1.0 Release

RedELK Version 1.0 release notes:

• Support for Apache redirectors
• Support for Cobalt Strike 4.0
• Fixed bug in useragent alarm, now uses config file as input
• Added example configurations for HAProxy and Apache that show how to setup the logging required for RedELK
• Added example Cobalt Strike Mallable profile that works with the example configs of Apache and HAProxy
• Added RedELKFieldnames.md with detailed info on the field names in RedELK
• ES index haproxytraffic renamed to redirtraffic to better suit the support for Apache (and future redirectors)
• ES field name overhaul to better suit the support for Apache
• Renamed of Kibana views, visualisations and dashboards for better usability, i.e. Redirector Traffic, Red Team Operations, CS Downloads, CS Keystrokes, CS IOCs, CS Screenshots and CS Beacons.
• Adjustment of logstash filter rules to support the aforementioned renaming as well as Apache.
• Adjusting enrichment and alarming python scripts to support the aforementioned renaming.
• Changed alarm script to use redir destination c2* instead of cobaltstrike*
• Minor changes to type definitions of fields, e.g. IPs now stored as IP instead of string.
• Explicit check and quit with error for non-apt based distributions during installation.
• Redir installation script now checks for presence /etc/logrotate.d/haproxy before trying to adjust it.
• Dozens of minor changes

0.9 Relase

RedELK release notes

version 0.9

• Support for Cobalt Strike 3.14
• Upgraded jvm to OpenJDK 11.0
• Upgraded Filebeat, Elasticsearch, Logstash and Kibana to 6.8.2
• Support for Cobalt Strike Downloads: downloaded files from each teamserver can be searched and downloaded directly from the RedELK Kibana interface. No more need to login to each teamserver to search and download files.
• Support for MITRE ATT&CK numbers in Cobalt Strike's task output. This is indexed as field "attack_technique". Fancy visuals are not yet included in this release.
• New alarm: rogue user-agents that connect to your C2 backend. Basic list (e.g. curl*, python*) is pre populated on /etc/redelk/rogue_useragents.conf
• Support for Cobalt Strike SMB and TCP type beacons. Regardless of type (SMB or TCP) linked beacons are now tracked in ES field 'beacon_linked' (true/false). Parent or child state is tracked in the field 'beacon_linkmode' (child or parent) and IP address of the parent/child is tracked in the fields 'target_linkparentnode' and 'target_linkchildnode'.
• Full support for changed logging in Cobalt Strike version 3.14. This includes more log files, structured time format logging as well as changed timestamp to now include (UTC) time zone. Thanks @fastlorenzo for quick fix on the time zone part.
• Modified hyperlinks in Kibana to screenshots, log files, etc. to include the new timestamp as used in Cobalt Strike version 3.14.
• Cobalt Strike profiles are rsynced to RedELK server. Interpretation and full inclusion in RedELK is to be done at a later moment.
• Much improved error checking and reporting in installation scripts.
• Installer now checks state of Kibana before continuing and inserting templates.
• Improved pre-install checks, e.g. already installed packages and existing directories.
• Version of ELK packages is fixed instead of installing the latest available version.
• Installer now better states essential manual post-installation steps.
• Fixed bug that made installers crash with 'unsupported locale settings' in some circumstances. Locale is now set explicitly during installation.
• Ownership and permission of logstash certificates are now set to work on Ubuntu 18.04 and higher.
• Modified Cobalt Strike logstash rules to use UTC instead of system's time zone.
• Fixed bugs in ES template to now have every IP address defined as type IP address.
• Many, many under the hood optimizations and bugfixes of python scripts used for enrichment and alarming.
• Added tracking of IP addresses for which alarms are sent; 1 alarm per applicable IP address.
• RedELK now tracks abuse.ch for known botnet IP addresses SSL certs of botnets. Data goes to /etc/redelk/abuse*.conf files. Alarming to be done in later release.
• RedELK now tracks multiple sources for known rogue domain names. Data goes to /etc/redelk/roguedomains.conf. Alarming to be done in later release.

v0.8.0-beta

Mainly small bug fixes and updates to the install scripts to get to a ready-state for release.

Change log:

• Several typo's in text and logic operators in install scripts. A big thank you to fastlorenzo, erjanmx and justsly for their pull request, and neu5ron for his suggestions.
• Install-teamserver.sh no longer overwrites /etc/cron.d/redelk - great for reinstall on teamservers where you modified the cron job to your liking.
• Updated each install script to have a 'pre install check': a check on blocking issues before installation can continue.
• Updated each install script to have a final check on 'ERROR' in the log file and report if such is the case.
• Explicit declaration of the versions of the filebeat, logstash, elasticsearch and kibana components that will be installed, currently set to 6.4.1.
• Inserted check for Kibana being up and reachable before inserting the templates.
• Kibana default Index is now set as part of the installation.