Tuning pull request #25 for poshc2 support

teamservers/cron.d/redelk → c2servers/cron.d/redelk_cobaltstrike

@@ -1,6 +1,6 @@
 #
 # Part of RedELK
-# cron.d script for periodic actions related to RedELK
+# cron.d script for periodic actions related to RedELK and Cobalt Strike
 #
 # Author: Outflank B.V. / Marc Smeets 
 #
@@ -12,4 +12,4 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 # m h dom mon dow user  command
 * * * * * root /usr/bin/rsync -ax --delete /root/cobaltstrike/logs /home/scponly/; /bin/chown -R scponly:scponly /home/scponly/*
 * * * * * root /usr/bin/rsync -ax --delete /root/cobaltstrike/profiles /home/scponly/; /bin/chown -R scponly:scponly /home/scponly/*
-* * * * * root /usr/share/redelk/bin/copydownloads.sh
+* * * * * root /usr/share/redelk/bin/copydownloads_cobaltstrike.sh

c2servers/filebeat/filebeat_poshc2.yml

@@ -0,0 +1,30 @@
+filebeat.prospectors:
+- type: log
+  scan_frequency: 5s
+  enabled: true
+  fields_under_root: true
+  paths:
+    - /opt/*/poshc2_server.log
+  include_lines: ['(.*)implant\s+connected:\s+','(0[1-9]|[12]\d|3[01])/(0[1-9]|1[0-2])/[12]\d{3}\s+([0-1][0-9]|[2][0-3]):([0-5][0-9]):([0-5][0-9]):(.*?)','Download\s+file\s+part\s+(.*?)','Screenshot\s+captured:\s+(.*?)','(.*?)\:(.*?)\s+\|\s+Time:(.*?)\s+\|\s+PID:(.*?)\s+\|\s+Sleep:(.*?)\s+\|\s+(.*?)\s+@\s+(.*?)\s+\((.*?)\)\s+\|\s+URL\:(.*?)']
+  fields:
+    infralogtype: rtops
+    pslogtype: events
+
+filebeat.config.modules:
+  path: ${path.config}/modules.d/*.yml
+  reload.enabled: false  
+
+setup.template.settings:
+  index.number_of_shards: 3
+
+name: "@@HOSTNAME@@"
+fields_under_root: true
+fields:
+  attackscenario: @@ATTACKSCENARIO@@
+harvester.limit: 1
+
+output.logstash:
+  hosts: ["@@HOSTANDPORT@@"]
+  ssl.certificate_authorities: ["/etc/filebeat/redelkCA.crt"]
+
+

teamservers/install-teamserver.sh → c2servers/install-c2server-cobaltstrike.sh

@@ -127,7 +127,7 @@ if [ $ERROR -ne 0 ]; then
 fi
 
 echo "Copying new config file"
-cp ./filebeat/filebeat.yml /etc/filebeat/ >> $LOGFILE 2>&1
+cp ./filebeat/filebeat_cobaltstrike.yml /etc/filebeat/ >> $LOGFILE 2>&1
 ERROR=$?
 if [ $ERROR -ne 0 ]; then
     echoerror "Could not copy filebeat config (Error Code: $ERROR)."
@@ -218,8 +218,8 @@ if [ $ERROR -ne 0 ]; then
 fi
 
 echo "Creating crontab for local rscync of cobaltstrike logs"
-if [ ! -f /etc/cron.d/redelk ]; then
-    cp ./cron.d/redelk /etc/cron.d/redelk >> $LOGFILE 2>&1
+if [ ! -f /etc/cron.d/redelk_cobaltstrike ]; then
+    cp ./cron.d/redelk_cobaltstrike /etc/cron.d/redelk_cobaltstrike >> $LOGFILE 2>&1
 fi
 ERROR=$?
 if [ $ERROR -ne 0 ]; then

