First BETA release of the new version 2.
RedELK release notes
version 2.0 BETA1
- Elastic stack upgraded to version 7.8
- Use Elasticsearch ILM to manage indices
- Elastic stack field naming overhaul:
- Indices rtops and beacondb (now implantsdb) are now C2 framework agnostic instead of Cobalt Strike terms specific
- Field names adhere to ECS naming standard as much as possible
- Field names and their types are now defined in ES templates and Kibana index patterns
- Documented all field in names and types
- First step of support for PoshC2 C2 framework. Thanks @benpturner for the heavy lifting
- Offensive hunting tools are now installed on the RedELK server
- Neo4J for BloodHound integration
- Jupyter notenbooks for custom searching and data handling
- These two are installed by default unless you pass the 'limited' parameter to the elkserver installer
- Elkserver installer is now aware of amount of memory and adjusts memory settings of ES, NEO4j and ES to optimized values.
- Cobalt Strike specific changes:
- Support for Cobalt Strike 4.1
- Credentials store is periodically read, parsed and sent to the RedELK server where it is stored in a new index called credentials.
- Ssh beacon logs are now also ingested
- CS listener info is also parsed and stored
Other: - Outflank PS-Tools output is now parsed and stored in extra fields inside the rtops index
- Integrated and adjusted chameleon.py (thanks @DomChell) for performing domain classification checks
- Emails from IMAP mailboxes can now be ingested and dispalyed in RedELK
- Added several dashboards, vizualisations and searches
- added Useragent info to incoming traffic on redirectors
Bugfixes: - Fixed double space bug in Apache catch-all Grok rule
- Fix for incorrect GeoIP ASN lookup when using an CDN
- Fixed several parsing bugs for CS
- Fixed several parsing bugs for HAProxy