github outflanknl/RedELK v2.0-beta1
Version 2.0 BETA1

latest releases: v2.0.0-beta.6, v2.0.0-beta.5, v2.0.0-beta.4...
4 years ago

First BETA release of the new version 2.

RedELK release notes

version 2.0 BETA1

  • Elastic stack upgraded to version 7.8
  • Use Elasticsearch ILM to manage indices
  • Elastic stack field naming overhaul:
    • Indices rtops and beacondb (now implantsdb) are now C2 framework agnostic instead of Cobalt Strike terms specific
    • Field names adhere to ECS naming standard as much as possible
    • Field names and their types are now defined in ES templates and Kibana index patterns
    • Documented all field in names and types
  • First step of support for PoshC2 C2 framework. Thanks @benpturner for the heavy lifting
  • Offensive hunting tools are now installed on the RedELK server
    • Neo4J for BloodHound integration
    • Jupyter notenbooks for custom searching and data handling
    • These two are installed by default unless you pass the 'limited' parameter to the elkserver installer
    • Elkserver installer is now aware of amount of memory and adjusts memory settings of ES, NEO4j and ES to optimized values.
  • Cobalt Strike specific changes:
    • Support for Cobalt Strike 4.1
    • Credentials store is periodically read, parsed and sent to the RedELK server where it is stored in a new index called credentials.
    • Ssh beacon logs are now also ingested
    • CS listener info is also parsed and stored
      Other:
    • Outflank PS-Tools output is now parsed and stored in extra fields inside the rtops index
    • Integrated and adjusted chameleon.py (thanks @DomChell) for performing domain classification checks
    • Emails from IMAP mailboxes can now be ingested and dispalyed in RedELK
    • Added several dashboards, vizualisations and searches
    • added Useragent info to incoming traffic on redirectors
      Bugfixes:
    • Fixed double space bug in Apache catch-all Grok rule
    • Fix for incorrect GeoIP ASN lookup when using an CDN
    • Fixed several parsing bugs for CS
    • Fixed several parsing bugs for HAProxy

Don't miss a new RedELK release

NewReleases is sending notifications on new releases.