Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/vysecurity/cobaltsplunk

Splunk Dashboard for CobaltStrike logs
https://github.com/vysecurity/cobaltsplunk

Last synced: 3 months ago
JSON representation

Splunk Dashboard for CobaltStrike logs

Awesome Lists containing this project

README 

          
# CobaltSplunk Splunk Application



## Authors



- **Vincent Yiu (@vysecurity)** - Original author of CobaltSplunk

- **Mariusz B. /mgeeky (@mariuszbit)** - General App refactor introducing support for CobaltStrike 4.3+, tracking screenshots/keystrokes/teamserver_events, reworking Raport queries and polishing other things. 

- **ADARMA ( tomasz.dziwok@adamra.com )** - Based on his "VirusTotal Malware Lookup" / TA-VirusTotal Splunk App, VirusTotal integration is being added to CobaltSplunk.



## Blog Post



https://vincentyiu.com/red-team/attack-infrastructure/cobaltsplunk



## What is CobaltSplunk?



CobaltSplunk is a Splunk Application that knows how to 1) ingest Cobalt Strike related logs and parse them properly, 2) display useful operational dashboards, 3) display relevant reports.



## Usage



Manually:



0) Install Splunk

	We can grab _Splunk Enterprise Trial_ (Splunk Free) which gives us 60 days of enterprise features evaluation period.

	During that time we'll be limited to upload no more than 500MB of data per file.

	Download your `splunk-8.1.2-545206cc9f70-linux-2.6-amd64.deb` package, then hit:

	`$ sudo dpkg -i splunk-8.1.2-545206cc9f70-linux-2.6-amd64.deb`



	After getting Splunk installed, enable it to run on boot-start as well as setup Administration account's username & password:



	`$ sudo /opt/splunk/bin/splunk enable boot-start`



1) Download Cobalt.spl

2) Install as application: Apps -> Manage Apps -> Install app from file

   or using CLI: `$ /opt/splunk/bin/splunk install app  -auth User:Password`



3) Ingest logs

	In a simplest way: 

		Add Data -> Monitor -> Files & Directories -> CobaltStrike logs directory

		-> Host: Regular expression on path -> Host field value: `\d{6}/([a-zA-Z-\._0-9]+)/\w+` -> Index: `cobalt` -> Save



4) View the dashboard and reports as you see fit



Or you can use automated script attached to this repository like so:



```

./install-splunk.sh    [path-to-CobaltSplunk.spl]

```



The script will automatically create `cobalt` index if none exists, install CobaltSplunk application pointed by last argument, add `operator` role to the specified username, that has default index switched to `cobalt` (so that `Data Summary` functionality will include Cobalt Strike events by default) and add monitored Teamserver log files as specified by location supplied in third parameter of the script.



Example run:



```

$ ./install-splunk.sh admin Password1! /media/sf_vmshared/cobalt/linux/logs ./Cobalt.spl

```



## Getting Started



To build your first queries searching through Cobalt Strike logs, go to the Search view and open your query with one of the helper operators:



- `index=cobalt` - Tells Splunk to search through cobalt-related events

- `sourcetype=beacon_log` - Tells Splunk to search through specific logfiles/sourcetypes, further discussed below.

- `source="*beacon_137*.log"` - Examines specific source file with wildcards in its path.



After any of these operators are specified, you can start expanding your search queries by adding further statements, values and specific search conditions.



Example: 



_To find commands issued by specific operator:_



```

sourcetype=beacon_log type=input operator=mariusz

```



However this search query will return Events, which is not something especially readable and digestible. Therefore we can enhance that search query bit further to visualise it in form of a table perhaps:



```

sourcetype=beacon_log type=input operator=mariusz

| table _time host operator command

| sort _time

```



A bit better. How about filtering only entries that were issued on a specific host? No problem at all:



```

sourcetype=beacon_log type=input operator=mariusz host="192.168.50.14"

| table _time host operator command

| sort _time

```



## App Functionality



This Splunk app collects all events coming from Cobalt Strike data inputs in `index=cobalt` and defines several useful _sourcetypes_ based on supplied Cobalt Strike logs contents. 



Defined _sourcetypes_:



- `sourcetype=beacon_log` - Contains various log entries from `beacon_*.log` files.

- `sourcetype=weblog` - Teamserver Web Server access log entries `weblog_*.log` files.

- `sourcetype=screenshots` - List of screenshots taken by Beacons `screenshots.log` files.

- `sourcetype=teamserver_events` - Teamserver events log entries:  `events.log` files.

