
Added filebeat configuration for Havoc C2 logs #311

Open · wants to merge 2 commits into master

Conversation

dazzyddos

This pull request adds a basic Filebeat configuration (filebeat_havoc.yml) for capturing logs from the Havoc C2 (https://github.com/HavocFramework/Havoc)

  • Captures logs from agent consoles located at /opt/Havoc/data/loot/*/agents/*/Console_*.log
  • Captures logs from the teamserver located at /opt/Havoc/data/loot/*/teamserver.log

@github-actions github-actions bot added the c2servers Related to RedELK C2 server components label Jul 27, 2024
@MarcOverIP (Member)

Cool stuff. I'm happy seeing that somebody is taking the time and effort to do this for Havoc!

A few notes:

  • The infra.attacks_scenario needs to be set to @@ATTACKSCENARIO@@
  • The installer file needs to be double checked to see if it parses this file as well - could be, I didn't check
  • Is this data being put into Elasticsearch by Logstash? I see no Logstash format file so no enrichment is performed, not even setting of the correct timestamp (there can be a mismatch between the timestamp of Havoc and of ELK stack, the latter is used by default).
