Cyber security

RedELK – Essential Naming Requirements For Deployment

In the complex landscape of RedELK deployment, adhering to precise naming requirements is crucial for operational success.

This article delves into the essential naming conventions necessary for a smoothly functioning RedELK setup.

From FilebeatID to Redirector configurations, understand the specifics that ensure your cybersecurity infrastructure is effective and efficient.

For a properly working RedELK setup it is required to pay attention to the following requirements.

NameDescriptionSpecifics to pay attention to
FilebeatIDName given to the host by Filebeat.
The name is given during running the install-redir.sh or install-c2server.sh scripts.

For the c2 servers: have the identifier match the name in the mounts/redelk-config/etc/cron.d/redelk and the name passed to install-c2server.sh script

If entered incorrectly during installation, background scripts will fail and implant log files, screenshots and keystrokes will not be accessible via RedELK interface. You can change it in the /etc/filebeat/filebeat.yml config file on the specific host or in mounts/redelk-config/etc/cron.d/redelk on the RedELK server
attackscenarioName of the attack scenario this infra component belongs to.An infra component can only belong to a single attackscenario.

In case of TIBER or the likes this will likely be something like scenario1, scenario2 and scenarioX. Could also be more descriptive, e.g. ransomware, fingain, or your internally used code name.

Name needs to be the same for all other components in the same scenario; it is an important way for filtering within the Kibana interface.

The name is given during running the install-redir.sh or install-c2server.sh scripts. If entered incorrectly during installation, you can change it in the /etc/filebeat/filebeat.yml config file on the specific host.
Redirector backendName given in the config of the redirector application (Apache, HAProxxy, etc) for the backend.Must start with c2 or decoy

Use a descriptive name, e.g. decoy-phishrun1 or c2-https.

Stock Kibana views and dashboards expect the naming standard. Some alarms are hardcoded triggered for these c2* names
Redirector frontendName given in the config of the redirector application (Apache, HAProxxy, etc) for the frontend.Let it be descriptive for you as you will use this in the RedELK interface to understand where traffic was coming in. Better not use spaces in the name.
Tamil S

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Recent Posts

ShadowDumper – Advanced Techniques For LSASS Memory Extraction

Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…

19 hours ago

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

2 weeks ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

3 weeks ago

Red Team Certification – A Comprehensive Guide To Advancing In Cybersecurity Operations

Embark on the journey of becoming a certified Red Team professional with our definitive guide.…

3 weeks ago

CVE-2024-5836 / CVE-2024-6778 : Chromium Sandbox Escape via Extension Exploits

This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…

4 weeks ago

Rust BOFs – Unlocking New Potentials In Cobalt Strike

This took me like 4 days (+2 days for an update), but I got it…

4 weeks ago