c2servers/install-c2server-poshc2.sh

@@ -0,0 +1,188 @@
+#!/bin/sh
+#
+# Part of RedELK
+# Script to install RedELK on PoshC2 servers
+#
+# Author: Outflank B.V. / Marc Smeets / @benpturner - Ben Turner
+#
+
+LOGFILE="redelk-install.log"
+INSTALLER="RedELK PoshC2 installer"
+TIMEZONE="Europe/Amsterdam"
+ELKVERSION="6.8.2"
+
+#set locale for current session and default locale
+export LC_ALL="en_US.UTF-8"
+printf 'LANG=en_US.UTF-8\nLC_ALL=en_US.UTF-8\n' > /etc/default/locale >> $LOGFILE 2>&1
+locale-gen >> $LOGFILE 2>&1
+
+echoerror() {
+    printf "`date +'%b %e %R'` $INSTALLER - ${RC} * ERROR ${EC}: $@\n" >> $LOGFILE 2>&1
+}
+
+preinstallcheck() {
+    echo "Starting pre installation checks"
+
+    # Checking if OS is Debian / APT based
+    if [ ! -f  /etc/debian_version ]; then
+        echo "[X] This system does not seem to be Debian/APT-based. RedELK installer only supports Debian/APT based systems."
+        echoerror "System is not Debian/APT based. Not supported. Quitting."
+        exit 1
+    fi
+
+    if [ -n "$(dpkg -s filebeat 2>/dev/null| grep Status)" ]; then
+        INSTALLEDVERSION=`dpkg -s filebeat |grep Version|awk '{print $2}'` >> $LOGFILE 2>&1
+        if [ "$INSTALLEDVERSION" != "$ELKVERSION" ]; then
+            echo "[X] Filebeat: installed version $INSTALLEDVERSION, required version $ELKVERSION. Please fix manually."
+            echoerror "Filebeat version mismatch. Please fix manually."
+            exit 1
+        else
+            echo "[!] Filebeat: required version is installed ($INSTALLEDVERSION). Should be good. Stopping service now before continuing installation."
+            service filebeat stop
+            ERROR=$?
+            if [ $ERROR -ne 0 ]; then
+                echoerror "Could not stop filebeat (Error Code: $ERROR)."
+            fi
+        fi
+    fi
+}
+
+echo "This script will install and configure necessary components for RedELK on PoshC2 servers"
+printf "`date +'%b %e %R'` $INSTALLER - Starting installer\n" > $LOGFILE 2>&1
+
+if ! [ $# -eq 3 ] ; then
+    echo "[X] ERROR Incorrect amount of parameters"
+    echo "[X] require 1st parameter: identifier of this machine to set in filebeat config."
+    echo "[X] require 2nd parameter: attackscenario name."
+    echo "[X] require 3rd parameter: IP/DNS:port where to ship logs to (enter 5044 if you are using default logstash port)."
+    echoerror "Incorrect amount of parameters"
+    exit 1
+fi
+
+preinstallcheck
+
+echo "Setting timezone"
+timedatectl set-timezone $TIMEZONE >> $LOGFILE 2>&1
+ERROR=$?
+if [ $ERROR -ne 0 ]; then
+    echoerror "Could not set timezone (Error Code: $ERROR)."
+fi
+
+echo "Restarting rsyslog deamon for new timezone to take effect"
+service rsyslog restart >> $LOGFILE 2>&1
+ERROR=$?
+if [ $ERROR -ne 0 ]; then
+    echoerror "Could not restart rsyslog deamon (Error Code: $ERROR)."
+fi
+
+echo "Adding GPG key of Elastic"
+wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - >> $LOGFILE 2>&1
+ERROR=$?
+if [ $ERROR -ne 0 ]; then
+    echoerror "Could not add GPG key (Error Code: $ERROR)."
+fi
+
+echo "Installing apt-transport-https"
