outflanknl / RedELK

Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.
BSD 3-Clause "New" or "Revised" License

this should fetch server v2 implants back into redelk #292

Closed xychix closed 1 year ago

xychix commented 1 year ago

This should fetch server v2 implants back into RedELK. main.log seems to be unused in the new Stage1 server.

MarcOverIP commented 1 year ago

Incomplete. Need to double-check that the scripts running in the background on the C2 server are OK with these new paths, i.e. the cron job and the script in /usr/share/redelk/bin/copydownloads_outflankstage1.sh. The Ruby scripts that generate the hyperlink in Kibana also need to be updated to reflect the new path.

MarcOverIP commented 1 year ago

To check:

Waiting for a bug fix in Stage1 regarding the logging of downloaded files.

maxgrim commented 1 year ago

File URL in dashboard is incorrect. RedELK creates a URL for downloads/[uid]_[filename] whereas it should be downloads/[uid] (e.g. downloads/N6Q37TKNAZ_whisker.exe instead of downloads/N6Q37TKNAZ).

MarcOverIP commented 1 year ago

> File URL in dashboard is incorrect. RedELK creates a URL for downloads/[uid]_[filename] whereas it should be downloads/[uid] (e.g. downloads/N6Q37TKNAZ_whisker.exe instead of downloads/N6Q37TKNAZ).

After review, this is fixed by the bash script running in the background, which copies downloads/N6Q37TKNAZ to downloads/N6Q37TKNAZ_whisker.exe.

PR looks good. Merging.
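The resolution above depends on a background copy from downloads/<uid> to downloads/<uid>_<filename>, so that the path Kibana links to exists on disk. The script below is an added example of that copy step; it is not RedELK's copydownloads_outflankstage1.sh and does not know the real Stage1 log format. It assumes a tab-separated "uid<TAB>original filename" mapping (constructed inline here) and adds the check a practitioner would want in this position: the original filename is chosen on the target host, so it is stripped of directory components and unsafe characters before being used to build a path, and existing copies are left alone so the script is safe to run from cron repeatedly.

```shell
#!/bin/sh
# Added example, not RedELK project code. Assumed input: a downloads
# directory holding files named by uid, plus a uid<TAB>filename mapping
# standing in for whatever Stage1 actually logs (constructed below).

# Reduce a target-supplied filename to a safe basename: drop any
# directory part (neutralises ../ traversal) and replace characters
# outside a conservative set, so it can be appended to "<uid>_" safely.
safe_name() {
    printf '%s' "$1" | sed -e 's#.*/##' -e 's/[^A-Za-z0-9._-]/_/g'
}

# copy_downloads DOWNLOADS_DIR MAPPING_FILE
# For each "uid<TAB>filename" line, copy DOWNLOADS_DIR/uid to
# DOWNLOADS_DIR/uid_<safe filename>, the name RedELK links to.
# Skips uids that are not plain alphanumerics, files not yet downloaded,
# and copies that already exist. Prints the number of files copied.
copy_downloads() {
    dir=$1
    map=$2
    n=0
    tab=$(printf '\t')
    while IFS="$tab" read -r uid fname; do
        [ -n "$uid" ] || continue
        case $uid in *[!A-Za-z0-9]*) continue ;; esac   # uid must be alnum
        src="$dir/$uid"
        [ -f "$src" ] || continue                     # nothing to copy yet
        dst="$dir/${uid}_$(safe_name "$fname")"
        [ -e "$dst" ] && continue                     # idempotent across runs
        cp -p "$src" "$dst" && n=$((n + 1))
    done < "$map"
    echo "$n"
}

# Stand-alone demo with constructed data (run: sh script.sh demo).
demo() {
    work=$(mktemp -d)
    dl="$work/downloads"
    mkdir -p "$dl"
    printf 'MZ' > "$dl/N6Q37TKNAZ"       # constructed stand-in for a download
    printf 'x'  > "$dl/ABCDEF1234"
    printf 'N6Q37TKNAZ\twhisker.exe\nABCDEF1234\t../../etc/passwd\n' > "$work/map.tsv"
    echo "copied: $(copy_downloads "$dl" "$work/map.tsv")"
    ls "$dl"
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

In the demo the traversal attempt in the second mapping line ends up as downloads/ABCDEF1234_passwd inside the downloads directory rather than anywhere under /etc, and a second invocation over the same mapping copies nothing.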