
Comments (41)

MarcOverIP avatar MarcOverIP commented on June 6, 2024

Seems like a challenge to install this on a non-internet connected teamserver, but doable with some manual actions.

What version are you trying to install?

Also, any error in the install log should be a red flag. You say there are many, so let's start there. Can you paste the installation log?

Also, check the log of logstash on the elkserver, as well as filebeat on the teamserver.

from redelk.

6r0k3d avatar 6r0k3d commented on June 6, 2024

Ha, yes, challenge is an understatement. Unfortunately I don't get to choose for this one. I'm on RedELK version 1.1.

Configs + Log Files:
config.cnf (I used the example cert data while figuring out how to set this up)

[req_distinguished_name]
C = NL
ST = Noord-Holland
L = Amsterdam
O = Outflank B.V.
OU = IT-OPS
CN = outflank.nl
emailAddress = [email protected]

...

[alt_names]
# Enter the valid IP or DNS where the teamservers and redirectors can reach your ELK server in the fields below. If not done correctly, Logstash on your ELK server will crash with cryptic errors.
# DNS.1 =
# DNS.2 =
IP.1 = 10.10.6.40

output from initial-setup.sh

This script will generate necessary keys RedELK deployments

Will generate TLS certificates for the following DNS names and/or IP addresses:
IP.1 = 10.10.6.40

teamserver install log
As mentioned, of note:

  1. GPG key add failed

  2. apt-transport-https failed
    (unrelated, I'll submit a PR later, but it looks like apt-transport-https is built into apt now. When I first tried building this and saw the transport-https failure, I tried to install it manually, and doing that results in removing apt.
    https://ubuntu.pkgs.org/18.04/ubuntu-universe-amd64/apt-transport-https_1.6.1_all.deb.html)

  3. filebeat install failed

  4. rush install failed

Sep 12 19:47 RedELK teamserver installer - Starting installer
Warning: apt-key output should not be parsed (stdout is not a terminal)
gpg: no valid OpenPGP data found.
Sep 12 19:47 RedELK teamserver installer -  * ERROR : Could not add GPG key (Error Code: 2).
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  apt-transport-https
0 upgraded, 1 newly installed, 0 to remove and 853 not upgraded.
Need to get 153 kB of archives.
After this operation, 160 kB of additional disk space will be used.
Err:1 http://http.kali.org/kali kali-rolling/main amd64 apt-transport-https all 2.0.2
  Temporary failure resolving 'http.kali.org'
E: Failed to fetch http://http.kali.org/kali/pool/main/a/apt/apt-transport-https_2.0.2_all.deb  Temporary failure resolving 'http.kali.org'
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
Sep 12 19:47 RedELK teamserver installer -  * ERROR : Could not install apt-transport-https (Error Code: 100).
Err:1 https://artifacts.elastic.co/packages/6.x/apt stable InRelease
  Temporary failure resolving 'artifacts.elastic.co'
Err:2 http://http.kali.org/kali kali-rolling InRelease
  Temporary failure resolving 'http.kali.org'
Reading package lists...
W: Failed to fetch http://http.kali.org/kali/dists/kali-rolling/InRelease  Temporary failure resolving 'http.kali.org'
W: Failed to fetch https://artifacts.elastic.co/packages/6.x/apt/dists/stable/InRelease  Temporary failure resolving 'artifacts.elastic.co'
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package filebeat
Sep 12 19:47 RedELK teamserver installer -  * ERROR : Could not install filebeat (Error Code: 100).
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /lib/systemd/system/filebeat.service.
User scponly already exists
Reading package lists...
Building dependency tree...
Reading state information...
Suggested packages:
  xinetd | inetutils-inetd
The following NEW packages will be installed:
  rush
0 upgraded, 1 newly installed, 0 to remove and 853 not upgraded.
Need to get 148 kB of archives.
After this operation, 586 kB of additional disk space will be used.
Err:1 http://http.kali.org/kali kali-rolling/main amd64 rush amd64 1.8+dfsg-1.1
  Temporary failure resolving 'http.kali.org'
E: Failed to fetch http://http.kali.org/kali/pool/main/r/rush/rush_1.8+dfsg-1.1_amd64.deb  Temporary failure resolving 'http.kali.org'
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
Sep 12 19:47 RedELK teamserver installer -  * ERROR : Could not install rush (Error Code: 100).

Since this box is not connected to the internet, the failures didn't surprise me. I SCPed the relevant filebeat files from the redirector box, which does have internet access:
1 + 2: Not applicable, didn't use apt-get to get filebeat
3. Filebeat

● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
     Active: active (running) since Sat 2020-09-12 23:06:46 CEST; 16h ago
       Docs: https://www.elastic.co/products/beats/filebeat
   Main PID: 218578 (filebeat)
      Tasks: 16 (limit: 9461)
     Memory: 15.9M
     CGroup: /system.slice/filebeat.service
             └─218578 /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

filebeat.yml

filebeat.prospectors:
- type: log
  scan_frequency: 5s
  enabled: true
  fields_under_opt: true
  paths:
    - /opt/cobaltstrike/logs/*/events.log
  fields:
    infralogtype: rtops
    cslogtype: events

- type: log
  scan_frequency: 5s
  enabled: true
  fields_under_opt: true
  paths:
    - /opt/cobaltstrike/logs/*/weblog.log
  fields:
    infralogtype: rtops
    cslogtype: weblog

- type: log
  scan_frequency: 5s
  enabled: true
  fields_under_opt: true
  paths:
    - /opt/cobaltstrike/logs/*/downloads.log
  fields:
    infralogtype: rtops
    cslogtype: downloads

- type: log
  scan_frequency: 5s
  enabled: true
  fields_under_opt: true
  paths:
    - /opt/cobaltstrike/logs/*/*/beacon_*.log
  # Since Cobalt Strike version 3.14 the time format in the logs is changed. Here we use regex 'or' function (expr1)|(expr2) to match new or old format
  multiline.pattern: '(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\sUTC\s\[)|(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\s\[)' # match "06/19 12:32:56 UTC [" or "06/19 12:32:56 ["
  multiline.negate: true
  multiline.match: after
  fields:
    infralogtype: rtops
    cslogtype: beacon

- type: log
  scan_frequency: 5s
  enabled: true
  fields_under_opt: true
  paths:
    - /opt/cobaltstrike/logs/*/*/keystrokes/keystrokes_*.txt
  # Since Cobalt Strike version 3.14 the time format in the logs is changed. Here we use regex 'or' function (expr1)|(expr2) to match new or old format
  multiline.pattern: '(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\sUTC\s\[)|(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\s\[)' # match "06/19 12:32:56 UTC [" or "06/19 12:32:56 ["
  multiline.negate: true
  multiline.match: after
  fields:
    infralogtype: rtops
    cslogtype: keystrokes

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 3

name: "c2main"
fields_under_opt: true
fields:
  attackscenario: cert
harvester.limit: 1

output.logstash:
  hosts: ["10.10.6.40"]
  ssl.certificate_authorities: ["/etc/filebeat/redelkCA.crt"]

filebeat log before I realized it was collecting from /root/cobaltstrike:

2020-09-12T19:47:54.460+0200    INFO    instance/beat.go:280    Setup Beat: filebeat; Version: 6.8.2
2020-09-12T19:47:54.461+0200    INFO    [publisher]     pipeline/module.go:110  Beat name: c2main
2020-09-12T19:47:54.461+0200    WARN    [cfgwarn]       beater/filebeat.go:81   DEPRECATED: prospectors are deprecated, Use `inputs` instead. Will be removed in version: 7.0.0
2020-09-12T19:47:54.461+0200    ERROR   fileset/modules.go:118  Not loading modules. Module directory not found: /usr/share/filebeat/module
2020-09-12T19:47:54.461+0200    INFO    [monitoring]    log/log.go:117  Starting metrics logging every 30s
2020-09-12T19:47:54.461+0200    INFO    instance/beat.go:402    filebeat start running.
2020-09-12T19:47:54.461+0200    INFO    registrar/registrar.go:134      Loading registrar data from /var/lib/filebeat/registry
2020-09-12T19:47:54.461+0200    INFO    registrar/registrar.go:141      States Loaded from registrar: 0
2020-09-12T19:47:54.461+0200    WARN    beater/filebeat.go:367  Filebeat is unable to load the Ingest Node pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the Ingest Node pipelines or are using Logstash pipelines, you can ignore this warning.
2020-09-12T19:47:54.462+0200    INFO    crawler/crawler.go:72   Loading Inputs: 5
2020-09-12T19:47:54.462+0200    INFO    log/input.go:148        Configured paths: [/root/cobaltstrike/logs/*/events.log]
2020-09-12T19:47:54.462+0200    INFO    input/input.go:114      Starting input of type: log; ID: 10957483967685222109
2020-09-12T19:47:54.463+0200    INFO    log/input.go:148        Configured paths: [/root/cobaltstrike/logs/*/weblog.log]
2020-09-12T19:47:54.463+0200    INFO    input/input.go:114      Starting input of type: log; ID: 15283180532609862469
2020-09-12T19:47:54.463+0200    INFO    log/input.go:148        Configured paths: [/root/cobaltstrike/logs/*/downloads.log]
2020-09-12T19:47:54.463+0200    INFO    input/input.go:114      Starting input of type: log; ID: 10896975195802211199
2020-09-12T19:47:54.464+0200    INFO    log/input.go:148        Configured paths: [/root/cobaltstrike/logs/*/*/beacon_*.log]
2020-09-12T19:47:54.464+0200    INFO    input/input.go:114      Starting input of type: log; ID: 10537426590393115941
2020-09-12T19:47:54.465+0200    INFO    log/input.go:148        Configured paths: [/root/cobaltstrike/logs/*/*/keystrokes/keystrokes_*.txt]
2020-09-12T19:47:54.465+0200    INFO    input/input.go:114      Starting input of type: log; ID: 10438182087855099472
2020-09-12T19:47:54.465+0200    INFO    crawler/crawler.go:106  Loading and starting Inputs completed. Enabled inputs: 5
2020-09-12T19:47:54.465+0200    INFO    cfgfile/reload.go:150   Config reloader started
2020-09-12T19:47:54.465+0200    INFO    cfgfile/reload.go:205   Loading of config files completed.
2020-09-12T19:48:24.464+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":40,"time":{"ms":40}},"total":{"ticks":50,"time":{"ms":53},"value":50},"user":{"ticks":10,"time":{"ms":13}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":6},"info":{"ephemeral_id":"17f98e5b-c12d-455a-90ae-4895bda32430","uptime":{"ms":30028}},"memstats":{"gc_next":4194304,"memory_alloc":3393976,"memory_total":4926648,"rss":24563712}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0},"reloads":1},"output":{"type":"logstash"},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":4},"load":{"1":0.11,"15":0.01,"5":0.05,"norm":{"1":0.0275,"15":0.0025,"5":0.0125}}}}}}

After updating filebeat.yml to collect logs from /opt/cobaltstrike

2020-09-12T20:35:27.135+0200    WARN    [cfgwarn]       beater/filebeat.go:81   DEPRECATED: prospectors are deprecated, Use `inputs` instead. Will be removed in version: 7.0.0
2020-09-12T20:35:27.135+0200    ERROR   fileset/modules.go:118  Not loading modules. Module directory not found: /usr/share/filebeat/module
2020-09-12T20:35:27.135+0200    INFO    [monitoring]    log/log.go:117  Starting metrics logging every 30s
2020-09-12T20:35:27.136+0200    INFO    instance/beat.go:402    filebeat start running.
2020-09-12T20:35:27.136+0200    INFO    registrar/registrar.go:134      Loading registrar data from /var/lib/filebeat/registry
2020-09-12T20:35:27.136+0200    INFO    registrar/registrar.go:141      States Loaded from registrar: 0
2020-09-12T20:35:27.136+0200    WARN    beater/filebeat.go:367  Filebeat is unable to load the Ingest Node pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the Ingest Node pipelines or are using Logstash pipelines, you can ignore this warning.
2020-09-12T20:35:27.136+0200    INFO    crawler/crawler.go:72   Loading Inputs: 5
2020-09-12T20:35:27.137+0200    INFO    log/input.go:148        Configured paths: [/opt/cobaltstrike/logs/*/events.log]
2020-09-12T20:35:27.137+0200    INFO    input/input.go:114      Starting input of type: log; ID: 1606239087251668652
2020-09-12T20:35:27.137+0200    INFO    log/input.go:148        Configured paths: [/opt/cobaltstrike/logs/*/weblog.log]
2020-09-12T20:35:27.137+0200    INFO    input/input.go:114      Starting input of type: log; ID: 5755712550402058376
2020-09-12T20:35:27.139+0200    INFO    log/input.go:148        Configured paths: [/opt/cobaltstrike/logs/*/downloads.log]
2020-09-12T20:35:27.139+0200    INFO    input/input.go:114      Starting input of type: log; ID: 2293190375744009869
2020-09-12T20:35:27.139+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/events.log
2020-09-12T20:35:27.155+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200909/events.log
2020-09-12T20:35:27.156+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200911/events.log
2020-09-12T20:35:27.157+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200912/events.log
2020-09-12T20:35:27.157+0200    INFO    log/input.go:148        Configured paths: [/opt/cobaltstrike/logs/*/*/beacon_*.log]
2020-09-12T20:35:27.157+0200    INFO    input/input.go:114      Starting input of type: log; ID: 12414764114003662895
2020-09-12T20:35:27.157+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/downloads.log
2020-09-12T20:35:27.158+0200    INFO    log/input.go:148        Configured paths: [/opt/cobaltstrike/logs/*/*/keystrokes/keystrokes_*.txt]
2020-09-12T20:35:27.158+0200    INFO    input/input.go:114      Starting input of type: log; ID: 7218035168341614709
2020-09-12T20:35:27.164+0200    INFO    crawler/crawler.go:106  Loading and starting Inputs completed. Enabled inputs: 5
2020-09-12T20:35:27.164+0200    INFO    cfgfile/reload.go:150   Config reloader started
2020-09-12T20:35:27.164+0200    INFO    cfgfile/reload.go:205   Loading of config files completed.
2020-09-12T20:35:27.165+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/192.168.209.1/beacon_1288869646.log
2020-09-12T20:35:27.171+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.10/beacon_1753137188.log
2020-09-12T20:35:27.171+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_1555961078.log
2020-09-12T20:35:27.176+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.10/beacon_16270558.log
2020-09-12T20:35:27.176+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200909/200.20.110.10/beacon_1567680264.log
2020-09-12T20:35:27.176+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_2062197716.log
2020-09-12T20:35:27.176+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/unknown/beacon_1891838738.log
2020-09-12T20:35:27.210+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_312701618.log
2020-09-12T20:35:27.213+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/unknown/beacon_1924002462.log
2020-09-12T20:35:27.214+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_1662536538.log
2020-09-12T20:35:27.214+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_338527496.log
2020-09-12T20:35:27.218+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/unknown/beacon_312701618.log
2020-09-12T20:35:27.219+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.10/beacon_1891838738.log
2020-09-12T20:35:27.221+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_764433830.log
2020-09-12T20:35:27.222+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_1378743354.log
2020-09-12T20:35:27.222+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_1924002462.log
2020-09-12T20:35:28.157+0200    INFO    pipeline/output.go:95   Connecting to backoff(async(tcp://10.10.6.40:5044))
2020-09-12T20:35:28.425+0200    INFO    pipeline/output.go:105  Connection to backoff(async(tcp://10.10.6.40:5044)) established
2020-09-12T20:35:57.139+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":170,"time":{"ms":171}},"total":{"ticks":540,"time":{"ms":543},"value":540},"user":{"ticks":370,"time":{"ms":372}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":28},"info":{"ephemeral_id":"dbea8895-9273-4e7b-a556-ff65dc82e07e","uptime":{"ms":30023}},"memstats":{"gc_next":16303360,"memory_alloc":11831448,"memory_total":28971432,"rss":36413440}},"filebeat":{"events":{"added":667,"done":667},"harvester":{"open_files":21,"running":21,"started":21}},"libbeat":{"config":{"module":{"running":0},"reloads":1},"output":{"events":{"acked":646,"batches":2,"total":646},"read":{"bytes":1335},"type":"logstash","write":{"bytes":93420}},"pipeline":{"clients":5,"eve

Output of filebeat -c /etc/filebeat/filebeat.yml -e -d "*"

2020-09-13T16:28:10.324+0200    DEBUG   [processors]    processors/processor.go:66      Processors:
2020-09-13T16:28:10.324+0200    DEBUG   [input] log/input.go:187        Start next scan
2020-09-13T16:28:10.324+0200    DEBUG   [input] log/config.go:201       recursive glob enabled
2020-09-13T16:28:10.325+0200    DEBUG   [input] log/input.go:417        Check file for harvesting: /opt/cobaltstrike/logs/200913/200.20.110.10/beacon_1467649820.log
2020-09-13T16:28:10.325+0200    DEBUG   [input] log/input.go:507        Update existing file for harvesting: /opt/cobaltstrike/logs/200913/200.20.110.10/beacon_1467649820.log, offset: 201
2020-09-13T16:28:10.325+0200    DEBUG   [input] log/input.go:561        File didn't change: /opt/cobaltstrike/logs/200913/200.20.110.10/beacon_1467649820.log
2020-09-13T16:28:10.325+0200    DEBUG   [input] log/input.go:417        Check file for harvesting: /opt/cobaltstrike/logs/200909/200.20.110.10/beacon_1567680264.log
2020-09-13T16:28:10.325+0200    DEBUG   [input] log/input.go:507        Update existing file for harvesting: /opt/cobaltstrike/logs/200909/200.20.110.10/beacon_1567680264.log, offset: 22895
2020-09-13T16:28:10.325+0200    DEBUG   [input] log/input.go:561        File didn't change: /opt/cobaltstrike/logs/200909/200.20.110.10/beacon_1567680264.log
2020-09-13T16:28:10.325+0200    DEBUG   [input] log/input.go:417        Check file for harvesting: /opt/cobaltstrike/logs/200910/200.20.110.10/beacon_16270558.log
2020-09-13T16:28:10.325+0200    DEBUG   [input] log/input.go:507        Update existing file for harvesting: /opt/cobaltstrike/logs/200910/200.20.110.10/beacon_16270558.log, offset: 378
2020-09-13T16:28:10.325+0200    DEBUG   [input] log/input.go:561        File didn't change: /opt/cobaltstrike/logs/200910/200.20.110.10/beacon_16270558.log
2020-09-13T16:28:10.325+0200    DEBUG   [input] log/input.go:417        Check file for harvesting: /opt/cobaltstrike/logs/200910/200.20.110.10/beacon_1753137188.log
2020-09-13T16:28:10.325+0200    DEBUG   [input] log/input.go:507        Update existing file for harvesting: /opt/cobaltstrike/logs/200910/200.20.110.10/beacon_1753137188.log, offset: 10163
2020-09-13T16:28:10.325+0200    DEBUG   [input] log/input.go:561        File didn't change: /opt/cobaltstrike/logs/200910/200.20.110.10/beacon_1753137188.log
2020-09-13T16:28:10.325+0200    DEBUG   [input] log/input.go:160        exclude_files: []. Number of stats: 23
2020-09-13T16:28:10.325+0200    DEBUG   [input] log/input.go:181        input with previous states loaded: 0
2020-09-13T16:28:10.326+0200    INFO    log/input.go:148        Configured paths: [/opt/cobaltstrike/logs/*/*/keystrokes/keystrokes_*.txt]
2020-09-13T16:28:10.325+0200    DEBUG   [input] log/input.go:417        Check file for harvesting: /opt/cobaltstrike/logs/200910/unknown/beacon_312701618.log
2020-09-13T16:28:10.326+0200    DEBUG   [input] log/input.go:507        Update existing file for harvesting: /opt/cobaltstrike/logs/200910/unknown/beacon_312701618.log, offset: 91
2020-09-13T16:28:10.326+0200    DEBUG   [input] log/input.go:561        File didn't change: /opt/cobaltstrike/logs/200910/unknown/beacon_312701618.log
2020-09-13T16:28:10.326+0200    DEBUG   [input] log/input.go:417        Check file for harvesting: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_1378743354.log
2020-09-13T16:28:10.326+0200    DEBUG   [input] log/input.go:507        Update existing file for harvesting: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_1378743354.log, offset: 6434
2020-09-13T16:28:10.326+0200    DEBUG   [input] log/input.go:561        File didn't change: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_1378743354.log
2020-09-13T16:28:10.326+0200    INFO    input/input.go:114      Starting input of type: log; ID: 7218035168341614709
  4. rush.rc (I modified it while testing because I was getting the following error from the RedELK rsync cronjob in getremotelogs.log)
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(235) [Receiver=3.1.2]
Sun Sep 13 00:54:02 CEST 2020 ######## Done with rsync
You are not permitted to execute this command.
Contact the systems administrator for further assistance.
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(235) [Receiver=3.1.2]
You are not permitted to execute this command.
Contact the systems administrator for further assistance.
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(235) [Receiver=3.1.2]
You are not permitted to execute this command.
Contact the systems administrator for further assistance.
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(235) [Receiver=3.1.2]

rush.rc

debug 3

rule rsync
  command ^rsync --server --sender
  uid >= 1000
  set[0] /usr/bin/rsync
  #match[$] ^~/.*
  #match[$] ! \.\.
  #transform[$] s,^~/,./,
  umask 002
  chdir /opt/cobaltstrike

After making these changes to rush.rc, getremotelogs.log had the following:
(I have 2 teamservers, I'm currently only working through setting up the 10.10.6.75)

sent 39 bytes  received 1,267 bytes  870.67 bytes/sec
total size is 451,659  speedup is 345.83
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1668) [generator=3.1.2]
Permission denied, please try again.
Permission denied, please try again.
[email protected]: Permission denied (publickey,password).
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: unexplained error (code 255) at io.c(235) [Receiver=3.1.2]
Sun Sep 13 16:08:02 CEST 2020 ######## Done with rsync
receiving incremental file list
rsync: recv_generator: mkdir "/var/www/html/cslogs/c2-a/downloads" failed: Permission denied (13)
*** Skipping any contents from this failed directory ***
downloads/

sent 28 bytes  received 441 bytes  938.00 bytes/sec
total size is 9,908,099,486  speedup is 21,126,011.70
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1668) [generator=3.1.2]
receiving incremental file list
rsync: link_stat "/opt/cobaltstrike/profiles" failed: No such file or directory (2)

sent 8 bytes  received 95 bytes  206.00 bytes/sec
total size is 0  speedup is 0.00
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1668) [Receiver=3.1.2]
rsync: [Receiver] write error: Broken pipe (32)
Sun Sep 13 16:08:02 CEST 2020 ######## Done with rsync

I realized as I was putting this together that the owner of /var/www/html/cslogs/c2-a was root, so I changed that to redelk and now have this in getremotelogs.log, though I'm still not seeing anything in Kibana:

logs/200910/200.20.110.6/beacon_1924002462.log
logs/200910/200.20.110.6/beacon_2062197716.log
logs/200910/200.20.110.6/beacon_312701618.log
logs/200910/200.20.110.6/beacon_338527496.log
logs/200910/200.20.110.6/beacon_764433830.log
logs/200910/unknown/
logs/200910/unknown/beacon_1891838738.log
logs/200910/unknown/beacon_1924002462.log
logs/200910/unknown/beacon_312701618.log
logs/200911/
logs/200911/events.log
logs/200911/weblog_443.log
logs/200912/
logs/200912/events.log
logs/200913/
logs/200913/events.log
logs/200913/weblog_80.log
logs/200913/200.20.110.10/
logs/200913/200.20.110.10/beacon_1467649820.log

sent 597 bytes  received 454,208 bytes  303,203.33 bytes/sec
total size is 451,659  speedup is 0.99
receiving incremental file list
downloads/
downloads/31366ebee
downloads/36adf9940
downloads/58e4096ea
downloads/5a24a2c0c
downloads/634a93ade
downloads/6928d40d8
Sun Sep 13 16:22:01 CEST 2020 ######## Start of rsync to 10.10.6.70
Sun Sep 13 16:22:01 CEST 2020 ######## Start of rsync to 10.10.6.75
Permission denied, please try again.
Permission denied, please try again.

RedELK logstash-plain.log
The DNS lookup failures don't surprise me since this box doesn't have internet access.

[2020-09-13T03:41:34,443][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.8.2"}
[2020-09-13T03:42:00,574][INFO ][logstash.filters.ruby.script] Test run complete {:script_path=>"/etc/logstash/ruby-scripts/makebeaconlogpath.rb", :results=>{:passed=>0, :failed=>0, :errored=>0}}
[2020-09-13T03:42:00,726][INFO ][logstash.filters.ruby.script] Test run complete {:script_path=>"/etc/logstash/ruby-scripts/makescreenshotpath.rb", :results=>{:passed=>0, :failed=>0, :errored=>0}}
[2020-09-13T03:42:00,770][INFO ][logstash.filters.ruby.script] Test run complete {:script_path=>"/etc/logstash/ruby-scripts/makekeystrokespath.rb", :results=>{:passed=>0, :failed=>0, :errored=>0}}
[2020-09-13T03:42:00,840][INFO ][logstash.filters.ruby.script] Test run complete {:script_path=>"/etc/logstash/ruby-scripts/makedownloadspath.rb", :results=>{:passed=>0, :failed=>0, :errored=>0}}
[2020-09-13T03:42:01,091][INFO ][logstash.pipeline        ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2020-09-13T03:42:02,549][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://127.0.0.1:9200/]}}
[2020-09-13T03:42:02,859][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://127.0.0.1:9200/"}
[2020-09-13T03:42:02,930][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2020-09-13T03:42:02,934][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2020-09-13T03:42:02,996][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//127.0.0.1:9200"]}
[2020-09-13T03:42:03,027][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://127.0.0.1:9200/]}}
[2020-09-13T03:42:03,037][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://127.0.0.1:9200/"}
[2020-09-13T03:42:03,047][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2020-09-13T03:42:03,048][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2020-09-13T03:42:03,055][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//127.0.0.1:9200"]}
[2020-09-13T03:42:03,070][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://127.0.0.1:9200/]}}
[2020-09-13T03:42:03,080][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://127.0.0.1:9200/"}
[2020-09-13T03:42:03,088][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2020-09-13T03:42:03,088][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2020-09-13T03:42:03,094][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//127.0.0.1:9200"]}
[2020-09-13T03:42:03,733][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
[2020-09-13T03:42:03,773][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/GeoLite2-dbs/GeoLite2-ASN.mmdb"}
[2020-09-13T03:42:03,930][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
[2020-09-13T03:42:03,932][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/GeoLite2-dbs/GeoLite2-ASN.mmdb"}
[2020-09-13T03:42:03,934][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
[2020-09-13T03:42:03,935][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/GeoLite2-dbs/GeoLite2-ASN.mmdb"}
[2020-09-13T03:42:04,056][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
[2020-09-13T03:42:04,058][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/GeoLite2-dbs/GeoLite2-ASN.mmdb"}
[2020-09-13T03:42:04,061][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
[2020-09-13T03:42:04,062][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/GeoLite2-dbs/GeoLite2-ASN.mmdb"}
[2020-09-13T03:42:05,608][INFO ][logstash.inputs.beats    ] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
[2020-09-13T03:42:05,653][INFO ][logstash.pipeline        ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x265be677 run>"}
[2020-09-13T03:42:05,872][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2020-09-13T03:42:05,882][INFO ][org.logstash.beats.Server] Starting server on port: 5044
[2020-09-13T03:42:06,274][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2020-09-13T04:16:08,961][WARN ][logstash.runner          ] SIGTERM received. Shutting down.
[2020-09-13T04:16:14,269][WARN ][org.logstash.execution.ShutdownWatcherExt] {"inflight_count"=>0, "stalling_threads_info"=>{}}
[2020-09-13T04:16:14,272][ERROR][org.logstash.execution.ShutdownWatcherExt] The shutdown process appears to be stalled due to busy or blocked plugins. Check the logs for more information.
[2020-09-13T04:16:15,554][INFO ][logstash.pipeline        ] Pipeline has terminated {:pipeline_id=>"main", :thread=>"#<Thread:0x265be677 run>"}
[2020-09-13T04:16:15,560][INFO ][logstash.runner          ] Logstash shut down.
[2020-09-13T04:17:10,453][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.8.2"}
[2020-09-13T04:17:49,089][INFO ][logstash.filters.ruby.script] Test run complete {:script_path=>"/etc/logstash/ruby-scripts/makebeaconlogpath.rb", :results=>{:passed=>0, :failed=>0, :errored=>0}}
[2020-09-13T04:17:49,257][INFO ][logstash.filters.ruby.script] Test run complete {:script_path=>"/etc/logstash/ruby-scripts/makescreenshotpath.rb", :results=>{:passed=>0, :failed=>0, :errored=>0}}
[2020-09-13T04:17:49,311][INFO ][logstash.filters.ruby.script] Test run complete {:script_path=>"/etc/logstash/ruby-scripts/makekeystrokespath.rb", :results=>{:passed=>0, :failed=>0, :errored=>0}}
[2020-09-13T04:17:49,352][INFO ][logstash.filters.ruby.script] Test run complete {:script_path=>"/etc/logstash/ruby-scripts/makedownloadspath.rb", :results=>{:passed=>0, :failed=>0, :errored=>0}}
[2020-09-13T04:17:49,544][INFO ][logstash.pipeline        ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2020-09-13T04:17:50,465][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://127.0.0.1:9200/]}}
[2020-09-13T04:17:50,767][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://127.0.0.1:9200/"}
[2020-09-13T04:17:50,899][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2020-09-13T04:17:50,908][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2020-09-13T04:17:50,992][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//127.0.0.1:9200"]}
[2020-09-13T04:17:51,032][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://127.0.0.1:9200/]}}
[2020-09-13T04:17:51,051][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://127.0.0.1:9200/"}
[2020-09-13T04:17:51,062][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2020-09-13T04:17:51,064][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2020-09-13T04:17:51,072][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//127.0.0.1:9200"]}
[2020-09-13T04:17:51,084][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://127.0.0.1:9200/]}}
[2020-09-13T04:17:51,096][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://127.0.0.1:9200/"}
[2020-09-13T04:17:51,105][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2020-09-13T04:17:51,107][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2020-09-13T04:17:51,115][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//127.0.0.1:9200"]}
[2020-09-13T04:17:51,592][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
[2020-09-13T04:17:51,632][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/GeoLite2-dbs/GeoLite2-ASN.mmdb"}
[2020-09-13T04:17:51,805][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
[2020-09-13T04:17:51,807][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/GeoLite2-dbs/GeoLite2-ASN.mmdb"}
[2020-09-13T04:17:51,811][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
[2020-09-13T04:17:51,814][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/GeoLite2-dbs/GeoLite2-ASN.mmdb"}
[2020-09-13T04:17:51,957][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
[2020-09-13T04:17:51,960][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/GeoLite2-dbs/GeoLite2-ASN.mmdb"}
[2020-09-13T04:17:51,964][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
[2020-09-13T04:17:51,966][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/GeoLite2-dbs/GeoLite2-ASN.mmdb"}
[2020-09-13T04:17:53,536][INFO ][logstash.inputs.beats    ] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
[2020-09-13T04:17:53,589][INFO ][logstash.pipeline        ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x17f10622 run>"}
[2020-09-13T04:17:53,800][INFO ][org.logstash.beats.Server] Starting server on port: 5044
[2020-09-13T04:17:53,795][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2020-09-13T04:17:54,210][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2020-09-13T05:03:47,702][WARN ][logstash.filters.dns     ] DNS: timeout on resolving address. {:field=>"redirtraffic.sourcedns", :value=>"52.255.172.144"}
[2020-09-13T05:21:55,067][WARN ][logstash.filters.dns     ] DNS: timeout on resolving address. {:field=>"redirtraffic.sourcedns", :value=>"195.54.160.21"}
[2020-09-13T05:53:10,089][WARN ][logstash.filters.dns     ] DNS: timeout on resolving address. {:field=>"redirtraffic.sourcedns", :value=>"5.235.253.66"}
[2020-09-13T06:00:45,104][WARN ][logstash.filters.dns     ] DNS: timeout on resolving address. {:field=>"redirtraffic.sourcedns", :value=>"41.71.6.162"}
[2020-09-13T06:13:56,577][WARN ][logstash.filters.dns     ] DNS: timeout on resolving address. {:field=>"redirtraffic.sourcedns", :value=>"40.74.228.98"}


MarcOverIP commented on June 6, 2024

So ES is running ok, and Kibana is running as well. The issue is with filebeat on your teamserver, correct?

The installer scripts are just there to make your life easier. Sure there are many edge cases where things could be different. For one, although Kali is apt based, it's not a tested distribution. Ergo, your mileage may vary.

I assume you went through the installer script by hand and fixed any error for each and every step? Are you also sure you are installing the proper version (defined in the installer)?

I see an error on the filebeat log: ERROR fileset/modules.go:118 Not loading modules. Module directory not found: /usr/share/filebeat/module

That would be the first thing to investigate imho.

Also it might be interesting to clean the harvesting registry file of filebeat. Right now, the log indicates that filebeat thinks it already sent those logs to logstash. Stop filebeat, remove the registry file, and restart filebeat.

Check the filebeat logs then, there really should be a recording of it trying to connect to tcp://10.10.6.4:5044.

Rsync is not an issue right now as it only syncs screenshot, keystroke files, etc to the redelk server. The logs of CS are ingested via the filebeat->logstash->es path.


6r0k3d commented on June 6, 2024

Correct, as far as I can tell the issue is with filebeat. It looks like it's forwarding data, or trying to forward the data, and it's not getting received. Any chance the issue is with the enriching scripts? Could the files be getting shipped properly, but enriching fails, and they don't get loaded?

I manually reinstalled filebeat by curling down the filebeat-6.8.2 package and then SCPing the deb file to Kali. Reinstalled that, then re-ran the teamserver install script, and then modified the filebeat.yml to point to /opt instead of /root.

Ended up with the following filebeat logs but still no rtops data visible in Kibana. It looks like the files get harvested, then get closed with no activity to the log file.

2020-09-14T14:27:58.952+0200    INFO    instance/beat.go:611    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2020-09-14T14:27:58.953+0200    INFO    instance/beat.go:618    Beat UUID: 6df99dbd-1b1a-419f-ad82-02414e9fdf5e
2020-09-14T14:27:58.953+0200    INFO    [seccomp]       seccomp/seccomp.go:116  Syscall filter successfully installed
2020-09-14T14:27:58.953+0200    INFO    [beat]  instance/beat.go:931    Beat info       {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "6df99dbd-1b1a-419f-ad82-02414e9fdf5e"}}}
2020-09-14T14:27:58.953+0200    INFO    [beat]  instance/beat.go:940    Build info
{"system_info": {"build": {"commit": "0ffbeab5a52fa93586e4178becf1252e6a837028", "libbeat": "6.8.2", "time": "2019-07-24T14:24:45.000Z", "version": "6.8.2"}}}
2020-09-14T14:27:58.953+0200    INFO    [beat]  instance/beat.go:943    Go runtime info    {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.10.8"}}}
2020-09-14T14:27:58.955+0200    INFO    [beat]  instance/beat.go:947    Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-09-02T05:17:13+02:00","containerized":false,"name":"MINIT-57318","ip":["127.0.0.1/8","10.10.6.75/24"],"kernel_version":"5.4.0-kali3-amd64","mac":["00:0c:29:e1:79:a6"],"os":{"family":"","platform":"kali","name":"Kali GNU/Linux","version":"2020.1","major":2020,"minor":1,"patch":0,"codename":"kali-rolling"},"timezone":"CEST","timezone_offset_sec":7200,"id":"9f83511a03634ff686e46a64cac18bd4"}}}
2020-09-14T14:27:58.955+0200    INFO    [beat]  instance/beat.go:976    Process info       {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 473012, "ppid": 1, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2020-09-14T14:27:58.080+0200"}}}
2020-09-14T14:27:58.955+0200    INFO    instance/beat.go:280    Setup Beat: filebeat; Version: 6.8.2
2020-09-14T14:27:58.956+0200    INFO    [publisher]     pipeline/module.go:110  Beat name: c2main
2020-09-14T14:27:58.956+0200    WARN    [cfgwarn]       beater/filebeat.go:81   DEPRECATED: prospectors are deprecated, Use `inputs` instead. Will be removed in version: 7.0.0
2020-09-14T14:27:58.957+0200    INFO    [monitoring]    log/log.go:117  Starting metrics logging every 30s
2020-09-14T14:27:58.957+0200    INFO    instance/beat.go:402    filebeat start running.
2020-09-14T14:27:58.957+0200    INFO    registrar/registrar.go:134      Loading registrar data from /var/lib/filebeat/registry
2020-09-14T14:27:58.957+0200    INFO    registrar/registrar.go:141      States Loaded from registrar: 0
2020-09-14T14:27:58.957+0200    WARN    beater/filebeat.go:367  Filebeat is unable to load the Ingest Node pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the Ingest Node pipelines or are using Logstash pipelines, you can ignore this warning.
2020-09-14T14:27:58.958+0200    INFO    crawler/crawler.go:72   Loading Inputs: 5
2020-09-14T14:27:58.958+0200    INFO    log/input.go:148        Configured paths: [/opt/cobaltstrike/logs/*/events.log]
2020-09-14T14:27:58.958+0200    INFO    input/input.go:114      Starting input of type: log; ID: 1606239087251668652
2020-09-14T14:27:58.959+0200    INFO    log/input.go:148        Configured paths: [/opt/cobaltstrike/logs/*/weblog.log]
2020-09-14T14:27:58.959+0200    INFO    input/input.go:114      Starting input of type: log; ID: 5755712550402058376
2020-09-14T14:27:58.959+0200    INFO    log/input.go:148        Configured paths: [/opt/cobaltstrike/logs/*/downloads.log]
2020-09-14T14:27:58.959+0200    INFO    input/input.go:114      Starting input of type: log; ID: 2293190375744009869
2020-09-14T14:27:58.960+0200    INFO    log/input.go:148        Configured paths: [/opt/cobaltstrike/logs/*/*/beacon_*.log]
2020-09-14T14:27:58.960+0200    INFO    input/input.go:114      Starting input of type: log; ID: 12414764114003662895
2020-09-14T14:27:58.960+0200    INFO    log/input.go:148        Configured paths: [/opt/cobaltstrike/logs/*/*/keystrokes/keystrokes_*.txt]
2020-09-14T14:27:58.960+0200    INFO    input/input.go:114      Starting input of type: log; ID: 7218035168341614709
2020-09-14T14:27:58.961+0200    INFO    crawler/crawler.go:106  Loading and starting Inputs completed. Enabled inputs: 5
2020-09-14T14:27:58.963+0200    INFO    cfgfile/reload.go:150   Config reloader started
2020-09-14T14:27:58.963+0200    INFO    cfgfile/reload.go:205   Loading of config files completed.
2020-09-14T14:27:58.963+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/events.log
2020-09-14T14:27:58.964+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_764433830.log
2020-09-14T14:27:58.964+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200911/events.log
2020-09-14T14:27:58.988+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/downloads.log
2020-09-14T14:27:58.992+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200912/events.log
2020-09-14T14:27:59.012+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200913/events.log
2020-09-14T14:27:59.013+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200909/events.log
2020-09-14T14:27:59.053+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.10/beacon_1891838738.log
2020-09-14T14:27:59.053+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_1662536538.log
2020-09-14T14:27:59.054+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_338527496.log
2020-09-14T14:27:59.056+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/unknown/beacon_1891838738.log
2020-09-14T14:27:59.058+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200909/200.20.110.10/beacon_1567680264.log
2020-09-14T14:27:59.057+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/unknown/beacon_1924002462.log
2020-09-14T14:27:59.061+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_2062197716.log
2020-09-14T14:27:59.061+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_1378743354.log
2020-09-14T14:27:59.064+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_312701618.log
2020-09-14T14:27:59.064+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.10/beacon_16270558.log
2020-09-14T14:27:59.065+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/unknown/beacon_312701618.log
2020-09-14T14:27:59.065+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_1924002462.log
2020-09-14T14:27:59.065+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200913/200.20.110.10/beacon_1467649820.log
2020-09-14T14:27:59.065+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/192.168.209.1/beacon_1288869646.log
2020-09-14T14:27:59.065+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_1555961078.log
2020-09-14T14:27:59.066+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200910/200.20.110.10/beacon_1753137188.log
2020-09-14T14:27:59.993+0200    INFO    pipeline/output.go:95   Connecting to backoff(async(tcp://10.10.6.40:5044))
2020-09-14T14:28:00.245+0200    INFO    pipeline/output.go:105  Connection to backoff(async(tcp://10.10.6.40:5044)) established
2020-09-14T14:28:28.960+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":230,"time":{"ms":231}},"total":{"ticks":530,"time":{"ms":534},"value":530},"user":{"ticks":300,"time":{"ms":303}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":30},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":30026}},"memstats":{"gc_next":8054336,"memory_alloc":4464208,"memory_total":29525640,"rss":38793216}},"filebeat":{"events":{"added":674,"done":674},"harvester":{"open_files":23,"running":23,"started":23}},"libbeat":{"config":{"module":{"running":0},"reloads":1},"output":{"events":{"acked":651,"batches":2,"total":651},"read":{"bytes":1335},"type":"logstash","write":{"bytes":90698}},"pipeline":{"clients":5,"events":{"active":0,"filtered":23,"published":651,"retry":634,"total":674},"queue":{"acked":651}}},"registrar":{"states":{"current":23,"update":674},"writes":{"success":9,"total":9}},"system":{"cpu":{"cores":4},"load":{"1":0.12,"15":0.03,"5":0.08,"norm":{"1":0.03,"15":0.0075,"5":0.02}}}}}}
2020-09-14T14:28:58.960+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":260,"time":{"ms":34}},"total":{"ticks":570,"time":{"ms":49},"value":570},"user":{"ticks":310,"time":{"ms":15}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":30},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":60025}},"memstats":{"gc_next":8054336,"memory_alloc":6631448,"memory_total":31692880}},"filebeat":{"harvester":{"open_files":23,"running":23}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.14,"15":0.03,"5":0.09,"norm":{"1":0.035,"15":0.0075,"5":0.0225}}}}}}
2020-09-14T14:29:28.960+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":290,"time":{"ms":26}},"total":{"ticks":640,"time":{"ms":59},"value":640},"user":{"ticks":350,"time":{"ms":33}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":30},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":90025}},"memstats":{"gc_next":8065152,"memory_alloc":5586120,"memory_total":34022920}},"filebeat":{"harvester":{"open_files":23,"running":23}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.09,"15":0.03,"5":0.08,"norm":{"1":0.0225,"15":0.0075,"5":0.02}}}}}}
2020-09-14T14:29:58.959+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":320,"time":{"ms":34}},"total":{"ticks":690,"time":{"ms":56},"value":690},"user":{"ticks":370,"time":{"ms":22}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":30},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":120026}},"memstats":{"gc_next":8035376,"memory_alloc":4538544,"memory_total":36362544}},"filebeat":{"harvester":{"open_files":23,"running":23}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.12,"15":0.03,"5":0.09,"norm":{"1":0.03,"15":0.0075,"5":0.0225}}}}}}
2020-09-14T14:30:28.959+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":350,"time":{"ms":33}},"total":{"ticks":740,"time":{"ms":52},"value":740},"user":{"ticks":390,"time":{"ms":19}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":30},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":150027}},"memstats":{"gc_next":8035376,"memory_alloc":6600192,"memory_total":38424192}},"filebeat":{"harvester":{"open_files":23,"running":23}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.07,"15":0.03,"5":0.08,"norm":{"1":0.0175,"15":0.0075,"5":0.02}}}}}}
2020-09-14T14:30:58.959+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":400,"time":{"ms":42}},"total":{"ticks":800,"time":{"ms":58},"value":800},"user":{"ticks":400,"time":{"ms":16}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":30},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":180025}},"memstats":{"gc_next":8114416,"memory_alloc":5438016,"memory_total":40749448}},"filebeat":{"harvester":{"open_files":23,"running":23}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.1,"15":0.03,"5":0.08,"norm":{"1":0.025,"15":0.0075,"5":0.02}}}}}}
2020-09-14T14:31:28.959+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":430,"time":{"ms":37}},"total":{"ticks":850,"time":{"ms":56},"value":850},"user":{"ticks":420,"time":{"ms":19}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":30},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":210026}},"memstats":{"gc_next":7987744,"memory_alloc":4347096,"memory_total":43091408}},"filebeat":{"harvester":{"open_files":23,"running":23}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.06,"15":0.03,"5":0.08,"norm":{"1":0.015,"15":0.0075,"5":0.02}}}}}}
2020-09-14T14:31:58.960+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":460,"time":{"ms":32}},"total":{"ticks":900,"time":{"ms":50},"value":900},"user":{"ticks":440,"time":{"ms":18}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":30},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":240025}},"memstats":{"gc_next":7987744,"memory_alloc":6497752,"memory_total":45242064}},"filebeat":{"harvester":{"open_files":23,"running":23}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.03,"15":0.03,"5":0.07,"norm":{"1":0.0075,"15":0.0075,"5":0.0175}}}}}}
2020-09-14T14:32:28.959+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":500,"time":{"ms":32}},"total":{"ticks":970,"time":{"ms":59},"value":970},"user":{"ticks":470,"time":{"ms":27}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":30},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":270025}},"memstats":{"gc_next":8062672,"memory_alloc":5327800,"memory_total":47401648}},"filebeat":{"harvester":{"open_files":23,"running":23}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.02,"15":0.02,"5":0.06,"norm":{"1":0.005,"15":0.005,"5":0.015}}}}}}
2020-09-14T14:32:58.960+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":530,"time":{"ms":33}},"total":{"ticks":1020,"time":{"ms":57},"value":1020},"user":{"ticks":490,"time":{"ms":24}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":30},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":300026}},"memstats":{"gc_next":8040432,"memory_alloc":4378544,"memory_total":49832848}},"filebeat":{"harvester":{"open_files":23,"running":23}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.01,"15":0.02,"5":0.05,"norm":{"1":0.0025,"15":0.005,"5":0.0125}}}}}}
2020-09-14T14:33:04.000+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/downloads.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.020+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200911/events.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.020+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200912/events.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.020+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/events.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.029+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200913/events.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.040+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200909/events.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.071+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/unknown/beacon_1924002462.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.071+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/unknown/beacon_1891838738.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.072+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/200.20.110.10/beacon_1891838738.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.079+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/unknown/beacon_312701618.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.083+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200909/200.20.110.10/beacon_1567680264.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.083+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_1378743354.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.085+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_338527496.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.085+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/200.20.110.10/beacon_16270558.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.090+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_2062197716.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.090+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/192.168.209.1/beacon_1288869646.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.093+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200913/200.20.110.10/beacon_1467649820.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.098+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_1924002462.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.100+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/200.20.110.10/beacon_1753137188.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.108+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_1662536538.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.115+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_312701618.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.136+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_764433830.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:04.148+0200    INFO    log/harvester.go:280    File is inactive: /opt/cobaltstrike/logs/200910/200.20.110.6/beacon_1555961078.log. Closing because close_inactive of 5m0s reached.
2020-09-14T14:33:28.959+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":550,"time":{"ms":17}},"total":{"ticks":1070,"time":{"ms":48},"value":1070},"user":{"ticks":520,"time":{"ms":31}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":7},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":330026}},"memstats":{"gc_next":8040432,"memory_alloc":6672128,"memory_total":52126432}},"filebeat":{"events":{"added":23,"done":23},"harvester":{"closed":23,"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0,"filtered":23,"total":23}}},"registrar":{"states":{"current":23,"update":23},"writes":{"success":23,"total":23}},"system":{"load":{"1":0.07,"15":0.02,"5":0.06,"norm":{"1":0.0175,"15":0.005,"5":0.015}}}}}}
2020-09-14T14:33:58.959+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":550},"total":{"ticks":1100,"time":{"ms":29},"value":1100},"user":{"ticks":550,"time":{"ms":29}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":7},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":360026}},"memstats":{"gc_next":4952432,"memory_alloc":3718568,"memory_total":54272048}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.09,"15":0.03,"5":0.07,"norm":{"1":0.0225,"15":0.0075,"5":0.0175}}}}}}
2020-09-14T14:34:28.959+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":560,"time":{"ms":13}},"total":{"ticks":1130,"time":{"ms":28},"value":1130},"user":{"ticks":570,"time":{"ms":15}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":7},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":390025}},"memstats":{"gc_next":4878144,"memory_alloc":3913688,"memory_total":56507904}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.06,"15":0.02,"5":0.06,"norm":{"1":0.015,"15":0.005,"5":0.015}}}}}}
2020-09-14T14:34:58.959+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":570,"time":{"ms":13}},"total":{"ticks":1150,"time":{"ms":28},"value":1150},"user":{"ticks":580,"time":{"ms":15}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":7},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":420025}},"memstats":{"gc_next":4926624,"memory_alloc":3945824,"memory_total":58588432}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.2,"15":0.04,"5":0.1,"norm":{"1":0.05,"15":0.01,"5":0.025}}}}}}
2020-09-14T14:35:28.960+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":580,"time":{"ms":5}},"total":{"ticks":1190,"time":{"ms":29},"value":1190},"user":{"ticks":610,"time":{"ms":24}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":7},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":450026}},"memstats":{"gc_next":4864096,"memory_alloc":4076952,"memory_total":60827200,"rss":-1839104}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.18,"15":0.04,"5":0.11,"norm":{"1":0.045,"15":0.01,"5":0.0275}}}}}}
2020-09-14T14:35:58.959+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":590,"time":{"ms":9}},"total":{"ticks":1210,"time":{"ms":28},"value":1210},"user":{"ticks":620,"time":{"ms":19}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":7},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":480025}},"memstats":{"gc_next":4883648,"memory_alloc":4108176,"memory_total":62899600}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.1,"15":0.04,"5":0.09,"norm":{"1":0.025,"15":0.01,"5":0.0225}}}}}}
2020-09-14T14:36:28.959+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":600,"time":{"ms":10}},"total":{"ticks":1240,"time":{"ms":28},"value":1240},"user":{"ticks":640,"time":{"ms":18}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":7},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":510025}},"memstats":{"gc_next":4984512,"memory_alloc":4201632,"memory_total":65054872}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.06,"15":0.04,"5":0.08,"norm":{"1":0.015,"15":0.01,"5":0.02}}}}}}
2020-09-14T14:36:58.959+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":620,"time":{"ms":26}},"total":{"ticks":1260,"time":{"ms":29},"value":1260},"user":{"ticks":640,"time":{"ms":3}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":7},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":540025}},"memstats":{"gc_next":4926288,"memory_alloc":4258088,"memory_total":67212752}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.04,"15":0.03,"5":0.07,"norm":{"1":0.01,"15":0.0075,"5":0.0175}}}}}}
2020-09-14T14:37:28.959+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":630,"time":{"ms":4}},"total":{"ticks":1300,"time":{"ms":26},"value":1300},"user":{"ticks":670,"time":{"ms":22}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":7},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":570026}},"memstats":{"gc_next":4897888,"memory_alloc":4240432,"memory_total":69365736}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.02,"15":0.03,"5":0.07,"norm":{"1":0.005,"15":0.0075,"5":0.0175}}}}}}
2020-09-14T14:37:58.959+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":640,"time":{"ms":10}},"total":{"ticks":1330,"time":{"ms":29},"value":1330},"user":{"ticks":690,"time":{"ms":19}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":7},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":600025}},"memstats":{"gc_next":4965104,"memory_alloc":4276888,"memory_total":71524048}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.01,"15":0.03,"5":0.06,"norm":{"1":0.0025,"15":0.0075,"5":0.015}}}}}}
2020-09-14T14:38:28.959+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":640,"time":{"ms":5}},"total":{"ticks":1350,"time":{"ms":28},"value":1350},"user":{"ticks":710,"time":{"ms":23}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":7},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":630026}},"memstats":{"gc_next":4952992,"memory_alloc":4267904,"memory_total":73677960}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.01,"15":0.02,"5":0.05,"norm":{"1":0.0025,"15":0.005,"5":0.0125}}}}}}
2020-09-14T14:38:58.959+0200    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s   {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":650,"time":{"ms":7}},"total":{"ticks":1380,"time":{"ms":27},"value":1380},"user":{"ticks":730,"time":{"ms":20}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":7},"info":{"ephemeral_id":"240fada4-cd38-4e2f-b62f-9b982fe63932","uptime":{"ms":660026}},"memstats":{"gc_next":4970720,"memory_alloc":4366008,"memory_total":76004696}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":23}},"system":{"load":{"1":0.08,"15":0.03,"5":0.06,"norm":{"1":0.02,"15":0.0075,"5":0.015}}}}}}

After removing the registry and running filebeat -c /etc/filebeat/filebeat.yml -e -d "*" I can see the logs being published:

2020-09-14T14:59:10.440+0200    DEBUG   [multiline]     multiline/multiline.go:175      Multiline event flushed because timeout reached.
2020-09-14T14:59:10.440+0200    DEBUG   [publish]       pipeline/processor.go:309       Publish event: {
  "@timestamp": "2020-09-14T12:59:05.440Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "doc",
    "version": "6.8.2"
  },
  "source": "/opt/cobaltstrike/logs/200910/200.20.110.6/beacon_312701618.log",
  "fields": {
    "attackscenario": "cert",
    "infralogtype": "rtops",
    "cslogtype": "beacon"
  },
  "prospector": {
    "type": "log"
  },
  "input": {
    "type": "log"
  },
  "beat": {
    "name": "c2main",
    "hostname": "--",
    "version": "6.8.2"
  },
  "host": {
    "name": "c2main"
  },
  "offset": 18786,
  "log": {
    "file": {
      "path": "/opt/cobaltstrike/logs/200910/200.20.110.6/beacon_312701618.log"
    },
    "flags": [
      "multiline"
    ]
  },
  "message": "09/10 14:27:34 UTC [output]\nstarted download of c:\\users\\Victim\\Desktop\\large_file\\test005 (751619279 bytes)\n"
}
2020-09-14T14:59:10.463+0200    DEBUG   [multiline]     multiline/multiline.go:175      Multiline event flushed because timeout reached.
2020-09-14T14:59:10.463+0200    DEBUG   [publish]       pipeline/processor.go:309       Publish event: {
  "@timestamp": "2020-09-14T12:59:05.459Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "doc",
    "version": "6.8.2"
  },
  "source": "/opt/cobaltstrike/logs/200910/200.20.110.6/beacon_1555961078.log",
  "offset": 138555,
  "message": "09/10 18:17:13 UTC [output]\nreceived output:\n\n\n                        %&&@@@&&                                                                                  \n                        &&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%                         \n                        &%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%\n%%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((\n#%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((\n#%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((\n#####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((\n#######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####\n###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####\n#####%######################  %%%..                       
@////(((&%%%%%%%################                        \n                        &%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*                         \n                        &%%&&&%%%%%        v1.0.0         ,(((&%%%%%%%%%%%%%%%%%,                                 \n                         #%%%%##,                                                                                 \n\n\nAvailable commands (+ means remote usage is supported):\n\n    + AMSIProviders          - Providers registered for AMSI\n    + AntiVirus              - Registered antivirus (via WMI)\n      AppLocker              - AppLocker settings, if installed\n      ARPTable               - Lists the current ARP table and adapter information (equivalent to arp -a)\n      AuditPolicies          - Enumerates classic and advanced audit policy settings\n    + AuditPolicyRegistry    - Audit settings via the registry\n    + AutoRuns               - Auto run executables/scripts/programs\n      ChromeBookmarks        - Parses any found Chrome bookmark files\n      ChromeHistory          - Parses any found Chrome history files\n      ChromePresence         - Checks if interesting Google Chrome files exist\n      CloudCredentials       - AWS/Google/Azure cloud credential files\n      CredEnum               - Enumerates the current user's saved credentials using CredEnumerate()\n      CredGuard              - CredentialGuard configuration\n      dir                    - Lists files/folders. 
By default, lists users' downloads, documents, and desktop folders (arguments == [directory] [depth] [regex] [boolIgnoreErrors]\n    + DNSCache               - DNS cache entries (via WMI)\n    + DotNet                 - DotNet versions\n      DpapiMasterKeys        - List DPAPI master keys\n      EnvironmentPath        - Current environment %PATH$ folders and SDDL information\n      EnvironmentVariables   - Current user environment variables\n      ExplicitLogonEvents    - Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.\n      ExplorerMRUs 

from redelk.

MarcOverIP avatar MarcOverIP commented on June 6, 2024

Did you remove the registry files (/var/lib/filebeat/registry)? Otherwise filebeat still thinks there is nothing to ship, as there is no 'new' data. I believe these are not removed when you apt purge the package.

It's not the enrichment scripts. Even if they fail there should be data in ES.

Run the following to check if there is any data in the rtops index: curl -XGET 'localhost:9200/_cat/indices/?v&s=index' (when successful, it lists rtops-%somedate).

You can also uncomment lines 17-19 in the logstash config file 90-output.conf and see what data is coming out of logstash. It should read something like below; of course, restart logstash afterwards.

  if [infralogtype] == "rtops" {
    file {
      path => "/tmp/logstashout.txt"
    }
  }

from redelk.
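Added example (not part of the thread and not RedELK, filebeat or Elasticsearch code): the two checks in the comment above done offline in Python. The first part reads a filebeat 6.x registry, which is a JSON list with one state per harvested file and the byte offset already shipped, and works out what filebeat would still send; this is why an intact registry means "nothing new to ship" and why deleting it forces a full resend. The second part parses `_cat/indices?v` output and reports whether any index with a given prefix (rtops-, redirtraffic-) holds documents. The registry content, file sizes and index table below are constructed.

```python
"""Offline versions of the two checks in the comment above: read a filebeat 6.x
registry to see why an intact registry means "nothing new to ship", and parse
`_cat/indices?v` output to see whether any rtops-* index holds documents.
Added example, not RedELK, filebeat or Elasticsearch code; all input is constructed."""
import json
from typing import Dict, List

# Constructed registry in the filebeat 6.x layout: /var/lib/filebeat/registry is a
# JSON list with one state per harvested file, including the byte offset shipped so far.
SAMPLE_REGISTRY = json.dumps([
    {"source": "/opt/cobaltstrike/logs/200910/200.20.110.6/beacon_312701618.log",
     "offset": 18786, "timestamp": "2020-09-14T14:33:04.115+02:00", "ttl": -1,
     "type": "log", "FileStateOS": {"inode": 1001, "device": 2049}},
    {"source": "/opt/cobaltstrike/logs/200910/events.log",
     "offset": 4096, "timestamp": "2020-09-14T14:33:04.100+02:00", "ttl": -1,
     "type": "log", "FileStateOS": {"inode": 1002, "device": 2049}},
])

# Constructed current on-disk sizes (stand-in for os.path.getsize on the teamserver).
SAMPLE_SIZES = {
    "/opt/cobaltstrike/logs/200910/200.20.110.6/beacon_312701618.log": 18786,
    "/opt/cobaltstrike/logs/200910/events.log": 5120,
}

# Constructed output of: curl -XGET 'localhost:9200/_cat/indices/?v&s=index'
SAMPLE_CAT_INDICES = """\
health status index                   uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana_1               pFSaOlu2SpGa_7aFIN7X0A   1   0         26            1     84.5kb         84.5kb
yellow open   redirtraffic-2020.09.13 -3j9TYUMR-mR4Xeog_iF0w   5   1       2112          185      1.8mb          1.8mb
yellow open   redirtraffic-2020.09.14 -8R00nxLRvGnHeOo337bOA   5   1        276           52        1mb            1mb
"""


def registry_offsets(registry_text: str) -> Dict[str, int]:
    """Source path -> offset filebeat believes it has already shipped."""
    return {state["source"]: int(state["offset"]) for state in json.loads(registry_text)}


def pending_bytes(registry_text: str, sizes: Dict[str, int]) -> Dict[str, int]:
    """Bytes filebeat would still ship per file (size minus recorded offset).
    A file whose size equals its offset is 'done' from filebeat's point of view,
    even if nothing ever reached Elasticsearch. Deleting the registry resets every
    offset to 0, which is why removing it forces a full resend."""
    return {path: max(sizes.get(path, 0) - off, 0)
            for path, off in registry_offsets(registry_text).items()}


def parse_cat_indices(text: str) -> List[Dict[str, str]]:
    """Turn the whitespace-separated `_cat/indices?v` table into dicts keyed by header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    return [dict(zip(header, ln.split())) for ln in lines[1:]]


def index_doc_counts(text: str, prefix: str) -> Dict[str, int]:
    """docs.count for every index whose name starts with prefix (e.g. "rtops-")."""
    return {row["index"]: int(row["docs.count"])
            for row in parse_cat_indices(text) if row["index"].startswith(prefix)}


def has_data(text: str, prefix: str) -> bool:
    """True when at least one index with that prefix holds documents."""
    return any(count > 0 for count in index_doc_counts(text, prefix).values())


if __name__ == "__main__":
    print("pending per file:", pending_bytes(SAMPLE_REGISTRY, SAMPLE_SIZES))
    for prefix in ("redirtraffic-", "rtops-"):
        print(prefix, "has data:", has_data(SAMPLE_CAT_INDICES, prefix),
              index_doc_counts(SAMPLE_CAT_INDICES, prefix))
```

On a real teamserver, replace SAMPLE_REGISTRY with the contents of /var/lib/filebeat/registry and SAMPLE_SIZES with os.path.getsize() of each tracked source; a file reporting 0 pending bytes will never be re-read until the registry entry is removed.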

6r0k3d avatar 6r0k3d commented on June 6, 2024

curl output

health status index                   uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana_1               pFSaOlu2SpGa_7aFIN7X0A   1   0         26            1     84.5kb         84.5kb
green  open   .kibana_task_manager    LbcmY0ELRJ-PALAF-fGc1g   1   0          2            0       13kb           13kb
green  open   .tasks                  5KTHYtCvRuSy4MSP6-8rNg   1   0      16641            0      3.7mb          3.7mb
yellow open   redirtraffic-2020.09.11 lWmoroe-R2CVzZn2YCtAMw   5   1         35            1    260.5kb        260.5kb
yellow open   redirtraffic-2020.09.12 y07ypkHKQkiMKQB0NTui-A   5   1         75            8      972kb          972kb
yellow open   redirtraffic-2020.09.13 -3j9TYUMR-mR4Xeog_iF0w   5   1       2112          185      1.8mb          1.8mb
yellow open   redirtraffic-2020.09.14 -8R00nxLRvGnHeOo337bOA   5   1        276           52        1mb            1mb

from redelk.

MarcOverIP avatar MarcOverIP commented on June 6, 2024

OK so no CS data is entering ES.

How about the /tmp/logstashout.txt after the filebeat registry file was deleted?

from redelk.
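Added example (not part of the thread and not Logstash, filebeat or RedELK code) on a detail that decides whether /tmp/logstashout.txt gets written at all. The conditional suggested earlier, `if [infralogtype] == "rtops"`, resolves `[infralogtype]` at the event root. Filebeat only places custom `fields:` at the root when the input or global `fields_under_root: true` is set; otherwise they nest under `fields`, exactly as the debug output earlier in the thread shows ("fields": {"attackscenario": ..., "infralogtype": "rtops", ...}), and the conditional never matches. The bracket-path resolver below mimics Logstash field-reference syntax for plain nested keys only; the events are constructed.

```python
"""Why a Logstash conditional on [infralogtype] can silently match nothing.
Added example, not Logstash, filebeat or RedELK code. resolve() imitates Logstash
field references such as "[fields][infralogtype]" for plain nested keys."""
import re
from typing import Any, Dict, Optional

_BRACKET = re.compile(r"\[([^\[\]]+)\]")

# Constructed custom fields as RedELK's teamserver filebeat config declares them.
CS_FIELDS = {"infralogtype": "rtops", "cslogtype": "beacon", "attackscenario": "cert"}


def build_event(message: str, custom_fields: Dict[str, str], under_root: bool) -> Dict[str, Any]:
    """Shape of a filebeat 6.x event for the two settings of fields_under_root."""
    event: Dict[str, Any] = {"@metadata": {"beat": "filebeat", "type": "doc"}, "message": message}
    if under_root:
        event.update(custom_fields)          # fields_under_root: true
    else:
        event["fields"] = dict(custom_fields)  # default: nested under "fields"
    return event


def resolve(event: Dict[str, Any], ref: str) -> Optional[Any]:
    """Resolve a Logstash-style field reference like "[fields][infralogtype]".
    Returns None when any path element is missing (Logstash treats that as null)."""
    parts = _BRACKET.findall(ref)
    if not parts or "".join(f"[{p}]" for p in parts) != ref:
        raise ValueError(f"not a bracket field reference: {ref!r}")
    node: Any = event
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def would_write_logstashout(event: Dict[str, Any]) -> bool:
    """The thread's conditional: if [infralogtype] == "rtops" { file { ... } }."""
    return resolve(event, "[infralogtype]") == "rtops"


def which_reference_matches(event: Dict[str, Any], value: str = "rtops") -> Optional[str]:
    """Diagnostic: which of the two plausible references would have matched."""
    for ref in ("[infralogtype]", "[fields][infralogtype]"):
        if resolve(event, ref) == value:
            return ref
    return None


if __name__ == "__main__":
    for under_root in (True, False):
        ev = build_event("09/10 14:27:34 UTC [output]\nstarted download", CS_FIELDS, under_root)
        print(f"fields_under_root={under_root}: writes logstashout={would_write_logstashout(ev)}, "
              f"matching reference={which_reference_matches(ev)}")
```

The practical check: compare the reference used in the conditional with where the debug output of `filebeat -e -d "*"` actually shows infralogtype; if it sits under "fields", either set fields_under_root on the shipper or test `[fields][infralogtype]` in Logstash.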

6r0k3d avatar 6r0k3d commented on June 6, 2024

(sigh) I think I found it with the extra logging. Looks like an SSL error.

The cert is the one generated by the install script. Does this mean I need to update openssl on the teamserver?

[2020-09-14T14:35:08,293][INFO ][org.logstash.beats.BeatsHandler] [local: 0.0.0.0:5044, remote: 10.10.6.75:45842] Handling exception: javax.net.ssl.SSLHandshakeException: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
[2020-09-14T14:35:08,296][WARN ][io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.

from redelk.

MarcOverIP avatar MarcOverIP commented on June 6, 2024

Typical issue indeed. But it surprises me as filebeat should report such an issue in its logs.

Just copy over the CA file from the redirector to the teamserver, as that one works. The other option is to disable SSL, which is not recommended.

from redelk.
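Added example (not part of the thread and not Logstash, filebeat or RedELK code) showing what the WRONG_VERSION_NUMBER above means on the wire. OpenSSL raises it when the listener reads the first bytes of a connection as a TLS record header and the two-byte version field is not 0x03xx. A filebeat whose output.logstash has no ssl section speaks plain Lumberjack, and its first frame is the window-size frame b"2W" followed by a 4-byte window size, so the "version" the TLS listener reads is 0x57 0x00. The classifier below peeks at the first bytes of a connection and names the mismatch; the sample byte strings are constructed and the symptom labels are mine, not Logstash log text.

```python
"""Classify the first bytes on a beats port: TLS record, plaintext Lumberjack
frame, HTTP or unknown. Explains the WRONG_VERSION_NUMBER handshake error when a
plaintext filebeat talks to a TLS-enabled Logstash beats input.
Added example, not Logstash, filebeat or RedELK code."""
import socket
from typing import Tuple

TLS_HANDSHAKE = 0x16                  # TLS record content type for handshake messages
LUMBERJACK_VERSIONS = b"12"           # Lumberjack protocol version byte ('1' or '2')
LUMBERJACK_FRAME_TYPES = b"WCJDA"     # window, compressed, json, data, ack

# Constructed samples: start of a TLS 1.2 ClientHello record, filebeat's first
# plaintext Lumberjack v2 frame ("2W" + window size 1024), an HTTP request line.
TLS_CLIENT_HELLO_START = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01])
LUMBERJACK_START = b"2W" + (1024).to_bytes(4, "big")
HTTP_START = b"GET / HTTP/1.1\r\n"


def classify(first_bytes: bytes) -> str:
    """'tls' for a TLS record header, 'lumberjack' for a plaintext Beats frame,
    'http' for an HTTP request line, otherwise 'unknown'."""
    if len(first_bytes) < 3:
        return "unknown"
    b0, b1, b2 = first_bytes[0], first_bytes[1], first_bytes[2]
    if b0 == TLS_HANDSHAKE and b1 == 0x03 and b2 <= 0x04:
        return "tls"
    if b0 in LUMBERJACK_VERSIONS and b1 in LUMBERJACK_FRAME_TYPES:
        return "lumberjack"
    if first_bytes[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        return "http"
    return "unknown"


def tls_record_version(first_bytes: bytes) -> Tuple[int, int]:
    """The two bytes a TLS server interprets as the record version (what OpenSSL
    validates before anything else). For "2W..." this is (0x57, 0x00)."""
    return first_bytes[1], first_bytes[2]


def mismatch(first_bytes: bytes, server_tls: bool) -> str:
    """Name the situation for a given first frame and the listener's own TLS setting.
    'tls_listener_got_plaintext' is the WRONG_VERSION_NUMBER case from the thread."""
    kind = classify(first_bytes)
    if server_tls and kind != "tls":
        return "tls_listener_got_plaintext"
    if not server_tls and kind == "tls":
        return "plaintext_listener_got_tls"
    return "ok"


def classify_connection(conn: socket.socket, n: int = 5) -> str:
    """Peek (without consuming) at the first bytes of an accepted connection."""
    return classify(conn.recv(n, socket.MSG_PEEK))


def loopback_demo() -> Tuple[str, bytes]:
    """Send filebeat's first plaintext frame over a socketpair and classify it by
    peeking; returns the classification and the bytes a later recv still sees."""
    client, server = socket.socketpair()
    try:
        client.sendall(LUMBERJACK_START)
        kind = classify_connection(server)
        remaining = server.recv(len(LUMBERJACK_START))
    finally:
        client.close()
        server.close()
    return kind, remaining


if __name__ == "__main__":
    for name, sample in (("tls", TLS_CLIENT_HELLO_START), ("lumberjack", LUMBERJACK_START)):
        print(name, classify(sample), "version bytes:", tls_record_version(sample),
              "on a TLS listener:", mismatch(sample, True))
    print("loopback:", loopback_demo())
```

To apply this on a live box, capture the first packet towards port 5044 (for example with tcpdump) and feed its payload to classify(); the same peek logic also distinguishes the reverse mistake, a TLS-enabled filebeat hitting a plaintext beats input, which the lead-in labels plaintext_listener_got_tls.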

6r0k3d avatar 6r0k3d commented on June 6, 2024

Interesting. So I copied over redelkCA.crt from the redirector to the teamserver, deleted the registry, and restarted filebeat, and now I'm seeing Failed to connect in the filebeat logs. It's just one cert, right? I'll try moving the cert from RedELK over to see if that fixes it. Just checked file ownership and it's root/root.

from redelk.

MarcOverIP avatar MarcOverIP commented on June 6, 2024

Clients (filebeats) only require the CA file to check the cert chain. It's the clients verifying whether the system they are shipping to is trusted. The ELK server uses the certs created by the CA file.

It's best to follow exactly what the installer scripts do, but in essence it's just the CA file that filebeat needs. Also, make sure the certs have proper (limited) access rights, or they will be ignored by filebeat. There should be a chmod command in the installer script.

Overall, I feel you: debugging different pieces of the ELK is not easy. Most error messages are not really helpful.

from redelk.

fastlorenzo avatar fastlorenzo commented on June 6, 2024

Something else you can do is to run logstash with debug logging enabled (don't forget to disable it afterwards).

from redelk.

MarcOverIP avatar MarcOverIP commented on June 6, 2024

Can we close this one now that it's a simple TLS cert issue?

from redelk.

6r0k3d avatar 6r0k3d commented on June 6, 2024

Not sure? I'm less convinced it's TLS right now. In an effort to see if I could just get logs in, I turned off TLS (I think? Maybe I missed an SSL config option that needed disabling elsewhere). I had no ERROR lines on the filebeat test, and I'm not seeing anything hitting logstash-plain. Interestingly, I'm not seeing any output after uncommenting the /tmp/logstash.txt output in 90-outputs.conf (I made a mistake earlier: the SSL log error from earlier was in logstash-plain).
Not sure how to interpret that, but maybe logstash isn't picking up the config from /etc/logstash/conf.d? Added a screenshot of the logstash service status too, which has a warning about illegal reflective access.

Logstash 10-inputs.conf

# Part of RedELK
#
# In this file we configure the logstash inputs
#
# Author: Outflank B.V. / Marc Smeets
#

input {
  beats {
    port => 5044
    #ssl => false
    #ssl_certificate => "/etc/logstash/certs/elkserver.crt"
    #ssl_key => "/etc/logstash/certs/elkserver.key"
    client_inactivity_timeout => 84600
    #ssl_handshake_timeout => 30000
  }
}

Filebeats.yml

filebeat.prospectors:
- type: log
  scan_frequency: 5s
  enabled: true
  # filebeat's option is fields_under_root; "fields_under_opt" is not a filebeat
  # setting and leaves infralogtype/cslogtype nested under "fields" in the event
  fields_under_root: true
  paths:
    - /opt/cobaltstrike/logs/*/events.log
  fields:
    infralogtype: rtops
    cslogtype: events

- type: log
  scan_frequency: 5s
  enabled: true
  fields_under_root: true
  paths:
    - /opt/cobaltstrike/logs/*/weblog.log
  fields:
    infralogtype: rtops
    cslogtype: weblog

- type: log
  scan_frequency: 5s
  enabled: true
  fields_under_root: true
  paths:
    - /opt/cobaltstrike/logs/*/downloads.log
  fields:
    infralogtype: rtops
    cslogtype: downloads

- type: log
  scan_frequency: 5s
  enabled: true
  fields_under_root: true
  paths:
    - /opt/cobaltstrike/logs/*/*/beacon_*.log
  # Since Cobalt Strike version 3.14 the time format in the logs is changed. Here we use regex 'or' function (expr1)|(expr2) to match new or old format
  multiline.pattern: '(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\sUTC\s\[)|(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\s\[)' # match "06/19 12:32:56 UTC [" or "06/19 12:32:56 ["
  multiline.negate: true
  multiline.match: after
  fields:
    infralogtype: rtops
    cslogtype: beacon

- type: log
  scan_frequency: 5s
  enabled: true
  fields_under_root: true
  paths:
    - /opt/cobaltstrike/logs/*/*/keystrokes/keystrokes_*.txt
  # Since Cobalt Strike version 3.14 the time format in the logs is changed. Here we use regex 'or' function (expr1)|(expr2) to match new or old format
  multiline.pattern: '(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\sUTC\s\[)|(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\s\[)' # match "06/19 12:32:56 UTC [" or "06/19 12:32:56 ["
  multiline.negate: true
  multiline.match: after
  fields:
    infralogtype: rtops
    cslogtype: keystrokes

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 3

name: "kali"
fields_under_root: true
fields:
  attackscenario: CAA-test
harvester.limit: 1

# not an output setting: TLS for the logstash output is governed by the
# output.logstash.ssl.* keys below; with those commented out the output is plaintext
ssl.enabled: false

output.logstash:
  hosts: ["10.10.6.40:5044"]
  #ssl.verification_mode: none
  #ssl.certificate_authorities: ["/etc/filebeat/redelkCA.crt"]

Logstash-plain.log

[2020-09-15T03:14:20,898][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.8.2"}
[2020-09-15T03:14:48,869][INFO ][logstash.filters.ruby.script] Test run complete {:script_path=>"/etc/logstash/ruby-scripts/makebeaconlogpath.rb", :results=>{:passed=>0, :failed=>0, :errored=>0}}
[2020-09-15T03:14:49,107][INFO ][logstash.filters.ruby.script] Test run complete {:script_path=>"/etc/logstash/ruby-scripts/makescreenshotpath.rb", :results=>{:passed=>0, :failed=>0, :errored=>0}}
[2020-09-15T03:14:49,165][INFO ][logstash.filters.ruby.script] Test run complete {:script_path=>"/etc/logstash/ruby-scripts/makekeystrokespath.rb", :results=>{:passed=>0, :failed=>0, :errored=>0}}
[2020-09-15T03:14:49,212][INFO ][logstash.filters.ruby.script] Test run complete {:script_path=>"/etc/logstash/ruby-scripts/makedownloadspath.rb", :results=>{:passed=>0, :failed=>0, :errored=>0}}
[2020-09-15T03:14:49,490][INFO ][logstash.pipeline        ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2020-09-15T03:14:50,396][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://127.0.0.1:9200/]}}
[2020-09-15T03:14:50,714][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://127.0.0.1:9200/"}
[2020-09-15T03:14:50,793][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2020-09-15T03:14:50,798][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2020-09-15T03:14:50,860][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//127.0.0.1:9200"]}
[2020-09-15T03:14:50,894][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://127.0.0.1:9200/]}}
[2020-09-15T03:14:50,906][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://127.0.0.1:9200/"}
[2020-09-15T03:14:50,917][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2020-09-15T03:14:50,918][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2020-09-15T03:14:50,929][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//127.0.0.1:9200"]}
[2020-09-15T03:14:50,944][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://127.0.0.1:9200/]}}
[2020-09-15T03:14:50,954][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://127.0.0.1:9200/"}
[2020-09-15T03:14:50,963][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2020-09-15T03:14:50,964][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2020-09-15T03:14:50,970][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//127.0.0.1:9200"]}
[2020-09-15T03:14:51,550][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
[2020-09-15T03:14:51,589][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/GeoLite2-dbs/GeoLite2-ASN.mmdb"}
[2020-09-15T03:14:51,759][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
[2020-09-15T03:14:51,760][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/GeoLite2-dbs/GeoLite2-ASN.mmdb"}
[2020-09-15T03:14:51,762][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
[2020-09-15T03:14:51,763][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/GeoLite2-dbs/GeoLite2-ASN.mmdb"}
[2020-09-15T03:14:51,906][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
[2020-09-15T03:14:51,909][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/GeoLite2-dbs/GeoLite2-ASN.mmdb"}
[2020-09-15T03:14:51,910][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
[2020-09-15T03:14:51,912][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/GeoLite2-dbs/GeoLite2-ASN.mmdb"}
[2020-09-15T03:14:53,467][INFO ][logstash.inputs.beats    ] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
[2020-09-15T03:14:53,497][INFO ][logstash.pipeline        ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x27282c7a run>"}
[2020-09-15T03:14:53,637][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2020-09-15T03:14:53,689][INFO ][org.logstash.beats.Server] Starting server on port: 5044
[2020-09-15T03:14:54,295][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
2020-09-15T03:22:11.561+0200    INFO    instance/beat.go:611    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2020-09-15T03:22:11.561+0200    DEBUG   [beat]  instance/beat.go:648    Beat metadata path: /var/lib/filebeat/meta.json
2020-09-15T03:22:11.561+0200    INFO    instance/beat.go:618    Beat UUID: 5db0c467-b78c-4489-9305-f218c93e1ba7
2020-09-15T03:22:11.561+0200    DEBUG   [seccomp]       seccomp/seccomp.go:109  Loading syscall filter  {"seccomp_filter": {"no_new_privs":true,"flag":"tsync","policy":{"default_action":"errno","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","clock_gettime","clone","close","connect","dup","dup2","epoll_create","epoll_create1","epoll_ctl","epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchown","fcntl","fdatasync","flock","fstat","fstatfs","fsync","ftruncate","futex","getcwd","getdents","getdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname","getsockopt","gettid","gettimeofday","getuid","inotify_add_watch","inotify_init1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","munmap","nanosleep","newfstatat","open","openat","pipe","pipe2","poll","ppoll","pread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat","rt_sigaction","rt_sigprocmask","rt_sigreturn","sched_getaffinity","sched_yield","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","socket","splice","stat","statfs","sysinfo","tgkill","time","tkill","uname","unlink","unlinkat","wait4","waitid","write","writev"],"action":"allow"}]}}}
2020-09-15T03:22:11.562+0200    INFO    [seccomp]       seccomp/seccomp.go:116  Syscall filter successfully installed
2020-09-15T03:22:11.562+0200    INFO    [beat]  instance/beat.go:931    Beat info       {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "5db0c467-b78c-4489-9305-f218c93e1ba7"}}}
2020-09-15T03:22:11.562+0200    INFO    [beat]  instance/beat.go:940    Build info      {"system_info": {"build": {"commit": "0ffbeab5a52fa93586e4178becf1252e6a837028", "libbeat": "6.8.2", "time": "2019-07-24T14:24:45.000Z", "version": "6.8.2"}}}
2020-09-15T03:22:11.562+0200    INFO    [beat]  instance/beat.go:943    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.10.8"}}}
2020-09-15T03:22:11.563+0200    INFO    [beat]  instance/beat.go:947    Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-09-02T05:35:23+02:00","containerized":false,"name":"kali","ip":["127.0.0.1/8","10.10.6.65/24"],"kernel_version":"5.4.0-kali3-amd64","mac":["00:0c:29:1a:c2:9c"],"os":{"family":"","platform":"kali","name":"Kali GNU/Linux","version":"2020.1","major":2020,"minor":1,"patch":0,"codename":"kali-rolling"},"timezone":"CEST","timezone_offset_sec":7200,"id":"9f83511a03634ff686e46a64cac18bd4"}}}
root@redirector2:/tmp# head -100 filebeat.debug
2020-09-15T03:22:11.561+0200    INFO    instance/beat.go:611    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2020-09-15T03:22:11.561+0200    DEBUG   [beat]  instance/beat.go:648    Beat metadata path: /var/lib/filebeat/meta.json
2020-09-15T03:22:11.561+0200    INFO    instance/beat.go:618    Beat UUID: 5db0c467-b78c-4489-9305-f218c93e1ba7
2020-09-15T03:22:11.561+0200    DEBUG   [seccomp]       seccomp/seccomp.go:109  Loading syscall filter  {"seccomp_filter": {"no_new_privs":true,"flag":"tsync","policy":{"default_action":"errno","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","clock_gettime","clone","close","connect","dup","dup2","epoll_create","epoll_create1","epoll_ctl","epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchown","fcntl","fdatasync","flock","fstat","fstatfs","fsync","ftruncate","futex","getcwd","getdents","getdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname","getsockopt","gettid","gettimeofday","getuid","inotify_add_watch","inotify_init1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","munmap","nanosleep","newfstatat","open","openat","pipe","pipe2","poll","ppoll","pread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat","rt_sigaction","rt_sigprocmask","rt_sigreturn","sched_getaffinity","sched_yield","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","socket","splice","stat","statfs","sysinfo","tgkill","time","tkill","uname","unlink","unlinkat","wait4","waitid","write","writev"],"action":"allow"}]}}}
2020-09-15T03:22:11.562+0200    INFO    [seccomp]       seccomp/seccomp.go:116  Syscall filter successfully installed
2020-09-15T03:22:11.562+0200    INFO    [beat]  instance/beat.go:931    Beat info       {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "5db0c467-b78c-4489-9305-f218c93e1ba7"}}}
2020-09-15T03:22:11.562+0200    INFO    [beat]  instance/beat.go:940    Build info      {"system_info": {"build": {"commit": "0ffbeab5a52fa93586e4178becf1252e6a837028", "libbeat": "6.8.2", "time": "2019-07-24T14:24:45.000Z", "version": "6.8.2"}}}
2020-09-15T03:22:11.562+0200    INFO    [beat]  instance/beat.go:943    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.10.8"}}}
2020-09-15T03:22:11.563+0200    INFO    [beat]  instance/beat.go:947    Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-09-02T05:35:23+02:00","containerized":false,"name":"kali","ip":["127.0.0.1/8","10.10.6.65/24"],"kernel_version":"5.4.0-kali3-amd64","mac":["00:0c:29:1a:c2:9c"],"os":{"family":"","platform":"kali","name":"Kali GNU/Linux","version":"2020.1","major":2020,"minor":1,"patch":0,"codename":"kali-rolling"},"timezone":"CEST","timezone_offset_sec":7200,"id":"9f83511a03634ff686e46a64cac18bd4"}}}
2020-09-15T03:22:11.563+0200    INFO    [beat]  instance/beat.go:976    Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/etc/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 158648, "ppid": 141065, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2020-09-15T03:22:10.700+0200"}}}
2020-09-15T03:22:11.564+0200    INFO    instance/beat.go:280    Setup Beat: filebeat; Version: 6.8.2
2020-09-15T03:22:11.564+0200    DEBUG   [beat]  instance/beat.go:301    Initializing output plugins
2020-09-15T03:22:11.564+0200    DEBUG   [processors]    processors/processor.go:66      Processors:
2020-09-15T03:22:11.564+0200    DEBUG   [publish]       pipeline/consumer.go:137        start pipeline event consumer
2020-09-15T03:22:11.565+0200    INFO    [publisher]     pipeline/module.go:110  Beat name: kali
2020-09-15T03:22:11.565+0200    WARN    [cfgwarn]       beater/filebeat.go:81   DEPRECATED: prospectors are deprecated, Use `inputs` instead. Will be removed in version: 7.0.0
2020-09-15T03:22:11.565+0200    INFO    [monitoring]    log/log.go:117  Starting metrics logging every 30s
2020-09-15T03:22:11.565+0200    INFO    instance/beat.go:402    filebeat start running.
2020-09-15T03:22:11.566+0200    INFO    registrar/registrar.go:97       No registry file found under: /var/lib/filebeat/registry. Creating a new registry file.
2020-09-15T03:22:11.566+0200    DEBUG   [registrar]     registrar/registrar.go:400      Write registry file: /var/lib/filebeat/registry
2020-09-15T03:22:11.570+0200    DEBUG   [registrar]     registrar/registrar.go:393      Registry file updated. 0 states written.
2020-09-15T03:22:11.570+0200    INFO    registrar/registrar.go:134      Loading registrar data from /var/lib/filebeat/registry
2020-09-15T03:22:11.570+0200    INFO    registrar/registrar.go:141      States Loaded from registrar: 0
2020-09-15T03:22:11.570+0200    WARN    beater/filebeat.go:367  Filebeat is unable to load the Ingest Node pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the Ingest Node pipelines or are using Logstash pipelines, you can ignore this warning.
2020-09-15T03:22:11.570+0200    INFO    crawler/crawler.go:72   Loading Inputs: 5
2020-09-15T03:22:11.570+0200    DEBUG   [registrar]     registrar/registrar.go:267      Starting Registrar
2020-09-15T03:22:11.571+0200    DEBUG   [processors]    processors/processor.go:66      Processors:
2020-09-15T03:22:11.571+0200    DEBUG   [input] log/config.go:201       recursive glob enabled
2020-09-15T03:22:11.571+0200    DEBUG   [input] log/input.go:160        exclude_files: []. Number of stats: 0
2020-09-15T03:22:11.571+0200    DEBUG   [input] log/input.go:181        input with previous states loaded: 0
2020-09-15T03:22:11.571+0200    INFO    log/input.go:148        Configured paths: [/opt/cobaltstrike/logs/*/events.log]
2020-09-15T03:22:11.571+0200    INFO    input/input.go:114      Starting input of type: log; ID: 1606239087251668652
2020-09-15T03:22:11.571+0200    DEBUG   [processors]    processors/processor.go:66      Processors:
2020-09-15T03:22:11.571+0200    DEBUG   [input] log/input.go:187        Start next scan
2020-09-15T03:22:11.572+0200    DEBUG   [input] log/config.go:201       recursive glob enabled
2020-09-15T03:22:11.572+0200    DEBUG   [input] log/input.go:417        Check file for harvesting: /opt/cobaltstrike/logs/200909/events.log
2020-09-15T03:22:11.572+0200    DEBUG   [input] log/input.go:490        Start harvester for new file: /opt/cobaltstrike/logs/200909/events.log
2020-09-15T03:22:11.572+0200    DEBUG   [input] log/input.go:160        exclude_files: []. Number of stats: 0
2020-09-15T03:22:11.572+0200    DEBUG   [input] log/input.go:181        input with previous states loaded: 0
2020-09-15T03:22:11.572+0200    INFO    log/input.go:148        Configured paths: [/opt/cobaltstrike/logs/*/weblog.log]
2020-09-15T03:22:11.572+0200    INFO    input/input.go:114      Starting input of type: log; ID: 5755712550402058376
2020-09-15T03:22:11.572+0200    DEBUG   [harvester]     log/harvester.go:499    Setting offset for file based on seek: /opt/cobaltstrike/logs/200909/events.log
2020-09-15T03:22:11.572+0200    DEBUG   [harvester]     log/harvester.go:485    Setting offset for file: /opt/cobaltstrike/logs/200909/events.log. Offset: 0
2020-09-15T03:22:11.572+0200    DEBUG   [harvester]     log/harvester.go:400    Update state: /opt/cobaltstrike/logs/200909/events.log, offset: 0
2020-09-15T03:22:11.572+0200    DEBUG   [input] file/states.go:68       New state added for /opt/cobaltstrike/logs/200909/events.log
2020-09-15T03:22:11.572+0200    DEBUG   [processors]    processors/processor.go:66      Processors:
2020-09-15T03:22:11.572+0200    DEBUG   [publish]       pipeline/client.go:193  Pipeline client receives callback 'onFilteredOut' for event: %+v{0001-01-01 00:00:00 +0000 UTC null null { false 0xc420562340 /opt/cobaltstrike/logs/200909/events.log 0 2020-09-15 03:22:11.5721488 +0200 CEST m=+0.035017226 -1ns log map[] 3673397-65025}}
2020-09-15T03:22:11.572+0200    DEBUG   [input] log/input.go:417        Check file for harvesting: /opt/cobaltstrike/logs/200914/events.log
2020-09-15T03:22:11.572+0200    DEBUG   [input] log/input.go:490        Start harvester for new file: /opt/cobaltstrike/logs/200914/events.log
2020-09-15T03:22:11.572+0200    DEBUG   [input] log/config.go:201       recursive glob enabled
2020-09-15T03:22:11.572+0200    DEBUG   [input] log/input.go:160        exclude_files: []. Number of stats: 0
2020-09-15T03:22:11.572+0200    DEBUG   [harvester]     log/harvester.go:499    Setting offset for file based on seek: /opt/cobaltstrike/logs/200914/events.log
2020-09-15T03:22:11.572+0200    DEBUG   [harvester]     log/harvester.go:485    Setting offset for file: /opt/cobaltstrike/logs/200914/events.log. Offset: 0
2020-09-15T03:22:11.572+0200    DEBUG   [acker] beater/acker.go:64      stateful ack    {"count": 1}
2020-09-15T03:22:11.573+0200    DEBUG   [registrar]     registrar/registrar.go:345      Processing 1 events
2020-09-15T03:22:11.573+0200    DEBUG   [input] file/states.go:68       New state added for /opt/cobaltstrike/logs/200909/events.log
2020-09-15T03:22:11.573+0200    DEBUG   [registrar]     registrar/registrar.go:315      Registrar state updates processed. Count: 1
2020-09-15T03:22:11.573+0200    DEBUG   [registrar]     registrar/registrar.go:400      Write registry file: /var/lib/filebeat/registry
2020-09-15T03:22:11.572+0200    DEBUG   [harvester]     log/harvester.go:400    Update state: /opt/cobaltstrike/logs/200914/events.log, offset: 0
2020-09-15T03:22:11.573+0200    DEBUG   [input] file/states.go:68       New state added for /opt/cobaltstrike/logs/200914/events.log
2020-09-15T03:22:11.572+0200    DEBUG   [input] log/input.go:181        input with previous states loaded: 0
2020-09-15T03:22:11.573+0200    DEBUG   [publish]       pipeline/client.go:193  Pipeline client receives callback 'onFilteredOut' for event: %+v{0001-01-01 00:00:00 +0000 UTC null null { false 0xc4205624e0 /opt/cobaltstrike/logs/200914/events.log 0 2020-09-15 03:22:11.57271194 +0200 CEST m=+0.035580368 -1ns log map[] 3673401-65025}}
2020-09-15T03:22:11.574+0200    DEBUG   [acker] beater/acker.go:64      stateful ack    {"count": 1}
2020-09-15T03:22:11.574+0200    DEBUG   [input] log/input.go:208        input states cleaned up. Before: 2, After: 2, Pending: 0
2020-09-15T03:22:11.572+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200909/events.log
2020-09-15T03:22:11.574+0200    INFO    log/harvester.go:255    Harvester started for file: /opt/cobaltstrike/logs/200914/events.log
2020-09-15T03:22:11.574+0200    INFO    [detect_null_bytes]     debug/debug.go:95       Starting debug reader with a buffer size of 16384 and max failures of 100
2020-09-15T03:22:11.572+0200    DEBUG   [input] log/input.go:187        Start next scan
2020-09-15T03:22:11.575+0200    DEBUG   [publish]       pipeline/processor.go:309       Publish event: {
  "@timestamp": "2020-09-15T01:22:11.574Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "doc",
    "version": "6.8.2"
  },
  "offset": 0,
  "log": {
    "file": {
      "path": "/opt/cobaltstrike/logs/200909/events.log"
    }
  },
  "message": "09/09 15:07:46 UTC *** joined",
  "prospector": {
    "type": "log"
  },
  "beat": {
    "name": "kali",
    "hostname": "kali",
    "version": "6.8.2"
  },
  "host": {
    "name": "kali"
  },
  "source": "/opt/cobaltstrike/logs/200909/events.log",
  "input": {
    "type": "log"
  },
  "fields": {
    "cslogtype": "events",
    "attackscenario": "test",

Curl Indices

health status index                   uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana_1               pFSaOlu2SpGa_7aFIN7X0A   1   0         26            1     84.6kb         84.6kb
green  open   .kibana_task_manager    LbcmY0ELRJ-PALAF-fGc1g   1   0          2            0       13kb           13kb
green  open   .tasks                  5KTHYtCvRuSy4MSP6-8rNg   1   0      17985            1      2.1mb          2.1mb
yellow open   redirtraffic-2020.09.11 lWmoroe-R2CVzZn2YCtAMw   5   1         35            1    260.5kb        260.5kb
yellow open   redirtraffic-2020.09.12 y07ypkHKQkiMKQB0NTui-A   5   1         75            8      972kb          972kb
yellow open   redirtraffic-2020.09.13 -3j9TYUMR-mR4Xeog_iF0w   5   1       2112          185      1.8mb          1.8mb
yellow open   redirtraffic-2020.09.14 -8R00nxLRvGnHeOo337bOA   5   1       3936          549      3.7mb          3.7mb

6r0k3d avatar 6r0k3d commented on June 6, 2024

Feel free to close though, I know trying to run RedELK offline on an untested distro is pretty outside the scope of what you built. I'm pretty much out of ideas of things to check myself. I really appreciate you taking a look all the same, huge thank you!

MarcOverIP avatar MarcOverIP commented on June 6, 2024

The Logstash-plain.log indicates all kinds of actions (geoip, ruby scripts) that it can't make up on its own; it is reading the config properly from /etc/logstash/conf.d/*.

The filebeat debug message shows that there is an event sent ("*** joined"). Have you stripped the tls config options on both filebeat output as well as logstash input? Perhaps you should add :5044 as hardcoded port in the filebeat output (the installer script also states you should do so, but this may be a false warning, perhaps filebeat nowadays is smart enough to add port 5044 to the output destination).

Basic question but relevant: Is 5044 on the elk server reachable from the teamserver? Maybe just stop logstash and start netcat to listen for events?

I'm not sure about the illegal reflective access warning. But a quick google shows it's a known thing that's prolly not a real issue. Did you install the jvm that ES recommends?

6r0k3d avatar 6r0k3d commented on June 6, 2024

Yea, the port's open, tested with telnet:

telnet 10.10.6.40 5044
Trying 10.10.6.40 ...
Connected to 10.10.6.40.
Escape character is '^]'.

I thought I had SSL turned off for both sides, I commented out the 10-inputs.conf on Logstash, and the ssl.certificate_authorities on filebeat, and added ssl.enabled: false to filebeat.yml. Ran netcat on 5044, but the data coming out looks encrypted (at least, it's a binary blob). I added port 5044 to the filebeat.yml, though it works on the redirector without it.

My exact filebeats.yml config is posted above. I guess I still don't have it set right. At least I now know for sure the data is reaching logstash.

I installed the RedELK with internet access, so it used the install script without issue, installed openjdk-11-jre-headless. Running java -version returns openjdk version "11.0.8" 2020-07-14

MarcOverIP avatar MarcOverIP commented on June 6, 2024

Binary could also mean some form of gzip or whatever, I'm not sure filebeat-logstash talk a clear-text-based protocol.

But if the data gets to logstash you can debug with a very basic logstash config like the one below:

input {
  beats {
    port => 5044
  }
}
filter {
  mutate {
        add_tag => [ "logstash_ran" ]
  }
}
output {
  file {
     path => "/tmp/logstashout.txt"
  }
}

Of course rm filebeat registry and try again.

But I have got to say that it very much surprises me that this isn't working when there is data flowing to logstash.

6r0k3d avatar 6r0k3d commented on June 6, 2024

Progress!

I moved all the existing /etc/logstash/conf.d files into a temp folder, created a 10-inputs.conf with your details above, and can see all the kali logs in /tmp/logstashout.txt.

I think this is without question the toughest thing I've had to debug. But this is the first time I've been able to confirm logstash collecting properly.

Would it make sense to keep this 10-inputs.conf, move the 50-c2-cobaltstrike.conf back to /etc/logstash/conf.d and run again? Would I also need the 90-outputs.conf back in conf.d?

MarcOverIP avatar MarcOverIP commented on June 6, 2024

Hurray!

Like I said before, debugging ELK things is indeed not one of the easiest things I've done.

Well, the important thing to check right now is if the infralogtype = rtops field is present in the output you just got. If it is present, it would make sense to slowly add back logstash config things. If it is not, I can understand it fails to go to ES. Check the filebeat config for typos.

There must be something set wrong somewhere as it doesn't make sense that the RedELK shipped logstash conf is not working.

6r0k3d avatar 6r0k3d commented on June 6, 2024

rtops is present

"input":{"type":"log"},"offset":536,"fields":{"attackscenario":"test","cslogtype":"beacon","infralogtype":"rtops"},"host":{"name":"kali"},"beat":{"hostname":"kali","name":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}

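A small audit script for the check asked for two comments up (is every event in /tmp/logstashout.txt tagged logstash_ran and does it carry infralogtype = rtops?), as an added example that is not part of this thread or of RedELK. The sample lines are constructed from the events quoted in the thread; the REQUIRED_FIELDS list, the ip_internal/ip_external naming and the "[input]" sample line are assumptions.

```python
"""Audit the JSON lines Logstash's file{} output writes with the debug config
from this thread: is every event tagged 'logstash_ran' and does it carry the
fields (infralogtype = rtops etc.) the rtops pipeline relies on?"""
import json
import re
from typing import Dict, List, Optional

# fields: values quoted in the thread; assumption: all three must be present.
REQUIRED_FIELDS = ("infralogtype", "cslogtype", "attackscenario")
EXPECTED_INFRALOGTYPE = "rtops"
DEBUG_TAG = "logstash_ran"  # added by the mutate{} filter of the debug config

# Shape of a Cobalt Strike beacon "[metadata]" line as quoted in the thread.
# Assumption: left IP = internal address of the beacon host, right IP = external
# address (it matches the per-host log directory name, e.g. 200.20.110.10).
METADATA_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) UTC \[metadata\] "
    r"(?P<ip_internal>\S+) <- (?P<ip_external>\S+); (?P<attrs>.*)$"
)

# Constructed sample of /tmp/logstashout.txt, trimmed to the keys used below:
# 1) beacon metadata event, 2) event whose filebeat input lacks infralogtype
# (a filebeat.yml typo), 3) events.log line, 4) a corrupt line.
SAMPLE_LINES = [
    '{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},'
    '"tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":0,'
    '"message":"09/15 15:08:55 UTC [metadata] 172.31.49.182 <- 200.20.110.10; '
    'computer: DESKTOP-VIC1; user: Victim; process: powershell.exe; pid: 8792; '
    'os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)",'
    '"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_743423776.log"}',
    '{"fields":{"cslogtype":"beacon","attackscenario":"testinstall"},'
    '"tags":["beats_input_codec_plain_applied","logstash_ran"],'
    '"message":"09/15 15:09:01 UTC [input] <Victim> sleep 0",'
    '"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_743423776.log"}',
    '{"fields":{"infralogtype":"rtops","cslogtype":"events","attackscenario":"test"},'
    '"tags":["beats_input_codec_plain_applied","logstash_ran"],'
    '"message":"09/09 15:07:46 UTC *** joined","source":"/opt/cobaltstrike/logs/200909/events.log"}',
    '{"fields":{"infralogtype":"rtops"   <-- truncated write, not JSON',
]


def check_event(event: Dict) -> List[str]:
    """Return a list of problems; an empty list means the event is usable for rtops."""
    problems = []
    fields = event.get("fields")
    if not isinstance(fields, dict):
        return ["no 'fields' object: the filebeat.yml input lacks its fields: block"]
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"fields.{name} missing")
    actual = fields.get("infralogtype", EXPECTED_INFRALOGTYPE)
    if actual != EXPECTED_INFRALOGTYPE:
        problems.append(f"fields.infralogtype is {actual!r}, expected {EXPECTED_INFRALOGTYPE!r}")
    if DEBUG_TAG not in event.get("tags", []):
        problems.append(f"tag {DEBUG_TAG!r} missing: the filter{{}} section did not run")
    if "message" not in event:
        problems.append("message missing")
    if not event.get("source"):
        problems.append("source path missing")
    return problems


def parse_beacon_metadata(message: str) -> Optional[Dict[str, str]]:
    """Split a beacon [metadata] line into fields; None for any other line."""
    m = METADATA_RE.match(message)
    if not m:
        return None
    out = {"timestamp": m["ts"], "ip_internal": m["ip_internal"], "ip_external": m["ip_external"]}
    for attr in m["attrs"].split("; "):
        key, sep, value = attr.partition(": ")
        if sep:  # "beacon arch: x64 (x64)" -> beacon_arch
            out[key.strip().replace(" ", "_")] = value.strip()
    return out


def audit_logstash_output(lines: List[str]) -> Dict[str, object]:
    """Audit file{} output lines; returns counts, (line, problem) pairs and parsed beacons."""
    report = {"total": 0, "ok": 0, "unparseable": 0, "problems": [], "beacons": []}
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        report["total"] += 1
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            report["unparseable"] += 1
            report["problems"].append((n, "not valid JSON"))
            continue
        problems = check_event(event)
        if problems:
            report["problems"].extend((n, p) for p in problems)
        else:
            report["ok"] += 1
        fields = event.get("fields")
        if isinstance(fields, dict) and fields.get("cslogtype") == "beacon":
            meta = parse_beacon_metadata(event.get("message", ""))
            if meta:
                meta["source"] = event.get("source")
                report["beacons"].append(meta)
    return report


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    print(json.dumps(audit_logstash_output(lines), indent=2))
```

Run it as `python3 audit.py /tmp/logstashout.txt` after the debug pipeline has written the file; without an argument it audits the constructed sample.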

MarcOverIP avatar MarcOverIP commented on June 6, 2024

Give it a go :-)

It comes down to logstash debugging now. Again, the RedELK configs should work and we've never had issues with these.

6r0k3d avatar 6r0k3d commented on June 6, 2024

Hey quick update. I'm working on testing with incremental additions. However, I tested on a brand new kali install with test teamserver logs in the same location as my offline box, everything installed without issue, but still not seeing logs in rtops. Hopefully as I mess with logstash and elastic today I'll finally get to an answer for why. I'm guessing at this point it's something to do with kali itself.

6r0k3d avatar 6r0k3d commented on June 6, 2024

Alright. Fairly certain we can eliminate SSL as the problem. I'm running the elkserver and the teamserver filebeat on the same system, here's what I'm seeing. I think the issue may be with elasticsearch importing? If I'm reading the logs correctly, it looks like elastic isn't updating with the logstash data.

Initially, re-ran the tests with the following logstash inputs conf file

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/logstash/certs/elkserver.crt"
    ssl_key => "/etc/logstash/certs/elkserver.key"
    client_inactivity_timeout => 7200
    ssl_handshake_timeout => 30000
  }
}
filter {
  mutate {
        add_tag => [ "logstash_ran" ]
  }
}
output {
  file {
     path => "/tmp/logstashout.txt"
  }
}

This resulted in collected data being properly written to /tmp/logstashout.txt (while using SSL). These are being collected from /opt/cobaltstrike/logs (I changed the filebeat.yml to match my offline system).

{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":0,"message":"09/15 15:08:55 UTC [metadata] 172.31.49.182 <- 200.20.110.10; computer: DESKTOP-VIC1; user: Victim; process: powershell.exe; pid: 8792; os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.214Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_743423776.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_743423776.log"}}}

logstash-plain.log

[2020-09-17T17:51:41,050][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.8.2"}
[2020-09-17T17:51:44,603][INFO ][logstash.pipeline        ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2020-09-17T17:51:45,271][INFO ][logstash.inputs.beats    ] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
[2020-09-17T17:51:45,357][INFO ][logstash.pipeline        ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x26e07b6c run>"}
[2020-09-17T17:51:45,432][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2020-09-17T17:51:45,528][INFO ][org.logstash.beats.Server] Starting server on port: 5044
[2020-09-17T17:51:45,858][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2020-09-17T17:52:19,698][INFO ][logstash.outputs.file    ] Opening file {:path=>"/tmp/logstashout.txt"}
[2020-09-17T17:54:47,877][WARN ][logstash.runner          ] SIGTERM received. Shutting down.
[2020-09-17T17:54:52,561][INFO ][logstash.outputs.file    ] Closing file /tmp/logstashout.txt
[2020-09-17T17:54:52,974][INFO ][logstash.pipeline        ] Pipeline has terminated {:pipeline_id=>"main", :thread=>"#<Thread:0x26e07b6c run>"}
[2020-09-17T17:54:52,979][INFO ][logstash.runner          ] Logstash shut down.

With confirmation of data flowing over SSL, I updated 10-inputs.conf, and added 50 and 90 back into /etc/logstash/conf.d. Additionally, for every test, I stopped filebeat and removed its registry file to ensure the log data would get recollected.

The logstash files in use are the 10/50/90 from RedELK.
I tail -f the log files for filebeat, elasticsearch, and logstash with select output shown below. For filebeat, you can see multiple failed connection attempts while logstash was being turned on, and then the successful connection.

Filebeat

2020-09-17T18:22:19.251+0200	INFO	instance/beat.go:611	Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2020-09-17T18:22:19.251+0200	INFO	instance/beat.go:618	Beat UUID: 75b70fa2-ade6-440d-92e8-68e78944f44b
2020-09-17T18:22:19.251+0200	INFO	[seccomp]	seccomp/seccomp.go:116	Syscall filter successfully installed
2020-09-17T18:22:19.251+0200	INFO	[beat]	instance/beat.go:931	Beat info	{"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "75b70fa2-ade6-440d-92e8-68e78944f44b"}}}
2020-09-17T18:22:19.251+0200	INFO	[beat]	instance/beat.go:940	Build info	{"system_info": {"build": {"commit": "0ffbeab5a52fa93586e4178becf1252e6a837028", "libbeat": "6.8.2", "time": "2019-07-24T14:24:45.000Z", "version": "6.8.2"}}}
2020-09-17T18:22:19.251+0200	INFO	[beat]	instance/beat.go:943	Go runtime info	{"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":1,"version":"go1.10.8"}}}
2020-09-17T18:22:19.251+0200	INFO	[beat]	instance/beat.go:947	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-09-17T17:15:27+02:00","containerized":false,"name":"kali","ip":["127.0.0.1/8","::1/128","10.0.2.15/24","fe80::a00:27ff:feba:5e0c/64"],"kernel_version":"5.7.0-kali1-amd64","mac":["08:00:27:ba:5e:0c"],"os":{"family":"","platform":"kali","name":"Kali GNU/Linux","version":"2020.3","major":2020,"minor":3,"patch":0,"codename":"kali-rolling"},"timezone":"CEST","timezone_offset_sec":7200,"id":"b4e557ad0f8045c3984ba238c44bb55d"}}}
2020-09-17T18:22:19.252+0200	INFO	[beat]	instance/beat.go:976	Process info	{"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 6002, "ppid": 1, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2020-09-17T18:22:18.680+0200"}}}
2020-09-17T18:22:19.252+0200	INFO	instance/beat.go:280	Setup Beat: filebeat; Version: 6.8.2
2020-09-17T18:22:19.252+0200	INFO	[publisher]	pipeline/module.go:110	Beat name: ts-test
2020-09-17T18:22:19.252+0200	WARN	[cfgwarn]	beater/filebeat.go:81	DEPRECATED: prospectors are deprecated, Use `inputs` instead. Will be removed in version: 7.0.0
2020-09-17T18:22:19.252+0200	INFO	instance/beat.go:402	filebeat start running.
2020-09-17T18:22:19.252+0200	INFO	registrar/registrar.go:97	No registry file found under: /var/lib/filebeat/registry. Creating a new registry file.
2020-09-17T18:22:19.253+0200	INFO	[monitoring]	log/log.go:117	Starting metrics logging every 30s
2020-09-17T18:22:19.289+0200	INFO	registrar/registrar.go:134	Loading registrar data from /var/lib/filebeat/registry
2020-09-17T18:22:19.289+0200	INFO	registrar/registrar.go:141	States Loaded from registrar: 0
2020-09-17T18:22:19.289+0200	WARN	beater/filebeat.go:367	Filebeat is unable to load the Ingest Node pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the Ingest Node pipelines or are using Logstash pipelines, you can ignore this warning.
2020-09-17T18:22:19.289+0200	INFO	crawler/crawler.go:72	Loading Inputs: 5
2020-09-17T18:22:19.290+0200	INFO	log/input.go:148	Configured paths: [/opt/cobaltstrike/logs/*/events.log]
2020-09-17T18:22:19.290+0200	INFO	input/input.go:114	Starting input of type: log; ID: 1606239087251668652 
2020-09-17T18:22:19.290+0200	INFO	log/input.go:148	Configured paths: [/opt/cobaltstrike/logs/*/weblog.log]
2020-09-17T18:22:19.290+0200	INFO	input/input.go:114	Starting input of type: log; ID: 5755712550402058376 
2020-09-17T18:22:19.290+0200	INFO	log/input.go:148	Configured paths: [/opt/cobaltstrike/logs/*/downloads.log]
2020-09-17T18:22:19.290+0200	INFO	input/input.go:114	Starting input of type: log; ID: 2293190375744009869 
2020-09-17T18:22:19.290+0200	INFO	log/input.go:148	Configured paths: [/opt/cobaltstrike/logs/*/*/beacon_*.log]
2020-09-17T18:22:19.290+0200	INFO	input/input.go:114	Starting input of type: log; ID: 12414764114003662895 
2020-09-17T18:22:19.290+0200	INFO	log/input.go:148	Configured paths: [/opt/cobaltstrike/logs/*/*/keystrokes/keystrokes_*.txt]
2020-09-17T18:22:19.290+0200	INFO	input/input.go:114	Starting input of type: log; ID: 7218035168341614709 
2020-09-17T18:22:19.291+0200	INFO	crawler/crawler.go:106	Loading and starting Inputs completed. Enabled inputs: 5
2020-09-17T18:22:19.292+0200	INFO	cfgfile/reload.go:150	Config reloader started
2020-09-17T18:22:19.292+0200	INFO	log/harvester.go:255	Harvester started for file: /opt/cobaltstrike/logs/200914/events.log
2020-09-17T18:22:19.292+0200	INFO	log/harvester.go:255	Harvester started for file: /opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log
2020-09-17T18:22:19.292+0200	INFO	log/harvester.go:255	Harvester started for file: /opt/cobaltstrike/logs/200915/events.log
2020-09-17T18:22:19.292+0200	INFO	cfgfile/reload.go:205	Loading of config files completed.
2020-09-17T18:22:19.292+0200	INFO	log/harvester.go:255	Harvester started for file: /opt/cobaltstrike/logs/200909/events.log
2020-09-17T18:22:19.292+0200	INFO	log/harvester.go:255	Harvester started for file: /opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log
2020-09-17T18:22:19.298+0200	INFO	log/harvester.go:255	Harvester started for file: /opt/cobaltstrike/logs/200915/200.20.110.10/beacon_743423776.log
2020-09-17T18:22:19.310+0200	INFO	log/harvester.go:255	Harvester started for file: /opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log
2020-09-17T18:22:19.310+0200	INFO	log/harvester.go:255	Harvester started for file: /opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log
2020-09-17T18:22:19.310+0200	INFO	log/harvester.go:255	Harvester started for file: /opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log
2020-09-17T18:22:20.294+0200	INFO	pipeline/output.go:95	Connecting to backoff(async(tcp://127.0.0.1:5044))
2020-09-17T18:22:21.385+0200	ERROR	pipeline/output.go:100	Failed to connect to backoff(async(tcp://127.0.0.1:5044)): dial tcp 127.0.0.1:5044: connect: connection refused
2020-09-17T18:22:21.385+0200	INFO	pipeline/output.go:93	Attempting to reconnect to backoff(async(tcp://127.0.0.1:5044)) with 1 reconnect attempt(s)
2020-09-17T18:22:24.205+0200	ERROR	pipeline/output.go:100	Failed to connect to backoff(async(tcp://127.0.0.1:5044)): dial tcp 127.0.0.1:5044: connect: connection refused
2020-09-17T18:22:24.205+0200	INFO	pipeline/output.go:93	Attempting to reconnect to backoff(async(tcp://127.0.0.1:5044)) with 2 reconnect attempt(s)
2020-09-17T18:22:28.653+0200	ERROR	pipeline/output.go:100	Failed to connect to backoff(async(tcp://127.0.0.1:5044)): dial tcp 127.0.0.1:5044: connect: connection refused
2020-09-17T18:22:28.653+0200	INFO	pipeline/output.go:93	Attempting to reconnect to backoff(async(tcp://127.0.0.1:5044)) with 3 reconnect attempt(s)
2020-09-17T18:22:37.320+0200	ERROR	pipeline/output.go:100	Failed to connect to backoff(async(tcp://127.0.0.1:5044)): dial tcp 127.0.0.1:5044: connect: connection refused
2020-09-17T18:22:37.320+0200	INFO	pipeline/output.go:93	Attempting to reconnect to backoff(async(tcp://127.0.0.1:5044)) with 4 reconnect attempt(s)
2020-09-17T18:22:49.254+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":0,"time":{"ms":6}},"total":{"ticks":30,"time":{"ms":37},"value":0},"user":{"ticks":30,"time":{"ms":31}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":15},"info":{"ephemeral_id":"8c03bdc2-8293-4e5b-9e15-528da4b76000","uptime":{"ms":30011}},"memstats":{"gc_next":5703840,"memory_alloc":3095576,"memory_total":7971840,"rss":27062272}},"filebeat":{"events":{"active":78,"added":85,"done":7},"harvester":{"open_files":9,"running":9,"started":9}},"libbeat":{"config":{"module":{"running":0},"reloads":1},"output":{"type":"logstash"},"pipeline":{"clients":5,"events":{"active":76,"filtered":9,"published":76,"retry":210,"total":85}}},"registrar":{"states":{"current":7,"update":7},"writes":{"success":8,"total":8}},"system":{"cpu":{"cores":1},"load":{"1":1.18,"15":0.92,"5":0.91,"norm":{"1":1.18,"15":0.92,"5":0.91}}}}}}
2020-09-17T18:23:03.219+0200	ERROR	pipeline/output.go:100	Failed to connect to backoff(async(tcp://127.0.0.1:5044)): dial tcp 127.0.0.1:5044: connect: connection refused
2020-09-17T18:23:03.219+0200	INFO	pipeline/output.go:93	Attempting to reconnect to backoff(async(tcp://127.0.0.1:5044)) with 5 reconnect attempt(s)
2020-09-17T18:23:19.257+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":0,"time":{"ms":1}},"total":{"ticks":30,"time":{"ms":7},"value":30},"user":{"ticks":30,"time":{"ms":6}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":15},"info":{"ephemeral_id":"8c03bdc2-8293-4e5b-9e15-528da4b76000","uptime":{"ms":60010}},"memstats":{"gc_next":5703840,"memory_alloc":4358192,"memory_total":9234456,"rss":684032}},"filebeat":{"harvester":{"open_files":9,"running":9}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":76,"retry":70}}},"registrar":{"states":{"current":7}},"system":{"load":{"1":1.97,"15":0.99,"5":1.13,"norm":{"1":1.97,"15":0.99,"5":1.13}}}}}}
2020-09-17T18:23:49.256+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":10,"time":{"ms":10}},"total":{"ticks":50,"time":{"ms":22},"value":50},"user":{"ticks":40,"time":{"ms":12}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":15},"info":{"ephemeral_id":"8c03bdc2-8293-4e5b-9e15-528da4b76000","uptime":{"ms":90013}},"memstats":{"gc_next":5790192,"memory_alloc":3460600,"memory_total":10644136,"rss":806912}},"filebeat":{"harvester":{"open_files":9,"running":9}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":76}}},"registrar":{"states":{"current":7}},"system":{"load":{"1":1.26,"15":0.97,"5":1.03,"norm":{"1":1.26,"15":0.97,"5":1.03}}}}}}
2020-09-17T18:23:59.751+0200	ERROR	pipeline/output.go:100	Failed to connect to backoff(async(tcp://127.0.0.1:5044)): dial tcp 127.0.0.1:5044: connect: connection refused
2020-09-17T18:23:59.751+0200	INFO	pipeline/output.go:93	Attempting to reconnect to backoff(async(tcp://127.0.0.1:5044)) with 6 reconnect attempt(s)
2020-09-17T18:24:00.361+0200	INFO	pipeline/output.go:105	Connection to backoff(async(tcp://127.0.0.1:5044)) established
2020-09-17T18:24:19.255+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":30,"time":{"ms":13}},"total":{"ticks":80,"time":{"ms":17},"value":80},"user":{"ticks":50,"time":{"ms":4}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":16},"info":{"ephemeral_id":"8c03bdc2-8293-4e5b-9e15-528da4b76000","uptime":{"ms":120012}},"memstats":{"gc_next":10460112,"memory_alloc":6182392,"memory_total":14888880,"rss":794624}},"filebeat":{"events":{"active":-78,"done":78},"harvester":{"open_files":9,"running":9}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":76,"batches":2,"total":76},"read":{"bytes":1585},"write":{"bytes":6769}},"pipeline":{"clients":5,"events":{"active":0,"retry":82},"queue":{"acked":76}}},"registrar":{"states":{"current":9,"update":78},"writes":{"success":2,"total":2}},"system":{"load":{"1":1.03,"15":0.96,"5":1,"norm":{"1":1.03,"15":0.96,"5":1}}}}}}
2020-09-17T18:24:49.255+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":30,"time":{"ms":2}},"total":{"ticks":90,"time":{"ms":14},"value":90},"user":{"ticks":60,"time":{"ms":12}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":16},"info":{"ephemeral_id":"8c03bdc2-8293-4e5b-9e15-528da4b76000","uptime":{"ms":150010}},"memstats":{"gc_next":10460112,"memory_alloc":7605464,"memory_total":16311952,"rss":266240}},"filebeat":{"harvester":{"open_files":9,"running":9}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":9}},"system":{"load":{"1":0.62,"15":0.92,"5":0.9,"norm":{"1":0.62,"15":0.92,"5":0.9}}}}}}
2020-09-17T18:25:19.254+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":30,"time":{"ms":3}},"total":{"ticks":110,"time":{"ms":22},"value":110},"user":{"ticks":80,"time":{"ms":19}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":16},"info":{"ephemeral_id":"8c03bdc2-8293-4e5b-9e15-528da4b76000","uptime":{"ms":180011}},"memstats":{"gc_next":5371952,"memory_alloc":3817384,"memory_total":17736152,"rss":-1916928}},"filebeat":{"harvester":{"open_files":9,"running":9}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":9}},"system":{"load":{"1":0.38,"15":0.89,"5":0.81,"norm":{"1":0.38,"15":0.89,"5":0.81}}}}}}
2020-09-17T18:25:19.373+0200	INFO	beater/filebeat.go:442	Stopping filebeat
2020-09-17T18:25:19.373+0200	INFO	crawler/crawler.go:139	Stopping Crawler
2020-09-17T18:25:19.373+0200	INFO	crawler/crawler.go:149	Stopping 5 inputs
2020-09-17T18:25:19.373+0200	INFO	cfgfile/reload.go:208	Dynamic config reloader stopped
2020-09-17T18:25:19.373+0200	INFO	input/input.go:149	input ticker stopped
2020-09-17T18:25:19.373+0200	INFO	input/input.go:167	Stopping Input: 7218035168341614709
2020-09-17T18:25:19.373+0200	INFO	input/input.go:149	input ticker stopped
2020-09-17T18:25:19.373+0200	INFO	input/input.go:167	Stopping Input: 1606239087251668652
2020-09-17T18:25:19.373+0200	INFO	log/harvester.go:276	Reader was closed: /opt/cobaltstrike/logs/200909/events.log. Closing.
2020-09-17T18:25:19.373+0200	INFO	input/input.go:149	input ticker stopped
2020-09-17T18:25:19.373+0200	INFO	input/input.go:167	Stopping Input: 5755712550402058376
2020-09-17T18:25:19.373+0200	INFO	input/input.go:149	input ticker stopped
2020-09-17T18:25:19.373+0200	INFO	input/input.go:167	Stopping Input: 2293190375744009869
2020-09-17T18:25:19.373+0200	INFO	input/input.go:149	input ticker stopped
2020-09-17T18:25:19.373+0200	INFO	input/input.go:167	Stopping Input: 12414764114003662895
2020-09-17T18:25:19.373+0200	INFO	log/harvester.go:276	Reader was closed: /opt/cobaltstrike/logs/200914/events.log. Closing.
2020-09-17T18:25:19.373+0200	INFO	log/harvester.go:276	Reader was closed: /opt/cobaltstrike/logs/200915/events.log. Closing.
2020-09-17T18:25:19.373+0200	INFO	log/harvester.go:276	Reader was closed: /opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log. Closing.
2020-09-17T18:25:19.374+0200	INFO	log/harvester.go:276	Reader was closed: /opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log. Closing.
2020-09-17T18:25:19.374+0200	INFO	log/harvester.go:276	Reader was closed: /opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log. Closing.
2020-09-17T18:25:19.374+0200	INFO	log/harvester.go:276	Reader was closed: /opt/cobaltstrike/logs/200915/200.20.110.10/beacon_743423776.log. Closing.
2020-09-17T18:25:19.374+0200	INFO	log/harvester.go:276	Reader was closed: /opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log. Closing.
2020-09-17T18:25:19.374+0200	INFO	log/harvester.go:276	Reader was closed: /opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log. Closing.
2020-09-17T18:25:19.374+0200	INFO	crawler/crawler.go:165	Crawler stopped
2020-09-17T18:25:19.374+0200	INFO	registrar/registrar.go:356	Stopping Registrar
2020-09-17T18:25:19.374+0200	INFO	registrar/registrar.go:282	Ending Registrar
2020-09-17T18:25:19.382+0200	INFO	[monitoring]	log/log.go:152	Total non-zero metrics	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":30,"time":{"ms":36}},"total":{"ticks":110,"time":{"ms":122},"value":110},"user":{"ticks":80,"time":{"ms":86}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":7},"info":{"ephemeral_id":"8c03bdc2-8293-4e5b-9e15-528da4b76000","uptime":{"ms":180138}},"memstats":{"gc_next":5371952,"memory_alloc":4392264,"memory_total":18311032,"rss":27697152}},"filebeat":{"events":{"added":85,"done":85},"harvester":{"closed":9,"open_files":0,"running":0,"started":9}},"libbeat":{"config":{"module":{"running":0},"reloads":1},"output":{"events":{"acked":76,"batches":2,"total":76},"read":{"bytes":1585},"type":"logstash","write":{"bytes":6769}},"pipeline":{"clients":0,"events":{"active":0,"filtered":9,"published":76,"retry":362,"total":85},"queue":{"acked":76}}},"registrar":{"states":{"current":9,"update":85},"writes":{"success":11,"total":11}},"system":{"cpu":{"cores":1},"load":{"1":0.38,"15":0.89,"5":0.81,"norm":{"1":0.38,"15":0.89,"5":0.81}}}}}}
2020-09-17T18:25:19.382+0200	INFO	[monitoring]	log/log.go:153	Uptime: 3m0.139749749s
2020-09-17T18:25:19.382+0200	INFO	[monitoring]	log/log.go:130	Stopping metrics logging.
2020-09-17T18:25:19.382+0200	INFO	instance/beat.go:412	filebeat stopped.

Logstash-plain.log

[2020-09-17T18:17:51,943][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.8.2"}
[2020-09-17T18:18:05,450][INFO ][logstash.filters.ruby.script] Test run complete {:script_path=>"/etc/logstash/ruby-scripts/makebeaconlogpath.rb", :results=>{:passed=>0, :failed=>0, :errored=>0}}
[2020-09-17T18:18:05,799][INFO ][logstash.filters.ruby.script] Test run complete {:script_path=>"/etc/logstash/ruby-scripts/makescreenshotpath.rb", :results=>{:passed=>0, :failed=>0, :errored=>0}}
[2020-09-17T18:18:05,875][INFO ][logstash.filters.ruby.script] Test run complete {:script_path=>"/etc/logstash/ruby-scripts/makekeystrokespath.rb", :results=>{:passed=>0, :failed=>0, :errored=>0}}
[2020-09-17T18:18:05,938][INFO ][logstash.filters.ruby.script] Test run complete {:script_path=>"/etc/logstash/ruby-scripts/makedownloadspath.rb", :results=>{:passed=>0, :failed=>0, :errored=>0}}
[2020-09-17T18:18:06,204][INFO ][logstash.pipeline        ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2020-09-17T18:18:07,260][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://127.0.0.1:9200/]}}
[2020-09-17T18:18:07,734][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://127.0.0.1:9200/"}
[2020-09-17T18:18:07,880][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2020-09-17T18:18:07,884][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2020-09-17T18:18:07,930][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//127.0.0.1:9200"]}
[2020-09-17T18:18:08,053][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://127.0.0.1:9200/]}}
[2020-09-17T18:18:08,063][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://127.0.0.1:9200/"}
[2020-09-17T18:18:08,072][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2020-09-17T18:18:08,075][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2020-09-17T18:18:08,087][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//127.0.0.1:9200"]}
[2020-09-17T18:18:08,099][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://127.0.0.1:9200/]}}
[2020-09-17T18:18:08,109][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://127.0.0.1:9200/"}
[2020-09-17T18:18:08,126][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2020-09-17T18:18:08,130][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2020-09-17T18:18:08,139][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//127.0.0.1:9200"]}
[2020-09-17T18:18:09,717][INFO ][logstash.inputs.beats    ] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
[2020-09-17T18:18:09,763][INFO ][logstash.pipeline        ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x4b3e87d run>"}
[2020-09-17T18:18:09,860][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2020-09-17T18:18:09,964][INFO ][org.logstash.beats.Server] Starting server on port: 5044
[2020-09-17T18:18:10,317][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2020-09-17T18:22:07,489][WARN ][logstash.runner          ] SIGTERM received. Shutting down.
[2020-09-17T18:22:12,741][WARN ][org.logstash.execution.ShutdownWatcherExt] {"inflight_count"=>0, "stalling_threads_info"=>{}}
[2020-09-17T18:22:12,744][ERROR][org.logstash.execution.ShutdownWatcherExt] The shutdown process appears to be stalled due to busy or blocked plugins. Check the logs for more information.
[2020-09-17T18:22:14,392][INFO ][logstash.pipeline        ] Pipeline has terminated {:pipeline_id=>"main", :thread=>"#<Thread:0x4b3e87d run>"}
[2020-09-17T18:22:14,406][INFO ][logstash.runner          ] Logstash shut down.

Elasticsearch.log. This log piece shows elasticsearch from startup through T18:22:07, which is just before I closed logstash. I'm not totally sure how to read it, but it looks like it's not updating anything? updated=0, created=0, etc.

[2020-09-17T18:16:01,701][INFO ][o.e.e.NodeEnvironment    ] [uEDXTLP] using [1] data paths, mounts [[/ (/dev/sda1)]], net usable_space [6.8gb], net total_space [18.6gb], types [ext4]
[2020-09-17T18:16:01,708][INFO ][o.e.e.NodeEnvironment    ] [uEDXTLP] heap size [1015.6mb], compressed ordinary object pointers [true]
[2020-09-17T18:16:01,739][INFO ][o.e.n.Node               ] [uEDXTLP] node name derived from node ID [uEDXTLP1Sc-mlLbZ84B00Q]; set [node.name] to override
[2020-09-17T18:16:01,741][INFO ][o.e.n.Node               ] [uEDXTLP] version[6.8.2], pid[5643], build[default/deb/b506955/2019-07-24T15:24:41.545295Z], OS[Linux/5.7.0-kali1-amd64/amd64], JVM[Debian/OpenJDK 64-Bit Server VM/11.0.8/11.0.8+10-post-Debian-1]
[2020-09-17T18:16:01,741][INFO ][o.e.n.Node               ] [uEDXTLP] JVM arguments [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.io.tmpdir=/tmp/elasticsearch-769602358332656239, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/elasticsearch, -XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.locale.providers=COMPAT, -XX:UseAVX=2, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/etc/elasticsearch, -Des.distribution.flavor=default, -Des.distribution.type=deb]
[2020-09-17T18:16:04,942][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [aggs-matrix-stats]
[2020-09-17T18:16:04,942][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [analysis-common]
[2020-09-17T18:16:04,942][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [ingest-common]
[2020-09-17T18:16:04,943][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [ingest-geoip]
[2020-09-17T18:16:04,943][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [ingest-user-agent]
[2020-09-17T18:16:04,943][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [lang-expression]
[2020-09-17T18:16:04,943][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [lang-mustache]
[2020-09-17T18:16:04,943][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [lang-painless]
[2020-09-17T18:16:04,943][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [mapper-extras]
[2020-09-17T18:16:04,943][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [parent-join]
[2020-09-17T18:16:04,943][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [percolator]
[2020-09-17T18:16:04,944][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [rank-eval]
[2020-09-17T18:16:04,944][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [reindex]
[2020-09-17T18:16:04,944][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [repository-url]
[2020-09-17T18:16:04,944][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [transport-netty4]
[2020-09-17T18:16:04,944][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [tribe]
[2020-09-17T18:16:04,944][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [x-pack-ccr]
[2020-09-17T18:16:04,944][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [x-pack-core]
[2020-09-17T18:16:04,944][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [x-pack-deprecation]
[2020-09-17T18:16:04,945][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [x-pack-graph]
[2020-09-17T18:16:04,945][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [x-pack-ilm]
[2020-09-17T18:16:04,945][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [x-pack-logstash]
[2020-09-17T18:16:04,945][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [x-pack-ml]
[2020-09-17T18:16:04,945][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [x-pack-monitoring]
[2020-09-17T18:16:04,945][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [x-pack-rollup]
[2020-09-17T18:16:04,945][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [x-pack-security]
[2020-09-17T18:16:04,945][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [x-pack-sql]
[2020-09-17T18:16:04,945][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [x-pack-upgrade]
[2020-09-17T18:16:04,945][INFO ][o.e.p.PluginsService     ] [uEDXTLP] loaded module [x-pack-watcher]
[2020-09-17T18:16:04,946][INFO ][o.e.p.PluginsService     ] [uEDXTLP] no plugins loaded
[2020-09-17T18:16:10,055][INFO ][o.e.x.s.a.s.FileRolesStore] [uEDXTLP] parsed [0] roles from file [/etc/elasticsearch/roles.yml]
[2020-09-17T18:16:11,061][INFO ][o.e.x.m.p.l.CppLogMessageHandler] [uEDXTLP] [controller/5701] [Main.cc@109] controller (64 bit): Version 6.8.2 (Build f4a9b28c0d5114) Copyright (c) 2019 Elasticsearch BV
[2020-09-17T18:16:11,721][DEBUG][o.e.a.ActionModule       ] [uEDXTLP] Using REST wrapper from plugin org.elasticsearch.xpack.security.Security
[2020-09-17T18:16:12,403][INFO ][o.e.d.DiscoveryModule    ] [uEDXTLP] using discovery type [zen] and host providers [settings]
[2020-09-17T18:16:13,535][INFO ][o.e.n.Node               ] [uEDXTLP] initialized
[2020-09-17T18:16:13,535][INFO ][o.e.n.Node               ] [uEDXTLP] starting ...
[2020-09-17T18:16:13,741][INFO ][o.e.t.TransportService   ] [uEDXTLP] publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}
[2020-09-17T18:16:16,963][INFO ][o.e.c.s.MasterService    ] [uEDXTLP] zen-disco-elected-as-master ([0] nodes joined), reason: new_master {uEDXTLP}{uEDXTLP1Sc-mlLbZ84B00Q}{aUWG6S_5SOK8HQuEiE-zNQ}{127.0.0.1}{127.0.0.1:9300}{ml.machine_memory=4131852288, xpack.installed=true, ml.max_open_jobs=20, ml.enabled=true}
[2020-09-17T18:16:16,982][INFO ][o.e.c.s.ClusterApplierService] [uEDXTLP] new_master {uEDXTLP}{uEDXTLP1Sc-mlLbZ84B00Q}{aUWG6S_5SOK8HQuEiE-zNQ}{127.0.0.1}{127.0.0.1:9300}{ml.machine_memory=4131852288, xpack.installed=true, ml.max_open_jobs=20, ml.enabled=true}, reason: apply cluster state (from master [master {uEDXTLP}{uEDXTLP1Sc-mlLbZ84B00Q}{aUWG6S_5SOK8HQuEiE-zNQ}{127.0.0.1}{127.0.0.1:9300}{ml.machine_memory=4131852288, xpack.installed=true, ml.max_open_jobs=20, ml.enabled=true} committed version [1] source [zen-disco-elected-as-master ([0] nodes joined)]])
[2020-09-17T18:16:17,162][INFO ][o.e.h.n.Netty4HttpServerTransport] [uEDXTLP] publish_address {127.0.0.1:9200}, bound_addresses {[::1]:9200}, {127.0.0.1:9200}
[2020-09-17T18:16:17,162][INFO ][o.e.n.Node               ] [uEDXTLP] started
[2020-09-17T18:16:18,321][WARN ][o.e.x.s.a.s.m.NativeRoleMappingStore] [uEDXTLP] Failed to clear cache for realms [[]]
[2020-09-17T18:16:18,464][INFO ][o.e.l.LicenseService     ] [uEDXTLP] license [31a33b05-d0c1-446a-b460-1a7b0a7f73e8] mode [basic] - valid
[2020-09-17T18:16:18,499][INFO ][o.e.g.GatewayService     ] [uEDXTLP] recovered [3] indices into cluster_state
[2020-09-17T18:16:19,353][INFO ][o.e.c.r.a.AllocationService] [uEDXTLP] Cluster health status changed from [RED] to [GREEN] (reason: [shards started [[.kibana_task_manager][0], [.kibana_1][0]] ...]).
[2020-09-17T18:16:19,728][INFO ][o.e.c.m.MetaDataIndexTemplateService] [uEDXTLP] adding template [.management-beats] for index patterns [.management-beats]
[2020-09-17T18:17:02,371][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 193 finished with response BulkByScrollResponse[took=9.6ms,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:17:03,302][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 209 finished with response BulkByScrollResponse[took=498.1micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:17:04,313][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 218 finished with response BulkByScrollResponse[took=930micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:17:05,333][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 235 finished with response BulkByScrollResponse[took=248micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:18:03,602][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 492 finished with response BulkByScrollResponse[took=1.8ms,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:18:04,369][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 501 finished with response BulkByScrollResponse[took=276.5micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:18:05,456][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 513 finished with response BulkByScrollResponse[took=277.7micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:18:06,401][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 529 finished with response BulkByScrollResponse[took=480.8micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:19:02,553][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 843 finished with response BulkByScrollResponse[took=201.8micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:19:03,559][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 865 finished with response BulkByScrollResponse[took=214.6micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:19:04,574][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 874 finished with response BulkByScrollResponse[took=245.8micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:19:05,584][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 886 finished with response BulkByScrollResponse[took=258.3micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:20:03,301][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 1209 finished with response BulkByScrollResponse[took=498.5micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:20:04,353][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 1237 finished with response BulkByScrollResponse[took=600.1micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:20:05,358][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 1249 finished with response BulkByScrollResponse[took=301.4micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:20:06,425][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 1260 finished with response BulkByScrollResponse[took=781.8micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:21:02,329][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 1576 finished with response BulkByScrollResponse[took=193.6micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:21:03,342][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 1590 finished with response BulkByScrollResponse[took=212.1micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:21:04,364][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 1599 finished with response BulkByScrollResponse[took=264.1micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:21:05,378][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 1621 finished with response BulkByScrollResponse[took=193.3micros,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:22:02,073][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 1939 finished with response BulkByScrollResponse[took=1.4ms,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:22:03,105][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 1956 finished with response BulkByScrollResponse[took=1.7ms,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:22:04,144][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 1967 finished with response BulkByScrollResponse[took=1.4ms,timed_out=false,sliceId=null,updated=0,created=0,deleted=0,batches=0,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2020-09-17T18:22:05,155][INFO ][o.e.t.LoggingTaskListener] [uEDXTLP] 1981 finished with response

curling for the indices shows nothing created:

root@kali:/home/kali# curl -XGET 'localhost:9200/_cat/indices/?v&s=index'
health status index                uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana_1            Egy4tD38T7OQsg_DS8pF5g   1   0         26            0     78.9kb         78.9kb
green  open   .kibana_task_manager kfXdXMHAQTSGSseBQJIixQ   1   0          2            0     12.6kb         12.6kb
green  open   .tasks               dIu4IlXsQd6lSo4nzdnypw   1   0        280            0    105.6kb        105.6kb

from redelk.

fastlorenzo avatar fastlorenzo commented on June 6, 2024

Did you try running logstash and elasticsearch with debug flags to get more output? That might help to identify what's happening.

from redelk.

MarcOverIP avatar MarcOverIP commented on June 6, 2024

If you can make logstash output to a file but not to ES, perhaps you can try to send data to ES using manual curl PUT commands? See if you can put data in an index rtops-%date. Doesn't really matter what data, just to see if it works that way.

from redelk.

6r0k3d avatar 6r0k3d commented on June 6, 2024

This may be a silly question (or I'm about to find out I made a real silly mistake...). Working on posting directly now.

Should the install scripts be run with or without sudo? I realize in the install guide none of the commands have sudo on them, but when I run install without it, I get all kinds of errors.


from redelk.

MarcOverIP avatar MarcOverIP commented on June 6, 2024

As root. Still, as non-root you wouldn't even be able to install filebeat or elasticsearch, right?

from redelk.

6r0k3d avatar 6r0k3d commented on June 6, 2024

I'm not sure I've quite got the URL syntax down.

curl -XPUT -H"content-type: application/json" 'localhost:9200/rtops-20200917' -d @'./logstashout.txt'

{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"unknown setting [index.@timestamp] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"}],"type":"illegal_argument_exception","reason":"unknown setting [index.@timestamp] please check that any required plugins are installed, or check the breaking changes documentation for removed settings","suppressed":[{"type":"illegal_argument_exception","reason":"unknown setting [index.@version] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"},{"type":"illegal_argument_exception","reason":"unknown setting [index.beat.hostname] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"},{"type":"illegal_argument_exception","reason":"unknown setting [index.beat.name] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"},{"type":"illegal_argument_exception","reason":"unknown setting [index.beat.version] did you mean [index.xpack.version]?"},{"type":"illegal_argument_exception","reason":"unknown setting [index.fields.attackscenario] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"},{"type":"illegal_argument_exception","reason":"unknown setting [index.fields.cslogtype] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"},{"type":"illegal_argument_exception","reason":"unknown setting [index.fields.infralogtype] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"},{"type":"illegal_argument_exception","reason":"unknown setting [index.host.name] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"},{"type":"illegal_argument_exception","reason":"unknown setting [index.input.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"},{"type":"illegal_argument_exception","reason":"unknown setting [index.log.file.path] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"},{"type":"illegal_argument_exception","reason":"unknown setting [index.message] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"},{"type":"illegal_argument_exception","reason":"unknown setting [index.offset] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"},{"type":"illegal_argument_exception","reason":"unknown setting [index.prospector.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"},{"type":"illegal_argument_exception","reason":"unknown setting [index.source] did you mean [index.source_only]?"},{"type":"illegal_argument_exception","reason":"unknown setting [index.tags] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"}]},"status":400}

curl -XPOST -H"content-type: application/json" 'localhost:9200/rtops-20200917/rtops-20200917' -d @'./logstashout.txt'

{"error":{"root_cause":[{"type":"mapper_parsing_exception","reason":"failed to parse"}],"type":"mapper_parsing_exception","reason":"failed to parse","caused_by":{"type":"illegal_argument_exception","reason":"Malformed content, found extra data after parsing: START_OBJECT"}},"status":400}

Logstashout.txt

{"fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":474,"message":"09/15 15:26:53 UTC [checkin] host called home, sent: 19 bytes","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.214Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"}}}
{"fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":203,"message":"09/14 18:11:20 UTC [input] <test2> sleep 0","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.203Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":244,"message":"09/14 18:11:20 UTC [task] <T1029> Tasked beacon to become interactive","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.203Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":314,"message":"09/14 18:11:24 UTC [checkin] host called home, sent: 16 bytes","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.203Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":312,"message":"09/15 14:21:26 UTC [checkin] host called home, sent: 16 bytes","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.214Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}}}
{"fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":374,"message":"09/15 14:21:31 UTC [input] <test2> ls","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.216Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}}}
{"fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":410,"message":"09/15 14:21:31 UTC [task] <> Tasked beacon to list files in .","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.216Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","beat":{"hostname":"kali","name":"ts-test","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}}}
{"fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":497,"message":"09/14 17:36:22 UTC [task] <> Tasked beacon to list files in .","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.214Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}}}
{"fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":559,"message":"09/14 17:36:22 UTC [checkin] host called home, sent: 19 bytes","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.217Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2108,"message":"09/14 18:06:44 UTC [input] <test2> sleep 60","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.215Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2150,"message":"09/14 18:06:44 UTC [task] <T1029> Tasked beacon to sleep for 60s","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.217Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2215,"message":"09/14 18:06:44 UTC [checkin] host called home, sent: 16 bytes","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.217Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","beat":{"hostname":"kali","name":"ts-test","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":376,"message":"09/14 18:12:59 UTC [input] <test2> ls","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.214Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":472,"message":"09/15 14:21:31 UTC [checkin] host called home, sent: 19 bytes","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.216Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":621,"message":"09/14 17:36:22 UTC [output]\nC:\\Users\\Victim\\*\nD\t0\t09/09/2020 11:31:55\t.\nD\t0\t09/09/2020 11:31:55\t..\nD\t0\t03/24/2020 16:18:49\t.dotnet\nD\t0\t03/18/2020 15:55:48\t.ssh\nD\t0\t09/09/2020 14:30:17\t3D Objects\nD\t0\t03/10/2020 16:23:12\tAppData\nD\t0\t03/10/2020 16:23:12\tApplication Data\nD\t0\t09/09/2020 14:30:17\tContacts\nD\t0\t03/10/2020 16:23:12\tCookies\nD\t0\t09/09/2020 14:30:17\tDesktop\nD\t0\t09/09/2020 14:30:18\tDocuments\nD\t0\t09/09/2020 14:30:18\tDownloads\nD\t0\t09/09/2020 14:30:17\tFavorites\nF\t0\t05/11/2020 11:23:01\tkey.txt\nD\t0\t09/09/2020 14:30:18\tLinks\nD\t0\t03/10/2020 16:23:12\tLocal Settings\nD\t0\t03/18/2020 10:50:39\tMicrosoftEdgeBackups\nD\t0\t09/09/2020 14:30:18\tMusic\nD\t0\t03/10/2020 16:23:12\tMy Documents\nD\t0\t03/10/2020 16:23:12\tNetHood\nF\t4718592\t09/14/2020 12:10:53\tNTUSER.DAT\nF\t1024000\t03/10/2020 16:23:12\tntuser.dat.LOG1\nF\t786432\t03/10/2020 16:23:12\tntuser.dat.LOG2\nF\t65536\t03/10/2020 16:23:38\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TM.blf\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000001.regtrans-ms\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000002.regtrans-ms\nF\t20\t03/10/2020 16:23:12\tntuser.ini\nD\t0\t03/23/2020 10:13:47\tOneDrive\nD\t0\t09/09/2020 14:30:17\tPictures\nD\t0\t03/10/2020 16:23:12\tPrintHood\nD\t0\t03/10/2020 16:23:12\tRecent\nD\t0\t09/09/2020 14:30:18\tSaved Games\nD\t0\t09/09/2020 14:30:17\tSearches\nD\t0\t03/10/2020 16:23:12\tSendTo\nD\t0\t03/25/2020 08:08:16\tsource\nD\t0\t03/10/2020 16:23:12\tStart Menu\nD\t0\t03/10/2020 16:23:12\tTemplates\nD\t0\t09/09/2020 
14:30:17\tVideos\n\n","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.217Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"flags":["multiline"],"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2193,"message":"09/14 17:36:48 UTC [input] <test2> sleep 1","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.218Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2277,"message":"09/14 18:09:54 UTC [metadata] 172.31.49.182 <- 200.20.110.6; computer: DESKTOP-3H3MRO8; user: Victim; process: powershell.exe; pid: 8952; os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.217Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}}}
{"fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2480,"message":"09/14 18:09:53 UTC [input] <test2> exit","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.218Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":412,"message":"09/14 18:12:59 UTC [task] <> Tasked beacon to list files in .","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.217Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":474,"message":"09/14 18:12:59 UTC [checkin] host called home, sent: 19 bytes","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.217Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2234,"message":"09/14 17:36:48 UTC [task] <T1029> Tasked beacon to sleep for 1s","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.218Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}}}
{"fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2298,"message":"09/14 17:36:48 UTC [checkin] host called home, sent: 16 bytes","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.218Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2360,"message":"09/14 17:36:55 UTC [input] <test2> sleep 60","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.218Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2402,"message":"09/14 17:36:55 UTC [task] <T1029> Tasked beacon to sleep for 60s","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.218Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2467,"message":"09/14 17:36:55 UTC [checkin] host called home, sent: 16 bytes","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.219Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2529,"message":"09/14 18:02:38 UTC [input] <test2> sleep 0","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.219Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2570,"message":"09/14 18:02:38 UTC [task] <T1029> Tasked beacon to become interactive","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.219Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}}}
{"fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2640,"message":"09/14 18:02:54 UTC [input] <test2> ls","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.219Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2676,"message":"09/14 18:02:54 UTC [task] <> Tasked beacon to list files in .","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.219Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2738,"message":"09/14 18:04:14 UTC [input] <test2> exit","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.219Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"hostname":"kali","name":"ts-test","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}}}
{"fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2776,"message":"09/14 18:04:14 UTC [task] <> Tasked beacon to exit","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.219Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}}}
{"fields":{"infralogtype":"rtops","cslogtype":"beacon","attackscenario":"testinstall"},"@version":"1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2827,"message":"09/14 18:04:31 UTC [input] <test2> exit","prospector":{"type":"log"},"@timestamp":"2020-09-17T16:03:40.219Z","input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"host":{"name":"ts-test"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/events.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.292Z","fields":{"attackscenario":"testinstall","cslogtype":"events","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/events.log","@version":"1","message":"09/15 14:19:16 UTC *** test2 joined","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":0,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/events.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.292Z","fields":{"attackscenario":"testinstall","cslogtype":"events","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/events.log","@version":"1","message":"09/14 17:13:01 UTC *** test2 joined","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":0,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/events.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.293Z","fields":{"attackscenario":"testinstall","cslogtype":"events","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/events.log","@version":"1","message":"09/14 17:14:26 UTC *** test2 hosted Scripted Web Delivery (powershell) @ https://10.10.6.65:443/update","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":34,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/events.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.293Z","fields":{"attackscenario":"testinstall","cslogtype":"events","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/events.log","@version":"1","message":"09/14 17:34:48 UTC *** initial beacon from [email protected] (DESKTOP-3H3MRO8)","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":135,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/events.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.293Z","fields":{"attackscenario":"testinstall","cslogtype":"events","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/events.log","@version":"1","message":"09/14 18:05:37 UTC *** initial beacon from [email protected] (DESKTOP-3H3MRO8)","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":216,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/events.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.293Z","fields":{"attackscenario":"testinstall","cslogtype":"events","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/events.log","@version":"1","message":"09/14 18:09:45 UTC *** initial beacon from [email protected] (DESKTOP-3H3MRO8)","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":297,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/events.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.293Z","fields":{"attackscenario":"testinstall","cslogtype":"events","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/events.log","@version":"1","message":"09/14 18:10:29 UTC *** initial beacon from [email protected] (DESKTOP-3H3MRO8)","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":378,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/events.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.293Z","fields":{"attackscenario":"testinstall","cslogtype":"events","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/events.log","@version":"1","message":"09/14 19:10:40 UTC *** test2 quit","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":459,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200909/events.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.292Z","fields":{"attackscenario":"testinstall","cslogtype":"events","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200909/events.log","@version":"1","message":"09/09 15:07:46 UTC *** test joined","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":0,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200909/events.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.293Z","fields":{"attackscenario":"testinstall","cslogtype":"events","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200909/events.log","@version":"1","message":"09/09 15:23:27 UTC *** test quit","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":39,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/events.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.293Z","fields":{"attackscenario":"testinstall","cslogtype":"events","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/events.log","@version":"1","message":"09/15 14:20:31 UTC *** initial beacon from [email protected] (DESKTOP-VIC1)","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":34,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/events.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.293Z","fields":{"attackscenario":"testinstall","cslogtype":"events","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/events.log","@version":"1","message":"09/15 15:08:51 UTC *** initial beacon from [email protected] (DESKTOP-VIC1)","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":113,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/events.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.293Z","fields":{"attackscenario":"testinstall","cslogtype":"events","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/events.log","@version":"1","message":"09/15 15:26:10 UTC *** initial beacon from [email protected] (DESKTOP-3H3MRO8)","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":192,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.292Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","@version":"1","message":"09/14 18:10:34 UTC [metadata] 172.31.49.182 <- 200.20.110.6; computer: DESKTOP-3H3MRO8; user: Victim; process: powershell.exe; pid: 8260; os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":0,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.292Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","@version":"1","message":"09/15 14:20:35 UTC [metadata] 172.31.49.182 <- 200.20.110.10; computer: DESKTOP-VIC1; user: Victim; process: powershell.exe; pid: 7684; os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":0,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.292Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","@version":"1","message":"09/14 18:11:20 UTC [input] <test2> sleep 0","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"offset":203,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.292Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","@version":"1","message":"09/14 18:11:20 UTC [task] <T1029> Tasked beacon to become interactive","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":244,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.292Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","@version":"1","message":"09/14 18:11:24 UTC [checkin] host called home, sent: 16 bytes","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":314,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.310Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 17:34:54 UTC [metadata] 172.31.49.182 <- 200.20.110.6; computer: DESKTOP-3H3MRO8; user: Victim; process: powershell.exe; pid: 5828; os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":0,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.310Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 17:35:17 UTC [input] <test2> sleep 0","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":203,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.310Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 17:35:17 UTC [task] <T1029> Tasked beacon to become interactive","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":244,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.292Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","@version":"1","message":"09/15 14:21:02 UTC [input] <test2> sleep 0","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":201,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.292Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","@version":"1","message":"09/15 14:21:02 UTC [task] <T1029> Tasked beacon to become interactive","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":242,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.292Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","@version":"1","message":"09/15 14:21:26 UTC [checkin] host called home, sent: 16 bytes","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":312,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.310Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","@version":"1","message":"09/14 18:12:59 UTC [input] <test2> ls","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"offset":376,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.310Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","@version":"1","message":"09/14 18:12:59 UTC [task] <> Tasked beacon to list files in .","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":412,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.310Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","@version":"1","message":"09/14 18:12:59 UTC [checkin] host called home, sent: 19 bytes","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":474,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.310Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","@version":"1","message":"09/14 18:05:44 UTC [metadata] 172.31.49.182 <- 200.20.110.6; computer: DESKTOP-3H3MRO8; user: Victim; process: powershell.exe; pid: 8952; os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":0,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.310Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","@version":"1","message":"09/14 18:05:47 UTC [input] <test2> sleep 0","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":203,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.310Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","@version":"1","message":"09/14 18:05:47 UTC [task] <T1029> Tasked beacon to become interactive","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":244,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.310Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 17:35:29 UTC [checkin] host called home, sent: 16 bytes","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":314,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.312Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 17:36:20 UTC [input] <test2> dir","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":376,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.312Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 17:36:20 UTC [error] Unknown command: dir","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":413,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.310Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","@version":"1","message":"09/15 15:26:15 UTC [metadata] 172.31.49.182 <- 200.20.110.6; computer: DESKTOP-3H3MRO8; user: Victim; process: powershell.exe; pid: 9068; os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":0,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.310Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","@version":"1","message":"09/15 15:26:19 UTC [input] <test2> sleep 0","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":203,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.310Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","@version":"1","message":"09/15 15:26:19 UTC [task] <T1029> Tasked beacon to become interactive","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":244,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.310Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","@version":"1","message":"09/15 14:21:31 UTC [input] <test2> ls","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"offset":374,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.312Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","@version":"1","message":"09/15 14:21:31 UTC [task] <> Tasked beacon to list files in .","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":410,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.312Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","@version":"1","message":"09/15 14:21:31 UTC [checkin] host called home, sent: 19 bytes","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":472,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.310Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","@version":"1","message":"09/14 18:06:22 UTC [checkin] host called home, sent: 16 bytes","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":314,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.312Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","@version":"1","message":"09/14 18:06:28 UTC [input] <test2> ls","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":376,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.312Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","@version":"1","message":"09/14 18:06:28 UTC [task] <> Tasked beacon to list files in .","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":412,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.312Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 17:36:22 UTC [input] <test2> ls","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":461,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 17:36:22 UTC [task] <> Tasked beacon to list files in .","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":497,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 17:36:22 UTC [checkin] host called home, sent: 19 bytes","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":559,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.312Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","@version":"1","message":"09/14 18:06:28 UTC [checkin] host called home, sent: 19 bytes","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":474,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"},"flags":["multiline"]},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","@version":"1","message":"09/14 18:06:28 UTC [output]\nC:\\Users\\Victim\\*\nD\t0\t09/09/2020 11:31:55\t.\nD\t0\t09/09/2020 11:31:55\t..\nD\t0\t03/24/2020 16:18:49\t.dotnet\nD\t0\t03/18/2020 15:55:48\t.ssh\nD\t0\t09/09/2020 14:30:17\t3D Objects\nD\t0\t03/10/2020 16:23:12\tAppData\nD\t0\t03/10/2020 16:23:12\tApplication Data\nD\t0\t09/09/2020 14:30:17\tContacts\nD\t0\t03/10/2020 16:23:12\tCookies\nD\t0\t09/09/2020 14:30:17\tDesktop\nD\t0\t09/09/2020 14:30:18\tDocuments\nD\t0\t09/09/2020 14:30:18\tDownloads\nD\t0\t09/09/2020 14:30:17\tFavorites\nF\t0\t05/11/2020 11:23:01\tkey.txt\nD\t0\t09/09/2020 14:30:18\tLinks\nD\t0\t03/10/2020 16:23:12\tLocal Settings\nD\t0\t03/18/2020 10:50:39\tMicrosoftEdgeBackups\nD\t0\t09/09/2020 14:30:18\tMusic\nD\t0\t03/10/2020 16:23:12\tMy Documents\nD\t0\t03/10/2020 16:23:12\tNetHood\nF\t4718592\t09/14/2020 13:45:23\tNTUSER.DAT\nF\t1024000\t03/10/2020 16:23:12\tntuser.dat.LOG1\nF\t786432\t03/10/2020 16:23:12\tntuser.dat.LOG2\nF\t65536\t03/10/2020 16:23:38\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TM.blf\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000001.regtrans-ms\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000002.regtrans-ms\nF\t20\t03/10/2020 16:23:12\tntuser.ini\nD\t0\t03/23/2020 10:13:47\tOneDrive\nD\t0\t09/09/2020 14:30:17\tPictures\nD\t0\t03/10/2020 16:23:12\tPrintHood\nD\t0\t03/10/2020 16:23:12\tRecent\nD\t0\t09/09/2020 14:30:18\tSaved Games\nD\t0\t09/09/2020 14:30:17\tSearches\nD\t0\t03/10/2020 16:23:12\tSendTo\nD\t0\t03/25/2020 08:08:16\tsource\nD\t0\t03/10/2020 16:23:12\tStart Menu\nD\t0\t03/10/2020 16:23:12\tTemplates\nD\t0\t09/09/2020 14:30:17\tVideos\n\n","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"offset":536,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","@version":"1","message":"09/14 18:06:44 UTC [input] <test2> sleep 60","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":2108,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","@version":"1","message":"09/14 18:06:44 UTC [task] <T1029> Tasked beacon to sleep for 60s","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"offset":2150,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"},"flags":["multiline"]},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 17:36:22 UTC [output]\nC:\\Users\\Victim\\*\nD\t0\t09/09/2020 11:31:55\t.\nD\t0\t09/09/2020 11:31:55\t..\nD\t0\t03/24/2020 16:18:49\t.dotnet\nD\t0\t03/18/2020 15:55:48\t.ssh\nD\t0\t09/09/2020 14:30:17\t3D Objects\nD\t0\t03/10/2020 16:23:12\tAppData\nD\t0\t03/10/2020 16:23:12\tApplication Data\nD\t0\t09/09/2020 14:30:17\tContacts\nD\t0\t03/10/2020 16:23:12\tCookies\nD\t0\t09/09/2020 14:30:17\tDesktop\nD\t0\t09/09/2020 14:30:18\tDocuments\nD\t0\t09/09/2020 14:30:18\tDownloads\nD\t0\t09/09/2020 14:30:17\tFavorites\nF\t0\t05/11/2020 11:23:01\tkey.txt\nD\t0\t09/09/2020 14:30:18\tLinks\nD\t0\t03/10/2020 16:23:12\tLocal Settings\nD\t0\t03/18/2020 10:50:39\tMicrosoftEdgeBackups\nD\t0\t09/09/2020 14:30:18\tMusic\nD\t0\t03/10/2020 16:23:12\tMy Documents\nD\t0\t03/10/2020 16:23:12\tNetHood\nF\t4718592\t09/14/2020 12:10:53\tNTUSER.DAT\nF\t1024000\t03/10/2020 16:23:12\tntuser.dat.LOG1\nF\t786432\t03/10/2020 16:23:12\tntuser.dat.LOG2\nF\t65536\t03/10/2020 16:23:38\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TM.blf\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000001.regtrans-ms\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000002.regtrans-ms\nF\t20\t03/10/2020 16:23:12\tntuser.ini\nD\t0\t03/23/2020 10:13:47\tOneDrive\nD\t0\t09/09/2020 14:30:17\tPictures\nD\t0\t03/10/2020 16:23:12\tPrintHood\nD\t0\t03/10/2020 16:23:12\tRecent\nD\t0\t09/09/2020 14:30:18\tSaved Games\nD\t0\t09/09/2020 14:30:17\tSearches\nD\t0\t03/10/2020 16:23:12\tSendTo\nD\t0\t03/25/2020 08:08:16\tsource\nD\t0\t03/10/2020 16:23:12\tStart Menu\nD\t0\t03/10/2020 16:23:12\tTemplates\nD\t0\t09/09/2020 14:30:17\tVideos\n\n","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":621,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.310Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","@version":"1","message":"09/15 15:26:49 UTC [checkin] host called home, sent: 16 bytes","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":314,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","@version":"1","message":"09/15 15:26:53 UTC [input] <test2> ls","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":376,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","@version":"1","message":"09/15 15:26:53 UTC [task] <> Tasked beacon to list files in .","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":412,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","@version":"1","message":"09/14 18:06:44 UTC [checkin] host called home, sent: 16 bytes","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2215,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","@version":"1","message":"09/14 18:09:54 UTC [metadata] 172.31.49.182 <- 200.20.110.6; computer: DESKTOP-3H3MRO8; user: Victim; process: powershell.exe; pid: 8952; os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":2277,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","@version":"1","message":"09/14 18:09:53 UTC [input] <test2> exit","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2480,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 17:36:48 UTC [input] <test2> sleep 1","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2193,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 17:36:48 UTC [task] <T1029> Tasked beacon to sleep for 1s","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":2234,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 17:36:48 UTC [checkin] host called home, sent: 16 bytes","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":2298,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","@version":"1","message":"09/15 15:26:53 UTC [checkin] host called home, sent: 19 bytes","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":474,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 17:36:55 UTC [input] <test2> sleep 60","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":2360,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.314Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 17:36:55 UTC [task] <T1029> Tasked beacon to sleep for 60s","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2402,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.314Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 17:36:55 UTC [checkin] host called home, sent: 16 bytes","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":2467,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.314Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 18:02:38 UTC [input] <test2> sleep 0","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":2529,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.314Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 18:02:38 UTC [task] <T1029> Tasked beacon to become interactive","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2570,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.314Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 18:02:54 UTC [input] <test2> ls","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2640,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.314Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 18:02:54 UTC [task] <> Tasked beacon to list files in .","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2676,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.314Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 18:04:14 UTC [input] <test2> exit","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2738,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.314Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 18:04:14 UTC [task] <> Tasked beacon to exit","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"offset":2776,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.314Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 18:04:31 UTC [input] <test2> exit","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2827,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_743423776.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.298Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_743423776.log","@version":"1","message":"09/15 15:08:55 UTC [metadata] 172.31.49.182 <- 200.20.110.10; computer: DESKTOP-VIC1; user: Victim; process: powershell.exe; pid: 8792; os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":0,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"},"flags":["multiline"]},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.312Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","@version":"1","message":"09/15 14:21:32 UTC [output]\nC:\\Users\\Victim\\*\nD\t0\t05/13/2020 18:10:05\t.\nD\t0\t05/13/2020 18:10:05\t..\nD\t0\t03/18/2020 15:55:48\t.ssh\nD\t0\t09/09/2020 14:29:40\t3D Objects\nD\t0\t03/10/2020 16:23:12\tAppData\nD\t0\t03/10/2020 16:23:12\tApplication Data\nD\t0\t09/09/2020 14:29:41\tContacts\nD\t0\t03/10/2020 16:23:12\tCookies\nD\t0\t09/14/2020 13:14:27\tDesktop\nD\t0\t09/09/2020 14:29:42\tDocuments\nD\t0\t09/09/2020 14:29:41\tDownloads\nD\t0\t09/09/2020 14:29:41\tFavorites\nD\t0\t09/09/2020 14:29:42\tLinks\nD\t0\t03/10/2020 16:23:12\tLocal Settings\nD\t0\t03/18/2020 10:50:39\tMicrosoftEdgeBackups\nD\t0\t09/09/2020 14:29:41\tMusic\nD\t0\t03/10/2020 16:23:12\tMy Documents\nD\t0\t03/10/2020 16:23:12\tNetHood\nF\t4980736\t09/14/2020 18:44:44\tNTUSER.DAT\nF\t720896\t03/10/2020 16:23:12\tntuser.dat.LOG1\nF\t1246208\t03/10/2020 16:23:12\tntuser.dat.LOG2\nF\t65536\t03/10/2020 16:23:38\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TM.blf\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000001.regtrans-ms\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000002.regtrans-ms\nF\t20\t03/10/2020 16:23:12\tntuser.ini\nD\t0\t03/23/2020 10:16:37\tOneDrive\nD\t0\t09/09/2020 14:29:41\tPictures\nD\t0\t03/10/2020 16:23:12\tPrintHood\nD\t0\t03/10/2020 16:23:12\tRecent\nD\t0\t09/09/2020 14:29:42\tSaved Games\nD\t0\t09/09/2020 14:29:41\tSearches\nD\t0\t03/10/2020 16:23:12\tSendTo\nD\t0\t03/10/2020 16:23:12\tStart Menu\nD\t0\t03/10/2020 16:23:12\tTemplates\nD\t0\t09/09/2020 
14:29:41\tVideos\n\n","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":534,"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"},"flags":["multiline"]},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.311Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","@version":"1","message":"09/14 18:13:00 UTC [output]\nC:\\Users\\Victim\\*\nD\t0\t09/09/2020 11:31:55\t.\nD\t0\t09/09/2020 11:31:55\t..\nD\t0\t03/24/2020 16:18:49\t.dotnet\nD\t0\t03/18/2020 15:55:48\t.ssh\nD\t0\t09/09/2020 14:30:17\t3D Objects\nD\t0\t03/10/2020 16:23:12\tAppData\nD\t0\t03/10/2020 16:23:12\tApplication Data\nD\t0\t09/09/2020 14:30:17\tContacts\nD\t0\t03/10/2020 16:23:12\tCookies\nD\t0\t09/09/2020 14:30:17\tDesktop\nD\t0\t09/09/2020 14:30:18\tDocuments\nD\t0\t09/09/2020 14:30:18\tDownloads\nD\t0\t09/09/2020 14:30:17\tFavorites\nF\t0\t05/11/2020 11:23:01\tkey.txt\nD\t0\t09/09/2020 14:30:18\tLinks\nD\t0\t03/10/2020 16:23:12\tLocal Settings\nD\t0\t03/18/2020 10:50:39\tMicrosoftEdgeBackups\nD\t0\t09/09/2020 14:30:18\tMusic\nD\t0\t03/10/2020 16:23:12\tMy Documents\nD\t0\t03/10/2020 16:23:12\tNetHood\nF\t4718592\t09/14/2020 13:45:23\tNTUSER.DAT\nF\t1024000\t03/10/2020 16:23:12\tntuser.dat.LOG1\nF\t786432\t03/10/2020 16:23:12\tntuser.dat.LOG2\nF\t65536\t03/10/2020 16:23:38\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TM.blf\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000001.regtrans-ms\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000002.regtrans-ms\nF\t20\t03/10/2020 16:23:12\tntuser.ini\nD\t0\t03/23/2020 10:13:47\tOneDrive\nD\t0\t09/09/2020 14:30:17\tPictures\nD\t0\t03/10/2020 16:23:12\tPrintHood\nD\t0\t03/10/2020 16:23:12\tRecent\nD\t0\t09/09/2020 14:30:18\tSaved Games\nD\t0\t09/09/2020 14:30:17\tSearches\nD\t0\t03/10/2020 16:23:12\tSendTo\nD\t0\t03/25/2020 08:08:16\tsource\nD\t0\t03/10/2020 
16:23:12\tStart Menu\nD\t0\t03/10/2020 16:23:12\tTemplates\nD\t0\t09/09/2020 14:30:17\tVideos\n\n","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"offset":536,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.314Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","@version":"1","message":"09/14 18:04:31 UTC [task] <> Tasked beacon to exit","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":2865,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","@version":"1","message":"09/14 18:09:53 UTC [task] <> Tasked beacon to exit","tags":["beats_input_codec_plain_applied","logstash_ran"],"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"offset":2518,"prospector":{"type":"log"}}
{"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"},"flags":["multiline"]},"host":{"name":"ts-test"},"@timestamp":"2020-09-17T16:22:19.313Z","fields":{"attackscenario":"testinstall","cslogtype":"beacon","infralogtype":"rtops"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","@version":"1","message":"09/15 15:26:54 UTC [output]\nC:\\Users\\Victim\\*\nD\t0\t09/09/2020 11:31:55\t.\nD\t0\t09/09/2020 11:31:55\t..\nD\t0\t03/24/2020 16:18:49\t.dotnet\nD\t0\t03/18/2020 15:55:48\t.ssh\nD\t0\t09/09/2020 14:30:17\t3D Objects\nD\t0\t03/10/2020 16:23:12\tAppData\nD\t0\t03/10/2020 16:23:12\tApplication Data\nD\t0\t09/09/2020 14:30:17\tContacts\nD\t0\t03/10/2020 16:23:12\tCookies\nD\t0\t09/09/2020 14:30:17\tDesktop\nD\t0\t09/09/2020 14:30:18\tDocuments\nD\t0\t09/09/2020 14:30:18\tDownloads\nD\t0\t09/09/2020 14:30:17\tFavorites\nF\t0\t05/11/2020 11:23:01\tkey.txt\nD\t0\t09/09/2020 14:30:18\tLinks\nD\t0\t03/10/2020 16:23:12\tLocal Settings\nD\t0\t03/18/2020 10:50:39\tMicrosoftEdgeBackups\nD\t0\t09/09/2020 14:30:18\tMusic\nD\t0\t03/10/2020 16:23:12\tMy Documents\nD\t0\t03/10/2020 16:23:12\tNetHood\nF\t4718592\t09/14/2020 15:07:25\tNTUSER.DAT\nF\t1024000\t03/10/2020 16:23:12\tntuser.dat.LOG1\nF\t786432\t03/10/2020 16:23:12\tntuser.dat.LOG2\nF\t65536\t03/10/2020 16:23:38\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TM.blf\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000001.regtrans-ms\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000002.regtrans-ms\nF\t20\t03/10/2020 16:23:12\tntuser.ini\nD\t0\t03/23/2020 10:13:47\tOneDrive\nD\t0\t09/09/2020 14:30:17\tPictures\nD\t0\t03/10/2020 16:23:12\tPrintHood\nD\t0\t03/10/2020 16:23:12\tRecent\nD\t0\t09/09/2020 14:30:18\tSaved Games\nD\t0\t09/09/2020 14:30:17\tSearches\nD\t0\t03/10/2020 16:23:12\tSendTo\nD\t0\t03/25/2020 08:08:16\tsource\nD\t0\t03/10/2020 
16:23:12\tStart Menu\nD\t0\t03/10/2020 16:23:12\tTemplates\nD\t0\t09/09/2020 14:30:17\tVideos\n\n","tags":["beats_input_codec_plain_applied","logstash_ran"],"offset":536,"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"input":{"type":"log"},"prospector":{"type":"log"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/events.log"}},"source":"/opt/cobaltstrike/logs/200914/events.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:13:01 UTC *** test2 joined","@version":"1","@timestamp":"2020-09-17T17:48:28.725Z","offset":0,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"events"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/events.log"}},"source":"/opt/cobaltstrike/logs/200914/events.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:14:26 UTC *** test2 hosted Scripted Web Delivery (powershell) @ https://10.10.6.65:443/update","@version":"1","@timestamp":"2020-09-17T17:48:28.764Z","offset":34,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"events"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/events.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/events.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:34:48 UTC *** initial beacon from [email protected] (DESKTOP-3H3MRO8)","@version":"1","@timestamp":"2020-09-17T17:48:28.764Z","offset":135,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"events"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/events.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/events.log"}},"beat":{"hostname":"kali","name":"ts-test","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:05:37 UTC *** initial beacon from [email protected] (DESKTOP-3H3MRO8)","@version":"1","@timestamp":"2020-09-17T17:48:28.764Z","offset":216,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"events"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/events.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/events.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:09:45 UTC *** initial beacon from [email protected] (DESKTOP-3H3MRO8)","@version":"1","@timestamp":"2020-09-17T17:48:28.764Z","offset":297,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"events"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/events.log"}},"source":"/opt/cobaltstrike/logs/200914/events.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:10:29 UTC *** initial beacon from [email protected] (DESKTOP-3H3MRO8)","@version":"1","@timestamp":"2020-09-17T17:48:28.764Z","offset":378,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"events"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/events.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/events.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 19:10:40 UTC *** test2 quit","@version":"1","@timestamp":"2020-09-17T17:48:28.764Z","offset":459,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"events"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200909/events.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200909/events.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/09 15:07:46 UTC *** test joined","@version":"1","@timestamp":"2020-09-17T17:48:28.764Z","offset":0,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"events"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200909/events.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200909/events.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/09 15:23:27 UTC *** test quit","@version":"1","@timestamp":"2020-09-17T17:48:28.764Z","offset":39,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"events"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200915/events.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200915/events.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 14:19:16 UTC *** test2 joined","@version":"1","@timestamp":"2020-09-17T17:48:28.726Z","offset":0,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"events"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/events.log"}},"source":"/opt/cobaltstrike/logs/200915/events.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 14:20:31 UTC *** initial beacon from [email protected] (DESKTOP-VIC1)","@version":"1","@timestamp":"2020-09-17T17:48:28.765Z","offset":34,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"events"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200915/events.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/events.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 15:08:51 UTC *** initial beacon from [email protected] (DESKTOP-VIC1)","@version":"1","@timestamp":"2020-09-17T17:48:28.765Z","offset":113,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"events"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/events.log"}},"source":"/opt/cobaltstrike/logs/200915/events.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 15:26:10 UTC *** initial beacon from [email protected] (DESKTOP-3H3MRO8)","@version":"1","@timestamp":"2020-09-17T17:48:28.765Z","offset":192,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"events"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:05:44 UTC [metadata] 172.31.49.182 <- 200.20.110.6; computer: DESKTOP-3H3MRO8; user: Victim; process: powershell.exe; pid: 8952; os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)","@version":"1","@timestamp":"2020-09-17T17:48:28.726Z","offset":0,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"hostname":"kali","name":"ts-test","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:34:54 UTC [metadata] 172.31.49.182 <- 200.20.110.6; computer: DESKTOP-3H3MRO8; user: Victim; process: powershell.exe; pid: 5828; os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)","@version":"1","@timestamp":"2020-09-17T17:48:28.757Z","offset":0,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:10:34 UTC [metadata] 172.31.49.182 <- 200.20.110.6; computer: DESKTOP-3H3MRO8; user: Victim; process: powershell.exe; pid: 8260; os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)","@version":"1","@timestamp":"2020-09-17T17:48:28.764Z","offset":0,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:05:47 UTC [input] <test2> sleep 0","@version":"1","@timestamp":"2020-09-17T17:48:28.726Z","offset":203,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 14:20:35 UTC [metadata] 172.31.49.182 <- 200.20.110.10; computer: DESKTOP-VIC1; user: Victim; process: powershell.exe; pid: 7684; os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)","@version":"1","@timestamp":"2020-09-17T17:48:28.764Z","offset":0,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"hostname":"kali","name":"ts-test","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:35:17 UTC [input] <test2> sleep 0","@version":"1","@timestamp":"2020-09-17T17:48:28.757Z","offset":203,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:35:17 UTC [task] <T1029> Tasked beacon to become interactive","@version":"1","@timestamp":"2020-09-17T17:48:28.757Z","offset":244,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:35:29 UTC [checkin] host called home, sent: 16 bytes","@version":"1","@timestamp":"2020-09-17T17:48:28.757Z","offset":314,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:11:20 UTC [input] <test2> sleep 0","@version":"1","@timestamp":"2020-09-17T17:48:28.764Z","offset":203,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:11:20 UTC [task] <T1029> Tasked beacon to become interactive","@version":"1","@timestamp":"2020-09-17T17:48:28.764Z","offset":244,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:11:24 UTC [checkin] host called home, sent: 16 bytes","@version":"1","@timestamp":"2020-09-17T17:48:28.764Z","offset":314,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"hostname":"kali","name":"ts-test","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:36:20 UTC [input] <test2> dir","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":376,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"beat":{"hostname":"kali","name":"ts-test","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:36:20 UTC [error] Unknown command: dir","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":413,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"beat":{"hostname":"kali","name":"ts-test","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:36:22 UTC [input] <test2> ls","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":461,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 15:26:15 UTC [metadata] 172.31.49.182 <- 200.20.110.6; computer: DESKTOP-3H3MRO8; user: Victim; process: powershell.exe; pid: 9068; os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":0,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 15:26:19 UTC [input] <test2> sleep 0","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":203,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 15:26:19 UTC [task] <T1029> Tasked beacon to become interactive","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":244,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:12:59 UTC [input] <test2> ls","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":376,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"hostname":"kali","name":"ts-test","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:12:59 UTC [task] <> Tasked beacon to list files in .","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":412,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"hostname":"kali","name":"ts-test","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:12:59 UTC [checkin] host called home, sent: 19 bytes","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":474,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:36:22 UTC [task] <> Tasked beacon to list files in .","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":497,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:36:22 UTC [checkin] host called home, sent: 19 bytes","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":559,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:05:47 UTC [task] <T1029> Tasked beacon to become interactive","@version":"1","@timestamp":"2020-09-17T17:48:28.726Z","offset":244,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:06:22 UTC [checkin] host called home, sent: 16 bytes","@version":"1","@timestamp":"2020-09-17T17:48:28.726Z","offset":314,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:06:28 UTC [input] <test2> ls","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":376,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"}},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 15:26:49 UTC [checkin] host called home, sent: 16 bytes","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":314,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"}},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 15:26:53 UTC [input] <test2> ls","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":376,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"}},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 15:26:53 UTC [task] <> Tasked beacon to list files in .","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":412,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"},"flags":["multiline"]},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:36:22 UTC [output]\nC:\\Users\\Victim\\*\nD\t0\t09/09/2020 11:31:55\t.\nD\t0\t09/09/2020 11:31:55\t..\nD\t0\t03/24/2020 16:18:49\t.dotnet\nD\t0\t03/18/2020 15:55:48\t.ssh\nD\t0\t09/09/2020 14:30:17\t3D Objects\nD\t0\t03/10/2020 16:23:12\tAppData\nD\t0\t03/10/2020 16:23:12\tApplication Data\nD\t0\t09/09/2020 14:30:17\tContacts\nD\t0\t03/10/2020 16:23:12\tCookies\nD\t0\t09/09/2020 14:30:17\tDesktop\nD\t0\t09/09/2020 14:30:18\tDocuments\nD\t0\t09/09/2020 14:30:18\tDownloads\nD\t0\t09/09/2020 14:30:17\tFavorites\nF\t0\t05/11/2020 11:23:01\tkey.txt\nD\t0\t09/09/2020 14:30:18\tLinks\nD\t0\t03/10/2020 16:23:12\tLocal Settings\nD\t0\t03/18/2020 10:50:39\tMicrosoftEdgeBackups\nD\t0\t09/09/2020 14:30:18\tMusic\nD\t0\t03/10/2020 16:23:12\tMy Documents\nD\t0\t03/10/2020 16:23:12\tNetHood\nF\t4718592\t09/14/2020 12:10:53\tNTUSER.DAT\nF\t1024000\t03/10/2020 16:23:12\tntuser.dat.LOG1\nF\t786432\t03/10/2020 16:23:12\tntuser.dat.LOG2\nF\t65536\t03/10/2020 16:23:38\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TM.blf\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000001.regtrans-ms\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000002.regtrans-ms\nF\t20\t03/10/2020 16:23:12\tntuser.ini\nD\t0\t03/23/2020 10:13:47\tOneDrive\nD\t0\t09/09/2020 14:30:17\tPictures\nD\t0\t03/10/2020 16:23:12\tPrintHood\nD\t0\t03/10/2020 16:23:12\tRecent\nD\t0\t09/09/2020 14:30:18\tSaved Games\nD\t0\t09/09/2020 14:30:17\tSearches\nD\t0\t03/10/2020 16:23:12\tSendTo\nD\t0\t03/25/2020 
08:08:16\tsource\nD\t0\t03/10/2020 16:23:12\tStart Menu\nD\t0\t03/10/2020 16:23:12\tTemplates\nD\t0\t09/09/2020 14:30:17\tVideos\n\n","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":621,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"beat":{"hostname":"kali","name":"ts-test","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:36:48 UTC [input] <test2> sleep 1","@version":"1","@timestamp":"2020-09-17T17:48:28.779Z","offset":2193,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 14:21:02 UTC [input] <test2> sleep 0","@version":"1","@timestamp":"2020-09-17T17:48:28.764Z","offset":201,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 14:21:02 UTC [task] <T1029> Tasked beacon to become interactive","@version":"1","@timestamp":"2020-09-17T17:48:28.764Z","offset":242,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 14:21:26 UTC [checkin] host called home, sent: 16 bytes","@version":"1","@timestamp":"2020-09-17T17:48:28.765Z","offset":312,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:06:28 UTC [task] <> Tasked beacon to list files in .","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":412,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:06:28 UTC [checkin] host called home, sent: 19 bytes","@version":"1","@timestamp":"2020-09-17T17:48:28.780Z","offset":474,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 15:26:53 UTC [checkin] host called home, sent: 19 bytes","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":474,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"hostname":"kali","name":"ts-test","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:36:48 UTC [task] <T1029> Tasked beacon to sleep for 1s","@version":"1","@timestamp":"2020-09-17T17:48:28.779Z","offset":2234,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:36:48 UTC [checkin] host called home, sent: 16 bytes","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":2298,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:36:55 UTC [input] <test2> sleep 60","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":2360,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 14:21:31 UTC [input] <test2> ls","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":374,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 14:21:31 UTC [task] <> Tasked beacon to list files in .","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":410,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"}},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 14:21:31 UTC [checkin] host called home, sent: 19 bytes","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":472,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:36:55 UTC [task] <T1029> Tasked beacon to sleep for 60s","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":2402,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 17:36:55 UTC [checkin] host called home, sent: 16 bytes","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":2467,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"beat":{"hostname":"kali","name":"ts-test","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:02:38 UTC [input] <test2> sleep 0","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":2529,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"},"flags":["multiline"]},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:06:28 UTC [output]\nC:\\Users\\Victim\\*\nD\t0\t09/09/2020 11:31:55\t.\nD\t0\t09/09/2020 11:31:55\t..\nD\t0\t03/24/2020 16:18:49\t.dotnet\nD\t0\t03/18/2020 15:55:48\t.ssh\nD\t0\t09/09/2020 14:30:17\t3D Objects\nD\t0\t03/10/2020 16:23:12\tAppData\nD\t0\t03/10/2020 16:23:12\tApplication Data\nD\t0\t09/09/2020 14:30:17\tContacts\nD\t0\t03/10/2020 16:23:12\tCookies\nD\t0\t09/09/2020 14:30:17\tDesktop\nD\t0\t09/09/2020 14:30:18\tDocuments\nD\t0\t09/09/2020 14:30:18\tDownloads\nD\t0\t09/09/2020 14:30:17\tFavorites\nF\t0\t05/11/2020 11:23:01\tkey.txt\nD\t0\t09/09/2020 14:30:18\tLinks\nD\t0\t03/10/2020 16:23:12\tLocal Settings\nD\t0\t03/18/2020 10:50:39\tMicrosoftEdgeBackups\nD\t0\t09/09/2020 14:30:18\tMusic\nD\t0\t03/10/2020 16:23:12\tMy Documents\nD\t0\t03/10/2020 16:23:12\tNetHood\nF\t4718592\t09/14/2020 13:45:23\tNTUSER.DAT\nF\t1024000\t03/10/2020 16:23:12\tntuser.dat.LOG1\nF\t786432\t03/10/2020 16:23:12\tntuser.dat.LOG2\nF\t65536\t03/10/2020 16:23:38\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TM.blf\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000001.regtrans-ms\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000002.regtrans-ms\nF\t20\t03/10/2020 16:23:12\tntuser.ini\nD\t0\t03/23/2020 10:13:47\tOneDrive\nD\t0\t09/09/2020 14:30:17\tPictures\nD\t0\t03/10/2020 16:23:12\tPrintHood\nD\t0\t03/10/2020 16:23:12\tRecent\nD\t0\t09/09/2020 14:30:18\tSaved Games\nD\t0\t09/09/2020 14:30:17\tSearches\nD\t0\t03/10/2020 16:23:12\tSendTo\nD\t0\t03/25/2020 
08:08:16\tsource\nD\t0\t03/10/2020 16:23:12\tStart Menu\nD\t0\t03/10/2020 16:23:12\tTemplates\nD\t0\t09/09/2020 14:30:17\tVideos\n\n","@version":"1","@timestamp":"2020-09-17T17:48:28.780Z","offset":536,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:06:44 UTC [input] <test2> sleep 60","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":2108,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:02:38 UTC [task] <T1029> Tasked beacon to become interactive","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":2570,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:02:54 UTC [input] <test2> ls","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":2640,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:02:54 UTC [task] <> Tasked beacon to list files in .","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":2676,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:06:44 UTC [task] <T1029> Tasked beacon to sleep for 60s","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":2150,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:06:44 UTC [checkin] host called home, sent: 16 bytes","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":2215,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:09:54 UTC [metadata] 172.31.49.182 <- 200.20.110.6; computer: DESKTOP-3H3MRO8; user: Victim; process: powershell.exe; pid: 8952; os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":2277,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:04:14 UTC [input] <test2> exit","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":2738,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:04:14 UTC [task] <> Tasked beacon to exit","@version":"1","@timestamp":"2020-09-17T17:48:28.782Z","offset":2776,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:04:31 UTC [input] <test2> exit","@version":"1","@timestamp":"2020-09-17T17:48:28.782Z","offset":2827,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:09:53 UTC [input] <test2> exit","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":2480,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_743423776.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_743423776.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 15:08:55 UTC [metadata] 172.31.49.182 <- 200.20.110.10; computer: DESKTOP-VIC1; user: Victim; process: powershell.exe; pid: 8792; os: Windows; version: 10.0; build: 18363; beacon arch: x64 (x64)","@version":"1","@timestamp":"2020-09-17T17:48:28.765Z","offset":0,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log","log":{"flags":["multiline"],"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_730929380.log"}},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:13:00 UTC [output]\nC:\\Users\\Victim\\*\nD\t0\t09/09/2020 11:31:55\t.\nD\t0\t09/09/2020 11:31:55\t..\nD\t0\t03/24/2020 16:18:49\t.dotnet\nD\t0\t03/18/2020 15:55:48\t.ssh\nD\t0\t09/09/2020 14:30:17\t3D Objects\nD\t0\t03/10/2020 16:23:12\tAppData\nD\t0\t03/10/2020 16:23:12\tApplication Data\nD\t0\t09/09/2020 14:30:17\tContacts\nD\t0\t03/10/2020 16:23:12\tCookies\nD\t0\t09/09/2020 14:30:17\tDesktop\nD\t0\t09/09/2020 14:30:18\tDocuments\nD\t0\t09/09/2020 14:30:18\tDownloads\nD\t0\t09/09/2020 14:30:17\tFavorites\nF\t0\t05/11/2020 11:23:01\tkey.txt\nD\t0\t09/09/2020 14:30:18\tLinks\nD\t0\t03/10/2020 16:23:12\tLocal Settings\nD\t0\t03/18/2020 10:50:39\tMicrosoftEdgeBackups\nD\t0\t09/09/2020 14:30:18\tMusic\nD\t0\t03/10/2020 16:23:12\tMy Documents\nD\t0\t03/10/2020 16:23:12\tNetHood\nF\t4718592\t09/14/2020 13:45:23\tNTUSER.DAT\nF\t1024000\t03/10/2020 16:23:12\tntuser.dat.LOG1\nF\t786432\t03/10/2020 16:23:12\tntuser.dat.LOG2\nF\t65536\t03/10/2020 16:23:38\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TM.blf\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000001.regtrans-ms\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000002.regtrans-ms\nF\t20\t03/10/2020 16:23:12\tntuser.ini\nD\t0\t03/23/2020 10:13:47\tOneDrive\nD\t0\t09/09/2020 14:30:17\tPictures\nD\t0\t03/10/2020 16:23:12\tPrintHood\nD\t0\t03/10/2020 16:23:12\tRecent\nD\t0\t09/09/2020 14:30:18\tSaved Games\nD\t0\t09/09/2020 14:30:17\tSearches\nD\t0\t03/10/2020 16:23:12\tSendTo\nD\t0\t03/25/2020 
08:08:16\tsource\nD\t0\t03/10/2020 16:23:12\tStart Menu\nD\t0\t03/10/2020 16:23:12\tTemplates\nD\t0\t09/09/2020 14:30:17\tVideos\n\n","@version":"1","@timestamp":"2020-09-17T17:48:28.778Z","offset":536,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"source":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.6/beacon_129901508.log"},"flags":["multiline"]},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 15:26:54 UTC [output]\nC:\\Users\\Victim\\*\nD\t0\t09/09/2020 11:31:55\t.\nD\t0\t09/09/2020 11:31:55\t..\nD\t0\t03/24/2020 16:18:49\t.dotnet\nD\t0\t03/18/2020 15:55:48\t.ssh\nD\t0\t09/09/2020 14:30:17\t3D Objects\nD\t0\t03/10/2020 16:23:12\tAppData\nD\t0\t03/10/2020 16:23:12\tApplication Data\nD\t0\t09/09/2020 14:30:17\tContacts\nD\t0\t03/10/2020 16:23:12\tCookies\nD\t0\t09/09/2020 14:30:17\tDesktop\nD\t0\t09/09/2020 14:30:18\tDocuments\nD\t0\t09/09/2020 14:30:18\tDownloads\nD\t0\t09/09/2020 14:30:17\tFavorites\nF\t0\t05/11/2020 11:23:01\tkey.txt\nD\t0\t09/09/2020 14:30:18\tLinks\nD\t0\t03/10/2020 16:23:12\tLocal Settings\nD\t0\t03/18/2020 10:50:39\tMicrosoftEdgeBackups\nD\t0\t09/09/2020 14:30:18\tMusic\nD\t0\t03/10/2020 16:23:12\tMy Documents\nD\t0\t03/10/2020 16:23:12\tNetHood\nF\t4718592\t09/14/2020 15:07:25\tNTUSER.DAT\nF\t1024000\t03/10/2020 16:23:12\tntuser.dat.LOG1\nF\t786432\t03/10/2020 16:23:12\tntuser.dat.LOG2\nF\t65536\t03/10/2020 16:23:38\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TM.blf\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000001.regtrans-ms\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000002.regtrans-ms\nF\t20\t03/10/2020 16:23:12\tntuser.ini\nD\t0\t03/23/2020 10:13:47\tOneDrive\nD\t0\t09/09/2020 14:30:17\tPictures\nD\t0\t03/10/2020 16:23:12\tPrintHood\nD\t0\t03/10/2020 16:23:12\tRecent\nD\t0\t09/09/2020 14:30:18\tSaved Games\nD\t0\t09/09/2020 14:30:17\tSearches\nD\t0\t03/10/2020 16:23:12\tSendTo\nD\t0\t03/25/2020 
08:08:16\tsource\nD\t0\t03/10/2020 16:23:12\tStart Menu\nD\t0\t03/10/2020 16:23:12\tTemplates\nD\t0\t09/09/2020 14:30:17\tVideos\n\n","@version":"1","@timestamp":"2020-09-17T17:48:28.780Z","offset":536,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log"},"flags":["multiline"]},"source":"/opt/cobaltstrike/logs/200915/200.20.110.10/beacon_1678653938.log","beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/15 14:21:32 UTC [output]\nC:\\Users\\Victim\\*\nD\t0\t05/13/2020 18:10:05\t.\nD\t0\t05/13/2020 18:10:05\t..\nD\t0\t03/18/2020 15:55:48\t.ssh\nD\t0\t09/09/2020 14:29:40\t3D Objects\nD\t0\t03/10/2020 16:23:12\tAppData\nD\t0\t03/10/2020 16:23:12\tApplication Data\nD\t0\t09/09/2020 14:29:41\tContacts\nD\t0\t03/10/2020 16:23:12\tCookies\nD\t0\t09/14/2020 13:14:27\tDesktop\nD\t0\t09/09/2020 14:29:42\tDocuments\nD\t0\t09/09/2020 14:29:41\tDownloads\nD\t0\t09/09/2020 14:29:41\tFavorites\nD\t0\t09/09/2020 14:29:42\tLinks\nD\t0\t03/10/2020 16:23:12\tLocal Settings\nD\t0\t03/18/2020 10:50:39\tMicrosoftEdgeBackups\nD\t0\t09/09/2020 14:29:41\tMusic\nD\t0\t03/10/2020 16:23:12\tMy Documents\nD\t0\t03/10/2020 16:23:12\tNetHood\nF\t4980736\t09/14/2020 18:44:44\tNTUSER.DAT\nF\t720896\t03/10/2020 16:23:12\tntuser.dat.LOG1\nF\t1246208\t03/10/2020 16:23:12\tntuser.dat.LOG2\nF\t65536\t03/10/2020 16:23:38\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TM.blf\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000001.regtrans-ms\nF\t524288\t03/10/2020 16:23:12\tNTUSER.DAT{fd9a35db-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000002.regtrans-ms\nF\t20\t03/10/2020 16:23:12\tntuser.ini\nD\t0\t03/23/2020 10:16:37\tOneDrive\nD\t0\t09/09/2020 14:29:41\tPictures\nD\t0\t03/10/2020 16:23:12\tPrintHood\nD\t0\t03/10/2020 16:23:12\tRecent\nD\t0\t09/09/2020 14:29:42\tSaved Games\nD\t0\t09/09/2020 14:29:41\tSearches\nD\t0\t03/10/2020 16:23:12\tSendTo\nD\t0\t03/10/2020 16:23:12\tStart Menu\nD\t0\t03/10/2020 16:23:12\tTemplates\nD\t0\t09/09/2020 
14:29:41\tVideos\n\n","@version":"1","@timestamp":"2020-09-17T17:48:28.781Z","offset":534,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log","log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_1270392426.log"}},"prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:09:53 UTC [task] <> Tasked beacon to exit","@version":"1","@timestamp":"2020-09-17T17:48:28.782Z","offset":2518,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}
{"input":{"type":"log"},"beat":{"name":"ts-test","hostname":"kali","version":"6.8.2"},"log":{"file":{"path":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log"}},"source":"/opt/cobaltstrike/logs/200914/200.20.110.6/beacon_2028474710.log","prospector":{"type":"log"},"tags":["beats_input_codec_plain_applied","logstash_ran"],"message":"09/14 18:04:31 UTC [task] <> Tasked beacon to exit","@version":"1","@timestamp":"2020-09-17T17:48:28.782Z","offset":2865,"fields":{"infralogtype":"rtops","attackscenario":"testinstall","cslogtype":"beacon"},"host":{"name":"ts-test"}}


6r0k3d avatar 6r0k3d commented on June 6, 2024

Hmm. Didn't see this until I ran the last test on here, but one of these commands created the index even though I kept getting errors. Didn't realize it until I tried a test index with garbage data and saw the rtops index now existed.

Tried these:

curl -XPUT -H"content-type: application/json" 'localhost:9200/rtops-20200917/_create' -d @'./logstashout.txt' 

{"error":"Incorrect HTTP method for uri [/rtops-20200917/_create] and method [PUT], allowed: [POST]","status":405}
curl -XPOST -H"content-type: application/json" 'localhost:9200/rtops-20200917/_create' -d @'./logstashout.txt' 

{"error":{"root_cause":[{"type":"mapper_parsing_exception","reason":"failed to parse"}],"type":"mapper_parsing_exception","reason":"failed to parse","caused_by":{"type":"illegal_argument_exception","reason":"Malformed content, found extra data after parsing: START_OBJECT"}},"status":400}
curl -XPOST -H"content-type: application/json" 'localhost:9200/rtops-20200917/_doc' -d @'./logstashout.txt' 

{"error":{"root_cause":[{"type":"mapper_parsing_exception","reason":"failed to parse"}],"type":"mapper_parsing_exception","reason":"failed to parse","caused_by":{"type":"illegal_argument_exception","reason":"Malformed content, found extra data after parsing: START_OBJECT"}},"status":400}
root@kali:/tmp# grep START_OBJECT logstashout.txt 
root@kali:/tmp# 

Following this post (https://mindmajix.com/elasticsearch/curl-syntax-with-examples) with some adjustments:

root@kali:/tmp# curl -XPOST -H"content-type: application/json" "HTTP://LOCALHOST:9200/test/message" -d'
  {
          "text": "Hello world!"
  }'

{"_index":"test","_type":"message","_id":"APu0nXQBjFT1xQTkzNH1","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":0,"_primary_term":1}

root@kali:/tmp# curl -XGET 'localhost:9200/_cat/indices/?v&s=index'
health status index                uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana_1            Egy4tD38T7OQsg_DS8pF5g   1   0         26            0     78.9kb         78.9kb
green  open   .kibana_task_manager kfXdXMHAQTSGSseBQJIixQ   1   0          2            0     12.6kb         12.6kb
green  open   .tasks               dIu4IlXsQd6lSo4nzdnypw   1   0       1034            0    281.7kb        281.7kb
yellow open   rtops-20200917       cSxWiFPtRgWhP08KxgFueQ   5   1          0            0      1.2kb          1.2kb
yellow open   test                 ZsFOCwcXSCGxOvOsFrwAwg   5   1          1            0      4.3kb          4.3kb


6r0k3d avatar 6r0k3d commented on June 6, 2024

image

image


MarcOverIP avatar MarcOverIP commented on June 6, 2024

Ha, well I meant indeed to create a Hello world request as you did. The output of /tmp/logstash.out wouldn't work indeed.

The fact that you don't see the "Hello world" example in Kibana may be down to the selected Kibana Search 'Red Team Operations'. A defined search contains filters and view settings that may prevent the Hello World from showing. If you start a new search and point it to the rtops- index, the record should be there.

You can also test manually using curl. Something like this should do (maybe check the exact syntax, I'm doing this from the top of my head):
curl -XGET 'localhost:9200/rtops-*/_search?pretty'

If it's there, I suppose you try with the full logstash config. If it is not there, I'm baffled.

Wrt the installer scripts: did you run them all as root, or with sudo?


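The "Malformed content, found extra data after parsing: START_OBJECT" responses earlier in the thread are what Elasticsearch returns when a single-document endpoint (/_doc, /_create) is handed a file containing more than one JSON object: Logstash's stdout with the json_lines codec writes one object per line, so the parser finishes the first object, meets the next `{` (its START_OBJECT token, which is why grepping the file for that string finds nothing) and rejects the request. Multiple documents go through /_bulk instead, which needs an action line before each document, NDJSON content type and a trailing newline. The script below is an added example, not part of the thread or of RedELK; the two event lines it embeds are constructed from the events shown above, and the index name and ES_URL are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the RedELK project): turn Logstash's json_lines
# stdout into an Elasticsearch _bulk body, since /_doc accepts one JSON
# object per request and rejects a second one with "extra data ... START_OBJECT".
set -eu

# Emit a _bulk body: one {"index":...} action line before every non-blank
# document line. $1 = NDJSON file, $2 = target index. The body ends with a
# newline, which _bulk requires.
ndjson_to_bulk() {
  awk -v idx="$2" 'NF { printf "{\"index\":{\"_index\":\"%s\"}}\n%s\n", idx, $0 }' "$1"
}

# Number of documents the file would index (non-blank lines).
ndjson_doc_count() {
  awk 'NF { n++ } END { print n + 0 }' "$1"
}

# Ship the body to Elasticsearch and print only the HTTP status. Needs a
# reachable cluster: ES_URL defaults to localhost:9200 as in the thread,
# where that port answers without authentication, so keep it bound to
# localhost rather than exposing it.
bulk_post() {
  ndjson_to_bulk "$1" "$2" \
    | curl -s -o /dev/null -w '%{http_code}' -XPOST \
        -H 'Content-Type: application/x-ndjson' \
        "${ES_URL:-http://localhost:9200}/_bulk" --data-binary @-
}

# Constructed sample in the shape of the thread's logstashout.txt: two
# event lines separated by a blank line.
SAMPLE="$(mktemp)"
cat >"$SAMPLE" <<'EOF'
{"message":"09/14 18:09:53 UTC [task] <> Tasked beacon to exit","fields":{"infralogtype":"rtops","cslogtype":"beacon"},"@timestamp":"2020-09-17T17:48:28.782Z"}

{"message":"09/14 18:04:31 UTC [task] <> Tasked beacon to exit","fields":{"infralogtype":"rtops","cslogtype":"beacon"},"@timestamp":"2020-09-17T17:48:28.782Z"}
EOF

# Run with --demo to print the bulk body, or --post to send it to the cluster.
case "${1:-}" in
  --demo) ndjson_to_bulk "$SAMPLE" rtops-20200917 ;;
  --post) bulk_post "$SAMPLE" rtops-20200917; echo ;;
esac
```

After a successful --post, the `_cat/indices` listing shown above should report docs.count 2 for the target index, and `curl -XGET 'localhost:9200/rtops-*/_search?pretty'` returns the two events. A 400 from /_bulk usually means one document line is not valid JSON; the response body names the offending item.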
6r0k3d avatar 6r0k3d commented on June 6, 2024

Oh sorry, it's in there, I just pulled the rtops on the off chance curling in the logstashout would work haha.

image

I installed with sudo. I'm going to spin up an Ubuntu 16.04 box and give the install there a shot and see if that works. Then hopefully we can at least see if this is a distro issue or not.


6r0k3d avatar 6r0k3d commented on June 6, 2024

Also, @fastlorenzo, I tried running filebeat, logstash, and elastic with debugging turned on, dumped it to stdout and tee'd it to a file, and didn't see anything different from what was in the log files collected.


6r0k3d avatar 6r0k3d commented on June 6, 2024

Looks like the 16.04 package list is too far behind for the install

root@redelk:/opt/RedELK/elkserver# apt-get install -y openjdk-11-jre-headless
Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Unable to locate package openjdk-11-jre-headless


MarcOverIP avatar MarcOverIP commented on June 6, 2024

Yeah we dropped support (as in we don't test anymore) for 16.04 some time ago. 18 should work fine.


6r0k3d avatar 6r0k3d commented on June 6, 2024

(sigh) Problem "solved". Or at least, found what's causing it. If you've got any pointers on what else needs to be adjusted, I'm all ears.

My teamserver logs are stored in /opt/cobaltstrike/logs. I've been updating the filebeat.yml to collect from there, but there must be something in the ELK processing chain that isn't liking that. I grepped the logstash conf and found the grok rule to match /root/cobaltstrike/downloads, but as I understand it, that's just for the files that get rsynced, not the logs collected.

I searched the RedELK repo for /root, but nothing's jumping out at me for editing.

image


MarcOverIP avatar MarcOverIP commented on June 6, 2024

I believe that besides the filebeat config, and perhaps a shell script running on the teamserver that copies CS logs to the redelk user's home dir, there is no hard reference to /root/cobaltstrike. The hits in the logstash config are commented lines. The actual grok rules don't care about the path.

I'm still interested in what made this install go ok, and the Kali one not. Any ideas?


6r0k3d avatar 6r0k3d commented on June 6, 2024

I've got it running on Kali now too; the only thing I changed was moving my log files from /opt/cobaltstrike/logs to /root/cobaltstrike/logs, and then changing filebeat.yml back to /root/cobaltstrike etc.

That's why I suspect there's something weird happening either with logstash or elastic, but I've got 0 ideas as to what.

At this point I'm just running a cronjob to copy the files over and letting it rip. I'm sure there's a cleaner way, but that's working for me now haha.

If you've got any more ELK debugging knowledge, I'm happy to try it out.


MarcOverIP avatar MarcOverIP commented on June 6, 2024

Great to hear it worked out in the end.

Remote debugging is hard, and I am out of ideas. So I'll close this issue. Feel free to reopen when you believe there is need to.


fastlorenzo avatar fastlorenzo commented on June 6, 2024

I'm actually running cobaltstrike from /opt and am not facing any issues, I have an Ansible script deploying RedELK where I replaced /root with a variable (in this case set to /opt).


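The last few comments agree that the teamserver side carries the only hard references to /root/cobaltstrike (the filebeat input paths, plus any copy script) and that fastlorenzo's fix was to substitute the base directory. The script below is an added example, not code from RedELK or from anyone in the thread: it rewrites the base directory in a filebeat config, keeps a backup, and then checks that every `paths:` glob in the config actually matches a file, which is the first thing to rule out when events never reach the rtops index. The filebeat.yml fragment and the log tree it creates are constructed for the example (the field names follow the events shown earlier; RedELK's real file has more inputs), and the /opt path is the one from the thread.

```bash
#!/usr/bin/env bash
# Added example (not RedELK's own code): move the hard-coded Cobalt Strike
# base directory in a filebeat config and prove the new globs match files.
set -eu

# Replace every occurrence of $2 (old base, e.g. /root/cobaltstrike) with
# $3 (new base, e.g. /opt/cobaltstrike) in config $1, keeping a .bak copy.
# sed -i with a suffix works on both GNU and BSD sed; the suffix file is removed.
relocate_cs_base() {
  cp "$1" "$1.bak"
  sed -i.tmp "s#$2#$3#g" "$1" && rm -f "$1.tmp"
}

# Number of lines in $1 still mentioning base directory $2.
count_refs() {
  grep -c -- "$2" "$1" || true
}

# Print every "paths:" entry of $1 whose glob matches no file. The glob is
# expanded by the shell (set -- $pat); for patterns using only '*' that is
# the same matching filebeat's Go globs perform. Filebeat's '**' recursion
# is not expanded here, so such patterns would be reported as unmatched.
unmatched_globs() {
  grep -E '^[[:space:]]*- /' "$1" | sed 's/^[[:space:]]*- //' | while read -r pat; do
    set -- $pat
    [ -e "$1" ] || echo "$pat"
  done
}

WORK="$(mktemp -d)"
CFG="$WORK/filebeat.yml"
# Constructed fragment in the shape of RedELK's teamserver filebeat input.
cat >"$CFG" <<'EOF'
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /root/cobaltstrike/logs/*/*/beacon_*.log
  fields:
    infralogtype: rtops
    cslogtype: beacon
- type: log
  enabled: true
  paths:
    - /root/cobaltstrike/logs/*/events.log
  fields:
    infralogtype: rtops
    cslogtype: events
EOF

# Constructed log tree at the new location, mirroring the thread's layout
# (logs/<date>/<beacon ip>/beacon_<id>.log).
NEWBASE="$WORK/opt/cobaltstrike"
mkdir -p "$NEWBASE/logs/200914/200.20.110.6"
: >"$NEWBASE/logs/200914/200.20.110.6/beacon_1270392426.log"
: >"$NEWBASE/logs/200914/events.log"

if [ "${1:-}" = "--demo" ]; then
  echo "unmatched before:"; unmatched_globs "$CFG"
  relocate_cs_base "$CFG" /root/cobaltstrike "$NEWBASE"
  echo "unmatched after:"; unmatched_globs "$CFG"
fi
```

Two caveats for the cron-copy workaround described above: filebeat's registry tracks files by inode, so copying (rather than moving on the same filesystem) creates new inodes and the copies are harvested as new files, which is fine for a one-way sync but double-ingests anything already shipped from the original path; and the beacon logs contain target data, as the directory listing at the top of this section shows, so whichever directory they end up in should stay readable by root and the filebeat user only.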