Added initial PoshC2 integration to RedELK

[benpturner]

Added a PoshC2 directory and subsequent install-teamserver.sh that can be used to install RedELK on a PoshC2 server.

The initial-setup.sh has been modified to copy the certs to the poshc2 folder.

Further work will include integrating alarms, thumbnails for screenshots and dashboards/searches.

[MarcOverIP]

Looking good, really excellent work!

I'll dive into the details of things at a later stage. I would like to take this possibility to also have a good look of the filed naming in the rtops-index to make it more C2framework independent.

For the next steps you mention: take a look at the cron job that runs on the poshc2 server (example here: https://github.com/outflanknl/RedELK/blob/master/teamservers/cron.d/redelk). That should set all required files ready for the rsync cron job initiated by the elkserver. This should cover screenshots, downloaded files and keystrokes.

Regarding thumbnails but also some other handy things, check these scripts: https://github.com/outflanknl/RedELK/tree/master/elkserver/logstash/ruby-scripts If you call them from the 60-c2-poshc2.conf file they should do the magic for you.

[MarcOverIP]

Just to bounce of ideas, I would appreciate your feedback: Im not sure just yet about the renaming of the fields inside the rtops- index. On the RedELK wiki (https://github.com/outflanknl/RedELK/blob/master/example-data-and-configs/RedELKFieldnames.md) I've detailed all the fields that are currently in use.

As you have seen there are several Cobalt Strike specific fields, ie beacon_*. Also, beacon is a Cobalt Strike specific name. Ideally we rename to be less CS focussed.

How about we rename it like this:
beacon_arch -> implant_arch
beacon_checkin -> implant_arch
beacon_id -> implant_id
beacon_input -> implant_input
beacon_task -> implant_task
beacon_output -> implant_output
beaconlogfile -> c2logfile (Clickable link to the full log file from C2 framework)
cslogtype -> c2logtype (values can be anything we want, but in case of CS its beacon_task, beacon_input, beacon_newbeacon, etc. I believe you renamed cslogtype to pslogtype?)
csmessage -> c2message (full log line as reported by the C2 framework
cstimestamp -> c2timestamp (timestamp inside the c2 log line)

Im not entirely sure just yet about all these. But question for you: do you think these names would work with PoshC2?

Not sure if you have used it, but we should also rename the beacondb index :-) implantdb would work I guess.

[MarcOverIP]

I've included the pull request, done some tuning to integrate it all into on directory (now only 1 dir for c2servers instead of separate dirs for every c2 framework) and modified the install scripts.

Haven't tested it all yet, I leave that up to you ;-)

Next steps are:

1. renaming of ES field names to be not-CobaltStrike specific - I will do this
2. further increase support of PoshC2, eg screenshots, downloads, keystrokes, etc ideally to the same level as with Cobalt Strike. Feel free to have a go at that!