RedELK server installation

Marc Smeets edited this page Mar 4, 2022 · 15 revisions

In short

  1. extract elkserver.tgz on your RedELK server
  2. edit mounts/redelk-config/etc/redelk/config.json
  3. run install-elkserver.sh (optional with parameters)
  4. post installation config of mounts/redelk-config/etc/cron.d/redelk
  5. post installation config of mounts/redelk-config/etc/redelk/iplist_* files

In detail

Installation

Copy and extract elkserver.tgz on your RedELK server as part of your red team infra deployment procedures.

Modify mounts/redelk-config/etc/redelk/config.json to include:

  • loglevel option to define the logging level for the daemon (possible values: CRITICAL, ERROR, WARNING, INFO, DEBUG - Default: WARNING)
  • redelkserver_letsencrypt options if you want to use certbot certificates for your Kibana interface.
  • notifications options for delivering notifications such as SMTP details
  • alarms options to enable which alarms you want
  • alarm_filehash with details on querying virustotal and others

Run: install-elkserver.sh. Optional parameters:

  • dryrun : only do pre-install checks and write config to .env file. It's good practice to run with this parameter the first time.
  • fixedmemory : skips the auto memory adjustment and sets memory for elasticsearch and neo4j to 1GB
  • limited: do not install Neo4j and Jupyter notebooks
  • dev : only used for development (rebuilds all docker containers and inserts some test logs)

This script will install docker images of logstash, elasticsearch, kibana, neo4j, jupyter notebook and certbot. The local .env file contains all docker-specific parameters.

Configuration

You are not done yet. You need to manually enter the details of your C2 servers in mounts/redelk-config/etc/cron.d/redelk, as well as tune the config files in mounts/redelk-config/etc/redelk/:

  • iplist_redteam.conf : public IP addresses of your red team, one per line. Convenient for identifying testing done by red team members. Including an address here will set a tag for applicable records in the redirhaproxy-* index.
  • iplist_customer.conf : public IP addresses of your target, one per line. Including an address here will set a tag for applicable records in the redirhaproxy-* index.
  • iplist_unknown.conf : public IP addresses of gateways that you are not sure about yet, but don't want to be warned about again. One per line. Including an address here will set a tag for applicable records in the redirhaproxy-* index.
  • rogue_useragents.conf : User agents that are known bad when they access your C2 backend. We have included a basic list of UAs like curl, python-urllib and some other tools blue teamers like to use. The list also contains a list of UAs of instant messaging tools such as WhatsApp, Skype and Slack. Very useful for when your C2 is shared amongst analysts using IM. Feel free to add UAs to this list.
  • known_testsystems.conf : beacon characteristics of known test systems. You probably want to add info regarding your own test systems. One per line. Including data here will set a tag for applicable records in the rtops-* index.
  • iplist_alarmed.conf : one IP per line that you don't want to be alarmed about.
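As an added example (not RedELK's own code) of the tagging these files drive: the script below parses iplist_* and rogue_useragents files in the one-entry-per-line format described above, rejects malformed lines instead of silently skipping them, and tags constructed redirector records by source address and user agent. The tag names, the sample file contents and CIDR support in the iplist files are assumptions, not taken from this page.

```python
import ipaddress

# Constructed sample config contents (one entry per line, '#' comments allowed).
IPLISTS = {
    "iplist_redteam.conf": "# red team egress\n203.0.113.10\n",
    "iplist_customer.conf": "198.51.100.0/24\n",  # CIDR accepted here: an assumption
    "iplist_unknown.conf": "192.0.2.77\n\n# not sure yet\n",
}
ROGUE_UAS = "curl/\npython-urllib\nWhatsApp\nSlackbot\n"

def parse_iplist(text):
    """Return ip_network objects; skip blanks/comments, fail on junk lines."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not an IP or CIDR") from exc
    return nets

def parse_ualist(text):
    """One user-agent substring per line; blanks and comments ignored."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")]

def tag_record(record, iplists, rogue_uas):
    """Tag one redirector record (dict with src_ip and useragent)."""
    tags = []
    src = ipaddress.ip_address(record["src_ip"])
    for fname, nets in iplists.items():
        if any(src in net for net in nets):
            tags.append(fname.rsplit(".", 1)[0])  # tag name assumed: file name sans .conf
    ua = record.get("useragent", "").lower()
    if any(bad.lower() in ua for bad in rogue_uas):
        tags.append("rogue_useragent")  # assumed tag name
    return tags

def tag_records(records):
    iplists = {f: parse_iplist(t) for f, t in IPLISTS.items()}
    return [tag_record(r, iplists, parse_ualist(ROGUE_UAS)) for r in records]

SAMPLE = [  # constructed records using RFC 5737 documentation addresses
    {"src_ip": "203.0.113.10", "useragent": "Mozilla/5.0"},
    {"src_ip": "198.51.100.42", "useragent": "curl/7.88.1"},
    {"src_ip": "192.0.2.77", "useragent": "WhatsApp/2.23"},
    {"src_ip": "192.0.2.200", "useragent": "Mozilla/5.0"},
]
print(tag_records(SAMPLE))
```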

Other config files not recommended to edit:

  • abusebotnetc2ip.conf : auto-updated list of known C2 IP addresses as listed by abuse.ch
  • abusesslcert.conf : auto-updated list of known hashes of C2 TLS certs as listed by abuse.ch
  • roguedomains.conf : auto-updated list of known bad domains, from multiple sources.
  • torexitnodes.conf : auto-updated list of known Tor exit node IP addresses.
  • known_sandboxes.conf : beacon characteristics of known AV sandbox systems. One per line. Including data here will set a tag for applicable records in the rtops-* index. This is not really relevant anymore as more and more sandboxes have fully random names.
  • redteamdomains.conf : list of domains as used by your offensive infrastructure. As there is no alarm coded yet to check this, there is no need to edit this file.