outflanknl / redelk Goto Github PK

c2.message field is currently of type keyword, which does not accept length >32k (UTF8).
This should be switched to text type.

Both Apache and HAPRoxy logstash rules add ASN info to sourceip. However, when there is a CND involved, the wrong source field is used. Resulting in ASN info for the IP of the CDN instead of the real source (x-forwarded-for) address.

Instead of using the ruby script to add some metadata (like the beacon details) to log entries, it's possible to use logstash's elasticsearch filter and directly query the elasticsearch database.

I'm currently doing this for several points:

1. Adding beacon data from beacon_id:

After elkserver/logstash/conf.d/50-c2-cobaltstrike.conf#L89 and elkserver/logstash/conf.d/50-c2-cobaltstrike.conf#L253 added the following:

    # enrich the beacon data using the retrieved beacon_id
    elasticsearch {
      hosts => "127.0.0.1"
      index => "beacondb"
      query => "beacon_id:%{beacon_id}"
      fields => {
        "target_hostname" => "target_hostname"
        "target_ipext" => "target_ipext"
        "target_os" => "target_os"
        "target_osversion" => "target_osversion"
        "target_osbuild" => "target_osbuild"
        "target_pid" => "target_pid"
        "target_user" => "target_user"
      }
      result_size => 1
      enable_sort => false
      user => ["logstash"]
      password => ["{{elk_logstash_system_password}}"]
    }

This does the lookup directly from ES and can then be removed from the ruby script used to enrich the data.

2. Added new indices for the different IP lists:

I've added new indices to have the different IP lists stored, and after elkserver/logstash/conf.d/20-redir-haproxy.conf#L154, I've added the following:

     # matches the source ip with any ip in the different ip lists
     elasticsearch {
       hosts => "127.0.0.1"
       index => "iplist_*"
       query => "ip:%{src_ip}"
       fields => { "type" => "iplist" }
       result_size => 1
       enable_sort => false
       user => ["logstash"]
       password => ["{{elk_logstash_system_password}}"]
     }

     # unknown IP
     if ![iplist] {
       # checking with greynoise
       ruby { 
         path => "/usr/share/redelk/bin/greynoise.rb"
       }
     } else {
       mutate {
         add_tag => [ "iplist_%{iplist}" ]
       }
     }

This allows normally to get rid of ´elkserver/scripts/enrich.py´ and do most of the processing in logstash. Please note that you still need to maintain your different ´iplist_*´ indices (like tor, redteam ips, etc.).

I'll be happy to integrate those changes in a PR if you see a use of this.

I was actually wondering if there is a specific reason of not using logstash to do that processing?

Auto start dockers at boot

Hey guys,

I think there might be a bug in the install-c2server-cobaltstrike.sh script. I got a curious error when running the install routine. From the redelk-install.log file:

I think the issue has to do with this block in the script itself:

When I changed it to set the destination path to filebeat.yml instead of just being copied as filebeat_cobatlstrike.yml, the routine worked.

Thanks for all the hard work!
Jason

HAProxy, and possibly others report a HTTP status code of "-1" when there was an error. Current Logstash grok filters use POSINT, which will fail in this case.

Solution: replace the filter with INT instead of POSINT

install-elkserver.sh now pulls the latest version of the docker images of neo4j and jupyter notebooks. We should set those to version numbers that we know that work.

The install ELK script for RedELK version 2 - BETA 1 uses the invalid --quiet argument:

root@ELK:~/elkserver# docker pull --quiet jupyter/scipy-notebook
unknown flag: --quiet
See 'docker pull --help'.
root@ELK:~/elkserver# docker pull --help

Usage:	docker pull [OPTIONS] NAME[:TAG|@DIGEST]

Pull an image or a repository from a registry

Options:
  -a, --all-tags                Download all tagged images in the repository
      --disable-content-trust   Skip image verification (default true)
root@ELK:~/elkserver# docker version
Client:
 Version:           18.09.1
 API version:       1.39
 Go version:        go1.11.6
 Git commit:        4c52b90
 Built:             Sun, 14 Jun 2020 22:12:29 +0200
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.09.1
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.11.6
  Git commit:       4c52b90
  Built:            Sun Jun 14 20:12:29 2020
  OS/Arch:          linux/amd64
  Experimental:     false

I just adjusted the script to remove the flag and continue on.

