outflanknl / RedELK

Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.
BSD 3-Clause "New" or "Revised" License
2.35k stars, 371 forks

Check for consistent usage of c2.log.type field #273

Closed: MarcOverIP closed this issue 1 year ago

MarcOverIP commented 2 years ago

Check if terms used in c2.log.type are consistent across multiple C2 frameworks. Especially pay attention to beacon, implant_input and implant_task.

MarcOverIP commented 1 year ago

The main difference is that CS starts with c2.log.type=beacon instead of implant like Stage1. Because of some incorrect logstash filtering of Cobalt Strike logs, for every log that starts with [note] the value of c2.log.type stays beacon.

Frankly, this is good enough. Closing this issue now.

Stage1

- events (becomes one of)
- implant (becomes one of)

Cobalt Strike

- events (becomes one of)
- beacon (becomes one of)
- screenshots (stays the same)
- keystrokes (stays the same)
- downloads (stays the same)
- credentials (stays the same)

PoSHC2

- events (becomes one of)
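The consistency check the issue asks for, and the [note] behaviour the closing comment describes, can be reproduced outside logstash. The following is an added example, not RedELK's own filter code: it assumes a filter that seeds c2.log.type with the framework prefix ("beacon" for Cobalt Strike, "implant" for Stage1 and PoSHC2, as stated in the comment) and only appends a suffix when the line carries a recognised tag. The tag list, the `classify`/`inconsistent_suffixes` helpers and the sample log lines are all constructed for this example; implant_input and implant_task are the only type names taken from the issue.

```python
"""Cross-framework consistency check for c2.log.type values.

Added example, not RedELK's logstash configuration. Framework prefixes follow
the issue ("beacon" for Cobalt Strike, "implant" otherwise); the recognised
tag list and the sample lines are constructed assumptions.
"""
import re

# Prefix each framework's filter starts from (from the issue comment).
PREFIX = {"cobaltstrike": "beacon", "stage1": "implant", "poshc2": "implant"}

# Tags that the hypothetical filter knows how to map to a type suffix.
# Anything else (for instance [note]) leaves the bare prefix in place.
TAG_SUFFIX = {"input": "input", "task": "task", "output": "output", "checkin": "checkin"}

# "<date> <time> UTC [tag] message" shape, constructed for this example.
LINE_RE = re.compile(r"^\S+ \S+ UTC \[(?P<tag>[a-z_]+)\] ?(?P<msg>.*)$")

BARE = "(bare prefix)"  # marker for lines that never got a suffix


def classify(framework, line):
    """Return the c2.log.type a prefix-then-override filter would assign.

    The value starts as the bare framework prefix and is only refined when the
    tag is recognised, which is exactly why a [note] line from Cobalt Strike
    ends up as plain "beacon" rather than a beacon_* value.
    """
    log_type = PREFIX[framework]
    m = LINE_RE.match(line)
    if m and m.group("tag") in TAG_SUFFIX:
        log_type = f"{log_type}_{TAG_SUFFIX[m.group('tag')]}"
    return log_type


def type_suffixes(framework, lines):
    """Framework-independent suffixes produced for these lines (BARE if none)."""
    prefix = PREFIX[framework]
    suffixes = set()
    for line in lines:
        log_type = classify(framework, line)
        if log_type.startswith(prefix + "_"):
            suffixes.add(log_type[len(prefix) + 1:])
        else:
            suffixes.add(BARE)
    return suffixes


def inconsistent_suffixes(samples):
    """Suffixes that not every framework produces, keyed by framework.

    An empty dict means the c2.log.type vocabulary is consistent, so a
    cross-framework dashboard or alarm keyed on *_input / *_task will not
    silently miss one framework's events.
    """
    per_fw = {fw: type_suffixes(fw, lines) for fw, lines in samples.items()}
    common = set.intersection(*per_fw.values())
    return {fw: sorted(s - common) for fw, s in per_fw.items() if s - common}


# Constructed sample lines; only Cobalt Strike carries a [note] line.
_COMMON = [
    "07/15 10:00:01 UTC [input] <operator> ls",
    "07/15 10:00:02 UTC [task] list files",
    "07/15 10:00:05 UTC [checkin] host called home",
    "07/15 10:00:06 UTC [output]",
]
SAMPLES = {
    "cobaltstrike": _COMMON + ["07/15 10:00:07 UTC [note] constructed note line"],
    "stage1": list(_COMMON),
    "poshc2": list(_COMMON),
}

if __name__ == "__main__":
    for fw, lines in SAMPLES.items():
        for line in lines:
            print(f"{fw:13s} {classify(fw, line):18s} {line}")
    print("inconsistent:", inconsistent_suffixes(SAMPLES))
```

Running the block lists each sample line with its assigned type and then reports that only the Cobalt Strike set contains a bare "beacon" entry, which is the [note] case from the comment; every other suffix (input, task, output, checkin) is shared by all three frameworks.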