Merge pull request #310 from OG-Sadpanda/master

RedELK Modification to Support Cobaltstrike 4.10
outflanknl · Sep 10, 2024 · eee9963 · eee9963
2 parents 4b39f72 + 18c5ef4
commit eee9963
Show file tree

Hide file tree

Showing 7 changed files with 19 additions and 18 deletions.
diff --git a/c2servers/cron.d/redelk_cobaltstrike b/c2servers/cron.d/redelk_cobaltstrike
@@ -10,8 +10,8 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
 # Command to sync the logs from cobaltstrike to our scponly user's home directory
 # m h dom mon dow user command
-* * * * * root /usr/bin/rsync -rvx --append-verify --delete /root/cobaltstrike/logs /home/scponly/cobaltstrike/; /bin/chown -R scponly:scponly /home/scponly/cobaltstrike/*
+* * * * * root /usr/bin/rsync -rvx --append-verify --delete /root/cobaltstrike/server/logs /home/scponly/cobaltstrike/; /bin/chown -R scponly:scponly /home/scponly/cobaltstrike/*
 * * * * * root /usr/bin/rsync -rvx --append-verify --delete /root/cobaltstrike/profiles /home/scponly/cobaltstrike/; /bin/chown -R scponly:scponly /home/scponly/cobaltstrike/*
-* * * * * root /usr/bin/rsync -rvx --append-verify --delete /root/cobaltstrike/data /home/scponly/cobaltstrike/; /bin/chown -R scponly:scponly /home/scponly/cobaltstrike/*
+* * * * * root /usr/bin/rsync -rvx --append-verify --delete /root/cobaltstrike/server/data /home/scponly/cobaltstrike/; /bin/chown -R scponly:scponly /home/scponly/cobaltstrike/*
 * * * * * root /usr/share/redelk/bin/export_cobaltstrikedata.sh
 * * * * * root /usr/share/redelk/bin/copydownloads_cobaltstrike.sh
diff --git a/c2servers/filebeat/inputs.d/filebeat_cobaltstrike.yml b/c2servers/filebeat/inputs.d/filebeat_cobaltstrike.yml
@@ -3,7 +3,7 @@
  enabled: true
  fields_under_root: true
  paths:
- - /root/cobaltstrike/logs/*/events.log
+ - /root/cobaltstrike/server/logs/*/events.log
  fields:
  infra:
  attack_scenario: @@ATTACKSCENARIO@@
@@ -19,7 +19,7 @@
  enabled: true
  fields_under_root: true
  paths:
- - /root/cobaltstrike/logs/*/weblog*
+ - /root/cobaltstrike/server/logs/*/weblog*
  fields:
  infra:
  attack_scenario: @@ATTACKSCENARIO@@
@@ -35,7 +35,7 @@
  enabled: true
  fields_under_root: true
  paths:
- - /root/cobaltstrike/logs/*/downloads.log
+ - /root/cobaltstrike/server/logs/*/downloads.log
  fields:
  infra:
  attack_scenario: @@ATTACKSCENARIO@@
@@ -51,7 +51,7 @@
  enabled: true
  fields_under_root: true
  paths:
- - /root/cobaltstrike/data/export_credentials.tsv
+ - /root/cobaltstrike/server/data/export_credentials.tsv
  fields:
  infra:
  attack_scenario: @@ATTACKSCENARIO@@
@@ -68,8 +68,8 @@
  enabled: true
  fields_under_root: true
  paths:
- - /root/cobaltstrike/logs/*/*/beacon_*.log
- - /root/cobaltstrike/logs/*/*/ssh_*.log
+ - /root/cobaltstrike/server/logs/*/*/beacon_*.log
+ - /root/cobaltstrike/server/logs/*/*/ssh_*.log
  # Since Cobalt Strike version 3.14 the time format in the logs is changed. Here we use regex 'or' function (expr1)|(expr2) to match new or old format
  multiline.pattern: '(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\sUTC\s\[)|(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\s\[)' # match "06/19 12:32:56 UTC [" or "06/19 12:32:56 ["
  multiline.negate: true
@@ -90,7 +90,7 @@
  enabled: true
  fields_under_root: true
  paths:
- - /root/cobaltstrike/logs/*/*/keystrokes/keystrokes_*.txt
+ - /root/cobaltstrike/server/logs/*/*/keystrokes/keystrokes_*.txt
  # Since Cobalt Strike version 3.14 the time format in the logs is changed. Here we use regex 'or' function (expr1)|(expr2) to match new or old format
  multiline.pattern: '(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\sUTC\s\[)|(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\s\[)' # match "06/19 12:32:56 UTC [" or "06/19 12:32:56 ["
  multiline.negate: true
@@ -111,7 +111,7 @@
  enabled: true
  fields_under_root: true
  paths:
- - /root/cobaltstrike/logs/*/*/screenshots.log
+ - /root/cobaltstrike/server/logs/*/*/screenshots.log
  # Since Cobalt Strike version 3.14 the time format in the logs is changed. Here we use regex 'or' function (expr1)|(expr2) to match new or old format
  multiline.pattern: '(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\sUTC\s\[)|(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\s\[)' # match "06/19 12:32:56 UTC [" or "06/19 12:32:56 ["
  multiline.negate: true