I just starting following the conversations to support Covenant C2 (#23) and immediately saw the same issues exist for Mythic (everything in a DB, no log files). I'd love to see Mythic support for RedELK, so can you all outline exactly what you'll need from Mythic to support log ingestion?

For Ghostwriter, we went the route of building Mythic Sync as a standalone tool that connects and listens for events to get the data where we want it, but isn't an ideal solution.

Is the list below (from Covenant Feature Request) the same items you'll need from Mythic/any other C2?

• Filebeat config to read the log file of Covenant on the c2 server
• Logstash rules that receive and filter the log lines
• Cron scripts running on the c2 server to copy relevant files (screenshots, downloaded files, etc) from the Covenant directory to the /home/scponly directory
• Modified rsync script on elkserver to copy files from /home/scponly on c2 server.
• Review of field names in rtops- index to check if they are relevant for c2 in general, or (still) are too Cobalt Strike dedicated.
• Update on documentation

CC @its_a_feature

The install ELK script for RedELK version 2 - BETA 1 uses the invalid --quiet argument:

root@ELK:~/elkserver# docker pull --quiet jupyter/scipy-notebook
unknown flag: --quiet
See 'docker pull --help'.
root@ELK:~/elkserver# docker pull --help

Usage:	docker pull [OPTIONS] NAME[:TAG|@DIGEST]

Pull an image or a repository from a registry

Options:
  -a, --all-tags                Download all tagged images in the repository
      --disable-content-trust   Skip image verification (default true)
root@ELK:~/elkserver# docker version
Client:
 Version:           18.09.1
 API version:       1.39
 Go version:        go1.11.6
 Git commit:        4c52b90
 Built:             Sun, 14 Jun 2020 22:12:29 +0200
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.09.1
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.11.6
  Git commit:       4c52b90
  Built:            Sun Jun 14 20:12:29 2020
  OS/Arch:          linux/amd64
  Experimental:     false

I just adjusted the script to remove the flag and continue on.

Thanks for this AWESOME project <3 FTW Elastic ELK

Hope you can help me with creating a user to only has read privileges to see example: Screenshots from some filters or scenario ? i don't know if that feature is already done.

Thanks

full integration test of the entire set

create the redelk images in docker

Support for Mythic C2 - https://github.com/its-a-feature/Mythic

I just starting following the conversations to support Covenant C2 (#23) and immediately saw the same issues exist for Mythic (everything in a DB, no log files). I'd love to see Mythic support for RedELK, so can you all outline exactly what you'll need from Mythic to support log ingestion?

For Ghostwriter, we went the route of building Mythic Sync as a standalone tool that connects and listens for events to get the data where we want it, but isn't an ideal solution.

Is the list below (from Covenant Feature Request) the same items you'll need from Mythic/any other C2?

• Filebeat config to read the log file of Covenant on the c2 server
• Logstash rules that receive and filter the log lines
• Cron scripts running on the c2 server to copy relevant files (screenshots, downloaded files, etc) from the Covenant directory to the /home/scponly directory
• Modified rsync script on elkserver to copy files from /home/scponly on c2 server.
• Review of field names in rtops- index to check if they are relevant for c2 in general, or (still) are too Cobalt Strike dedicated.
  • https://raw.githubusercontent.com/outflanknl/RedELK/master/elkserver/templates/redelk_kibana_index_rtops.json
• Update on documentation

CC @its_a_feature

• an env.tmpl file
• adjust installer scripts to modify the env.tmpl file and export it as .env file

In the current setup, only the folder containing the certificates can be passed as an environment variable.

