
Some Comments and Suggestions

Open neu5ron opened this issue 7 years ago • 7 comments

First off, this is a genius project! Great use of Elastic ELK.

    1. I should be able to send you something to set the default kibana index once I get back to my main computer this weekend.
    2. Have you thought about doing OCR on the images? and adding to another field in elasticsearch? If you have, let me know I can send you stuff to help with that.
    3. Have you thought about adding JA3 hashes? If you have, let me know I can send you stuff to help with that. Should be able to be done with packetbeats and some proxies.
    4. Are you able to explain more what is going on with not being able to get the true source IP correlated/added? Trying to see if I could help anyway.
    5. To solve "Ingest manual IOC data", you should be able to create a directory and point logstash or beats at it. Any new files added should automatically be parsed by logstash/beats file input.
    6. To add more useragent info using logstash useragent parser: https://www.elastic.co/guide/en/logstash/current/plugins-filters-useragent.html
    7. To help with "Other alarm channels", you could add in https://github.com/Yelp/elastalert
    8. Have you thought about using translate plugin or even elasticsearch analyzers to make more sense out of keystroke logs? For example, you could create a custom elasticsearch analyzer on the keystroke field (still keep the raw/original key stroke field) and place it in say "keystrokes.analyzed". Your analyzer could essentially allow you to easily query keystrokes by splitting up in known English or even add other languages. Also, you could create an even more customized one that essentially creates tokens on 2-3 characters in a row. Would be useful to query large strings/things by matching on only 2/3 characters. The other language analyzers would be a really great use case of Elastic because of its many language supports: https://www.elastic.co/guide/en/elasticsearch/plugins/current/analysis-kuromoji.html https://www.elastic.co/guide/en/elasticsearch/reference/current/analysis-lang-analyzer.html

I really think you will be able to make sifting through the data even easier and better with all the custom analyzers and use cases of Elastic. Example, I know there are really great use cases of using Elastic essentially as a "file share" / file storage search. Including for microsoft office, images, pdf searching for text. Also, many projects based on images that could be used on the screenshot stuff.

There is so much potential with this already great project. Keep up the amazing work.

neu5ron avatar Nov 10 '18 20:11 neu5ron
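The keystroke analyzer idea from the list above, as an added example that is not part of neu5ron's post or of RedELK: an index definition that keeps the raw keystroke field as a keyword and adds an English sub-field plus a 2-3 character n-gram sub-field, and a query that matches on such a fragment. ES_URL, KEYSTROKE_INDEX and the field names are assumed placeholders.

```shell
# Added example, not RedELK's own code. Assumes Elasticsearch 6.x at ES_URL and a
# keystroke index named by KEYSTROKE_INDEX (placeholder); field names are illustrative.
ES_URL="${ES_URL:-http://127.0.0.1:9200}"
KEYSTROKE_INDEX="${KEYSTROKE_INDEX:-redelk-keystrokes}"
# The raw keystroke string stays a keyword field; two sub-fields analyze the same text:
#   keystrokes.english -> stock English analyzer (word-level search)
#   keystrokes.ngram   -> custom analyzer emitting 2- and 3-character tokens
keystroke_index_definition() {
  cat <<'EOF'
{
  "settings": {
    "analysis": {
      "tokenizer": {"ks_ngram_tok": {"type": "ngram", "min_gram": 2, "max_gram": 3}},
      "analyzer": {"ks_ngram": {"type": "custom", "tokenizer": "ks_ngram_tok", "filter": ["lowercase"]}}
    }
  },
  "mappings": {
    "_doc": {
      "properties": {
        "keystrokes": {
          "type": "keyword",
          "fields": {
            "english": {"type": "text", "analyzer": "english"},
            "ngram": {"type": "text", "analyzer": "ks_ngram"}
          }
        }
      }
    }
  }
}
EOF
}
# The fragment is n-grammed with the same analyzer at search time; "operator":"and"
# requires every gram, so "ssw" matches only strings that actually contain it.
ngram_query() {
  printf '{"query":{"match":{"keystrokes.ngram":{"query":"%s","operator":"and"}}}}' "$1"
}
create_keystroke_index() {
  curl -sS -XPUT -H "Content-Type: application/json" "$ES_URL/$KEYSTROKE_INDEX" \
    -d "$(keystroke_index_definition)"
}
search_keystrokes() {
  curl -sS -XGET -H "Content-Type: application/json" "$ES_URL/$KEYSTROKE_INDEX/_search" \
    -d "$(ngram_query "$1")"
}
# Network calls only run when explicitly requested.
if [ "${RUN_ES_SETUP:-0}" = 1 ]; then
  create_keystroke_index && echo && search_keystrokes "ssw"
fi
```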

I. Anything that helps with setting the default index is much appreciated.
II. No, have not thought about it but it does sound interesting! Would be interested in anything that you can share.
III. I am testing with JA3. Interesting tech, but not totally convinced yet for detecting Blue Team activity. Do have some more tests to run, so might still include it in the future.
IV. This concerns a Cobalt Strike specific thing. When you are using a redirector (which you should during any red team), then the beacons connecting to the CS teamserver only know the IP address of the redirector as the external IP address. This of course is not the real external IP address, meaning the ext IP of the internet uplink of where the beacon is running. At this moment there is no correlation possible between what the redirector sees as the originating IP address and the CS teamserver. I have not found a stable solution to this yet.
V. That is one way indeed, but it does require all red team operators to have access to a writable directory, and would only cover files. Another option would be to have this done by a bot that's running on the teamserver. So far, I've run some tests but haven't found a way I'm happy with.
VI. That's pretty cool! Didn't know about that. Will run some tests.
VII. Do know the possibility exists, but simply haven't had time to delve into it just yet. Would be great to have this included, but am afraid it will take significant time with the setup and testing.

Thanks for the ideas!

MarcOverIP avatar Dec 24 '18 14:12 MarcOverIP

Err, some numbering went off. VII. Yes, know about Elastalert. Seems like a lot better approach than our quick n dirty one. Although perhaps not usable in all our cases, I will take a look to have it included. VIII. Do know the possibility exists, but simply haven't had time to delve into it just yet. Would be great to have this included, but am afraid it will take significant time with the setup and testing.

MarcOverIP avatar Dec 24 '18 14:12 MarcOverIP

Sorry for the late reply on the index pattern. I would recommend creating custom INDEX (pattern) IDs, which can also be done via the CLI. Example from HELK instance: https://github.com/Cyb3rWard0g/HELK/blob/ccbee9f6fb1ab80b26e813425396f656bece7bbc/docker/helk-kibana/scripts/basic/kibana-setup.sh#L39 Otherwise, I believe the Kibana index pattern IDs are randomly generated and would be different per build and thus unable to be automated via script.

# ID of the (Kibana) index pattern; replace PlaceIndexID with the pattern's real ID
# (shell assignment takes no leading "$")
INDEXID=PlaceIndexID

# kbn-xsrf header is required by Kibana's API; the value is the pattern ID to make default
curl -XPOST -H "Content-Type: application/json" -H "kbn-xsrf: true" "127.0.0.1:5601/api/kibana/settings/defaultIndex" -d "{\"value\":\"$INDEXID\"}"

neu5ron avatar Dec 24 '18 18:12 neu5ron
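A scripted version of the approach in the reply above, as an added example that is neither neu5ron's nor RedELK's code: create the index pattern under a chosen, stable ID via Kibana's saved-objects API instead of letting Kibana generate a random one, then point defaultIndex at that ID. KIBANA_URL, the pattern ID and the pattern title are assumed placeholders.

```shell
# Added example, not RedELK's own code. Assumes the Kibana 6.x saved-objects API at
# KIBANA_URL; the pattern ID and title below are placeholders to replace.
KIBANA_URL="${KIBANA_URL:-http://127.0.0.1:5601}"
INDEX_PATTERN_ID="${INDEX_PATTERN_ID:-redelk-main}"      # fixed ID, identical on every build
INDEX_PATTERN_TITLE="${INDEX_PATTERN_TITLE:-redelk-*}"   # indices the pattern should cover
# Saved-object body for an index pattern keyed on @timestamp.
index_pattern_body() {
  printf '{"attributes":{"title":"%s","timeFieldName":"@timestamp"}}' "$1"
}
# Advanced-settings body that makes the given pattern ID the default index.
default_index_body() {
  printf '{"value":"%s"}' "$1"
}
# Create (or overwrite) the pattern under our chosen ID instead of a random one.
create_index_pattern() {
  curl -sS -XPOST -H "Content-Type: application/json" -H "kbn-xsrf: true" \
    "$KIBANA_URL/api/saved_objects/index-pattern/$1?overwrite=true" \
    -d "$(index_pattern_body "$2")"
}
set_default_index() {
  curl -sS -XPOST -H "Content-Type: application/json" -H "kbn-xsrf: true" \
    "$KIBANA_URL/api/kibana/settings/defaultIndex" \
    -d "$(default_index_body "$1")"
}
# Network calls only run when explicitly requested.
if [ "${RUN_KIBANA_SETUP:-0}" = 1 ]; then
  create_index_pattern "$INDEX_PATTERN_ID" "$INDEX_PATTERN_TITLE" && echo
  set_default_index "$INDEX_PATTERN_ID" && echo
fi
```

Because the ID is fixed, the same two calls can be baked into the RedELK install script and re-run safely on every build.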

Thanks for the pointer. I'll run some tests and add in next update.

If you have any pointers for the other items that's also hugely appreciated!

MarcOverIP avatar Dec 29 '18 16:12 MarcOverIP

Absolutely, I will provide pointers. Just waiting on (should be over the next week) when I can get a solid hour or two to devote to you a good response. Love this project even though I am "blue team"... As I have said, I love the ingenuity!

neu5ron avatar Jan 04 '19 06:01 neu5ron

For "Fine grained authorisation" check out SearchGuard (https://docs.search-guard.com/latest/search-guard-community-edition.html) - this will give you additional benefits, such as being able to encrypt all the things in transit.

In regards to Elastalert, since you'll be using Kibana you can just use the Kibana plugin (https://github.com/bitsensor/elastalert-kibana-plugin) and their Elastalert fork (https://github.com/bitsensor/elastalert) which comes in a handy docker container so it's super easy to set up.

derentis avatar Feb 13 '19 04:02 derentis

Thanks for the suggestions @derentis. I will have a look at them and see how easy it is to include.

MarcOverIP avatar Feb 16 '19 14:02 MarcOverIP