outflanknl / RedELK

Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.
BSD 3-Clause "New" or "Revised" License

Permission and Implant Log URL issue #261

Closed sunnyneo closed 2 years ago

sunnyneo commented 2 years ago

It's important to ensure [log][file][path] is groked before cs_makebeaconlogpath.rb, otherwise there will be a misalignment between the Implant URL, [implant][log_file] and [log][file][path] for beacons that are running for multiple days, as [log][file][path] will take the value from where the beacon was first established, as shown below.

{
  "implant.log_file": [
    "/c2logs/CS/cobaltstrike/logs/220516/x.x.x.x/beacon_1223281090.log"
  ],
  "log.file.path": [
    "/opt/cobaltstrike/logs/220603/x.x.x.x/beacon_1223281090.log"
  ]
}

I also had an issue accessing the beacon logs via Kibana due to permission issues; prior to this, I solved it by adding a cron job that does a chown every minute, which is messy. Making the /var/www/html/cslog folder owned by redelk:www-data would make more sense, since only redelk is making changes to the folders and the SGID bit is set to propagate www-data group ownership to files created subsequently, without having to chmod/chown down the road.

Lastly, I had an issue with the RedELK cron job not activating in redelk-base due to permissive file permissions, so I changed them to 600 to make sure only the file owner can make changes to it.
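As an added illustration (not part of the original issue or of RedELK's own code), a small Python check for the misalignment described in the comment above: it compares the YYMMDD directory and beacon filename in implant.log_file against log.file.path and flags documents where the same beacon log is attributed to different days. The path layout (.../logs/YYMMDD/<ip>/beacon_<id>.log) is taken from the sample in the comment; the event records are constructed.

```python
import re
from typing import Optional

# Path layout taken from the sample in the issue:
#   <prefix>/logs/<YYMMDD>/<ip>/beacon_<id>.log
# The prefix differs between the two fields (/opt/cobaltstrike on the
# teamserver vs. the /c2logs/CS/... copy RedELK serves), so only the
# trailing components are compared.
CS_LOG_RE = re.compile(r"/logs/(?P<day>\d{6})/(?P<host>[^/]+)/(?P<name>beacon_\d+\.log)$")


def split_cs_log_path(path: str) -> Optional[dict]:
    """Return the day, host and filename components of a Cobalt Strike log path."""
    m = CS_LOG_RE.search(path)
    return m.groupdict() if m else None


def find_misaligned(events: list[dict]) -> list[dict]:
    """Flag events whose implant.log_file and log.file.path disagree.

    A beacon that runs for several days is written to a new YYMMDD directory
    each day; when [log][file][path] was not groked before the log path was
    built, the two fields point at different days for the same beacon log,
    which is the Implant URL symptom described in the issue.
    """
    flagged = []
    for ev in events:
        implant = split_cs_log_path(ev.get("implant.log_file", ""))
        source = split_cs_log_path(ev.get("log.file.path", ""))
        if implant is None or source is None:
            flagged.append({**ev, "reason": "unparseable path"})
        elif implant["name"] != source["name"]:
            flagged.append({**ev, "reason": "different beacon log"})
        elif implant["day"] != source["day"]:
            flagged.append({**ev, "reason": f"day mismatch {implant['day']} != {source['day']}"})
    return flagged


# Constructed sample events; the first mirrors the misalignment quoted in the issue.
SAMPLE_EVENTS = [
    {"implant.log_file": "/c2logs/CS/cobaltstrike/logs/220516/x.x.x.x/beacon_1223281090.log",
     "log.file.path": "/opt/cobaltstrike/logs/220603/x.x.x.x/beacon_1223281090.log"},
    {"implant.log_file": "/c2logs/CS/cobaltstrike/logs/220603/x.x.x.x/beacon_1223281090.log",
     "log.file.path": "/opt/cobaltstrike/logs/220603/x.x.x.x/beacon_1223281090.log"},
]

if __name__ == "__main__":
    for hit in find_misaligned(SAMPLE_EVENTS):
        print(hit["reason"], hit["log.file.path"])
```

Run it against documents exported from the rtops index to confirm whether the filter ordering fix has taken effect for long-running beacons.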

MarcOverIP commented 2 years ago

Thanks for bringing this up. I need to investigate this, as this previously did not show up as an issue, nor on our own installations.

MarcOverIP commented 2 years ago

Thank you Sunny, once again!