Releases: outflanknl/RedELK

Version 2.0 BETA6

20 Feb 22:10

Version 2.0.0 BETA6

  • New alarm: fires when traffic hits any redirector backend whose name contains 'alarm'. Allows for flexibility in smarter redirector logic.
  • Chained X-Forwarded-For IPs are now also stored, in field source.ip_otherproxies in redirtraffic index.
  • Outflank Security Tooling specific: Stage1 C2 operator name recorded.
  • Outflank Security Tooling specific: Data from BlueCheck CertCheck, BlueCheck PasswordChangeCheck and BlueCheck SecurityToolCheck now properly stored in ElasticSearch.
  • LogStash config now mounted by default, allowing for easier modification of the config.
  • Template updates.
  • Fixed bug on storage of www-data/c2logs directory.
  • Fixed bug to make email alarms work again.
  • Several smaller bugfixes.
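The two BETA6 items above, chained X-Forwarded-For storage and the 'alarm' backend alarm, are illustrated here with an added example that is not RedELK's own code. The log line format, the sample lines and the `RedirEvent` class are constructed for the example; only the field names `source.ip` and `source.ip_otherproxies` come from the release notes. It splits the leftmost X-Forwarded-For entry out as the client address, keeps every other valid entry plus the TCP peer as the proxy chain, and flags hits to a backend whose name contains 'alarm'.

```python
"""Added example (not RedELK's own code): split an X-Forwarded-For chain into
client IP vs. other proxies, mirroring source.ip / source.ip_otherproxies, and
flag requests forwarded to a backend whose name contains 'alarm'."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in a hypothetical redirector log format:
#   <tcp peer ip> "<backend name>" "<X-Forwarded-For header value>"
SAMPLE_LOG = """\
203.0.113.7 "c2-backend" "-"
198.51.100.9 "c2-backend" "203.0.113.44, 10.0.0.5"
192.0.2.33 "decoy-alarm-backend" "203.0.113.20, 172.16.0.2, 10.1.1.1"
192.0.2.34 "c2-backend" "not-an-ip, 10.0.0.8"
"""

LINE_RE = re.compile(r'^(?P<peer>\S+) "(?P<backend>[^"]*)" "(?P<xff>[^"]*)"$')


@dataclass
class RedirEvent:
    source_ip: str              # would map to ECS source.ip
    other_proxies: list[str]    # would map to source.ip_otherproxies
    backend: str
    alarm: bool


def parse_xff(peer: str, xff: str) -> tuple[str, list[str]]:
    """Return (client ip, other proxies).

    The leftmost valid XFF entry is taken as the original client; every other
    valid entry plus the TCP peer is recorded as an intermediate proxy. The
    header is client-controlled, so malformed entries are dropped rather than
    trusted, and the peer address is always kept so the chain stays auditable.
    """
    entries = [e.strip() for e in xff.split(",")] if xff and xff != "-" else []
    valid: list[str] = []
    for entry in entries:
        try:
            valid.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            continue  # spoofed or malformed entry, not an address
    if not valid:
        return peer, []
    client, *proxies = valid
    return client, proxies + [peer]


def parse_line(line: str) -> RedirEvent | None:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, proxies = parse_xff(m["peer"], m["xff"])
    backend = m["backend"]
    return RedirEvent(client, proxies, backend, "alarm" in backend.lower())


def parse_log(text: str) -> list[RedirEvent]:
    """Parse every line of a log; unparseable lines are skipped."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        flag = "ALARM " if ev.alarm else "      "
        print(f"{flag}{ev.source_ip:15} via {ev.other_proxies} -> {ev.backend}")
```

The fourth sample line shows the caveat a practitioner would want: once an invalid entry is discarded, the next entry becomes the "client", so the peer address is retained in the proxy list and the raw header should be kept alongside the parsed fields when the chain is used for attribution.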

Version 2.0 BETA5

14 Jan 12:32

Version 2.0.0 BETA5

  • log4shell fix: bumped ELK stack to 7.16.3
  • Further Docker and memory tunings
  • Moved Greynoise support to community API and allowing a custom API key in config file
  • Fixed bug on updated API for VirusTotal and IBM X-Force alarms
  • Fixed bug to make domain classifications via Chameleon.py work again.
  • Moved Filebeat config files to config directory for easier support of multiple C2s on same machine
  • Installer script enhancements, among others to check if accounts already exist on elkserver
  • Numerous enhancements for easier development, e.g. pylint and Kibana port accessible from localhost
  • Many bug fixes

v2.0.0-beta.4

14 May 11:24
4c145d4

Version 2.0.0 BETA4

  • Many bug fixes
  • Migrated background enrichment and alarm scripts to new modular setup
  • Added support for Cobalt Strike 4.2 and 4.3
  • Added sample data ingestor when running in dev mode
  • Made sure Kibana searches Red Team Operations and Redirector Traffic are presented on top of list
  • Included an ES password import for Jupyter notebooks
  • Maximized the logging of docker logs
  • Migrated to official Neo4j container instead of old BloodHound container
  • Updated the RedELK Kibana app to include management of IP lists inside Kibana

v2.0.0-beta.3

06 Nov 14:20
534ed76

version 2.0.0 BETA3

  • Dockerized the installation on the elkserver components
  • Enabled X-pack on ELK stack
  • RedELK Kibana app is included by default
  • New format for alarm emails
  • Structured and increased configurable options in redelk config file config.json
  • Restructured enrich and alarm python scripts
  • Added rudimentary uninstall scripts for redirs, c2servers and elkserver

Version 2.0 BETA2

10 Oct 11:22

Version 2.0 BETA2

  • Elastic stack upgraded to version 7.9.2
  • Added nginx availability of Neo4J Browser
  • Dashboard overview now has a separate list of 'external' tools, i.e. ATT&CK Navigator, Jupyter Notebooks and Neo4J Browser
  • Restructuring of python scripts for alarming; now has a modular setup
  • Added support for Alarms via Microsoft Teams
  • Overall python scripts clean up
  • Removed Docker 19.x specific commands to support, among others, Debian 10
  • More settings configurable via alarm.json.config file, e.g. ES connection string
  • elkinstaller script bugfixes

Version 2.0 BETA1

02 Oct 11:21

First BETA release of the new version 2.

RedELK release notes

version 2.0 BETA1

  • Elastic stack upgraded to version 7.8
  • Use Elasticsearch ILM to manage indices
  • Elastic stack field naming overhaul:
    • Indices rtops and beacondb (now implantsdb) are now C2-framework agnostic instead of specific to Cobalt Strike terminology
    • Field names adhere to ECS naming standard as much as possible
    • Field names and their types are now defined in ES templates and Kibana index patterns
    • Documented all field names and types
  • First step of support for PoshC2 C2 framework. Thanks @benpturner for the heavy lifting
  • Offensive hunting tools are now installed on the RedELK server
    • Neo4J for BloodHound integration
    • Jupyter notebooks for custom searching and data handling
    • These two are installed by default unless you pass the 'limited' parameter to the elkserver installer
    • Elkserver installer is now aware of the amount of memory and adjusts the memory settings of ES and Neo4j to optimized values.
  • Cobalt Strike specific changes:
    • Support for Cobalt Strike 4.1
    • Credentials store is periodically read, parsed and sent to the RedELK server where it is stored in a new index called credentials.
    • SSH beacon logs are now also ingested
    • CS listener info is also parsed and stored
  • Other:
    • Outflank PS-Tools output is now parsed and stored in extra fields inside the rtops index
    • Integrated and adjusted chameleon.py (thanks @DomChell) for performing domain classification checks
    • Emails from IMAP mailboxes can now be ingested and displayed in RedELK
    • Added several dashboards, visualisations and searches
    • Added User-Agent info to incoming traffic on redirectors
  • Bugfixes:
    • Fixed double space bug in Apache catch-all Grok rule
    • Fix for incorrect GeoIP ASN lookup when using a CDN
    • Fixed several parsing bugs for CS
    • Fixed several parsing bugs for HAProxy

v1.1

17 Jul 15:07

version 1.1

  • Added support for Cobalt Strike 4.1. Thanks to @fastlorenzo
  • HTTP status code parsing improved to better handle non-RFC approved logging by some redir programs
  • Fix for supporting underscores in hostnames, although not allowed by RFC. Thanks to @jaredhaight

v1.0.3

03 Jul 09:29

version 1.0.3

  • Added support for Nginx redirectors thanks to @sunnyneo

v1.0.2

28 Feb 13:09
4422e59

version 1.0.2

  • Fixed silly bug in enrich.py that disabled Greynoise enrichment

v1.0.1

17 Feb 14:14

version 1.0.1

  • Fixed bug in logstash filter rule when Apache doesn't have a hostname configured
  • Tuned verbosity of Alarm.py