This should be changed to add the possibility to pass the full path to the certificate, ca and key files instead.

I would like to see the following alarms added as part of alarm.py:

1. alarm for status change of domain classifications in bluecheck index. Alarm on any change!
2. alarm when a domain has a 'bad' classification. Bad is defined in the list that is already added as comment to alarm_check4 in alarm.py. This list of bad words comes from a review of classes defined by the domain checkers as currently supported by chameleon.py
3. alarm when an ip listed in /etc/redelk/iplist_blueteams.conf touches any part of our infra, so regardless of proxy destiantion. As one may have collected a list of egress IPs of blue teams during the years, this alarm may serve as an early warning for any type of investigation. Im not sure this list should be pre-populated as part of the RedELK package. But having the option to have alarms from a specific IP can be very useful
4. alarm when any connection is sent to proxy destionation 'alarm'. This is a hardcoded name. But is allows the red team operators to still get an alarm fromout redelk when specific logical on the redirector has determined this should get an alarm.

Desired modifications to alarm.py are:

5. when reading config files, adhere to comments mid-line. So stop reading after a # character
6. be able to read IP subnets in config files and translate as such in ES queries. This should not be that hard as ES is IP and subnet aware.

The logging of the different internal scripts (enrich, alarm, etc) should be standardized and ingested back into ES.

The main idea being to have a view on the status of RedELK itself (e.g. making a dashboard + adding alerting in case of issues)

I followed the instruction to set up redelk. I have my certificate based on ip address. I have kibana dashboard up but I don't see my team server logs and my redirs logs getting populated. When I dig deeper in logs, I found logstash is having ssl issue.

Handling exception: javax.net.ssl.SSLHandshakeException: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER

I added ssl_verify_mode => none in the 10-inputs.conf file but didn't help.
I change TLS to 1.2 an regenerate the certs but didn't help as well.
This is the new config.cnf the character "-" is because data cant be public.

[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn

[dn]
C = -
ST = -
L = -
O = -
OU = -
CN = http://www.-
emailAddress = -

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = XXX.XXX.XXX.XXX
DNS.2 = XXX.XXX.XXX.XXX
IP.1 = XXX.XXX.XXX.XXX

Any tips? All is ubuntu 18.04 #16

The following ES index templates are missing:

• credentials
• bluecheck
• email

We should parse the useragent info from the redirector logs so RedELK shows system info directly in Kibana. This can be done using the logstash useragent filter (https://www.elastic.co/guide/en/logstash/current/plugins-filters-useragent.html)

From the log file it is possible to correlate the [input] (which contains the user that created a task) and the related [task] entry.
I implemented it locally in logstash, I will create a PR when I have a bit more time.

One attention point is that it will query for the [input] entry with the same timestamp and beaconid, so multiple results could be found if 2 tasks are launched at the same exact time on the same beacon (which is normally less likely to happen).

I wonder if we can remove the following:

1. Every installer sets the timezone at the beginning of the installation. Its hardcoded at Europe/Amsterdam right now, albeit via an easy to change variable. However, Im not sure its even necessary to set the timezone and I wonder if it can be removed as the time parsing in logstash seems to work OK.
2. I wonder if /etc/redelk/known_testsystems.conf serves any good. It once started as a way to detect sandboxes. But I believe the alarm on unknown IP c2 destination is more helpful, or a new alarm to an 'alarm' backend. Does this serve any purpose? Do people use it?
3. destination.ip in logstash' redirector config doesn't seem to be used. Can it be removed?

I've been at this for 2 days now. Can't seem to get any teamserver logs into Kibana. I'm sure its something simple I've overlooked, but I'm not sure where I have left to check.

Cobaltstrike is running on a Kali box out of /opt, so I've manually updated the filebeat.yml to point to /opt/cobaltstrike/logs. The box does not have a direct internet connection, so to install beats I SCPed the filebeat binary and the filebeat.service files from the install on a redirector. For installation I just used the install from RedELK.

