Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cobalt Strike 4.2 support #110

Merged
merged 5 commits into from
Nov 13, 2020
Merged

Cobalt Strike 4.2 support #110

merged 5 commits into from
Nov 13, 2020

Conversation

MarcOverIP
Copy link
Member

This fixes issue #105:

  • CobaltStrike 4.2 screenshot info is now parsed the new screenshots.log, backward compatibility for pre 4.2 is kept
  • CobaltStrike 4.2 keylogger info is now parsed with all the new information available, backward compatibility for pre 4.2 is kept
  • Event log join and leave messages are now parsed, including c2.operator and c2.operator_ip

Also overall cleanup of filter rules:

  • Timestamp and c2.message is now parsed and set once at the beginning
  • Comments provide more structure
  • Several smaller things

@github-actions github-actions bot added docker Related to docker container builds elkserver Related to RedELK server components c2servers Related to RedELK C2 server components labels Nov 13, 2020
@MarcOverIP MarcOverIP merged commit 47597e7 into master Nov 13, 2020
@MarcOverIP MarcOverIP mentioned this pull request Nov 13, 2020
Closed
@fastlorenzo
Copy link
Collaborator

@MarcOverIP it looks like you introduced some new fields ([screenshot][file_name], [screenshot][desktop_session], [screenshot][title]) but did not update the index template and index pattern.

@fastlorenzo
Copy link
Collaborator

Same for [c2][operator], [c2][operator_ip], [keystrokes][user], [keystrokes][desktop_session]

@fastlorenzo
Copy link
Collaborator

additionally, shouldn't we put keystrokes.user under user.name instead?

@fastlorenzo fastlorenzo mentioned this pull request Nov 15, 2020
Closed
@MarcOverIP
Copy link
Member Author

I was going for a single update of fields in one go (we are missing several others as well besides these new ones).

I thought about user.name but decided keystrokes.user is more adhering to the truth as it is possible that an implant running as $userA intercepts keystrokes from a process of $userB. Also, user.name is automatically populated by enrichment scripts anyway.

@fastlorenzo
Copy link
Collaborator

I was going for a single update of fields in one go (we are missing several others as well besides these new ones).

I thought about user.name but decided keystrokes.user is more adhering to the truth as it is possible that an implant running as $userA intercepts keystrokes from a process of $userB. Also, user.name is automatically populated by enrichment scripts anyway.

makes sense indeed then

@MarcOverIP MarcOverIP deleted the cs4.2 branch June 23, 2021 12:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
c2servers Related to RedELK C2 server components docker Related to docker container builds elkserver Related to RedELK server components
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@MarcOverIP @fastlorenzo