-
Notifications
You must be signed in to change notification settings - Fork 372
/
releasenotes.txt
169 lines (140 loc) · 9.97 KB
/
releasenotes.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
RedELK release notes
### version 2.0.0 BETA6
* New alarm: alarm when traffic is hit to any redir backend that has 'alarm' in it. Allows for flexibility in smarter redir logic.
* Chained X-Forwarded-For IPs are now also stored, in field source.ip_otherproxies in redirtraffic index
* Outflank Security Tooling specific: Stage1 C2 operator name recorded
* Outflank Security Tooling specific: Data from BlueCheck CertCheck, BlueCheck PasswordChangeCheck and BlueCheck SecurityToolCheck now properly stored in ElasticSearch.
* LogStash config now mounted by default, allowing for easier modification of the config.
* Template updates.
* Fixed bug on storage of www-data/c2logs directory
* Fixed bug to make email alarms working again
* Several smaller bugfixes
### version 2.0.0 BETA5
* log4shell fix: bumped ELK stack to 7.16.3
* Further Docker and memory tunings
* Moved Greynoise support to community API and allowing a custom API key in config file
* Fixed bug on updated API for VirusTotal and IBM X-Force alarms
* Fixed bug to make domain classifications via Chameleon.py work again.
* Moved Filebeat config files to config directory for easier support of multiple C2s on same machine
* Installer script enhancement, a.o. to check if accounts already exist on elkserver
* Numerous enhancement for easier development, e.g. pylint and Kibana port accessible from localhost
* Many bug fixes
### version 2.0.0 BETA4
* Many bug fixes
* Migrated background enrichment and alarm scripts to new modular setup
* Added support for Cobalt Strike 4.2 and 4.3
* Added sample data ingestor when running in dev mode
* Made sure Kibana searches Red Team Operations and Redirector Traffic are presented on top of list
* Included an ES password import for Jupyter notebooks
* Maximized the logging of docker logs
* Migrated to official Neo4j container instead of old BloodHound container
* Updated the RedELK Kibana app to include management of IP lists inside Kibana
### version 2.0.0 BETA3
* Dockerized the installation on the elkserver components
* Enabled X-pack on ELK stack
* RedELK Kibana app is included by default
* New format for alarm emails
* Structured and increased configurable options in redelk config file config.json
* Restructured enrich and alarm python scripts
* Added rudimentary uninstall scripts for redirs, c2servers and elkserver
### version 2.0 BETA2
* Elastic stack upgraded to version 7.9.2
* Added nginx availability of Neo4J Browser
* Dashboard overview now has separate list of 'external' tools, i.e. ATT&CK Navigator, Jupyter Notebooks and Neo4J Browser
* Restructuring of python scripts for alarming; now has a modular setup
* Added support for Alarms via Microsoft Teams
* Overall python scripts clean up
* Removed Docker 19.x specific commands to support ao Debian 10
* More settings configurable via alarm.json.config file, e.g. ES connections tring
* elkinstaller script bugfixes
### version 2.0 BETA1
* Elastic stack upgraded to version 7.8
* Use Elasticsearch ILM to manage indices
* Elastic stack field naming overhaul:
- Indices rtops and beacondb (now implantsdb) are now C2 framework agnostic instead of Cobalt Strike terms specific
- Field names adhere to ECS naming standard as much as possible
- Field names and their types are now defined in ES templates and Kibana index patterns
- Documented all field in names and types
* First step of support for PoshC2 C2 framework. Thanks @benpturner for the heavy lifting
* Offensive hunting tools are now installed on the RedELK server
- Neo4J for BloodHound integration
- Jupyter notebooks for custom searching and data handling
- These two are installed by default unless you pass the 'limited' parameter to the elkserver installer
- Elkserver installer is now aware of amount of memory and adjusts memory settings of ES, NEO4j and ES to optimized values.
* Cobalt Strike specific changes:
- Support for Cobalt Strike 4.1
- Credentials store is periodically read, parsed and sent to the RedELK server where it is stored in a new index called credentials.
