
Recommendations and systems requirements

Marc Smeets edited this page May 22, 2023 · 8 revisions

Recommendations

We strongly recommend destroying and reinstalling your red team infrastructure for every engagement. You probably already do this, but it is worth restating: servers reused across engagements carry over data and indicators (addresses, hostnames, certificates, logs) from the previous target.

This means that we highly recommend the following:

  • Create and destroy a RedELK installation per engagement. Within a single engagement RedELK lets you define different attack scenario names, which comes in very handy for multi-scenario engagements such as TIBER.
  • Install the redirector, teamserver and RedELK components on different systems. You don't want to mix these functionalities.
  • At the start of your red team engagement, deploy new systems to serve as redirectors, teamservers and the RedELK server.
  • The installation scripts bundled with RedELK are not intended to upgrade an existing RedELK installation. To get a newer version of RedELK, wipe the system, git clone the latest release and perform a fresh installation.

HW and SW specs

RedELK consists of three components: the dedicated RedELK server, the installer for redirectors and the installer for your C2 server. Required specs differ per component.

  • Overall: only apt-based systems are supported.
  • RedELK server: use a dedicated system with at least 8 GB, ideally 16 GB of RAM. CPU power is less relevant. Disk space is cheap, and usage depends on the length of the operation as well as the number of files you download; 50 GB is a safe amount. The RedELK server needs one TCP port reachable from the redirectors and teamservers for inbound filebeat traffic.
  • Redirector: insignificant memory and disk; only filebeat is installed.
  • C2 server: insignificant memory and disk. The RedELK server needs to be able to set up an SSH/rsync connection to your C2 server.
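The following pre-flight script turns the spec list above and the connectivity requirements (filebeat port inbound to the RedELK server, SSH/rsync outbound to the C2 server) into checks you can run on each freshly built host before installing. It is an added example written for this page, not a script that ships with RedELK. The 8 GB / 16 GB RAM and 50 GB disk thresholds come from the page; the filebeat port (5044, filebeat's conventional Logstash port) and the data path used for the disk check (`/var/lib`) are assumptions, so adjust them to your installation.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a freshly built RedELK deployment.
# Added example for this wiki page, not part of the RedELK project.
# Thresholds come from the page: apt-based OS only, 8 GB RAM minimum and
# 16 GB ideal on the RedELK server, about 50 GB of disk. Assumptions, not
# taken from the page: the filebeat listener port (5044, filebeat's usual
# Logstash port) and the data path whose free space is measured (/var/lib).
FILEBEAT_PORT="${FILEBEAT_PORT:-5044}"   # assumption: adjust to your install
DATA_PATH="${DATA_PATH:-/var/lib}"       # assumption: where RedELK data lands

# Only apt-based systems are supported; everything else is an immediate fail.
is_apt_based() {
  command -v apt-get >/dev/null 2>&1
}

# Classify installed RAM in MiB against the page's thresholds.
# Pure function of its argument, so it can be checked without a real host.
classify_ram_mib() {
  if [ "$1" -lt 8192 ]; then echo fail      # below the 8 GB minimum
  elif [ "$1" -lt 16384 ]; then echo warn   # works, but 16 GB is recommended
  else echo ok
  fi
}

# Classify free disk in GiB: the page calls 50 GB a safe amount.
classify_disk_gib() {
  [ "$1" -ge 50 ] && echo ok || echo fail
}

# Installed memory in MiB, read from the kernel.
host_ram_mib() {
  awk '/^MemTotal:/ { printf "%d", $2 / 1024 }' /proc/meminfo
}

# Free space in GiB on the filesystem holding the given path (GNU df).
host_free_gib() {
  df -BG --output=avail "$1" | tail -n 1 | tr -dc '0-9'
}

# Run on a redirector or teamserver: can it reach the RedELK server's
# filebeat port? Uses bash's /dev/tcp so no extra tools are needed.
tcp_port_reachable() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Run on the RedELK server: can it open a non-interactive SSH session to a
# C2 server, and does that server have rsync (needed on both ends)?
ssh_rsync_ok() {
  ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" 'command -v rsync' >/dev/null 2>&1
}

# main ROLE ARGS...
#   server C2_SSH_TARGET...   checks apt, RAM, disk, SSH/rsync to each C2 host
#   redir  REDELK_HOST        checks apt and reachability of the filebeat port
#   c2     REDELK_HOST        same as redir
main() {
  local role=$1 rc=0 ram disk target; shift
  is_apt_based && echo "OK:   apt-based system" \
    || { echo "FAIL: not an apt-based system; only apt is supported"; rc=1; }
  case "$role" in
    server)
      ram=$(host_ram_mib); disk=$(host_free_gib "$DATA_PATH")
      case "$(classify_ram_mib "$ram")" in
        fail) echo "FAIL: ${ram} MiB RAM, need at least 8 GB"; rc=1 ;;
        warn) echo "WARN: ${ram} MiB RAM, 16 GB is recommended" ;;
        ok)   echo "OK:   ${ram} MiB RAM" ;;
      esac
      if [ "$(classify_disk_gib "$disk")" = ok ]; then
        echo "OK:   ${disk} GiB free on ${DATA_PATH}"
      else
        echo "FAIL: ${disk} GiB free on ${DATA_PATH}, plan for 50 GB"; rc=1
      fi
      for target in "$@"; do
        ssh_rsync_ok "$target" && echo "OK:   ssh/rsync to ${target}" \
          || { echo "FAIL: no batch SSH or no rsync on ${target}"; rc=1; }
      done ;;
    redir|c2)
      tcp_port_reachable "$1" "$FILEBEAT_PORT" \
        && echo "OK:   ${1}:${FILEBEAT_PORT} reachable for filebeat" \
        || { echo "FAIL: cannot reach ${1}:${FILEBEAT_PORT} from this host"; rc=1; }
      ;;
    *) echo "usage: $0 server C2_SSH_TARGET... | redir REDELK_HOST | c2 REDELK_HOST"; rc=2 ;;
  esac
  return "$rc"
}

# Only run when invoked with a role, so the functions can also be sourced.
case "${1:-}" in server|redir|c2) main "$@" ;; esac
```

Run `bash redelk-preflight.sh server redelk@c2.example` on the RedELK server (one SSH target per C2 server, using the account RedELK will rsync with) and `bash redelk-preflight.sh redir <redelk-host>` on each redirector and teamserver. A non-zero exit means a requirement from the list above is not met; fix it before running the installer, because the installer will not diagnose a missing port or a failing SSH connection for you.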