I've tested the yaml with filebeat -c /etc/filebeat/filebeat.yml -e -d "*"
This shows the harvester checking all the correct logfiles for updates, so I'm pretty sure filebeats is working, it just doesn't seem like its showing in Kibana.

I've gone through all the debugging here: https://www.digitalocean.com/community/tutorials/how-to-troubleshoot-common-elk-stack-issues

Went through the troubleshooting steps from Part 2 of the walkthrough (https://outflank.nl/blog/2020/02/28/redelk-part-2-getting-you-up-and-running/). There are errors in the install log, including failure to add the GPG key, install apt-transport-https, install filebeat, and install rush. As mentioned before, I manually moved those binaries over since the system doesnt have internet. There are issues in logstash-plain.log, but those are DNS timeout issues on resolving addresses from redirectors. greping for rtop turned up no results. The output.logstash hosts field is set to the correct ip address, and I'm not seeing any SSL errors. There were some testing beacon logs from 2 days ago that haven't loaded, and I tested a new beacon after installing filebeats on the teamserver, and I'm not seeing any data.

Tried to go through all the rush settings / edit rush.rc, but wasn't really sure how exactly that was working, or if that had anything to do with the logs getting to Kibana.

Removing the filters for Red Team Operations on Kibana doesn't help. I'm able to get data in from the redirector, just not seeing anything from the teamserver.

Really excited to read that, according to the latest release, support for Nginx has been added!

I have searched for any updates in the wiki and blog posts but I can only assume time hasn't allowed for that :)

Would you be able to share the config line to set Nginx to use the right logging format?

Thanks

Currently, the default neo4j password is hardcoded to BloodHound in the .env.tpml file.

A randomized password should be created at install (similar as with the ES users).

Have full support for the PoshC2 framework (https://github.com/nettitude/PoshC2).

I will need help from others with understanding the exact way of logging performed by PoshC2.

Cobalt Strike logs from ssh sessions are not included in RedELK. I believe this requires:

1. A change to the filebeat configuration (ssh logs are in a different file that is now completely missed by filebeat)
2. A good look at the CS logstash rules to see if we need to set tags, change fields and as they are always linked to other beacons the proper way of filling the relevant fields for linking.

root@kronlab:/opt/ferramentas/tools/RedELK# ./initial-setup.sh
This script will generate necessary keys RedELK deployments
[X] ERROR missing parameter
[X] require 1st parameter: path of openssl config file
root@kronlab:/opt/ferramentas/tools/RedELK#

I'm execute commands: ./initial-setup.sh certs/config.cnf when appear this problem, I set is DNS1：redelk.totallynotavirus.nl.I'm a rookie. I'm asking for your help. Thank you

Filebeat fails to connect to logstash on a vanilla install on Ubuntu 18.04. Solution is to change ownership of the .crt and .key file to the logstash user per: logstash-plugins/logstash-input-beats#197 (comment)

chown logstash /etc/logstash/certs/elkserver.key
chown logstash /etc/logstash/certs/elkserver.crt

Redir logs: /var/log/filebeat/filebeat:

INFO    pipeline/output.go:95   Connecting to backoff(async(tcp://<RedELK>:5044))
ERROR   pipeline/output.go:100  Failed to connect to backoff(async(tcp://<RedELK>:5044)): dial tcp <RedELK>:5044: connect: connection refused
INFO    pipeline/output.go:93   Attempting to reconnect to backoff(async(tcp://<RedELK>:5044)) with 1 reconnect attempt(s)
ERROR   pipeline/output.go:100  Failed to connect to backoff(async(tcp://<RedELK>:5044)): dial tcp <RedELK>:5044: connect: connection refused
INFO    pipeline/output.go:93   Attempting to reconnect to backoff(async(tcp://<RedELK>:5044)) with 2 reconnect attempt(s)
INFO    pipeline/output.go:105  Connection to backoff(async(tcp://<RedELK>:5044)) established

