-
Notifications
You must be signed in to change notification settings - Fork 371
Red team operations overview
First time login
Browse to your RedELK server's IP address and login with the credentials presented at the end of the redelk server installer. These are also listed in the docker .env file. You are now in a Kibana interface.
There are probably two things you want to do here: look at dashboards, or look and search the data in more detail. You can switch between those views using the buttons on the left bar (default Kibana functionality).
Click on the dashboard icon on the left, and you'll be given 2 choices: Traffic and Beacon.
Click on the Discover button to look at and search the data in more detail. Once there, click the time range you want to use and click on the 'Open' button to use one of the prepared searches with views.
Beacon data
When selecting the search 'TimelineOverview' you are presented with an easy to use view on the data from the Cobalt Strike teamservers, a time line of beacon events if you like. The view includes the relevant columns you want to have, such as timestamp, testscenario name, username, beacon ID, hostname, OS and OS version. Finally, the full message from Cobalt Strike is shown.
You can modify this search to your liking. Also, because it is elasticsearch, you can search all the data in this index using the search bar.
Clicking on the details of a record will show you the full details. An important field for usability is the beaconlogfile field. This field is an hyperlink, linking to the full beacon log file this record is from. It allows you to look at the beacon transcript in a bigger windows and use CTRL+F within it.
Screenshots
RedELK comes with an easy way of looking at all the screenshots that were made from your targets. Select the 'Screenshots' search to get this overview. We added two big usability things: thumbnails and hyperlinks to the full pictures. The thumbnails are there to quickly scroll through and give you an immediate impression: often you still remember what the screenshot looked like.
Keystrokes
Just as with screenshots, it's very handy to have an easy overview of all keystrokes. This search gives you the first lines of content, as well as again an hyperlink to the full keystrokes log file.
IOC data
To get a quick list of all IOCs, RedELK comes with an easy overview. Just use the 'IOCs' search to get this list. This will present all IOC data from Cobalt Strike, both from files and from services.
You can quickly export this list by hitting the 'Reporting' button in the top bar to generate a CSV of this exact view.
Downloads
RedELK comes with an easy way of looking at every file that was downloaded during the red team operation. You can find this using the 'Downloads' search. You now get a list of all downloaded files, including all relevant meta data, and this is all searchable. But more importantly, you also have the ability to download the actual file directly from your web browser. As RedELK gathers all data from every teamserver, this means that you have all the downloaded files from every teamserver in the entire operation. No more need to use your Cobalt Strike client to login (and sync) to every teamserver.