Comments (7)
I. Anything that helps with setting the default index is much appreciated.
II. No, have not thought about it, but it does sound interesting! Would be interested in anything that you can share.
III. I am testing with JA3. Interesting tech, but not totally convinced yet for detecting Blue Team activity. Do have some more tests to run, so might still include it in the future.
IV. This concerns a Cobalt Strike specific thing. When you are using a redirector (which you should during any red team), then the beacons connecting to the CS teamserver only know the IP address of the redirector as the external IP address. This of course is not the real external IP address, meaning the ext IP of the internet uplink of where the beacon is running. At this moment there is no correlation possible between what the redirector sees as originating IP address and the CS teamserver. I have not found a stable solution to this yet.
V. That is one way indeed, but it does require all red team operators to have access to a writable directory, and would only cover files. Another option would be to have this done by a bot that's running on the teamserver. So far, I've run some tests but haven't found a way I'm happy with.
VI. That's pretty cool! Didn't know about that. Will run some tests.
VII. Do know the possibility exists, but simply haven't had time to delve into it just yet. Would be great to have this included, but am afraid it will take significant time with the setup and testing.
Thanks for the ideas!
from redelk.
Err, some numbering went off.
VII. Yes, know about Elastalert. Seems like a lot better approach than our quick 'n' dirty one. Although perhaps not usable in all our cases, I will take a look to have it included.
VIII. Do know the possibility exists, but simply haven't had time to delve into it just yet. Would be great to have this included, but am afraid it will take significant time with the setup and testing.
from redelk.
Sorry for the late reply on the index pattern.
I would recommend creating custom INDEX (pattern) IDs, which can also be done via the CLI. Example from a HELK instance:
https://github.com/Cyb3rWard0g/HELK/blob/ccbee9f6fb1ab80b26e813425396f656bece7bbc/docker/helk-kibana/scripts/basic/kibana-setup.sh#L39
Otherwise, I believe the Kibana index pattern IDs are randomly generated and would be different per build and thus unable to automate via script.
# ID of the (Kibana) index pattern (shell variable assignment takes no leading "$")
INDEXID=PlaceIndexID
curl -XPOST -H "Content-Type: application/json" -H "kbn-xsrf: true" "127.0.0.1:5601/api/kibana/settings/defaultIndex" -d "{\"value\":\"$INDEXID\"}"
from redelk.
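Added example, not code from this thread or from the RedELK or HELK projects: a POSIX shell script that first creates the Kibana index pattern under a fixed saved-object ID (so the ID is chosen by the script instead of being randomly generated per build) and then points the defaultIndex setting at that ID and checks the result. Assumptions: Kibana is reachable at http://127.0.0.1:5601 without authentication; the index pattern title `redelk-*`, the time field `@timestamp` and the ID `redelk-index-pattern` are placeholders to replace with your own values.

```shell
#!/bin/sh
# Added example, not code from this thread or from the RedELK/HELK projects.
# Creates a Kibana index pattern under a fixed saved-object ID, then makes it
# the default index pattern, so the ID never has to be looked up after a build.
# Assumptions (placeholders): Kibana at http://127.0.0.1:5601 with no auth,
# index pattern title "redelk-*", time field "@timestamp", ID "redelk-index-pattern".
set -eu

KIBANA_URL="${KIBANA_URL:-http://127.0.0.1:5601}"

# JSON body for POST /api/saved_objects/index-pattern/<id>
index_pattern_body() {
  # $1 = index pattern title, $2 = time field name
  printf '{"attributes":{"title":"%s","timeFieldName":"%s"}}' "$1" "$2"
}

# JSON body for POST /api/kibana/settings/defaultIndex
default_index_body() {
  # $1 = saved-object ID of the index pattern
  printf '{"value":"%s"}' "$1"
}

# POST helper: every Kibana API call needs the kbn-xsrf header;
# -f makes curl fail (and set -e abort the script) on an HTTP error status.
kibana_post() {
  # $1 = API path, $2 = JSON body
  curl -sS -f -X POST \
    -H 'Content-Type: application/json' \
    -H 'kbn-xsrf: true' \
    "$KIBANA_URL$1" -d "$2"
}

# Create (or overwrite) the index pattern with the ID we choose.
create_index_pattern() {
  # $1 = ID, $2 = title, $3 = time field
  kibana_post "/api/saved_objects/index-pattern/$1?overwrite=true" \
    "$(index_pattern_body "$2" "$3")"
}

# Point Kibana's defaultIndex advanced setting at that ID.
set_default_index() {
  # $1 = ID
  kibana_post "/api/kibana/settings/defaultIndex" "$(default_index_body "$1")"
}

# Check that Kibana now reports the ID as the user-set value of defaultIndex
# (GET /api/kibana/settings returns {"settings":{"defaultIndex":{"userValue":"<id>",...}}}).
verify_default_index() {
  # $1 = ID
  curl -sS -f -H 'kbn-xsrf: true' "$KIBANA_URL/api/kibana/settings" \
    | grep -q "\"userValue\":\"$1\""
}

main() {
  id="redelk-index-pattern"   # placeholder ID; any stable string works
  create_index_pattern "$id" 'redelk-*' '@timestamp'
  echo
  set_default_index "$id"
  echo
  verify_default_index "$id" && echo "defaultIndex is now $id"
}

# Only talk to Kibana when invoked with --apply; running or sourcing the file
# without arguments just defines the functions.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as `sh set-default-index.sh --apply` after Kibana is up. Because the saved-object ID is fixed, the same script is safe to re-run on every rebuild: `overwrite=true` replaces the index pattern in place and the defaultIndex setting is simply set again.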
Thanks for the pointer. I'll run some tests and add it in the next update.
If you have any pointers for the other items, that's also hugely appreciated!
from redelk.
Absolutely, I will provide pointers. Just waiting on (should be over the next week) when I can get a solid hour or two to devote to a good response for you.
Love this project even though I am "blue team"... As I have said, I love the ingenuity!
from redelk.
For "Fine grained authorisation" check out SearchGuard (https://docs.search-guard.com/latest/search-guard-community-edition.html) - this will give you additional benefits, such as being able to encrypt all the things in transit.
In regards to Elastalert, since you'll be using Kibana you can just use the Kibana plugin (https://github.com/bitsensor/elastalert-kibana-plugin) and their Elastalert fork (https://github.com/bitsensor/elastalert) which comes in a handy docker container so it's super easy to set up.
from redelk.
Thanks for the suggestions @derentis. I will have a look at them and see how easy it is to include.
from redelk.
Related Issues (20)
- Help with install HOT 1
- Performance issue with rsync on C2server HOT 1
- Glibc filebeat errors HOT 1
- Implant.log_file not showing c2logs HOT 1
- Issue with dashboards missing "keyword" HOT 2
- Add missing modules in config.py
- Add support for domain lists (similar to IP lists) HOT 1
- Check and clean-up ruby scripts
- Check if all modules in config.py HOT 1
- Check for consistent usage of c2.log.type field HOT 1
- All alarms should report project_name HOT 2
- Greynoise error
- Remove config files from source control HOT 3
- Hybrid Analysis - error handling around max API hits HOT 1
- Hybrid Analysis - SSL handshake failure HOT 1
- VT quota management HOT 1
- ES document conflict errors
- quick dump of small notes and issues
- Cobalt Strike enrichment stacktrace errors
- Add containers to GHCR / Review build pipeline HOT 1