logstash logs: /var/log/logstash/logstash-plain.log

[ERROR][logstash.inputs.beats    ] Looks like you either have a bad certificate, an invalid key or your private key was not in PKCS8 format.
[WARN ][io.netty.channel.ChannelInitializer] Failed to initialize a channel. Closing: [id: 0xb7d6cfd3, L:/<RedLK>:5044 - R:/<Redir>:46340]
java.lang.IllegalArgumentException: File does not contain valid private key: /etc/logstash/certs/elkserver.key
        at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:267) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:90) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
        at org.logstash.netty.SslSimpleBuilder.build(SslSimpleBuilder.java:112) ~[logstash-input-beats-5.1.6.jar:?]
        at org.logstash.beats.Server$BeatsInitializer.initChannel(Server.java:131) ~[logstash-input-beats-5.1.6.jar:?]
        at org.logstash.beats.Server$BeatsInitializer.initChannel(Server.java:101) [logstash-input-beats-5.1.6.jar:?]
        at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:113) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:105) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:606) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.channel.DefaultChannelPipeline.access$000(DefaultChannelPipeline.java:46) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1412) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1131) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:656) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:510) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:423) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:482) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:403) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:463) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_191]
Caused by: java.security.KeyException: could not find key file: /etc/logstash/certs/elkserver.key
        at io.netty.handler.ssl.PemReader.readPrivateKey(PemReader.java:114) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.handler.ssl.SslContext.toPrivateKey(SslContext.java:1014) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:265) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
        ... 20 more

The email template for the new alarms doesn't display well in Outlook (ok in Roundcube and Outlook mobile)

I followed the instruction to set up redelk. I have my certificate based on ip address. I have kibana dashboard up but I don't see my team server logs getting populated. When I dig deeper in logs, I found logstash is having ssl issue.

Caused by: javax.net.ssl.SSLHandshakeException: error:10000412:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE

I added ssl_verify_mode => none in the 10-inputs.conf file but didn't help. Any tips?

I collect suricata logs on my target facing interface to be aware of what traffic I send and receive. For trade craft I like to know if I tripped a IDS rule. I would like to be able to ingest these logs into redelk.

adjust the docker files for non dev (full and limited) to use the right docker tags.

Currently, the redirector traffic dashboard only shows maps, it would be good to also add some details underneath (ex: saved search, alarm numbers, etc.)

First off, this is a genius project! Great use of Elastic ELK.

• 1. I should be able to send you something to set the default kibana index once I get back to my main computer this weekend.
• 2. Have you thought about doing OCR on the images? and adding to another field in elasticsearch? If you have, let me know I can send you stuff to help with that.
• 3. Have you thought about adding JA3 hashes? If you have, let me know I can send you stuff to help with that. Should be able to be done with packetbeats and some proxies.
• 4. Are you able to explain more what is going on with not being able to get the true source IP coorelated/added? Trying to see if I could help anyway.
• 5. To solve "Ingest manual IOC data", you should be able to create a directory and point logstash or beats at it. Any new files added should automatically be parsed by logstash/beats file input.
• 6. To add more useragent info using logstash useragent parser: https://www.elastic.co/guide/en/logstash/current/plugins-filters-useragent.html
• 7. To help with "Other alarm channels", you could add in https://github.com/Yelp/elastalert
• 8. Have you thought about using translate plugin or even elasticsearch analyzers to make more sense out of keystroke logs? For example, you could create a custom elasticsearch analyzer on the keystroke field (still keep the raw/original key stroke field) and place it in say "keystrokes.analyzed". Your analyzer could essentially allow you easily query keystroke by splitting up in known english or even add other languages.
     Also, you could create an even more customized one that essentially creates tokens on 2-3 characters in a row. Would be useful to query large strings/things by matching on only 2/3 characters.
     The other languge analyzers would be really great usecase of Elastic because of its many language supports:
     https://www.elastic.co/guide/en/elasticsearch/plugins/current/analysis-kuromoji.html
     https://www.elastic.co/guide/en/elasticsearch/reference/current/analysis-lang-analyzer.html

I really think you will be able to make sifting through the data even easier and better with all the custom analyzers and use cases of Elastic. Example, I know there are really great use cases of using Elastic essentially as a "file share" / file storage search. Including for microsoft office, images, pdf searching for text. Also, many projects based on images that could be used on the screenshot stuff.

