Version 2.0 BETA1

First BETA release of the new version 2.

RedELK release notes

version 2.0 BETA1

• Elastic stack upgraded to version 7.8
• Use Elasticsearch ILM to manage indices
• Elastic stack field naming overhaul:
  • Indices rtops and beacondb (now implantsdb) are now C2 framework agnostic instead of Cobalt Strike terms specific
  • Field names adhere to ECS naming standard as much as possible
  • Field names and their types are now defined in ES templates and Kibana index patterns
  • Documented all field in names and types
• First step of support for PoshC2 C2 framework. Thanks @benpturner for the heavy lifting
• Offensive hunting tools are now installed on the RedELK server
  • Neo4J for BloodHound integration
  • Jupyter notenbooks for custom searching and data handling
  • These two are installed by default unless you pass the 'limited' parameter to the elkserver installer
  • Elkserver installer is now aware of amount of memory and adjusts memory settings of ES, NEO4j and ES to optimized values.
• Cobalt Strike specific changes:
  • Support for Cobalt Strike 4.1
  • Credentials store is periodically read, parsed and sent to the RedELK server where it is stored in a new index called credentials.
  • Ssh beacon logs are now also ingested
  • CS listener info is also parsed and stored
    Other:
  • Outflank PS-Tools output is now parsed and stored in extra fields inside the rtops index
  • Integrated and adjusted chameleon.py (thanks @DomChell) for performing domain classification checks
  • Emails from IMAP mailboxes can now be ingested and dispalyed in RedELK
  • Added several dashboards, vizualisations and searches
  • added Useragent info to incoming traffic on redirectors
    Bugfixes:
  • Fixed double space bug in Apache catch-all Grok rule
  • Fix for incorrect GeoIP ASN lookup when using an CDN
  • Fixed several parsing bugs for CS
  • Fixed several parsing bugs for HAProxy