
Automate searching for valuable info in downloaded files and keystrokes #45

Open
MarcOverIP opened this issue Aug 14, 2020 · 1 comment
Labels: enhancement (New feature or request), help wanted (Extra attention is needed)

Comments

@MarcOverIP
Member

Can we automate searching for valuable strings in downloaded files? E.g. password, pwd, connectionstring, etc.? Possibly make an extra config file in /etc/redelk/loot.conf (or any other better name) where the operator can enter other terms he may be interested in, e.g. in case of local language translations for 'password'.

Questions that come up thinking about this:

  1. Do we store in an extra index, e.g. called loot? I think this is not necessarily required, although I'm OK if it does.
  2. Do you want an alarm every time something is found, or will this potentially overload you with alarms?
  3. How do we technically do this? Perhaps a simple local (python) script that periodically scans the downloaded files directory, excludes c2implant logs, and outputs to a log file that is ingested by logstash on the redelk server?
  4. Can we do the same for logged keystrokes? One thing that we do want to have in the keystroke loot checking is the title of the screen where the interesting data was found, and/or the content of the keystroke log when the interesting data was the name of a program you are interested in, e.g. content that was entered in a keepass window.
  5. How can we set this up as much C2 dependent as possible?
@MarcOverIP added the enhancement and help wanted labels Aug 14, 2020
@fastlorenzo
Collaborator

I would say regex parsing could be interesting on new keystroke/download (can be filtered by tagging the ones already looted).

  1. I would add a flag/field in the existing rtops-* index
  2. We could have an "aggregated" alarm that only alerts every x (hours, days, whatever you prefer) on all findings
  3. Python script sounds like a good plan, maybe it could interact with ES to check if a download has been gathered, then check if the local file already exists otherwise try on next run
  4. Maybe we could extract the title of the screen and put it in a field in the index (I started doing it for the Empire implementation I'm working on)
  5. Difficult to say for now, maybe let's try to implement with CS first and then try with other C2?
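The scanner sketched in both comments above (a local Python script that periodically walks the downloads directory, skips c2implant logs, matches operator-configurable terms, only loots each file once, keeps the window title for keystroke hits, and writes a log file for logstash) as an added, runnable example. This is not RedELK code and nothing here comes from the project: the config format (one term per line), the keystroke-log title marker `[Window Title]`, the `keystroke`/`c2implant` file-name conventions, the JSON field names and the state-file mechanism are all assumptions made for the example; the sample loot files it writes are constructed.

```python
"""Added example (not RedELK code): a periodic loot scanner along the lines proposed
in this issue. Terms come from a config file (assumed: one per line), c2implant logs
are skipped, each file is looted once (mtimes kept in a state file), keystroke hits
carry the window title, and hits are appended as JSON lines for logstash to ingest."""
import json
import re
from pathlib import Path

DEFAULT_TERMS = ["password", "pwd", "connectionstring"]   # terms named in the issue
DEFAULT_PROGRAMS = ["keepass"]                            # windows of interest (assumed)
TITLE_RE = re.compile(r"^\[(?P<title>[^\]]+)\]\s*$")      # assumed keystroke-log title marker


def load_terms(config_path, defaults=DEFAULT_TERMS):
    """Defaults plus operator terms (e.g. local-language words for 'password')."""
    terms = list(defaults)
    p = Path(config_path)
    if p.is_file():
        for line in p.read_text(encoding="utf-8", errors="replace").splitlines():
            term = line.strip()
            if term and not term.startswith("#") and term.lower() not in map(str.lower, terms):
                terms.append(term)
    return terms


def build_pattern(terms):
    # Terms are escaped so a config entry is always a literal keyword, never regex syntax.
    return re.compile("|".join(re.escape(t) for t in terms), re.IGNORECASE)


def scan_download(text, pattern, context=120):
    """One hit per keyword occurrence, with the (truncated) line as context."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in pattern.finditer(line):
            hits.append({"kind": "download", "line": lineno,
                         "term": m.group(0).lower(), "context": line.strip()[:context]})
    return hits


def scan_keystrokes(text, pattern, programs=DEFAULT_PROGRAMS, context=120):
    """Keystroke hits keep the current window title; everything typed into a
    window of interest (e.g. KeePass) is a hit even without a keyword."""
    hits, title = [], ""
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = TITLE_RE.match(line)
        if m:
            title = m.group("title")
            continue
        if not line.strip():
            continue
        kw = pattern.search(line)
        prog = next((p for p in programs if p in title.lower()), None)
        if kw or prog:
            hits.append({"kind": "keystrokes", "line": lineno, "window": title,
                         "term": kw.group(0).lower() if kw else prog,
                         "context": line.strip()[:context]})
    return hits


def scan_directory(root, pattern, state_path, loot_log):
    """Loot new or changed files under root, append hits to loot_log as JSON lines,
    and remember mtimes in state_path so already-looted files are skipped next run."""
    state_file = Path(state_path)
    state = json.loads(state_file.read_text()) if state_file.is_file() else {}
    new_hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or "c2implant" in path.name.lower():  # skip implant logs
            continue
        key, mtime = str(path), path.stat().st_mtime
        if state.get(key) == mtime:
            continue                                   # already looted and unchanged
        text = path.read_bytes().decode("utf-8", errors="replace")
        scan = scan_keystrokes if "keystroke" in path.name.lower() else scan_download
        for hit in scan(text, pattern):
            hit["file"] = key
            new_hits.append(hit)
        state[key] = mtime
    with open(loot_log, "a", encoding="utf-8") as f:
        for hit in new_hits:
            f.write(json.dumps(hit) + "\n")
    state_file.write_text(json.dumps(state))
    return new_hits


def write_samples(work):
    """Constructed sample loot (not real data) for a stand-alone run."""
    root = Path(work) / "downloads"
    root.mkdir(exist_ok=True)
    (root / "notes.txt").write_text("db connectionString=Server=x;Password=hunter2\nnothing here\n")
    (root / "keystrokes_host1.txt").write_text("[Notepad]\nhello\n[KeePass - Database.kdbx]\nmaster secret\n")
    (root / "c2implant_123.log").write_text("password in implant log is skipped\n")
    (Path(work) / "loot.conf").write_text("# extra terms\nwachtwoord\n")
    return root


if __name__ == "__main__":
    import tempfile
    work = Path(tempfile.mkdtemp())
    root = write_samples(work)
    pattern = build_pattern(load_terms(work / "loot.conf"))
    for hit in scan_directory(root, pattern, work / "state.json", work / "loot.log"):
        print(json.dumps(hit))
```

Run it periodically (cron or a systemd timer) and point a logstash file input at the loot log; because every hit is one JSON object per line, logstash's json codec turns the `file`, `term`, `window` and `context` fields straight into fields of the event, which is what a flag/field on the existing index or an aggregated alarm would be built from. The state file is what keeps a file from being looted twice; a download that is not on disk yet is simply not in the state and is picked up on the next run.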
