RedELK is a tool created by Outflank to help red teams gain operational oversight and insights into their infrastructure. It provides a centralized dashboard to monitor redirector traffic, C2 logs, indicators of compromise, and more. RedELK enriches data with information from security services and allows searching historic logs. The goal is to help red teams improve while also making blue teams stronger through the resulting lessons learned. The open source tool will soon add additional C2 framework support and integrated hunting capabilities.

Supercharge your Red Team with RedELK

Marc Smeets
SANS HackFest – June 2020
ABOUT YOUR SPEAKER

Marc Smeets - @MarcOverIP
• Red Team operator, tool builder, trainer
• In offensive security since 2006
• Background: system and network engineering, and security consulting
• Blue Team threat hunting experience

Outflank
• Boutique Red Teaming firm in The Netherlands, founded in 2016
• Strong advocates of the TIBER framework
• Sharing knowledge via:
  • IT security trainings
  • https://outflank.nl/blog
  • https://github.com/OutflankNL
www.outflank.nl 1
OFFENSIVE INFRA – GENERIC OVERVIEW

(diagram: Victim network -> Redirectors -> Attacker)
• Victim network: corporate proxy, DNS server; channels SMB, HTTP(S), DNS
• Redirectors: decoy; delivery, tracking, etc.
• Attacker: command and control servers
• Properties of the redirector layer: flexible, disposable, resilient
OFFENSIVE INFRA – TYPICAL SETUP FOR 1 OPERATION

Command and Control
• C2-servers (5+)
• Redirectors / reverse proxies (5+)
• Domain fronting CDN (2+)

Delivery
• Web servers (2+)
• Email (2+)
• File sharing service (0+)
• Messaging platforms (0+)
• …

Fake identities
• Social media profiles (2+)
• Websites (1+)
• Communication channels (2+)

Tracking
• Tracking pixels (10+)

Generic backend components
• Test environments (1+)
• Log aggregation (1+)
OFFENSIVE INFRA – TYPICAL CHALLENGES

Oversight / Insight

“Every contact leaves a trace” - Locard’s exchange principle
TOOLING -> REDELK

https://github.com/outflanknl/RedELK/

https://outflank.nl/blog/2019/02/14/introducing-redelk-part-1-why-we-need-it/

https://outflank.nl/blog/2020/02/28/redelk-part-2-getting-you-up-and-running/

https://outflank.nl/blog/2020/04/07/redelk-part-3-achieving-operational-oversight/
REDELK – ARCHITECTURE (diagram; labels recovered from the slide)

• Redirectors / 1st line infra (reverse proxy, domain fronts, websites, tracking pixels) forward attack & C2 traffic from the target network to the C2 servers.
• Target network: compromised systems; the target SOC analyst investigates C2 traffic and hosts.
• Security Service Provider: analyst investigates C2 traffic and hosts, submits samples and IOCs to online security services.
• RedELK receives a data copy from redirectors and C2 servers and data feeds from security service providers; it indexes, enriches and searches the data and presents it in a dashboard (“SIEM”) for searching and alerting.
• RedELK queries the security service providers (Spamhaus, VirusTotal, IBM X-Force, domain classifiers, …) for indicators of our attack.
• Dashboard users: White team, Red team.
DATA ENRICHMENT – reverse DNS
SEE EVERYTHING
Central overview of the operation
PRE-MADE VIEWS

(screenshot slides)

REDIRECTOR TRAFFIC

C2 LOGS – HISTORIC SEARCHING

C2 SCREENSHOTS

ALL IOCS

INDICATORS – ONLINE SERVICES
HASH OF MALWARE

SANDBOX CONNECTIONS

INDICATORS – TRAFFIC TO OFFENSIVE INFRASTRUCTURE
ANALYST TRAFFIC

PREVIEWS BY MESSAGING APPS

INDICATORS – TARGET INTERNAL CHECKS
KRBTGT RESET

PASSWORD RESET OF SPECIFIC ACCOUNTS
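The KRBTGT reset and specific-account password reset checks on these slides come down to watching pwdLastSet on a handful of critical accounts. The block below is an added illustration written for this page, not RedELK's own code. It assumes the pwdLastSet values were collected from the target's Active Directory (for instance with an LDAP query issued through the implant; how RedELK collects them is not stated in the deck) and compares two snapshots; the account names and timestamps are constructed.

```python
"""
Added example, not RedELK code: the "target internal" check for unexpected
password resets of critical accounts. It assumes pwdLastSet values for the
watched accounts were collected from the target's Active Directory (e.g. via an
LDAP query issued through the implant) and compares two snapshots. All values
below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """AD stores pwdLastSet as 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (microsecond precision is enough here)."""
    return int((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_reset_alarms(previous: Dict[str, int], current: Dict[str, int],
                          watched=("krbtgt", "Administrator")) -> List[dict]:
    """One alarm per watched account whose pwdLastSet changed between snapshots."""
    alarms = []
    for account in watched:
        old, new = previous.get(account), current.get(account)
        if old is None or new is None or new == old:
            continue
        alarms.append({
            "account": account,
            "old": filetime_to_datetime(old).isoformat(),
            "new": filetime_to_datetime(new).isoformat(),
            # A krbtgt reset is the one that threatens persistence built on forged tickets.
            "severity": "high" if account.lower() == "krbtgt" else "medium",
        })
    return alarms


def krbtgt_ticket_status(history: List[int]) -> str:
    """history: pwdLastSet values observed for krbtgt, oldest first.
    The KDC accepts TGTs issued under the current and the previous krbtgt key,
    so one reset leaves older (and forged) TGTs usable; a second reset
    invalidates all of them."""
    resets = len(set(history)) - 1
    if resets <= 0:
        return "unchanged"
    if resets == 1:
        return "previous_key_still_accepted"
    return "all_prior_tgts_invalidated"


# Constructed snapshots (not real data).
SAMPLE_PREVIOUS = {
    "krbtgt": datetime_to_filetime(datetime(2020, 1, 15, tzinfo=timezone.utc)),
    "Administrator": datetime_to_filetime(datetime(2019, 11, 1, tzinfo=timezone.utc)),
}
SAMPLE_CURRENT = dict(SAMPLE_PREVIOUS)
SAMPLE_CURRENT["krbtgt"] = datetime_to_filetime(
    datetime(2020, 6, 10, 9, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    for alarm in password_reset_alarms(SAMPLE_PREVIOUS, SAMPLE_CURRENT):
        print(alarm)
    print(krbtgt_ticket_status([SAMPLE_PREVIOUS["krbtgt"], SAMPLE_CURRENT["krbtgt"]]))
```

The second function is the caveat an operator wants next to the alarm: a single krbtgt reset is a warning that the blue team is cleaning up, but golden tickets keep working until the second reset.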
INDICATORS OF ANALYSES / INVESTIGATION / DETECTION

TYPE OF CHECK      DETAIL

Online service     AV hash: hash of our malware is known at VirusTotal or others
                   Infra blacklist: IP, URL or TLS cert on a blacklist

Traffic to infra   C2 scanners: global scans for C2 tool artefacts
                   AV sandbox: C2 session from a known malware sandbox
                   Analyst traffic: traffic from an analyst, e.g. TOR IP, curl, other URIs
                   Sec vendor traffic: security vendor visits our infra, each with its own characteristics
                   Instant Messaging: ‘previews’ generated by Instant Messaging clients

Target internal    KRBTGT / admin reset: unexpected password changes of critical accounts
                   Security tool: unexpected change of AV / EDR tools installed
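The "traffic to infra" rows above can be turned into a first alarm pass over redirector access logs. The following is an added example written for this page, not RedELK's own detection logic: it parses Apache combined-format lines and tags the same indicator types (analyst tooling and TOR exits, sandbox ranges, messaging-app previews, requests for URIs the operation does not use). The TOR exit list, sandbox range, user-agent markers, known-URI set and the log lines themselves are constructed placeholders; RedELK itself enriches with external feeds such as Spamhaus and VirusTotal, which this offline example does not do.

```python
"""
Added example (not RedELK code): classify redirector access-log lines into the
indicator types from the table. Input is Apache "combined" log format; the
indicator lists (TOR exits, sandbox ranges, IM preview user agents, known URIs)
are constructed for this example and would be replaced by real feeds in practice.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Apache combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed indicator data (placeholders, not real feeds).
TOR_EXIT_IPS = {"198.51.100.7"}
SANDBOX_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ANALYST_UA_MARKERS = ("curl/", "wget/", "python-requests", "go-http-client", "nmap")
IM_PREVIEW_UA_MARKERS = ("slackbot-linkexpanding", "whatsapp/", "telegrambot",
                         "facebookexternalhit", "twitterbot", "skypeuripreview")
# URIs the operation actually serves (C2 profile + decoy site); anything else is unexpected.
KNOWN_URIS = {"/jquery-3.3.1.min.js", "/jquery-3.3.2.min.js", "/", "/index.html"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: Dict[str, str]) -> List[str]:
    """Return every indicator type that applies to one parsed request."""
    tags = []
    ua = rec["ua"].lower()
    try:
        ip = ipaddress.ip_address(rec["ip"])
    except ValueError:          # %h may be a hostname when HostnameLookups is on
        ip = None
    if rec["ip"] in TOR_EXIT_IPS:
        tags.append("analyst_traffic:tor_exit")
    if any(marker in ua for marker in ANALYST_UA_MARKERS):
        tags.append("analyst_traffic:tool_ua")
    if ip is not None and any(ip in net for net in SANDBOX_NETS):
        tags.append("sandbox_connection")
    if any(marker in ua for marker in IM_PREVIEW_UA_MARKERS):
        tags.append("im_preview")
    if rec["uri"] not in KNOWN_URIS:
        tags.append("unexpected_uri")   # scanners or analysts probing the C2 profile
    return tags


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """One alarm record per line that carries at least one indicator."""
    alarms = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            alarms.append({"ip": rec["ip"], "uri": rec["uri"], "ua": rec["ua"], "tags": tags})
    return alarms


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jun/2020:10:00:01 +0000] "GET /jquery-3.3.1.min.js HTTP/1.1" 200 5543 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '198.51.100.7 - - [10/Jun/2020:10:05:12 +0000] "GET /jquery-3.3.1.min.js HTTP/1.1" 200 5543 "-" "curl/7.68.0"',
    '203.0.113.44 - - [10/Jun/2020:10:06:00 +0000] "GET /jquery-3.3.2.min.js HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"',
    '192.0.2.55 - - [10/Jun/2020:10:07:30 +0000] "GET / HTTP/1.1" 200 812 "-" "Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)"',
    '192.0.2.99 - - [10/Jun/2020:10:08:00 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "python-requests/2.23.0"',
]

if __name__ == "__main__":
    for alarm in scan_log(SAMPLE_LOG):
        print(alarm["ip"], alarm["uri"], alarm["tags"])
```

The first sample line (a normal implant check-in) produces no alarm; the other four each hit at least one row of the table. Tagging is additive on purpose: a TOR exit running curl against a C2 URI is both an analyst and a tooling indicator, and an operator wants to see both.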
START SUPERCHARGING YOUR RED TEAM
WHERE TO BEGIN

Planning
• One RedELK server per operation. Do not mix clients.
• It stores highly confidential data.
• 3 components: RedELK server, c2server, redirector
• Identifiers are used for Attack Scenario and Component Name
• Requires modified logging on the redirector, e.g. Apache or HAProxy
• Read the docs: wiki on GitHub and the blog post series

Installation
• Get the latest release on GitHub. Or YOLO: try the master or maindev branch.
• Modify the config file and run ./initial-setup.sh certs/config.cnf
• Run the installers for redirs, c2servers and the main RedELK server
• Post-installation edits (/etc/redelk/* and /etc/cron.d/redelk)
SUPPORT AND ROADMAP

Version 1
• Main focus on oversight: help the RT operator with their workflow
• Alarms for basic checks
• Support for Cobalt Strike C2
• Support for HAProxy and Apache redirectors

Version 2 – currently in development
• Main focus on alarms and more supported tech
• More alarms, and making alarms easier to manage
• Support for PoshC2, and possibly more (Scythe, Covenant)
• Support for Nginx and possibly Infra-as-Code redirectors
• Bring hunting to Red Teams with integrated Jupyter Notebooks
ACKNOWLEDGEMENTS

@xychix : co-developer, python ninja and automation enthusiast

@curi0usJack : Ansible Playbooks for RedELK:
https://www.trustedsec.com/blog/automating-a-redelk-deployment-using-ansible/

@_xpn_ : wrangling RedELK into docker containers:
https://twitter.com/_xpn_/status/1263401556843659264

@benpturner : PoshC2 support

@fastlorenzo, @justly, and others for pull requests

Many people/firms reaching out with support: happy to give back to the community
SUMMARY

Goal of Red Teaming is to make Blue Teams better

Dear red, RedELK is here to help you

Dear blue, think of your OPSEC

https://github.com/OutflankNL/RedELK

https://outflank.nl/blog/
Marc Smeets
+31 6 5136 6680
www.outflank.nl/marc
@MarcOverIP