There is so much potential with this already great project.
Keep up the amazing work.

Cobalt Strike version 3.14 changed a bit in the format of the logging. The logstash grok parsing rules in RedELK need to be updated to reflect the new logging of ver 3.14.

Currently, if you run RedELK with Cobalt Strike v3.14, the logs will be there, but there is no knowledge of sub fields. As a result, enrichment also fails.

we should have the option to run the installer in 'dry run' mode (for example to create the .env file with randomized passwords, but not deploying directly so variables in .env file can be adjusted)

Kibana does not show target_user, target_hostname,... at screenshots search. It only show at log metadata.
I don't understand how to have field target_user, target_hostname so screenshot log doesn't contain field to parse to target_user, target_hostname.
Hoping to hear from you soon.

The current way CS credentials are extracted is creating duplicates in ES, which should be fixed.

Have full support for the Covenant C2 framework (https://github.com/cobbr/Covenant).

I will need help from others with understanding the exact way of logging performed by Covenant; I have 0 experience with Covenant.

If Covenant is able to log to text based log files, it is to be expected we can align to the current setup of including Cobalt Strike logs into RedELK. That would mean the following things to be required to be created:

1. Filebeat config to read the log file of Covenant on the c2 server
2. Logstash rules that receive and filter the log lines
3. Cron scripts running on the c2 server to copy relevant files (screenshots, downloaded files, etc) from the Covenant directory to the /home/scponly directory
4. Modified rsync script on elkserver to copy files from /home/scponly on c2 server.
5. Review of field names in rtops- index to check if they are relevant for c2 in general, or (still) are too Cobalt Strike dedicated.
6. Update on documentation.

My main problem at this moment is that I have no experience with Covenant and don't have access to demo logs that I can test with.

Any help with above steps is well received. Help with access to demo logs would also work.

Can we automate searching for valuable strings in downloaded files? Eg password, pwd, connectionstring, etc? Possibly make an extra config file in /etc/redelk/loot.comf (or any other better name) where the operator can enter other terms he may be interested in, e.g. in case of local language translations for 'password'

Questions that come up thinking about this:

1. Do we store in an extra index, e.g. called loot? I think this is not necessarily required although IM ok if it does.
2. Do you want an alarm every time something is found, or will this potentially overload you with alarms?
3. How do we technically do this? Perhaps simple local (python) script that periodically scans the downloaded files directory, excludes c2implant logs, and outputs to a log file that is ingested by logstash on the redelk server?
4. Can we do the same for logged keystrokes? One thing that we do want to have in the keystroke loot checking is the title of the screen where the interesting data was found, and/or the content of the keystroke log when the interesting data was the name of a program you are interested in, e.g. content that was entered in a keepass window.
5. How can we set this up as much C2 dependent as possible?

Thanks for putting this together. Much, much appreciated. I was able to fix another problem I had. But, I was curious why my beacons location is not showing up on the map. Is there something I need to add to the script? Also, I haven't added anything to the redirector, I appreciate some clarity on that too :)

The ES template for redirtraffic should be checked and fixed (e.g. source.geo data mapping is incorrect)

It would be great to have several additional dashboard to show (for example):

• Tasks launched on all/a specific beacon
• Downloads
• Keystrokes
• Users connecting to CS
• TTPs used
• ...

I'm currently trying to create some of them, I will add them in a PR when they are stable.