diff --git a/c2servers/scripts/copydownloads_cobaltstrike.sh b/c2servers/scripts/copydownloads_cobaltstrike.sh
@@ -13,11 +13,11 @@ mkdir -p /home/scponly/cobaltstrike/downloads >> $LOGFILE 2>&1
 
 echo "`date` # Start CS downloads copy" >> $LOGFILE 2>&1
 
-for fileid in $(ls /root/cobaltstrike/downloads/ | grep -v '\.'); do
- orifilename=`grep -rn $fileid /root/cobaltstrike/logs/*/downloads.log|awk 'BEGIN {FS="\t"}; {print $6}'`
+for fileid in $(ls /root/cobaltstrike/server/downloads/ | grep -v '\.'); do
+ orifilename=`grep -rn $fileid /root/cobaltstrike/server/logs/*/downloads.log|awk 'BEGIN {FS="\t"}; {print $6}'`
  if [ -z "$orifilename" ]; then orifilename="filenameunknown"; fi
  if [ ! -f "/home/scponly/cobaltstrike/downloads/${fileid}_${orifilename}" ]; then
- cp /root/cobaltstrike/downloads/${fileid} "/home/scponly/cobaltstrike/downloads/${fileid}_${orifilename}"
+ cp /root/cobaltstrike/server/downloads/${fileid} "/home/scponly/cobaltstrike/downloads/${fileid}_${orifilename}"
  chown scponly:scponly "/home/scponly/cobaltstrike/downloads/${fileid}_${orifilename}"
  fi
 done

diff --git a/c2servers/scripts/export_cobaltstrikedata.sh b/c2servers/scripts/export_cobaltstrikedata.sh
@@ -8,7 +8,7 @@
 #
 
 LOGFILE="/var/log/redelk/exportcobaltstrikesdata.log"
-CSDIR="/root/cobaltstrike"
+CSDIR="/root/cobaltstrike/server"
 
 echo "`date` ######## Start CS data export" >> $LOGFILE 2>&1
 

diff --git a/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makebeaconlogpath.rb b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makebeaconlogpath.rb
@@ -8,7 +8,7 @@
 def filter(event)
  host = event.get("[agent][name]")
  logpath = event.get("[log][file][path]")
- temppath = logpath.split('/cobaltstrike')
+ temppath = logpath.split('/cobaltstrike/server')
  implantlogpath = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath[1]}"
  event.tag("_rubyparseok")
  event.set("[implant][log_file]", implantlogpath)

diff --git a/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makekeystrokespath.rb b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makekeystrokespath.rb
@@ -11,9 +11,10 @@ def filter(event)
  logpath = event.get("[log][file][path]")
  implant_id = event.get("[implant][id]")
  desktop_session = event.get("[keystrokes][desktop_session]")
- temppath = logpath.split('/cobaltstrike')
+ temppath = logpath.split('/cobaltstrike/server')
  temppath2 = temppath[1].split(/\/([^\/]*)$/)
- keystrokespath = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/keystrokes_" + "#{implant_id}" + "." + "#{desktop_session}" + ".txt"
+ filename = temppath2[1]
+ keystrokespath = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/" + "#{filename}"
  event.tag("_rubyparseok")
  event.set("[keystrokes][url]", keystrokespath)
  return [event]

diff --git a/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makescreenshotpath.rb b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makescreenshotpath.rb
@@ -10,7 +10,7 @@ def filter(event)
  host = event.get("[agent][name]")
  logpath = event.get("[log][file][path]")
  filename = event.get("[screenshot][file_name]")
- temppath = logpath.split('/cobaltstrike')
+ temppath = logpath.split('/cobaltstrike/server')
  temppath2 = temppath[1].split(/\/([^\/]*)$/)
  screenshoturl = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/screenshots/"+ "#{filename}"
  thumburl = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/screenshots/"+ "#{filename}" + ".thumb.jpg"