- Ssh beacon logs are now also ingested
- CS listener info is also parsed and stored
Other:
- Outflank PS-Tools output is now parsed and stored in extra fields inside the rtops index
- Integrated and adjusted chameleon.py (thanks @DomChell) for performing domain classification checks
- Emails from IMAP mailboxes can now be ingested and displayed in RedELK
- Added several dashboards, visualisations and searches
- added Useragent info to incoming traffic on redirectors
Bugfixes:
- Fixed double space bug in Apache catch-all Grok rule
- Fix for incorrect GeoIP ASN lookup when using an CDN
- Fixed several parsing bugs for CS
- Fixed several parsing bugs for HAProxy
### version 1.1
* Added support for Cobalt Strike 4.1. Thanks to @fastlorenzo
* HTTP status code parsing improved to better handle non-RFC approved logging by some redir programs
* Fix for supporting underscores in hostnames, although not allowed by RFC. Thanks to @jaredhaight
### version 1.0.3
* Added support for Nginx redirectors thanks to @sunnyneo
### version 1.0.2
* Fixed silly bug in enrich.py that disabled Greynoise enrichment
### version 1.0.1
* Fixed bug in logstash filter rule when Apache doesn't have a hostname configured
* Tuned verbosity of Alarm.py
### version 1.0
* Support for Apache redirectors
* Support for Cobalt Strike 4.0
* Fixed bug in useragent alarm, now uses config file as input
* Added example configurations for HAProxy and Apache that show how to setup the logging required for RedELK
* Added example Cobalt Strike Mallable profile that works with the example configs of Apache and HAProxy
* Added RedELKFieldnames.md with detailed info on the field names in RedELK
* ES index haproxytraffic renamed to redirtraffic to better suit the support for Apache (and future redirectors)
* ES field name overhaul to better suit the support for Apache
* Renamed of Kibana views, visualisations and dashboards for better usability, i.e. Redirector Traffic, Red Team Operations, CS Downloads, CS Keystrokes, CS IOCs, CS Screenshots and CS Beacons.
* Adjustment of logstash filter rules to support the aforementioned renaming as well as Apache.
* Adjusting enrichment and alarming python scripts to support the aforementioned renaming.
* Changed alarm script to use redir destination c2* instead of cobaltstrike*
* Minor changes to type definitions of fields, e.g. IPs now stored as IP instead of string.
* Explicit check and quit with error for non-apt based distributions during installation.
* Redir installation script now checks for presence /etc/logrotate.d/haproxy before trying to adjust it.
* Dozens of minor changes
### version 0.9
* Support for Cobalt Strike 3.14
* Upgraded jvm to OpenJDK 11.0
* Upgraded Filebeat, Elasticsearch, Logstash and Kibana to 6.8.2
* Support for Cobalt Strike Downloads: downloaded files from each teamserver can be searched and downloaded directly from the RedELK Kibana interface. No more need to login to each teamserver to search and download files.
* Support for MITRE ATT&CK numbers in Cobalt Strike's task output. This is indexed as field "attack_technique". Fancy visuals are not yet included in this release.
* New alarm: rogue user-agents that connect to your C2 backend. Basic list (e.g. curl*, python*) is pre populated on /etc/redelk/rogue_useragents.conf
* Support for Cobalt Strike SMB and TCP type beacons. Regardless of type (SMB or TCP) linked beacons are now tracked in ES field 'beacon_linked' (true/false). Parent or child state is tracked in the field 'beacon_linkmode' (child or parent) and IP address of the parent/child is tracked in the fields 'target_linkparentnode' and 'target_linkchildnode'.
* Full support for changed logging in Cobalt Strike version 3.14. This includes more log files, structured time format logging as well as changed timestamp to now include (UTC) time zone. Thanks @fastlorenzo for quick fix on the time zone part.
* Modified hyperlinks in Kibana to screenshots, log files, etc. to include the new timestamp as used in Cobalt Strike version 3.14.
* Cobalt Strike profiles are rsynced to RedELK server. Interpretation and full inclusion in RedELK is to be done at a later moment.
* Much improved error checking and reporting in installation scripts.
* Installer now checks state of Kibana before continuing and inserting templates.
* Improved pre-install checks, e.g. already installed packages and existing directories.
* Version of ELK packages is fixed instead of installing the latest available version.
* Installer now better states essential manual post-installation steps.
* Fixed bug that made installers crash with 'unsupported locale settings' in some circumstances. Locale is now set explicitly during installation.
* Ownership and permission of logstash certificates are now set to work on Ubuntu 18.04 and higher.
* Modified Cobalt Strike logstash rules to use UTC instead of system's time zone.
* Fixed bugs in ES template to now have every IP address defined as type IP address.
* Many, many under the hood optimizations and bugfixes of python scripts used for enrichment and alarming.
* Added tracking of IP addresses for which alarms are sent; 1 alarm per applicable IP address.
* RedELK now tracks abuse.ch for known botnet IP addresses SSL certs of botnets. Data goes to /etc/redelk/abuse*.conf files. Alarming to be done in later release.
# RedELK now tracks multiple sources for known rogue domain names. Data goes to /etc/redelk/roguedomains.conf. Alarming to be done in later release.
### Version 0.8
* Default Kibana index is now set during installation - thanks @neu5ron
* Fixed installer bug in copying logstash certificates directory - thanks @justsly
* Fixed bug in redirector logstash rule, useragent regex was missing - thanks @justsly
* Multiple typos and errors in installation scripts - thanks @justsly and @fastlorenzo
* Significant addition of known AV username-hostname combinations
* Date header added to sending of emails - thanks @fastlorenzo
* Reformat of TOR exit node IP list for easier interpretation
### Version 0.7 - initial public version