+apt-get install -y apt-transport-https >> $LOGFILE 2>&1
+ERROR=$?
+if [ $ERROR -ne 0 ]; then
+    echoerror "Could not install apt-transport-https (Error Code: $ERROR)."
+fi
+
+echo "Adding Elastic APT repository"
+if [ ! -f  /etc/apt/sources.list.d/elastic-6.x.list ]; then
+    echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-6.x.list >> $LOGFILE 2>&1
+fi
+ERROR=$?
+if [ $ERROR -ne 0 ]; then
+    echoerror "Could not add APT repository (Error Code: $ERROR)."
+fi
+
+echo "Updating APT"
+apt-get update  >> $LOGFILE 2>&1
+ERROR=$?
+if [ $ERROR -ne 0 ]; then
+    echoerror "Could not update APT (Error Code: $ERROR)."
+fi
+
+echo "Installing filebeat ..."
+apt-get install -y filebeat=$ELKVERSION >> $LOGFILE 2>&1
+ERROR=$?
+if [ $ERROR -ne 0 ]; then
+    echoerror "Could not install filebeat (Error Code: $ERROR)."
+fi
+
+echo "Setting filebeat to auto start after reboot"
+systemctl enable filebeat >> $LOGFILE 2>&1
+ERROR=$?
+if [ $ERROR -ne 0 ]; then
+    echoerror "Could not change auto boot settings (Error Code: $ERROR)."
+fi
+
+echo "Making backup of original filebeat config"
+mv /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.ori >> $LOGFILE 2>&1
+ERROR=$?
+if [ $ERROR -ne 0 ]; then
+    echoerror "Could not make backup (Error Code: $ERROR)."
+fi
+
+echo "Copying new config file"
+cp ./filebeat/filebeat_poshc2.yml /etc/filebeat/ >> $LOGFILE 2>&1
+ERROR=$?
+if [ $ERROR -ne 0 ]; then
+    echoerror "Could not copy filebeat config (Error Code: $ERROR)."
+fi
+
+echo "Copying ca file "
+cp ./filebeat/redelkCA.crt /etc/filebeat/ >> $LOGFILE 2>&1
+ERROR=$?
+if [ $ERROR -ne 0 ]; then
+    echoerror "Could not copy ca file (Error Code: $ERROR)."
+fi
+
+echo "Altering hostname field in filebeat config"
+sed -i s/'@@HOSTNAME@@'/$1/g /etc/filebeat/filebeat.yml  >> $LOGFILE 2>&1
+ERROR=$?
+if [ $ERROR -ne 0 ]; then
+    echoerror "Could not change hostname field in filebeat config (Error Code: $ERROR)."
+fi
+
+echo "Altering attackscenario field in filebeat config "
+sed -i s/'@@ATTACKSCENARIO@@'/$2/g /etc/filebeat/filebeat.yml >> $LOGFILE 2>&1
+ERROR=$?
+if [ $ERROR -ne 0 ]; then
+    echoerror "Could not change attackscenario field in filebeat config (Error Code: $ERROR)."
+fi
+
+echo "Altering log destination field in filebeat config "
+sed -i s/'@@HOSTANDPORT@@'/$3/g /etc/filebeat/filebeat.yml >> $LOGFILE 2>&1
+ERROR=$?
+if [ $ERROR -ne 0 ]; then
+    echoerror "Could not change log destination field in filebeat config (Error Code: $ERROR)."
+fi
+
+echo "Starting filebeat"
+service filebeat start >> $LOGFILE 2>&1
+ERROR=$?
+if [ $ERROR -ne 0 ]; then
+    echoerror "Could not start filebeat (Error Code: $ERROR)."
+fi
+
+echo "Creating RedELK log directory"
+mkdir -p /var/log/redelk >> $LOGFILE 2>&1
+ERROR=$?
+if [ $ERROR -ne 0 ]; then
+    echoerror "Could not create RedELK log directory (Error Code: $ERROR)."
+fi
+
+grep -i error $LOGFILE 2>&1
+ERROR=$?
+if [ $ERROR -eq 0 ]; then
+    echo "[X] There were errors while running this installer. Manually check the log file $LOGFILE. Exiting now."
+    exit
+fi
+
+echo ""
+echo ""
+echo "Done with setup of RedELK on PoshC2 server."
+echo ""

