
Support for Empire C2 #203

Open
Cx01N opened this issue Oct 9, 2021 · 2 comments
Labels: c2servers (Related to RedELK C2 server components), enhancement (New feature or request)

Comments

@Cx01N

Cx01N commented Oct 9, 2021

Hubble and I are the developers for Empire and are interested in supporting the development of RedELK. We saw that you have some basic support for logs and are interested in helping expand support. Where could we be most helpful?

@Hubbl3

Hubbl3 commented Oct 9, 2021

I'm in too!

@MarcOverIP
Member

Hi, I'm Marc and I am an idiot :) I typed in the wrong C2 name when I said there is basic support of Empire. I meant PoshC2.

That having been said, if you are willing to help, the following steps are the way to go:
Start with basic support:

  1. Empire needs to generate sufficient logging of the most important actions. How much is sufficient? Cobalt Strike is a decent example of the amount of info. You can check here for the list of fields that RedELK understands for c2 logs. The more Empire supports, the better. Some of these fields can be considered too much for basic support, e.g. creds.*, c2.listener.* and screenshot.*
  2. On the c2 server side we need to make sure the logs of Empire are ingested by the RedELK component running on the c2 server. We do this by creating a filebeat config file with the correct parameters. You can check here for a few examples.
  3. On the ELK server side the logs need to be parsed. We do this with Logstash. So we need to create logstash filter rules. This is where the field list of step 1 comes into play. See the Cobalt Strike one as an example.

Full Support

  1. On the c2 server side a cron job runs that copies some basic log files from the source C2 dir to a dedicated directory. This dedicated dir later gets synced back to the RedELK server for easy viewing of the full log files straight from the Kibana interface. See example here.
  2. Same as the previous step, we might need extra scripts to gather other relevant data from your C2. This depends on the C2. Some examples here.
  3. On the RedELK server side we want some scripts for Logstash to insert URL paths for the extra fun things like screenshots, keylog transcripts, credentials, etc. Some examples here.
  4. Revisit the fields skipped in step 3 to make sure we get maximum value from the logs.

Now, this isn't too hard if you have some experience with the ELK stack. And the examples can be very valuable. So you might be able to produce this all yourself. Of course we're here for questions.

But the most important thing that I cannot influence is number 1 of the list above: the amount of logging that Empire emits. Could you perhaps give a few examples of logs that Empire emits?
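As an added illustration of step 3 of the basic-support list (parsing C2 log lines into the fields RedELK can index), here is a small Python parser that is not code from the RedELK or Empire projects. The log layout in SAMPLE_LOG is constructed for this example and is not Empire's real format; the dotted field names other than the creds.*, c2.listener.* and screenshot.* families named in the comment above are hypothetical stand-ins for whatever the RedELK field list defines. A Logstash grok filter would do the same job in production; the point here is that every line either maps cleanly onto named fields or is counted as skipped, so malformed lines surface instead of vanishing.

```python
import re
from datetime import datetime, timezone

# Constructed sample log (an assumption for this example, not Empire's format).
# The last line is deliberately malformed to exercise the skip path.
SAMPLE_LOG = """\
2021-10-09 14:03:11 [agent:ABC123] checkin from 10.0.0.5 via listener http_main
2021-10-09 14:05:42 [agent:ABC123] tasked: shell whoami
2021-10-09 14:05:44 [agent:ABC123] result: DESKTOP-X\\user
2021-10-09 14:06:10 [agent:ABC123] screenshot saved downloads/ABC123/shot_001.png
garbage line that matches no known layout
"""

# One regex for the common prefix (timestamp, agent id, event type) and the
# free-text remainder; event-specific regexes pick extra fields out of the rest.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[agent:(?P<agent>\w+)\] "
    r"(?P<event>checkin|tasked|result|screenshot):? (?P<rest>.*)$"
)
CHECKIN_RE = re.compile(r"from (?P<ip>[\d.]+) via listener (?P<listener>\S+)")
SCREENSHOT_RE = re.compile(r"saved (?P<path>\S+)")


def parse_line(line):
    """Map one log line onto dotted field names.

    Returns None when the line does not fit the expected layout so the caller
    can count skipped lines rather than silently dropping them.
    """
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    doc = {
        "@timestamp": ts.isoformat(),
        "c2.program": "empire",      # hypothetical field name
        "c2.log.type": m["event"],   # hypothetical field name
        "implant.id": m["agent"],    # hypothetical field name
        "c2.message": m["rest"],     # hypothetical field name
    }
    if m["event"] == "checkin":
        c = CHECKIN_RE.search(m["rest"])
        if c:
            doc["host.ip"] = c["ip"]                   # hypothetical field name
            doc["c2.listener.name"] = c["listener"]    # c2.listener.* family from the thread
    elif m["event"] == "screenshot":
        s = SCREENSHOT_RE.search(m["rest"])
        if s:
            doc["screenshot.path"] = s["path"]         # screenshot.* family from the thread
    return doc


def parse_log(text):
    """Parse a whole log; returns (documents, skipped_line_count)."""
    docs, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        doc = parse_line(line)
        if doc is None:
            skipped += 1
        else:
            docs.append(doc)
    return docs, skipped


if __name__ == "__main__":
    import json
    documents, skipped_lines = parse_log(SAMPLE_LOG)
    for d in documents:
        print(json.dumps(d))
    print(f"skipped {skipped_lines} unparsable line(s)")
```

Run it as a script to see one JSON document per parsed line plus the count of lines that did not match; when porting the idea to Logstash, the skipped count is the metric worth alerting on, since a format change in the C2's logging will show up there first.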

@fastlorenzo fastlorenzo added the enhancement New feature or request label Dec 7, 2021
@MarcOverIP MarcOverIP changed the title Enhanced Support for Empire C2 Support for Empire C2 Jan 13, 2022
@MarcOverIP MarcOverIP added the c2servers Related to RedELK C2 server components label Jan 13, 2022
No branches or pull requests

4 participants