Support for PoshC2 #22

Open
MarcOverIP opened this issue Feb 17, 2020 · 28 comments
Assignees
Labels
c2servers Related to RedELK C2 server components enhancement New feature or request help wanted Extra attention is needed

Comments

@MarcOverIP
Member

Have full support for the PoshC2 framework (https://github.com/nettitude/PoshC2).

I will need help from others with understanding the exact way of logging performed by PoshC2.

@MarcOverIP MarcOverIP added enhancement New feature or request help wanted Extra attention is needed labels Feb 17, 2020
@MarcOverIP MarcOverIP self-assigned this Feb 17, 2020
@MarcOverIP
Member Author

At first glance, logging by PoshC2 seems somewhat similar to that of Cobalt Strike. So this should not be a lot of work.

Generically speaking, I expect the following things will need to be created:

  1. Filebeat config to read the log file of PoshC2 on the c2 server
  2. Logstash rules that receive and filter the log lines
  3. Cron scripts running on the c2 server to copy relevant files (screenshots, downloaded files, etc) from the PoshC2 directory to the /home/scponly directory
  4. Modified rsync script on elkserver to copy files from /home/scponly on c2 server.
  5. Review of field names in rtops- index to check if they are relevant for c2 in general, or (still) are too Cobalt Strike dedicated.
  6. Update on documentation.

My main problem at this moment is that I have no experience with PoshC2 and don't have access to demo logs that I can test with.

Any help with above steps is well received. Help with access to demo logs would also work.

@BaffledJimmy

BaffledJimmy commented Feb 17, 2020

Here's some example files from a test VM.

  • /downloads includes anything pulled from the target (as PNG for screenshots, and whatever file type they were downloaded as for everything else (.docx etc.))
  • Rewrite rules are generated by Posh when you start the server (similar to starting a teamserver) for you to paste into your C2 proxy for Apache rewriting.
  • Zip file contains the SQLite DB so the log structure should be viewable.

rewrite-rules.txt
webserver.log
PowershellC2.SQLite.zip
poshc2_server.log

@MarcOverIP
Member Author

Thanks, this is something we can work with.

A few quick questions:

  1. In the webserver.log I see a lot of URIs, but none of them relate to the data in poshc2_server.log. I expect that is to be expected, but want to clarify with you. In other words, is there any useful info in the webserver.log file?
  2. Upon startup I see a lot of message about payloads written to specific paths. Is that useful info at any later stage of the operation, or should I ignore that (at least for now)?
  3. What's up with the "�[0m", "�[92m" and other messages alike in the log?
  4. Are times in UTC?
  5. Is "Mac" the username in these example logs?
  6. Is "LTYYZ0074993" the hostname in these example logs?
  7. Is it correct that every input command starts with "Task $Some5DigitNr ($User) issued against implant $Nr on host" etc. etc.?
  8. Is it correct that every output command starts with "Task $Some5DigitNr ($User) returned against implant $Nr on host" etc. etc.?

@BaffledJimmy

Hey there,

  1. webserver.log contains a list of the individual URLs that the implant talked to (similar to the different URLs that you can define in your MalleableC2, e.g. attacker.com/foo, outflank.com/banana, wibble.net/foo). Can be handy to see if particular URLs aren't being hit (e.g. your rewrite rules on the proxy aren't correct and that particular beacon/implant checkin is not reaching the c2 server).
  2. Startup paths probably not required to be logged (can't think of a reason atm, 100% open to being corrected though!).
  3. Not sure, will investigate. Think it might be colouring in Python or something not-important like that!
  4. Times UTC
  5. Mac is username yes
  6. Yes to hostname (or Testmachine)
  7. That's right, you can queue up lots of commands / tasks to an implant (e.g. lots of powerview commands on a 2 hour beacon), it gets queued, then the implant collects them, executes them sequentially, then posts them back to the C2 proxy -> C2 server. It's a way of making sure that each task is logged, as well as seeing if tasks 'don't return' e.g. implant died or no response or similar.

Each task should have a:
Task 123 issued by Mac against implant 123 on $hostname

Then when the task or implant command completes, and it is sent back to the C2 server, that is displayed to the Op in his other tmux/terminator window with a

Task 123 returned against implant 123 on $hostname.

Vast majority of Posh users use a setup like this (which might help explain the tasking / returning system)
[screenshot: 2020-02-17 15_12_11-Mac-TestingVM - VMware Workstation]

  8. Yep, see 7 :)

@BaffledJimmy

With some commands / tasks being sent (standalone VM not on domain, hence Get-Domain failing)

[screenshot attachment]

@MarcOverIP
Member Author

Ah great, thanks for clearing up the terminal/tmux setup!

I believe I understand enough to get going. Few remaining things:

  1. the "�[0m", "�[92m" thing is important to understand. Filebeat will be reading text files and I need to create exact text matches.
  2. Is poshc2_server.log file enabled by default, and what's the path?

@BaffledJimmy

  1. I'll get on this and get back to you
  2. Yes that is always there.

Every file relating to a project is kept in a project folder, which is usually in /opt/PoshC2_$PROJECTNAME (although configurable by the operator)

The $PROJECTNAME is configured in the config.yaml in the /opt/PoshC2 folder.

[screenshot attachment]

So you config up Posh, run posh-server, and it creates your /opt/Project_$PROJECTNAME folder, generates your Apache rewrite rules, preps the SQLiteDB, compiles all your payloads etc.

@riskydissonance

Hey :)

  • Yeah, the [0m etc. is bash colouring, as this log is what is viewed by the user when it's running. They're technically:
class Colours:
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    RED = '\033[91m'
    END = '\033[0m'
    YELLOW = '\033[93m'

in 'text' form.

  • Times are server time, so depends what the timezone is for the c2 server
  • the poshc2_server.log is in the PoshC2 project directory, which is configurable in the config.yml but is by default /opt/PoshC2_Project. The idea is one project directory is used per, well, project. :)
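Since the "Task ... issued" / "Task ... returned" line shapes (described by BaffledJimmy above) and the embedded ANSI colour codes (the Colours class quoted just above) are what a Filebeat/Logstash pipeline has to match on, here is an added Python example, not code from RedELK or PoshC2, that strips the colour sequences and parses the two line types into the fields RedELK would index, then pairs issued and returned lines per task id so that tasks which never return stand out. The sample log lines are constructed for this example, and the "YYYY-MM-DD HH:MM:SS" timestamp prefix is an assumption, not something this thread confirms.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# The ANSI colour sequences PoshC2 writes into poshc2_server.log
# ('\033[92m', '\033[0m', ...), per the Colours class quoted in this thread.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")

# Line shapes as described in this thread. The leading "YYYY-MM-DD HH:MM:SS"
# timestamp prefix is an ASSUMPTION made for this example.
TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
ISSUED_RE = re.compile(
    TS + r"\s+Task (?P<task>\d+) issued by (?P<user>\S+) "
    r"against implant (?P<implant>\d+) on (?P<host>\S+)$"
)
RETURNED_RE = re.compile(
    TS + r"\s+Task (?P<task>\d+) returned against implant (?P<implant>\d+) on (?P<host>\S+)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class TaskEvent:
    timestamp: str
    kind: str            # "issued" or "returned"
    task_id: int
    implant_id: int
    host: str
    user: Optional[str]  # only present on "issued" lines


def strip_ansi(line: str) -> str:
    """Remove terminal colour codes so exact text matches work on the raw file."""
    return ANSI_RE.sub("", line)


def parse_line(line: str) -> Optional[TaskEvent]:
    """Turn one log line into a TaskEvent, or None if it is not a task line."""
    clean = strip_ansi(line).strip().rstrip(".")  # "on $hostname." ends with a period
    m = ISSUED_RE.match(clean)
    if m:
        return TaskEvent(m["ts"], "issued", int(m["task"]), int(m["implant"]), m["host"], m["user"])
    m = RETURNED_RE.match(clean)
    if m:
        return TaskEvent(m["ts"], "returned", int(m["task"]), int(m["implant"]), m["host"], None)
    return None


def parse_log(text: str) -> List[TaskEvent]:
    """Parse every line of a log, silently skipping non-task lines (startup noise etc.)."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def correlate(events: List[TaskEvent]) -> Tuple[Dict[int, float], List[int]]:
    """Pair issued/returned lines per task id.

    Returns the round-trip time in seconds for completed tasks, and the ids of
    tasks that were issued but never returned (implant died, no response, ...).
    """
    issued: Dict[int, TaskEvent] = {}
    completed: Dict[int, float] = {}
    for ev in events:
        if ev.kind == "issued":
            issued[ev.task_id] = ev
        elif ev.task_id in issued:
            start = datetime.strptime(issued[ev.task_id].timestamp, TS_FMT)
            end = datetime.strptime(ev.timestamp, TS_FMT)
            completed[ev.task_id] = (end - start).total_seconds()
    outstanding = sorted(t for t in issued if t not in completed)
    return completed, outstanding


# Constructed sample log (not real PoshC2 output); colour codes are embedded
# exactly as they would sit in the raw file, and task 00002 never returns.
SAMPLE_LOG = (
    "2020-02-17 15:12:11 \x1b[92mTask 00001 issued by Mac against implant 1 on LTYYZ0074993\x1b[0m\n"
    "2020-02-17 15:12:40 \x1b[94mTask 00001 returned against implant 1 on LTYYZ0074993.\x1b[0m\n"
    "2020-02-17 15:13:02 \x1b[92mTask 00002 issued by Mac against implant 1 on LTYYZ0074993\x1b[0m\n"
    "2020-02-17 15:13:05 Some unrelated startup line about a payload path\n"
)

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(ev)
    done, pending = correlate(events)
    print("round-trip seconds per task:", done)
    print("tasks without a return line:", pending)
```

Stripping the escape sequences before matching is the important step: a grok pattern anchored on `Task` will not match a line that actually begins with `\x1b[92m`, which is why the colour codes matter for the Filebeat/Logstash side.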

@MarcOverIP
Member Author

Are these colouring characters really present in the raw log file, or is this an interpretation by Jimmy's terminal?

Yikes, server time... Any way to make that UTC?

Clear on the project names. I can have Filebeat understand this and work with those subdirs, no prob.

@riskydissonance

They are present in the log file aye, which are then interpreted by the terminal as colours.

For the time we can switch to UTC but I'm not sure if that's desirable; the operator may prefer timestamps in their local time making it easier to digest. That's one for @benpturner.

@riskydissonance

Happy to help out with this btw if we get some direction.

If you want to hop on a hangouts call or similar just DM me on twitter to set one up :)

@MarcOverIP
Member Author

Thanks for the offer!

The roadmap to have this included is listed above (#22 (comment)).

Looking at my agenda for the next 1-2 weeks I don't see enough time to have a proper go at this. So feel free to start working on it.

I think steps 1 (filebeat setup) and 2 (logstash filters) are easiest for you to pick up. The other items require specific RedELK knowledge. Overall, it certainly does help if you have previous experience with ELK (not RedELK per se). If not, there is a lot of info within RedELK already to leverage. For example: the filebeat config will largely be a modification of: https://github.com/outflanknl/RedELK/blob/master/teamservers/filebeat/filebeat.yml. For the logstash filter rule I expect https://github.com/outflanknl/RedELK/blob/master/elkserver/logstash/conf.d/50-c2-cobaltstrike.conf to be of great inspiration.

If this feels too stretched for you, no worries. I'll pick it up when I see the time.

Would be happy to discuss on a call when there is tangible progress.

@benpturner

Added initial PR for this - #25

@MarcOverIP
Member Author

For the record (I previously commented on the PR not on the issue, my bad):

I've included the pull request into the maindev branch that will become version2 in the coming time. I did some tuning to integrate it all into one directory (now only 1 dir for c2servers instead of separate dirs for every c2 framework) and modified the install scripts.

I have tested it to the level I can without access to PoshC2. Let me know your findings.

Next steps are:

  • renaming of ES field names to be not-CobaltStrike specific
  • Further increase support of PoshC2, eg screenshots, downloads, keystrokes, etc ideally to the same level as with Cobalt Strike. Feel free to have a go at that!

@benpturner

Awesome, will give this a test on the maindev branch. I’ll also try to sort the downloads for the screenshots, should be fairly straightforward I think.

@MarcOverIP
Member Author

Gents, gentle request to test with latest RedELK version 2 BETA 1 release.

There was significant overhauling of field names. We believe we got them all. But it couldn't hurt for you PoshC2 experts to do the final checking.

@benpturner

Yeah 100% - looking forward to having a blast

@benpturner

Having a few issues with install on the latest version, looking at the log it's not overly helpful

"status" : 400
}
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 159 100 21 100 138 420 2760 --:--:-- --:--:-- --:--:-- 3180
{"acknowledged":true} % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 29250 100 21 100 29229 617 839k --:--:-- --:--:-- --:--:-- 840k
{"acknowledged":true} % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 30402 100 21 100 30381 552 780k --:--:-- --:--:-- --:--:-- 781k
{"acknowledged":true} % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 29633 100 21 100 29612 567 781k --:--:-- --:--:-- --:--:-- 782k
{"acknowledged":true} % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 71575 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 107k 100 204 100 107k 6000 3163k --:--:-- --:--:-- --:--:-- 3169k
{"statusCode":400,"error":"Bad Request","message":"child "attributes" fails because ["attributes" is required]. "file" is not allowed","validation":{"source":"payload","keys":["attributes","file"]}} % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9572 100 204 100 9368 8500 381k --:--:-- --:--:-- --:--:-- 389k
{"statusCode":400,"error":"Bad Request","message":"child "attributes" fails because ["attributes" is required]. "file" is not allowed","validation":{"source":"payload","keys":["attributes","file"]}} % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 12827 100 204 100 12623 8160 493k --:--:-- --:--:-- --:--:-- 501k
{"statusCode":400,"error":"Bad Request","message":"child "attributes" fails because ["attributes" is required]. "file" is not allowed","validation":{"source":"payload","keys":["attributes","file"]}} % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 47817 100 204 100 47613 8500 1937k --:--:-- --:--:-- --:--:-- 1945k
{"statusCode":400,"error":"Bad Request","message":"child "attributes" fails because ["attributes" is required]. "file" is not allowed","validation":{"source":"payload","keys":["attributes","file"]}} % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 28383 100 204 100 28179 6800 917k --:--:-- --:--:-- --:--:-- 923k
{"statusCode":400,"error":"Bad Request","message":"child "attributes" fails because ["attributes" is required]. "file" is not allowed","validation":{"source":"payload","keys":["attributes","file"]}} % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 28478 100 204 100 28274 7285 986k --:--:-- --:--:-- --:--:-- 958k
{"statusCode":400,"error":"Bad Request","message":"child "attributes" fails because ["attributes" is required]. "file" is not allowed","validation":{"source":"payload","keys":["attributes","file"]}} % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 31344 100 204 100 31140 7846 1169k --:--:-- --:--:-- --:--:-- 1224k
{"statusCode":400,"error":"Bad Request","message":"child "attributes" fails because ["attributes" is required]. "file" is not allowed","validation":{"source":"payload","keys":["attributes","file"]}} % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 15825 100 204 100 15621 8869 663k --:--:-- --:--:-- --:--:-- 671k
{"statusCode":400,"error":"Bad Request","message":"child "attributes" fails because ["attributes" is required]. "file" is not allowed","validation":{"source":"payload","keys":["attributes","file"]}} % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 64489 100 204 100 64285 7846 2414k --:--:-- --:--:-- --:--:-- 2422k
{"statusCode":400,"error":"Bad Request","message":"child "attributes" fails because ["attributes" is required]. "file" is not allowed","validation":{"source":"payload","keys":["attributes","file"]}} % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 29625 100 204 100 29421 8160 1149k --:--:-- --:--:-- --:--:-- 1157k
{"statusCode":400,"error":"Bad Request","message":"child "attributes" fails because ["attributes" is required]. "file" is not allowed","validation":{"source":"payload","keys":["attributes","file"]}} % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 547 100 96 100 451 1548 7274 --:--:-- --:--:-- --:--:-- 8822
{"message":"An internal server error occurred","statusCode":500,"error":"Internal Server Error"} % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 496k 100 60 100 496k 2608 21.0M --:--:-- --:--:-- --:--:-- 22.0M
{"statusCode":404,"error":"Not Found","message":"Not Found"} % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5455 100 134 100 5321 3621 140k --:--:-- --:--:-- --:--:-- 143k
{"statusCode":400,"error":"Bad Request","message":""imageUrl" is not allowed","validation":{"source":"payload","keys":["imageUrl"]}}#

@benpturner

[Screenshot 2020-10-12 at 20 35 47]

That's where I got up to in the install

@MarcOverIP
Member Author

Yes I agree that the logging is not that helpful. I just changed this a bit in commit 4a71fc7 (not part of a new beta release yet)

That having been said, it seems that your installation only had issues with importing Kibana prepared data. If this is the case, you will miss some easy-to-use things but it's not a big issue per se. So perhaps your install might actually work.

You may also be happy to know that we are working on a docker-compose version of the RedELK server, helping you with that install. Not ready yet, and prolly will take another few weeks.

@MarcOverIP
Member Author

FYI, the v2.0.0-beta.3 release is out. This release has the elkserver side entirely overhauled into a docker-compose setup. Should make your life easier (although it's still beta).

@benpturner

[screenshot attachment]

@benpturner

Hi - just trying the docker stuff and getting this on the initial install

@benpturner

Had to modify these VARS in the .env before this installed

@benpturner

[ ] Running initial Let's Encrypt script
./install-elkserver.sh: line 444: ./init-letsencrypt.sh: Permission denied
[ ] Building RedELK from redelk-full.yml file
ERROR: Named volume "{{CERTS_DIR_NGINX_LOCAL}}:/etc/nginx/certs:rw" is used in service "nginx" but no declaration was found in the volumes section.
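The two failures above (a helper script without its executable bit, and a compose file still carrying an unrendered `{{CERTS_DIR_NGINX_LOCAL}}` placeholder that docker-compose then treats as an undeclared named volume) are both catchable before docker-compose runs. Here is an added Python preflight check, not RedELK's own code, that flags unrendered `{{...}}` placeholders, named volumes used by a service but missing from the top-level `volumes:` section, and helper scripts that are not executable. The compose snippet is constructed for this example and is not RedELK's redelk-full.yml; the volume scanner is a line-based scan that assumes 2-space YAML indentation rather than a full YAML parser.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# Unrendered template placeholders such as {{CERTS_DIR_NGINX_LOCAL}}.
PLACEHOLDER_RE = re.compile(r"\{\{\s*[A-Za-z_][A-Za-z0-9_]*\s*\}\}")


def unrendered_placeholders(text: str) -> List[str]:
    """Placeholders that a templating step should have replaced but did not."""
    return sorted(set(PLACEHOLDER_RE.findall(text)))


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def undeclared_named_volumes(text: str) -> List[str]:
    """Named volumes referenced under a service's volumes: key but absent from
    the top-level volumes: section. ASSUMPTION: 2-space indented compose YAML;
    this is a deliberately small line scanner, not a YAML parser."""
    declared, used = set(), []
    section, service_key = None, None
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        ind = _indent(raw)
        if ind == 0:                                   # top-level key
            section = s[:-1] if s.endswith(":") else None
            service_key = None
            continue
        if section == "volumes" and ind == 2:          # "esdata:" or "esdata: {}"
            declared.add(s.split(":", 1)[0])
        elif section == "services":
            if ind == 2:                               # new service starts
                service_key = None
            elif ind == 4 and s.endswith(":"):         # e.g. "volumes:" / "ports:"
                service_key = s[:-1]
            elif ind > 4 and s.startswith("- ") and service_key == "volumes":
                src = s[2:].strip("'\"").split(":", 1)[0]
                # bind mounts start with a path; anything else is a named volume
                if not src.startswith(("/", ".", "~", "$")):
                    used.append(src)
    return sorted({u for u in used if u not in declared})


def check_compose(text: str) -> Dict[str, List[str]]:
    """Both compose checks in one call; empty lists mean the file is clean."""
    return {
        "placeholders": unrendered_placeholders(text),
        "undeclared_volumes": undeclared_named_volumes(text),
    }


def is_executable(path: str) -> bool:
    """What the install script needed to verify before invoking ./init-letsencrypt.sh."""
    return os.path.isfile(path) and os.access(path, os.X_OK)


def exec_bit_roundtrip() -> Tuple[bool, bool]:
    """Write a throwaway script and report is_executable() before/after chmod +x."""
    with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as fh:
        fh.write("#!/bin/sh\necho ok\n")
        path = fh.name
    try:
        os.chmod(path, 0o644)
        before = is_executable(path)
        os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
        after = is_executable(path)
    finally:
        os.unlink(path)
    return before, after


# Constructed compose file (not RedELK's); reproduces the shape of the error
# quoted above: a placeholder left in a volume source, plus one declared volume.
SAMPLE_COMPOSE = """\
version: "3.7"
services:
  nginx:
    image: nginx
    volumes:
      - "{{CERTS_DIR_NGINX_LOCAL}}:/etc/nginx/certs:rw"
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
    ports:
      - "443:443"
  elasticsearch:
    image: elasticsearch
    volumes:
      - esdata:/usr/share/elasticsearch/data
volumes:
  esdata: {}
"""

if __name__ == "__main__":
    print(check_compose(SAMPLE_COMPOSE))
    print("exec bit before/after chmod:", exec_bit_roundtrip())
```

Running the placeholder check on the rendered file right after the `.env` substitution step would have pointed at the unset variable directly, instead of surfacing it later as docker-compose's "no declaration was found in the volumes section".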

@fastlorenzo
Collaborator

@benpturner on which version did you encounter the error?

Regarding this one, I'm guessing this is the executable bit missing:

./install-elkserver.sh: line 444: ./init-letsencrypt.sh: Permission denied

@benpturner

I checked out master today - is that the latest branch?

@MarcOverIP
Member Author

Better to use the latest release, beta3 in this case. Also, in your case as you are developing, you may want to pass the dev parameter to the install-elkserver.sh script. This also will make sure the logstash config files are live mounted to files on your host.

@fastlorenzo fastlorenzo added the c2servers Related to RedELK C2 server components label May 27, 2021