
RedELK server installation

Marc Smeets edited this page May 28, 2023 · 15 revisions

In short

  1. Extract elkserver.tgz on your RedELK server.
  2. Run install-elkserver.sh.
  3. Define your C2 servers in mounts/redelk-config/etc/crond.d/redelk.
  4. Use the credentials from redelk_passwords.cfg to log in to the RedELK HTTP interface.
  5. Do the post-install configuration, e.g. alarms and notification methods.

In detail

Installation

  1. Copy and extract elkserver.tgz on your RedELK server as part of your red team infra deployment procedures.
  2. Run the installer install-elkserver.sh without parameters for a full RedELK install (including Neo4j and the Jupyter workbook). Optionally, the installer recognises the following parameters:
  • dryrun: only perform the pre-install checks and write the config to the .env file. It's good practice to run with this parameter the first time.
  • fixedmemory: skips the automatic memory adjustment and sets the memory for Elasticsearch and Neo4j to 1GB each.
  • limited: do not install Neo4j and Jupyter notebooks.
  • dev: only used for development (rebuilds all Docker containers and inserts some test logs).
  3. Define your C2 servers in mounts/redelk-config/etc/crond.d/redelk. Make sure to use the correct $hostname for the C2 servers: each should match the $FileBeatID parameter used during installation of that C2 server.
  4. Use the credentials from redelk_passwords.cfg to log in to the RedELK HTTP interface. This is a read-only file. If you want to change the password, edit the .env file and rebuild the containers.
  5. Do the post-install configuration. See the detailed section below.

Debugging

Having issues? Check the following:

  • The installer output in redelk-install.log.
  • The output of the docker container logs. All can have valuable info. But in our experience you want to check the following first:
    • docker logs redelk-logstash: check for connection established and errors in your logstash parsing config
    • docker logs redelk-elasticsearch: check for ElasticSearch issues. For example when you are running low on disk space you will get warnings and hints here.
  • RedELK internal script logs stored in mount/redelk-logs/*. All can have valuable info. But check the following first:
    • mount/redelk-logs/daemon.log: background daemon activity. You will spot errors in your config here.
    • mount/redelk-logs/getremotelogs.log for spotting issues with getting remote files from your C2 servers.
  • Have you been messing with settings and are not sure what is what? Check the .env as that contains the relevant settings for docker.

Configuration

Once installed it is time to do the configuration. This is done in two locations:

  • Main config file mounts/redelk-config/etc/redelk/config.json
  • IP list and other config files in mounts/redelk-config/etc/redelk/*

Main config file

Modify mounts/redelk-config/etc/redelk/config.json to your liking. Explanation of the fields:

| Field | Description |
|---|---|
| loglevel | Defines the logging level for the background daemons. Normally no need to change. Possible values: CRITICAL, ERROR, WARNING, INFO, DEBUG. Default: WARNING. |
| interval | Interval in seconds for RedELK to do its operations. Normally no need to change. |
| tempDir | Directory where RedELK stores some temporary files. Normally no need to change. |
| redelkserver_letsencrypt.redelkserver_letsencrypt | Whether to use certbot certificates for your Kibana interface. |
| redelkserver_letsencrypt.external_domain | The domain name of the RedELK server for Let's Encrypt. |
| redelkserver_letsencrypt.le_email | The email address used for Let's Encrypt registration. |
| redelkserver_letsencrypt.staging | Staging setting for Let's Encrypt. |
| project_name | Main identifier for this installation. This differentiates between multiple RedELK installs when you get alarms. |
| es_connection | The Elasticsearch connection string. Likely no need to change this. |
| notifications | Settings for notification delivery. You will need to enable the module you want to use. By default none is enabled. |
| notifications.email | Get alarms via email: set to enable and configure all subfields. The names are self-explanatory. |
| notifications.msteams | Get alarms via MS Teams: set to enable and enter the Teams webhook URL. More info on configuring Teams webhooks here. |
| notifications.slack | Get alarms via Slack: set to enable and enter the Slack webhook URL. More info on configuring Slack webhooks here. |
| alarms.alarm_dummy | Only used for testing purposes, probably no need to enable. |
| alarms.alarm_filehash | Alarms on SHA/MD5 hashes of your uploaded files that are also found on VirusTotal, IBM X-Force and/or Hybrid Analysis. Requires an API key per provider. If you leave the API key empty, the check is not performed. |
| alarms.alarm_httptraffic | Alarms on IPs that aren't listed in any iplist* file but access redirector backends named c2*. |
| alarms.alarm_useragent | Alarms on User-Agents that are listed in the config file blacklist_useragents.conf and access redirector backends named c2*. |
| alarms.alarm_backendalarm | Alarms on any traffic hitting a redirector backend named *alarm*. |
| alarm_manual | Alarms if a C2 message contains the text REDELK_ALARM. This is useful for testing whether your alarm setup works. Type REDELK_ALARM something something in your C2, either in the event log or in the implant, to test. |
| enrich | Settings for enrichment modules. By default most are enabled. You likely do not need to change anything here. |
| enrich.enrich_csbeacon | Enriches rtops data from Cobalt Strike implants. |
| enrich.enrich_stage1 | Enriches rtops data from Outflank's custom C2 framework. |
| enrich.enrich_greynoise | Enriches redirtraffic data with info from GreyNoise. If an IP address is listed in GreyNoise, this data is added. You can enter your own API key to avoid hitting the rate limits of the public API key. |
| enrich.enrich_tor | Enriches redirtraffic data with Tor info. If an IP address is a known Tor exit node, this info is added. |
| enrich.enrich_iplists | Background RedELK process. Better keep it enabled. |
| enrich.enrich_synciplists | Background RedELK process. Better keep it enabled. |
| enrich.enrich_syncdomainslists | Background RedELK process. Better keep it enabled. |
| enrich.enrich_domainscategorization | Enriches domain names with info from domain classifiers. Requires an API key from IBM or VirusTotal. |

IP and other list files

Files in mount/redelk-config/etc/redelk/. All list files take one entry per line.

| File | Description |
|---|---|
| domainslist_redteam.conf | Define the domain names that are part of your red team infrastructure. Once on this list they will be periodically checked for appearance on lists of known bad domains. |
| iplist_alarmed.conf | Tracking of IPs already alarmed about. Add IPs here that you do not want to be alarmed about. |
| iplist_blueteams.conf | IPs you absolutely want to be alarmed about, regardless of which redirector frontend they are accessing. |
| iplist_customer.conf | IPs of your target. This will mute alarms for sessions from these IP addresses. |
| iplist_redteam.conf | IP addresses of your own team. This will mute alarms for sessions from these IP addresses. |
| iplist_unknown.conf | IP addresses of systems you haven't identified yet, but don't want to be alarmed about. |
| known_testsystems.conf | Host characteristics of known test systems. You probably want to add info regarding your own test systems. One per line. |
| rogue_useragents.conf | User agents that are known bad when they access your C2 backend. We have included a basic list of UAs like curl, python-urllib and some other tools blue teamers like to use. The list also contains UAs of instant messaging tools such as WhatsApp, Skype and Slack. Very useful for when your C2 is shared amongst analysts using IM. Feel free to add UAs to this list. |
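The alarm rules described in the config table (alarm_httptraffic, alarm_useragent, alarm_backendalarm) and the list files above combine into a simple decision per redirector event. The following is an added example, not RedELK's own code: it replays those rules over constructed events and constructed iplist_*.conf contents, so you can sanity-check your lists before relying on the alarms. Assumed details not stated on the page: list files may contain CIDR ranges and '#' comments, blue-team IPs alarm on any backend, and an IP is alarmed once and then recorded in iplist_alarmed.conf.

```python
import ipaddress
from fnmatch import fnmatch
# Constructed sample list-file contents (the real files live in mounts/redelk-config/etc/redelk/).
# Assumed format: one IP or CIDR per line, blank lines and '#' comments ignored.
IPLISTS = {
    "iplist_redteam.conf": "203.0.113.10\n# operator VPN egress\n203.0.113.11\n",
    "iplist_customer.conf": "198.51.100.0/24\n",
    "iplist_blueteams.conf": "192.0.2.99\n",
}
ROGUE_UAS = ["curl/", "python-urllib", "WhatsApp"]  # fragments, as in rogue_useragents.conf
def parse_iplist(text):
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets
def listed(ip, nets):
    return any(ipaddress.ip_address(ip) in net for net in nets)

def evaluate(events, iplists, rogue_uas):
    """Return {src_ip: [alarm names]} per the rules above. Assumptions: blue-team IPs
    alarm on any backend; an IP is alarmed once, then recorded in iplist_alarmed.conf."""
    lists = {name: parse_iplist(text) for name, text in iplists.items()}
    alarmed, results = lists.setdefault("iplist_alarmed.conf", []), {}
    for ev in events:
        ip, backend, ua = ev["src_ip"], ev["backend"], ev["useragent"]
        c2 = fnmatch(backend, "c2*")
        known = any(listed(ip, nets) for name, nets in lists.items()
                    if name not in ("iplist_alarmed.conf", "iplist_blueteams.conf"))
        hits = []
        if fnmatch(backend, "*alarm*"):
            hits.append("alarm_backendalarm")
        if listed(ip, lists["iplist_blueteams.conf"]) or (c2 and not known):
            hits.append("alarm_httptraffic")
        if c2 and any(frag.lower() in ua.lower() for frag in rogue_uas):
            hits.append("alarm_useragent")
        if hits and not listed(ip, alarmed):  # suppress repeat alarms for this IP
            results[ip] = hits
            alarmed.append(ipaddress.ip_network(ip))
    return results

EVENTS = [  # constructed redirector access events
    {"src_ip": "198.51.100.7", "backend": "c2-http", "useragent": "Mozilla/5.0"},  # customer
    {"src_ip": "192.0.2.50", "backend": "c2-http", "useragent": "curl/7.88.1"},    # unknown + curl
    {"src_ip": "192.0.2.99", "backend": "decoy-www", "useragent": "Mozilla/5.0"},  # blue team
    {"src_ip": "192.0.2.50", "backend": "c2-http", "useragent": "Mozilla/5.0"},    # repeat
    {"src_ip": "192.0.2.77", "backend": "honeypot-alarm", "useragent": "Mozilla/5.0"},
]
```

Running evaluate(EVENTS, IPLISTS, ROGUE_UAS) alarms once on 192.0.2.50 (unlisted IP plus curl UA), on the blue-team IP despite the non-c2 backend, and on the *alarm* backend, while the customer IP and the repeat event stay quiet.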

Other config files not recommended to edit:

  • roguedomains.conf: auto-updated list of known bad domains, compiled from multiple sources.
  • torexitnodes.conf: auto-updated list of known Tor exit node IP addresses.

API and rate limit info for third-party security providers

| Provider | Rate limit | API supports bundling requests | Links with info |
|---|---|---|---|
| OTX | 10k/hour with API key | No bundling | https://otx.alienvault.com/api, https://cybersecurity.att.com/blogs/security-essentials/the-upgraded-alienvault-otx-api-ways-to-score-swag |
| IBM free tier | 5k/month and 3000/minute | No bundling | https://exchange.xforce.ibmcloud.com/faq#tiers_of_usage, https://api.xforce.ibmcloud.com/doc/#/Malware/get_malware__filehash_ |
| IBM paid | Sold in batches of 10k/month, probably about $2k for 10k calls | No bundling | |
| VT free | 4/minute and 500/day | No bundling | https://developers.virustotal.com/reference/public-vs-premium-api |
| VT commercial | No limit | No bundling | |
| Hybrid Analysis | Unclear: either 2000/hour with no daily/weekly/monthly limit, or 5/minute and 200/hour | Bundling supported | https://www.hybrid-analysis.com/docs/api/v2#/Search/post_search_hash |
| Facebook | Unclear, 200 per hour | No bundling (probably) | https://developers.facebook.com/docs/graph-api/overview/rate-limiting, https://developers.facebook.com/docs/threat-exchange/reference/apis/threat-indicators/v15.0 |