teamservers/scripts/copydownloads.sh → c2servers/scripts/copydownloads_cobaltstrike.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Part of Red ELK
+# Part of RedELK
 # Script to copy downloaded files from the CobaltStrike teamserver's downloads folder to the homedir of the scponly user.
 # It also adds "_orginal file name" to the file name, e.g. 9ce6fbfb1 becomes 9ce6fbfb1_testdoc.txt
 #

initial-setup.sh

@@ -102,15 +102,14 @@ if [ $ERROR -ne 0 ]; then
     echoerror "Could not convert ELK server private key to PKCS8 format(Error Code: $ERROR)."
 fi
 
-echo "Copying certificates to relevant redir and teamserver folders."
+echo "Copying certificates to relevant redir and c2servers folders."
 cp -r ./certs ./elkserver/logstash/ >> $LOGFILE 2>&1
-cp ./certs/redelkCA.crt ./teamservers/filebeat/ >> $LOGFILE 2>&1
-cp ./certs/redelkCA.crt ./poshc2/filebeat/ >> $LOGFILE 2>&1
+cp ./certs/redelkCA.crt ./c2servers/filebeat/ >> $LOGFILE 2>&1
 cp ./certs/redelkCA.crt ./redirs/filebeat/ >> $LOGFILE 2>&1
 
 echo "Creating ssh directories if necessary"
-if [ ! -d "./sshkey" ] || [ ! -d "./elkserver/ssh" ] || [ ! -d "./teamservers/ssh" ] || [ ! -d "./poshc2/ssh" ]; then
-    mkdir -p ./sshkey && mkdir -p ./teamservers/ssh && mkdir -p ./poshc2/ssh && mkdir -p ./elkserver/ssh
+if [ ! -d "./sshkey" ] || [ ! -d "./elkserver/ssh" ] || [ ! -d "./c2servers/ssh" ] ; then
+    mkdir -p ./sshkey && mkdir -p ./c2servers/ssh && mkdir -p ./elkserver/ssh
 fi >> $LOGFILE 2>&1
 ERROR=$?
 if [ $ERROR -ne 0 ]; then
@@ -127,15 +126,13 @@ if [ $ERROR -ne 0 ]; then
 fi
 
 echo "Copying sshkeys to relevant folders."
-cp ./sshkey/id_rsa.pub ./teamservers/ssh/id_rsa.pub >> $LOGFILE 2>&1
-cp ./sshkey/id_rsa.pub ./poshc2/ssh/id_rsa.pub >> $LOGFILE 2>&1
+cp ./sshkey/id_rsa.pub ./c2servers/ssh/id_rsa.pub >> $LOGFILE 2>&1
 cp ./sshkey/id_rsa.pub ./elkserver/ssh/id_rsa.pub >> $LOGFILE 2>&1
 cp ./sshkey/id_rsa ./elkserver/ssh/id_rsa >> $LOGFILE 2>&1
 
 echo "Copying VERSION file to subfolders."
 if [ -f "./VERSION" ]; then
-    cp ./VERSION teamservers/
-    cp ./VERSION poshc2/    
+    cp ./VERSION c2servers/  
     cp ./VERSION elkserver/
     cp ./VERSION redirs/
 fi >> $LOGFILE 2>&1
@@ -159,19 +156,12 @@ ERROR=$?
 if [ $ERROR -ne 0 ]; then
     echoerror "Could not TGZ for redirs directory (Error Code: $ERROR)."
 fi
-if [ ! -f "./teamservers.tgz" ]; then
-    tar zcvf teamservers.tgz teamservers/
+if [ ! -f "./c2servers.tgz" ]; then
+    tar zcvf c2servers.tgz c2servers/
 fi >> $LOGFILE 2>&1
 ERROR=$?
 if [ $ERROR -ne 0 ]; then
-    echoerror "Could not TGZ for teamserver directory (Error Code: $ERROR)."
-fi
-if [ ! -f "./poshc2.tgz" ]; then
-    tar zcvf poshc2.tgz poshc2/
-fi >> $LOGFILE 2>&1
-ERROR=$?
-if [ $ERROR -ne 0 ]; then
-    echoerror "Could not TGZ for PoshC2 directory (Error Code: $ERROR)."
+    echoerror "Could not TGZ for c2servers directory (Error Code: $ERROR)."
 fi
 
 grep -i error $LOGFILE 2>&1
@@ -184,7 +174,7 @@ fi
 echo ""
 echo ""
 echo "Done with initial setup."
-echo "Copy the redir, teamserver or elkserver folders to every redirector, teamserver or ELK-server. Then run the relevant setup script there locally."
+echo "Copy the redir, c2servers or elkserver folders to every redirector, c2servers or ELK-server. Then run the relevant setup script there locally."
 echo ""