- `sourcetype=keystrokes` -  Keystrokes collected across Beacons `keystrokes_*.log` files.



These sourcetypes can facilitate searches by introducing pre-built regular expressions that extract interesting fields.



Each of these entries bring its own set of extracted fields, described below:



### `sourcetype=beacon_log`



Example log entries:



```

04/09 11:26:34 UTC [metadata] beacon_1830434858 -> 172.16.100.173; computer: DCORP-STD173; user: SYSTEM *; process: dllhost.exe; pid: 4364; os: Windows; version: 10.0; beacon arch: x64 (x64)

04/09 11:26:33 UTC [output]

established link to parent beacon: 172.16.100.173



04/09 11:26:34 UTC [task] <> Tasked Beacon to find svchost.exe running as SYSTEM * and make it the PPID.

04/09 11:26:34 UTC [input]  blockdlls start

04/09 11:26:34 UTC [task]  Tasked beacon to block non-Microsoft binaries in child processes

04/09 11:26:36 UTC [checkin] host called home, sent: 417607 bytes

04/09 11:26:41 UTC [output]

```



Available fields:



- `date_time` - Log entry timestamp

- `metadata` - Metadata log line, emitted when a Beacon event is processed. Contains compromised system details

- `checkin` - Checkin log entries

- `task` - The line documenting what Beacon did at that time (`Tasked beacon to...`)

- `input` - Commands issued by operators to their beacons

- `output` - Outputs from issued commands as returned by Beacons

- `type` - Type of log line, among examples: input, output, task, metadata, indicator

- `tactic` - MITRE ATT&CK Tactic ID as reported by Cobalt Strike

- `ioc` - IOCs stored in Teamserver logs issued whenever Operator is uploading a file to compromised box.



### `sourcetype=weblog`



Example log entries:



```

82.221.105.6 unknown unknown [11/26 00:40:30 UTC] "GET /favicon.ico" 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0 - Original IP 82.221.105.6"

82.221.105.6 unknown unknown [11/26 06:44:34 UTC] "GET /favicon.ico" 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0 - Original IP 82.221.105.6"

```



Available fields:



- `weblog` - A single line containing values such as ip, date_time, request, status_code, user_agent



### `sourcetype=screenshots`



Example log entries:



```

12/17 09:59:20 UTC  COMMANDOVM  1   commando    screen_5aa4e767_767910548.jpg   Firefox - My Bank

12/17 09:59:20 UTC  COMMANDOVM  1   commando    screen_5dad030e_1036629838.jpg  C:\Windows\System32\cmd.exe

```



Available fields:



- `screenshot` - A single line containing values such as date_time, computer, screenshot, user, screenshot_title



### `sourcetype=teamserver_events`



Example log entries:



```

11/27 00:33:15 UTC *** mariusz quit

11/27 11:37:20 UTC *** mariusz (127.0.0.1) joined

11/27 11:47:04 UTC *** initial beacon from commando *@192.168.56.6 (COMMANDOVM)

11/27 11:52:27 UTC *** Tasked Beacon (id: 608668554, user: COMMANDOVM\commando *, 192.168.56.6@2884) to exit

```



Available fields:



- `date_time` - A log entry timestamp

- `event` - A field containing entire event message

- `initial_beacon` - An event with initial beacon check-in

- `joined` - Operator joined information (authentication success)

- `quit` - Operator quit the server

- `hosted_file` - A file was hosted on the Teamserver webserver

- `beacon_exit` - Beacon was tasked to exit

- `chat` - An operator posted a message on Teamserver chat.



### `sourcetype=keystrokes`



Example log entries:



```

12/10 14:16:49 UTC Received keystrokes from commando in desktop 1



Mozilla Firefox - My Bank

=======

start[down]

```



Available fields:



- `date_time` - A log entry timestamp

- `metadata` - Line containing context information such as application name, desktop number, username

