RedELK Versions

Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.

v2.0.0-beta.6

2 years ago

Version 2.0.0 BETA6

  • New alarm: alarm when traffic hits any redir backend whose name contains 'alarm'. Allows for flexibility in smarter redir logic.
  • Chained X-Forwarded-For IPs are now also stored, in the field source.ip_otherproxies of the redirtraffic index.
  • Outflank Security Tooling specific: Stage1 C2 operator name recorded.
  • Outflank Security Tooling specific: Data from BlueCheck CertCheck, BlueCheck PasswordChangeCheck and BlueCheck SecurityToolCheck is now properly stored in ElasticSearch.
  • LogStash config is now mounted by default, allowing for easier modification of the config.
  • Template updates.
  • Fixed bug in storage of the www-data/c2logs directory.
  • Fixed bug to make email alarms work again.
  • Several smaller bugfixes.

v2.0.0-beta.5

2 years ago

Version 2.0.0 BETA5

  • log4shell fix: bumped ELK stack to 7.16.3
  • Further Docker and memory tunings
  • Moved Greynoise support to the community API and allowed a custom API key in the config file
  • Fixed bug with the updated APIs for the VirusTotal and IBM X-Force alarms
  • Fixed bug to make domain classifications via Chameleon.py work again.
  • Moved Filebeat config files to the config directory for easier support of multiple C2s on the same machine
  • Installer script enhancements, a.o. to check if accounts already exist on the elkserver
  • Numerous enhancements for easier development, e.g. pylint and the Kibana port accessible from localhost
  • Many bug fixes

v2.0.0-beta.4

3 years ago

Version 2.0.0 BETA4

  • Many bug fixes
  • Migrated background enrichment and alarm scripts to new modular setup
  • Added support for Cobalt Strike 4.2 and 4.3
  • Added sample data ingestor when running in dev mode
  • Made sure the Kibana searches Red Team Operations and Redirector Traffic are presented at the top of the list
  • Included an ES password import for Jupyter notebooks
  • Maximized the logging of docker logs
  • Migrated to official Neo4j container instead of old BloodHound container
  • Updated the RedELK Kibana app to include management of IP lists inside Kibana

What's new?

  • Updates release notes for v2 beta4 @MarcOverIP (#168)
  • Fix es fields @fastlorenzo (#169)
  • Fixed rsync @fastlorenzo (#166)
  • Fix logging @fastlorenzo (#165)
  • Revert neo4j changes @fastlorenzo (#164)
  • Updated neo4j container + added behind Nginx @fastlorenzo (#162)
  • Nginx full config optional (via installer) @fastlorenzo (#152)
  • Revert "Moved to neo4j official docker to fix #159" @MarcOverIP (#161)
  • Moved to neo4j official docker to fix #159 @fastlorenzo (#160)
  • Added possibility to set remote base path to get logs from @fastlorenzo (#154)
  • Fixed Kibana dashboard links @fastlorenzo (#156)
  • Added option to set docker max log size @fastlorenzo (#157)
  • Fixed date parsing for HAProxy @fastlorenzo (#147)
  • Migrate enrich.py to modular system @fastlorenzo (#117)
  • yolo script for resetting index to RW @xychix (#145)
  • Fix certbot-nginx-ssl issues and improved installer script @MarcOverIP (#128)
  • Update filebeat_cobaltstrike.yml @ceramic-skate0 (#136)
  • Update getremotelogs.sh to accept a custom SSH port @yamakadi (#135)
  • Issue #41 item 4 added an alarm, patched a few others @xychix (#118)
  • Refreshed index patterns @fastlorenzo (#121)
  • Updated templates for bluecheck, email and credentials @MarcOverIP (#123)
  • logstash email index fields renaming @MarcOverIP (#122)
  • Fixed missing logger initialisation @fastlorenzo (#120)
  • Added localhost as valid hostname @fastlorenzo (#119)
  • Updated helper script @fastlorenzo (#116)
  • Template updates regarding CS4.2 and other tuning @MarcOverIP (#115)
  • Randomize Neo4j password at install @fastlorenzo (#99)
  • Added dry-run mode @fastlorenzo (#100)
  • [dev] Add sample data ingestor @fastlorenzo (#82)
  • Upgrade to Elastic 7.10 @fastlorenzo (#112)
  • Fix search with free text @fastlorenzo (#113)
  • Fix for dev and non-existent domain @fastlorenzo (#111)
  • Added TLS support for nginx @fastlorenzo (#79)
  • Cobalt Strike 4.2 support @MarcOverIP (#110)
  • BUGFIX: installer bash syntax error @xychix (#107)

