
feat: c2-event evidence type

Open nbaertsch opened this issue 2 years ago • 8 comments

Adding an evidence type to capture C2 events in ASHIRT.

We have ingestors (python script + systemd service file) for both Cobalt Strike and Brute Ratel, though both have some bugs we are working through squashing. If we like the direction of adding this feature into ASHIRT I'd be partial to the ingestor repo being owned by ashirt-ops so that they can live with the rest of the project.

I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.

nbaertsch avatar Apr 18 '24 15:04 nbaertsch

Saw this come in. Should have some time tomorrow to look through the PR. We're happy to adopt the ingestor repo over to the org. I think that makes sense as well. Do you have some samples of logs from brute ratel or cobalt strike so that we can test things end to end? Also, are the ingestors public currently?

jrozner avatar Apr 18 '24 17:04 jrozner

> Saw this come in. Should have some time tomorrow to look through the PR. We're happy to adopt the ingestor repo over to the org. I think that makes sense as well. Do you have some samples of logs from brute ratel or cobalt strike so that we can test things end to end? Also, are the ingestors public currently?

Just made the ingestors public here. There are some (very succinct) sample logs there for BR and CS (no mythic atm), as well as a python script to simulate log writing to test the ingestors.

nbaertsch avatar Apr 19 '24 03:04 nbaertsch

I've added the missing ashirt_worker.py to the ingestor repo - apologies for that. I will take a look at the requested changes and try to get this cleaned up and ready to merge over this coming weekend.

nbaertsch avatar Apr 23 '24 14:04 nbaertsch

I've made the changes we've discussed here. Sorry for the delay on this one, thanks for your patience. If there's anything else I can do to clean this up do lmk, this was my first time writing React 😁

nbaertsch avatar May 27 '24 16:05 nbaertsch

Thanks for getting the changes in. I should have some time this afternoon to take a look

jrozner avatar May 29 '24 17:05 jrozner

I'll make some time this weekend to go through it.

JoelAtDeluxe avatar May 31 '24 02:05 JoelAtDeluxe

Thanks for the review Joel. I'm going to get to work on the code cleanup work you noted. When it comes to styling I'd appreciate some help (especially the grid sizing issue, I can't get that thing centered for the life of me), but let me give this one more pass and I'll ping for another review and any styling help I may need.

nbaertsch avatar Jun 12 '24 22:06 nbaertsch

I'll try to find some time. It seems like the primary reason it doesn't fit right is the padding on the c2-event-grid. That somewhat breaks the lightbox view, but I think that there should be a way to fix specifically that (it's been a while though, so I don't know what it is off the top of my head). I'd say look at the har viewer as an example, but that's broken due to lazy loading components. There may still be some insight there though.

JoelAtDeluxe avatar Jun 16 '24 02:06 JoelAtDeluxe