
Comments (7)

MarcOverIP avatar MarcOverIP commented on June 11, 2024

I. Anything that helps with setting the default index is much appreciated.
II. No, have not thought about it but it does sound interesting! Would be interested in anything that you can share.
III. I am testing with JA3. Interesting tech, but not totally convinced yet for detecting Blue Team activity. Do have some more tests to run, so might still include it in the future.
IV. This concerns a Cobalt Strike specific thing. When you are using a redirector (which you should during any red team), then the beacons that are connecting to the CS teamserver only know the IP address of the redirector as the external IP address. This of course is not the real external IP address, meaning the ext IP of the internet uplink of where the beacon is running. At this moment there is no correlation possible between what the redirector sees as originating IP address and the CS teamserver. I have not found a stable solution to this yet.
V. That is one way indeed, but does require all red team operators to have access to a writable directory, and would only cover files. Another option would be to have this done by a bot that's running on the teamserver. So far, I've run some tests but haven't found a way I'm happy with.
VI. That's pretty cool! Didn't know about that. Will run some tests.
VII. Do know the possibility exists, but simply havent had time to delve into it just yet. Would be great to have this included, but am afraid it will take significant time with the setup and testing.

Thanks for the ideas!

from redelk.

MarcOverIP avatar MarcOverIP commented on June 11, 2024

Err, some numbering went off.
VII. Yes, know about Elastalert. Seems like a lot better approach than our quick 'n' dirty one. Although perhaps not usable in all our cases, I will take a look to have it included.
VIII. Do know the possibility exists, but simply havent had time to delve into it just yet. Would be great to have this included, but am afraid it will take significant time with the setup and testing.

neu5ron avatar neu5ron commented on June 11, 2024

Sorry for the late reply on the index pattern.
I would recommend creating custom INDEX (pattern) IDs which can also be done via the CLI. Example from HELK instance
https://github.com/Cyb3rWard0g/HELK/blob/ccbee9f6fb1ab80b26e813425396f656bece7bbc/docker/helk-kibana/scripts/basic/kibana-setup.sh#L39
Otherwise, I believe the Kibana index pattern IDs are randomly generated and would be different per build and thus unable to automate via script.

# ID of the (Kibana) index pattern (shell assignment takes no leading "$")
INDEXID=PlaceIndexID

# The kbn-xsrf header is required on every Kibana API write
curl -XPOST -H "Content-Type: application/json" -H "kbn-xsrf: true" "127.0.0.1:5601/api/kibana/settings/defaultIndex" -d "{\"value\":\"$INDEXID\"}"
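The snippet above only sets defaultIndex and still depends on knowing the pattern's ID. The example below, added here and not taken from the thread, RedELK or HELK, goes one step further: it creates the index pattern under an ID we choose, so the ID is stable across builds and the default can be set without looking anything up. It assumes the Kibana 6.x/7.x saved objects API at /api/saved_objects/index-pattern/<id> with the overwrite query parameter; the pattern title "rtops-*", the placeholder ID and the time field are constructed values, not RedELK's.

```shell
#!/bin/sh
# Added example: create a Kibana index pattern under a fixed ID and make it
# the default, so the step is scriptable and identical on every build.
# Assumptions (not from the thread): Kibana 6.x/7.x saved objects API at
# /api/saved_objects/index-pattern/<id>; title, ID and time field below are
# constructed placeholders.

KIBANA_URL="${KIBANA_URL:-http://127.0.0.1:5601}"

INDEXID="redelk-rtops-pattern"   # placeholder: a fixed ID instead of Kibana's random UUID
INDEXTITLE="rtops-*"             # constructed sample index pattern title
TIMEFIELD="@timestamp"           # constructed sample time field

# Build the JSON body for the saved-objects create call. Returned as a
# string so it can be inspected (or asserted on) before anything is sent.
index_pattern_payload() {
    printf '{"attributes":{"title":"%s","timeFieldName":"%s"}}' "$1" "$2"
}

# Build the JSON body for the defaultIndex advanced setting.
default_index_payload() {
    printf '{"value":"%s"}' "$1"
}

# POST one JSON document to Kibana; kbn-xsrf is mandatory on every write.
kibana_post() {
    curl -sS -X POST \
        -H "Content-Type: application/json" \
        -H "kbn-xsrf: true" \
        "${KIBANA_URL}$1" -d "$2"
}

# Create (or overwrite) the pattern under our ID, then point defaultIndex at it.
setup_default_index() {
    kibana_post "/api/saved_objects/index-pattern/${INDEXID}?overwrite=true" \
        "$(index_pattern_payload "$INDEXTITLE" "$TIMEFIELD")"
    kibana_post "/api/kibana/settings/defaultIndex" \
        "$(default_index_payload "$INDEXID")"
}

# Only talk to Kibana when explicitly asked ("sh script.sh apply"), so the
# file can be sourced or dry-run without a reachable Kibana.
if [ "${1:-}" = "apply" ]; then
    setup_default_index
fi
```

Because the ID is fixed, the same two calls can run in a provisioning script on every fresh install; overwrite=true makes the first call idempotent when the pattern already exists.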

MarcOverIP avatar MarcOverIP commented on June 11, 2024

Thanks for the pointer. I'll run some tests and add in next update.

If you have any pointers for the other items that's also hugely appreciated!

neu5ron avatar neu5ron commented on June 11, 2024

Absolutely, I will provide pointers. Just waiting on (should be over the next week) when I can get a solid hour or two to devote to you a good response.
Love this project even though I am "blue team"... As I have said, I love the ingenuity!

derentis avatar derentis commented on June 11, 2024

For "Fine grained authorisation" check out SearchGuard (https://docs.search-guard.com/latest/search-guard-community-edition.html) - this will give you additional benefits, such as being able to encrypt all the things in transit.

In regards to Elastalert, since you'll be using Kibana you can just use the Kibana plugin (https://github.com/bitsensor/elastalert-kibana-plugin) and their Elastalert fork (https://github.com/bitsensor/elastalert) which comes in a handy docker container so it's super easy to set up.

MarcOverIP avatar MarcOverIP commented on June 11, 2024

Thanks for the suggestions @derentis. I will have a look at them and see how easy it is to include.