- `keystrokes` - Extracted keystrokes data



## Fields extraction regular expressions used



Here is the list of regular expressions comprising the `props.conf` file that instrument Splunk's indexer:



```

[beacon_log]

EXTRACT-date_time = ^(?P\d+/\d+\s+\d+:\d+:\d+)\s+\w+\s+\[

EXTRACT-metadata = ^[/A-Z0-9:\s]+\[metadata\]\s*(?P[^ ]+)\s+[<>-]+\s+(?P[^;]+);\s*computer:\s*\b(?P[^;]+);\s*user:\s*\b(?P[^;]+);\s*process:\s*\b(?P[^;]+);\s*pid:\s*\b(?[^;]+);\s*os:\s*\b(?[^;]+);\s*version:\s*\b(?P[^;]+)(?:;\s*build:\s*\b(?P[^;]+))?;\s*beacon\s+arch:\s*(?P[^\s]+)

EXTRACT-checkin = (?=[^c]*(?:checkin|c.*checkin)).+sent:\s*(?P\d+\s+bytes)

EXTRACT-task = ^(?=[^t]*(?:task|t.*task)).+(?PTasked\s+.+)$

EXTRACT-input = (?=[^i]*(?:input|i.*input))^[^<\n]*<(?P[^>]+)>\s+(?P.+)

EXTRACT-output = ^[/A-Z0-9:\s]+\[output\]\s*^(?P.*)

EXTRACT-type = ^[^\[\n]*\[(?P\w+)

EXTRACT-tactic = ^[/A-Z0-9:\s]+\[task\]\s*<(?PT\d+(?:,\s*(?:T\d+))*),?\s*>

EXTRACT-ioc = ^[/A-Z0-9:\s]+\[indicator\]\s*(?P[^:]+):\s+(?P[^\s]+)\s+(?P\d+)\s+bytes\s+(?P.*)

EXTRACT-process = (?i)^(?P(?:\[System\s+Process\])|Memory Compression|System|Registry|.+\.exe)\s+(?P\d+)\s+(?P\d+)(?:\s*(?Px\d{2})\s+(?P[^\s]+)?\s+(?P\d+))?

EXTRACT-file = ^(?P[a-zA-Z])\s+(?P\d+)\s+\b(?P\d{2}\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2})\s+(?P.*)$

EXTRACT-listpath = ^(?P(?:[A-Z]:\\.*)|(?:\\.*))(?:\\\*)?\s*\n^\s*[DF]\t\d+



[weblog]

EXTRACT-weblog = ^(?P[^ ]+)[^\[\n]*\[(?P[^\]]+)\]\s+"(?P[^"]+)"\s+(?P[^ ]+)(?:[^"\n]*"){3}(?P[^"]+)



[screenshots]

EXTRACT-screenshot = ^(?P\d+/\d+\s+\d+:\d+:\d+)\s+\w+\s+(?P[^\s]+)\s+\d+\s+(?P[^\s]+)\s+(?P[^\s]+)\s+(?P.*)



[teamserver_events]

EXTRACT-date_time = ^(?P\d+/\d+\s+\d+:\d+:\d+)\s+\w+\s+\*\*\*\s+

EXTRACT-event = ^(?:\d+/\d+\s+\d+:\d+:\d+)\s+\w+\s+\*\*\*\s+(?P.*)

EXTRACT-initial_beacon = ^(?:\d+/\d+\s+\d+:\d+:\d+)\s+\w+\s+\*\*\*\s+initial\s+beacon\s+from\s+(?P[^@]+)@(?P[^[\s]+)\s+\((?P[^\)]+)\)

EXTRACT-joined = ^(?:\d+/\d+\s+\d+:\d+:\d+)\s+\w+\s+\*\*\*\s+(?P[^\s]+)\s+(?:\([^\)]+\)\s*)?joined

EXTRACT-quit = ^(?:\d+/\d+\s+\d+:\d+:\d+)\s+\w+\s+\*\*\*\s+(?P[^\s]+)\s+quit

EXTRACT-hosted_file = ^(?:\d+/\d+\s+\d+:\d+:\d+)\s+\w+\s+\*\*\*\s+(?P[^\s]+)\s+hosted\s+file\s+(?P.*)

EXTRACT-beacon_exit = ^(?:\d+/\d+\s+\d+:\d+:\d+)\s+\w+\s\*\*\*\s+Tasked\s+Beacon\s+(?P.+)\s+to\s+exit\.

EXTRACT-chat = ^(?:\d+/\d+\s+\d+:\d+:\d+)\s+\w+\s<(?P[^>]+)>\s+(?P.*)



[keystrokes]

EXTRACT-date_time = ^(?P\d+/\d+\s+\d+:\d+:\d+)\s+\w+\s+Received

EXTRACT-metadata = ^(?:\d+/\d+\s+\d+:\d+:\d+)\s+\w+\s+Received\s+keystrokes\s+from\s+(?P.+)\s+in\s+desktop\s+(?P\d+).+^(?P.+)=======

EXTRACT-keystrokes = ^(?:\d+/\d+\s+\d+:\d+:\d+)\s+\w+\s+Received\s+keystrokes\s+[^\n]+\n^(?P.*)

```