C2 itself and not part of RedELK. That would mean your option 1. All the other steps from my initial post are then still left on the RedELK side.

It would make sense to make an issue at the Covenant side, so I did: https://github.com/cobbr/Covenant/issues/221

MarcOverIP commented 4 years ago

Update: the roadmap for the 0.7 release of Covenant now includes extra logging. When that is out, we can start working on the RedELK side.

fastlorenzo commented 4 years ago

Awesome, that'd be great to have it in; I'll work on it when it's released.