v2.0.0-beta.3

3 years ago

version 2.0.0 BETA3

  • Dockerized the installation of the elkserver components
  • Enabled X-pack on ELK stack
  • RedELK Kibana app is included by default
  • New format for alarm emails
  • Structured and increased the configurable options in the redelk config file config.json
  • Restructured enrich and alarm python scripts
  • Added rudimentary uninstall scripts for redirs, c2servers and elkserver

v2.0-beta2

3 years ago

Version 2.0 BETA2

  • Elastic stack upgraded to version 7.9.2
  • Made the Neo4J Browser available via nginx
  • Dashboard overview now has a separate list of 'external' tools, i.e. ATT&CK Navigator, Jupyter Notebooks and Neo4J Browser
  • Restructured the python scripts for alarming; they now have a modular setup
  • Added support for alarms via Microsoft Teams
  • Overall python scripts cleanup
  • Removed Docker 19.x specific commands to support a.o. Debian 10
  • More settings configurable via the alarm.json.config file, e.g. the ES connection string
  • elkinstaller script bugfixes

v2.0-beta1

3 years ago

First BETA release of the new version 2.

RedELK release notes

version 2.0 BETA1

  • Elastic stack upgraded to version 7.8
  • Use Elasticsearch ILM to manage indices
  • Elastic stack field naming overhaul:
    • Indices rtops and beacondb (now implantsdb) are now C2 framework agnostic instead of using Cobalt Strike specific terms
    • Field names adhere to the ECS naming standard as much as possible
    • Field names and their types are now defined in ES templates and Kibana index patterns
    • Documented all field names and types
  • First step of support for PoshC2 C2 framework. Thanks @benpturner for the heavy lifting
  • Offensive hunting tools are now installed on the RedELK server
    • Neo4J for BloodHound integration
    • Jupyter notebooks for custom searching and data handling
    • These two are installed by default unless you pass the 'limited' parameter to the elkserver installer
    • Elkserver installer is now aware of the amount of memory and adjusts the memory settings of ES and Neo4j to optimized values.
  • Cobalt Strike specific changes:
    • Support for Cobalt Strike 4.1
    • Credentials store is periodically read, parsed and sent to the RedELK server, where it is stored in a new index called credentials.
    • SSH beacon logs are now also ingested
    • CS listener info is also parsed and stored
  • Other:
    • Outflank PS-Tools output is now parsed and stored in extra fields inside the rtops index
    • Integrated and adjusted chameleon.py (thanks @DomChell) for performing domain classification checks
    • Emails from IMAP mailboxes can now be ingested and displayed in RedELK
    • Added several dashboards, visualisations and searches
    • Added User-Agent info to incoming traffic on redirectors
  • Bugfixes:
    • Fixed double space bug in the Apache catch-all Grok rule
    • Fix for incorrect GeoIP ASN lookup when using a CDN
    • Fixed several parsing bugs for CS
    • Fixed several parsing bugs for HAProxy

v1.1

3 years ago

version 1.1

  • Added support for Cobalt Strike 4.1. Thanks to @fastlorenzo
  • HTTP status code parsing improved to better handle non-RFC-compliant logging by some redir programs
  • Fix for supporting underscores in hostnames, although not allowed by the RFC. Thanks to @jaredhaight

v1.0.3

3 years ago

version 1.0.3

  • Added support for Nginx redirectors thanks to @sunnyneo

v1.0.2

4 years ago

version 1.0.2

  • Fixed silly bug in enrich.py that disabled Greynoise enrichment

1.0.1

4 years ago

version 1.0.1

  • Fixed bug in logstash filter rule when Apache doesn't have a hostname configured
  • Tuned verbosity of Alarm.py