In the complex landscape of RedELK deployment, adhering to precise naming requirements is crucial for operational success.
This article delves into the essential naming conventions necessary for a smoothly functioning RedELK setup.
From FilebeatID to Redirector configurations, understand the specifics that ensure your cybersecurity infrastructure is effective and efficient.
For a properly working RedELK setup it is required to pay attention to the following requirements.
Name | Description | Specifics to pay attention to |
---|---|---|
FilebeatID | Name given to the host by Filebeat. | The name is given during running the install-redir.sh or install-c2server.sh scripts.For the c2 servers: have the identifier match the name in the mounts/redelk-config/etc/cron.d/redelk and the name passed to install-c2server.sh scriptIf entered incorrectly during installation, background scripts will fail and implant log files, screenshots and keystrokes will not be accessible via RedELK interface. You can change it in the /etc/filebeat/filebeat.yml config file on the specific host or in mounts/redelk-config/etc/cron.d/redelk on the RedELK server |
attackscenario | Name of the attack scenario this infra component belongs to. | An infra component can only belong to a single attackscenario. In case of TIBER or the likes this will likely be something like scenario1, scenario2 and scenarioX. Could also be more descriptive, e.g. ransomware, fingain, or your internally used code name. Name needs to be the same for all other components in the same scenario; it is an important way for filtering within the Kibana interface. The name is given during running the install-redir.sh or install-c2server.sh scripts. If entered incorrectly during installation, you can change it in the /etc/filebeat/filebeat.yml config file on the specific host. |
Redirector backend | Name given in the config of the redirector application (Apache, HAProxxy, etc) for the backend. | Must start with c2 or decoy Use a descriptive name, e.g. decoy-phishrun1 or c2-https. Stock Kibana views and dashboards expect the naming standard. Some alarms are hardcoded triggered for these c2 * names |
Redirector frontend | Name given in the config of the redirector application (Apache, HAProxxy, etc) for the frontend. | Let it be descriptive for you as you will use this in the RedELK interface to understand where traffic was coming in. Better not use spaces in the name. |
Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…
Embark on the journey of becoming a certified Red Team professional with our definitive guide.…
This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…
This took me like 4 days (+2 days for an update), but I got it…