
Support for Covenant C2 framework #23

Open
MarcOverIP opened this issue Feb 17, 2020 · 4 comments
Labels: c2servers (Related to RedELK C2 server components), enhancement (New feature or request), help wanted (Extra attention is needed)

Comments

@MarcOverIP
Member

Have full support for the Covenant C2 framework (https://github.com/cobbr/Covenant).

I will need help from others with understanding the exact way of logging performed by Covenant; I have 0 experience with Covenant.

If Covenant is able to log to text-based log files, it is to be expected that we can align with the current setup for including Cobalt Strike logs in RedELK. That would mean the following things would need to be created:

  1. Filebeat config to read the log file of Covenant on the c2 server
  2. Logstash rules that receive and filter the log lines
  3. Cron scripts running on the c2 server to copy relevant files (screenshots, downloaded files, etc) from the Covenant directory to the /home/scponly directory
  4. Modified rsync script on elkserver to copy files from /home/scponly on c2 server.
  5. Review of field names in rtops- index to check if they are relevant for c2 in general, or (still) are too Cobalt Strike dedicated.
  6. Update on documentation.

My main problem at this moment is that I have no experience with Covenant and don't have access to demo logs that I can test with.

Any help with the above steps is well received. Help with access to demo logs would also work.

@MarcOverIP MarcOverIP added enhancement New feature or request help wanted Extra attention is needed labels Feb 17, 2020
@MarcOverIP MarcOverIP self-assigned this Feb 17, 2020
@fastlorenzo
Collaborator

I did some checks and it looks like Covenant doesn't have text log files; everything is stored in a sqlite file. I also have 0 experience with Covenant, except for the new install I just performed.

We could have 2 options there:

  1. Add support for text logs to Covenant
  2. Make a script that will periodically query the sqlite database and append the changes in a structured manner to a text log file
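
Option 2 above, as an added example that is not part of this issue nor of RedELK's or Covenant's own code: a cron-style exporter that opens the SQLite database read-only, appends only rows newer than a stored watermark as JSON lines (which Filebeat/Logstash can parse directly), and is safe to re-run. The `events` table and its columns are a constructed placeholder, since Covenant's real schema is not shown here.

```python
import json
import sqlite3
import tempfile
from pathlib import Path

# Constructed stand-in for a C2 event table; Covenant's real schema is not shown in the issue.
SCHEMA = "CREATE TABLE IF NOT EXISTS events (id INTEGER PRIMARY KEY, ts TEXT, grunt TEXT, command TEXT)"
DEMO_ROWS = [  # constructed sample rows
    ("2020-02-17T10:00:00Z", "GRUNT-01", "whoami"),
    ("2020-02-17T10:01:00Z", "GRUNT-01", "ps"),
]


def export_new_events(db_path, log_path, state_path):
    """Append rows newer than the stored watermark to log_path as JSON lines.

    Returns the number of rows exported. The watermark (last exported id) lives in
    state_path, so a cron run with no new rows appends nothing and never duplicates lines.
    """
    state = Path(state_path)
    last_id = int(state.read_text()) if state.exists() else 0
    # Open read-only so the exporter can never modify the C2 server's database.
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    conn.row_factory = sqlite3.Row
    rows = conn.execute(
        "SELECT id, ts, grunt, command FROM events WHERE id > ? ORDER BY id", (last_id,)
    ).fetchall()
    conn.close()
    if not rows:
        return 0
    with open(log_path, "a", encoding="utf-8") as fh:
        for row in rows:
            # One JSON object per line: Filebeat can ship it without a custom grok pattern.
            fh.write(json.dumps(dict(row), sort_keys=True) + "\n")
    state.write_text(str(rows[-1]["id"]))  # advance the watermark only after a successful write
    return len(rows)


def run_demo():
    """Populate a throwaway db, export twice, return (first_count, second_count, log_lines)."""
    with tempfile.TemporaryDirectory() as tmp:
        db, log, state = (str(Path(tmp) / n) for n in ("c2.db", "c2.log", "state"))
        conn = sqlite3.connect(db)
        conn.execute(SCHEMA)
        conn.executemany("INSERT INTO events (ts, grunt, command) VALUES (?, ?, ?)", DEMO_ROWS)
        conn.commit()
        conn.close()
        first = export_new_events(db, log, state)
        second = export_new_events(db, log, state)  # nothing new: must append nothing
        return first, second, Path(log).read_text(encoding="utf-8").splitlines()
```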

@MarcOverIP
Member Author

My preference would be to keep the way of logging part of the codebase of the actual C2 itself and not part of RedELK, just as with the other C2s that RedELK supports. That would mean your option 1. All the other steps from my initial post are then still left on the RedELK side.

It would make sense to make an issue on the Covenant side, so I did: cobbr/Covenant#221

@MarcOverIP
Member Author

Update: the roadmap for the 0.7 release of Covenant now includes extra logging. When that is out, we can start working on the RedELK side.

@fastlorenzo
Collaborator

Awesome, that'd be great to have in. I'll work on it when it's released.

This was referenced Oct 7, 2020
@fastlorenzo fastlorenzo added the c2servers Related to RedELK C2 server components label May 27, 2021