diff --git a/c2servers/cron.d/redelk_cobaltstrike b/c2servers/cron.d/redelk_cobaltstrike
index c678d227..197f7ac1 100644
--- a/c2servers/cron.d/redelk_cobaltstrike
+++ b/c2servers/cron.d/redelk_cobaltstrike
@@ -10,8 +10,8 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 # Command to sync the logs from cobaltstrike to our scponly user's home directory
 # m h dom mon dow user command
-* * * * * root /usr/bin/rsync -rvx --append-verify --delete /root/cobaltstrike/logs /home/scponly/cobaltstrike/; /bin/chown -R scponly:scponly /home/scponly/cobaltstrike/*
+* * * * * root /usr/bin/rsync -rvx --append-verify --delete /root/cobaltstrike/server/logs /home/scponly/cobaltstrike/; /bin/chown -R scponly:scponly /home/scponly/cobaltstrike/*
 * * * * * root /usr/bin/rsync -rvx --append-verify --delete /root/cobaltstrike/profiles /home/scponly/cobaltstrike/; /bin/chown -R scponly:scponly /home/scponly/cobaltstrike/*
-* * * * * root /usr/bin/rsync -rvx --append-verify --delete /root/cobaltstrike/data /home/scponly/cobaltstrike/; /bin/chown -R scponly:scponly /home/scponly/cobaltstrike/*
+* * * * * root /usr/bin/rsync -rvx --append-verify --delete /root/cobaltstrike/server/data /home/scponly/cobaltstrike/; /bin/chown -R scponly:scponly /home/scponly/cobaltstrike/*
 * * * * * root /usr/share/redelk/bin/export_cobaltstrikedata.sh
 * * * * * root /usr/share/redelk/bin/copydownloads_cobaltstrike.sh
diff --git a/c2servers/filebeat/inputs.d/filebeat_cobaltstrike.yml b/c2servers/filebeat/inputs.d/filebeat_cobaltstrike.yml
index 5cd14a81..57f24918 100644
--- a/c2servers/filebeat/inputs.d/filebeat_cobaltstrike.yml
+++ b/c2servers/filebeat/inputs.d/filebeat_cobaltstrike.yml
@@ -3,7 +3,7 @@
   enabled: true
   fields_under_root: true
   paths:
-    - /root/cobaltstrike/logs/*/events.log
+    - /root/cobaltstrike/server/logs/*/events.log
   fields:
     infra:
       attack_scenario: @@ATTACKSCENARIO@@
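Review bot: Nothing in the file records why the `profiles` job keeps reading `/root/cobaltstrike/profiles` while the `logs` and `data` jobs now read from `/root/cobaltstrike/server/`, so the next reader cannot tell an intentional split from a missed path. If profiles are deliberately kept one level up, state it in the comment above the table, e.g. `# logs and data live under the Cobalt Strike server/ directory; profiles are kept in the top-level cobaltstrike/ directory on purpose`. Presumably all three rsync jobs fire in the same minute, in which case the three `chown -R` passes over the same `/home/scponly/cobaltstrike/` tree are redundant and race each other; one job running the rsyncs in sequence followed by a single chown would do the same work once.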
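Review bot: After this hunk, and the matching ones at -19, -35, -51, -68, -90 and -111, filebeat only harvests the `server/` tree, so any logs still sitting under the old `/root/cobaltstrike/logs/` on an upgraded C2 server silently stop being shipped rather than failing loudly. If both layouts must coexist during a migration, keep the old glob next to the new one under `paths:`; note that the logstash scripts in this commit split on `/cobaltstrike/server`, so old-layout paths would need handling there as well. The same `/root/cobaltstrike/server` prefix is now repeated in every input's `paths:` while `export_cobaltstrikedata.sh` centralises it in `CSDIR`; a note in this file's header naming the other places the prefix must be kept in sync with (cron, the two scripts, the three logstash filters) would make the next layout change safer.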
@@ -19,7 +19,7 @@
   enabled: true
   fields_under_root: true
   paths:
-    - /root/cobaltstrike/logs/*/weblog*
+    - /root/cobaltstrike/server/logs/*/weblog*
   fields:
     infra:
       attack_scenario: @@ATTACKSCENARIO@@
@@ -35,7 +35,7 @@
   enabled: true
   fields_under_root: true
   paths:
-    - /root/cobaltstrike/logs/*/downloads.log
+    - /root/cobaltstrike/server/logs/*/downloads.log
   fields:
     infra:
       attack_scenario: @@ATTACKSCENARIO@@
@@ -51,7 +51,7 @@
   enabled: true
   fields_under_root: true
   paths:
-    - /root/cobaltstrike/data/export_credentials.tsv
+    - /root/cobaltstrike/server/data/export_credentials.tsv
   fields:
     infra:
       attack_scenario: @@ATTACKSCENARIO@@
@@ -68,8 +68,8 @@
   enabled: true
   fields_under_root: true
   paths:
-    - /root/cobaltstrike/logs/*/*/beacon_*.log
-    - /root/cobaltstrike/logs/*/*/ssh_*.log
+    - /root/cobaltstrike/server/logs/*/*/beacon_*.log
+    - /root/cobaltstrike/server/logs/*/*/ssh_*.log
   # Since Cobalt Strike version 3.14 the time format in the logs is changed. Here we use regex 'or' function (expr1)|(expr2) to match new or old format
   multiline.pattern: '(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\sUTC\s\[)|(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\s\[)' # match "06/19 12:32:56 UTC [" or "06/19 12:32:56 ["
   multiline.negate: true
@@ -90,7 +90,7 @@
   enabled: true
   fields_under_root: true
   paths:
-    - /root/cobaltstrike/logs/*/*/keystrokes/keystrokes_*.txt
+    - /root/cobaltstrike/server/logs/*/*/keystrokes/keystrokes_*.txt
   # Since Cobalt Strike version 3.14 the time format in the logs is changed. Here we use regex 'or' function (expr1)|(expr2) to match new or old format
   multiline.pattern: '(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\sUTC\s\[)|(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\s\[)' # match "06/19 12:32:56 UTC [" or "06/19 12:32:56 ["
   multiline.negate: true
@@ -111,7 +111,7 @@
   enabled: true
   fields_under_root: true
   paths:
-    - /root/cobaltstrike/logs/*/*/screenshots.log
+    - /root/cobaltstrike/server/logs/*/*/screenshots.log
   # Since Cobalt Strike version 3.14 the time format in the logs is changed. Here we use regex 'or' function (expr1)|(expr2) to match new or old format
   multiline.pattern: '(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\sUTC\s\[)|(^\d\d\/\d\d\s\d\d\:\d\d\:\d\d\s\[)' # match "06/19 12:32:56 UTC [" or "06/19 12:32:56 ["
   multiline.negate: true
diff --git a/c2servers/scripts/copydownloads_cobaltstrike.sh b/c2servers/scripts/copydownloads_cobaltstrike.sh
index 7421afa1..e396eed4 100755
--- a/c2servers/scripts/copydownloads_cobaltstrike.sh
+++ b/c2servers/scripts/copydownloads_cobaltstrike.sh
@@ -13,11 +13,11 @@ mkdir -p /home/scponly/cobaltstrike/downloads >> $LOGFILE 2>&1
 echo "`date` # Start CS downloads copy" >> $LOGFILE 2>&1
-for fileid in $(ls /root/cobaltstrike/downloads/ | grep -v '\.'); do
-  orifilename=`grep -rn $fileid /root/cobaltstrike/logs/*/downloads.log|awk 'BEGIN {FS="\t"}; {print $6}'`
+for fileid in $(ls /root/cobaltstrike/server/downloads/ | grep -v '\.'); do
+  orifilename=`grep -rn $fileid /root/cobaltstrike/server/logs/*/downloads.log|awk 'BEGIN {FS="\t"}; {print $6}'`
   if [ -z "$orifilename" ]; then orifilename="filenameunknown"; fi
   if [ ! -f "/home/scponly/cobaltstrike/downloads/${fileid}_${orifilename}" ]; then
-    cp /root/cobaltstrike/downloads/${fileid} "/home/scponly/cobaltstrike/downloads/${fileid}_${orifilename}"
+    cp /root/cobaltstrike/server/downloads/${fileid} "/home/scponly/cobaltstrike/downloads/${fileid}_${orifilename}"
     chown scponly:scponly "/home/scponly/cobaltstrike/downloads/${fileid}_${orifilename}"
   fi
 done
diff --git a/c2servers/scripts/export_cobaltstrikedata.sh b/c2servers/scripts/export_cobaltstrikedata.sh
index b52434e3..1cf8b13d 100755
--- a/c2servers/scripts/export_cobaltstrikedata.sh
+++ b/c2servers/scripts/export_cobaltstrikedata.sh
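Review bot: `$fileid` stays unquoted on the new `for` and `grep` lines and is handed to `grep` as an unanchored regex, so an id that is a substring of another id (or of any other field) matches several `downloads.log` lines and `orifilename` then carries embedded newlines straight into the `cp` destination path. Judging by the field name, the sixth tab-separated column is the file's original name as recorded from the compromised host, so a value containing `/` would also change where `cp` writes (or make it fail); taking only the first match and reducing it to a basename closes both issues: `orifilename=$(grep -h -- "$fileid" /root/cobaltstrike/server/logs/*/downloads.log | awk 'BEGIN {FS="\t"}; {print $6}' | head -n 1)` followed by `orifilename=$(basename -- "$orifilename")`. The `-r` flag on an explicit file list is a no-op and can go at the same time. The enclosing script starts and ends outside the hunk.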
@@ -8,7 +8,7 @@
 #
 LOGFILE="/var/log/redelk/exportcobaltstrikesdata.log"
-CSDIR="/root/cobaltstrike"
+CSDIR="/root/cobaltstrike/server"
 echo "`date` ######## Start CS data export" >> $LOGFILE 2>&1
diff --git a/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makebeaconlogpath.rb b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makebeaconlogpath.rb
index d4f2c675..ad6cef2f 100644
--- a/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makebeaconlogpath.rb
+++ b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makebeaconlogpath.rb
@@ -8,7 +8,7 @@ def filter(event)
   host = event.get("[agent][name]")
   logpath = event.get("[log][file][path]")
-  temppath = logpath.split('/cobaltstrike')
+  temppath = logpath.split('/cobaltstrike/server')
   implantlogpath = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath[1]}"
   event.tag("_rubyparseok")
   event.set("[implant][log_file]", implantlogpath)
diff --git a/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makekeystrokespath.rb b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makekeystrokespath.rb
index 050ccc4c..49662e7a 100644
--- a/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makekeystrokespath.rb
+++ b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makekeystrokespath.rb
@@ -11,9 +11,10 @@ def filter(event)
   logpath = event.get("[log][file][path]")
   implant_id = event.get("[implant][id]")
   desktop_session = event.get("[keystrokes][desktop_session]")
-  temppath = logpath.split('/cobaltstrike')
+  temppath = logpath.split('/cobaltstrike/server')
   temppath2 = temppath[1].split(/\/([^\/]*)$/)
-  keystrokespath = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/keystrokes_" + "#{implant_id}" + "." + "#{desktop_session}" + ".txt"
+  filename = temppath2[1]
+  keystrokespath = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/" + "#(unknown)"
   event.tag("_rubyparseok")
   event.set("[keystrokes][url]", keystrokespath)
   return [event]
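Review bot: `logpath.split('/cobaltstrike/server')` on the new line returns a one-element array whenever the path does not contain that exact substring (an event shipped from a pre-`server/` layout, for instance), so `temppath[1]` is nil, `implantlogpath` silently degrades to `/c2logs/<host>/cobaltstrike`, and the event is still tagged `_rubyparseok`; a missing `[log][file][path]` raises NoMethodError on the split instead. A guard before the split keeps both cases visible downstream: `return [event] if logpath.nil? || !logpath.include?('/cobaltstrike/server')`. The same split is introduced in cs_makekeystrokespath.rb and cs_makescreenshotpath.rb, where the following `temppath[1].split(...)` raises on the nil as well. The start and end of `filter` lie outside the hunk.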
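Review bot: `implant_id` and `desktop_session` are still read on the context lines above the split but no longer feed the new `keystrokespath`, leaving two dead assignments in the new version; drop them together with their `event.get` calls. The last component of the new path prints here as `"#(unknown)"`, which looks like a rendering artefact of `"#{filename}"` and is worth confirming against the repository, because as printed it would be a literal string (the same rendering appears in cs_makescreenshotpath.rb). If it is `#{filename}`, the URL now ends in the basename captured by the `split(/\/([^\/]*)$/)` call instead of a synthesised `keystrokes_<id>.<session>.txt`, which deserves a comment such as `# URL keeps the harvested keystrokes_*.txt file name; it is no longer derived from implant id and desktop session`. The start of `filter` lies outside the hunk.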
diff --git a/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makescreenshotpath.rb b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makescreenshotpath.rb
index 94f8a68d..287cdb7f 100644
--- a/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makescreenshotpath.rb
+++ b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makescreenshotpath.rb
@@ -10,7 +10,7 @@ def filter(event)
   host = event.get("[agent][name]")
   logpath = event.get("[log][file][path]")
   filename = event.get("[screenshot][file_name]")
-  temppath = logpath.split('/cobaltstrike')
+  temppath = logpath.split('/cobaltstrike/server')
   temppath2 = temppath[1].split(/\/([^\/]*)$/)
   screenshoturl = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/screenshots/"+ "#(unknown)"
   thumburl = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/screenshots/"+ "#(unknown)" + ".thumb.jpg"