
Recommendations and systems requirements

Marc Smeets edited this page Feb 11, 2020 · 8 revisions

Recommendations

It is strongly recommended to destroy and reinstall your red team infrastructure per engagement. You probably already know this, but it can't hurt to restate it.

This means that we highly recommend that you:

  • Create and destroy a RedELK installation per engagement. RedELK does allow you to define different attack scenario names within a single engagement, which comes in very handy for multi-scenario engagements such as TIBER.
  • Install the redirector, teamserver and RedELK components on different systems. You don't want to mix these functions on one host.
  • At the start of your red team engagement, deploy new systems to serve as redirectors, teamservers and RedELK server.
  • Only run the installation scripts bundled with RedELK on new (vanilla) systems; that is the only setup they are tested on.
  • Don't use the installation scripts to upgrade RedELK; they are not intended for that. Want a newer version of RedELK? Nuke the system, git clone the latest release and perform a fresh installation.

HW and SW specs

The main RedELK component needs to be installed on a dedicated system. Ubuntu 16.04 and 18.04 have been tested for this. On a Linux distribution that is not APT-based, the install script is guaranteed to fail.

For the main RedELK server we recommend at least a dual-core CPU and at least 8 GB of RAM. Also very important: the redirectors and teamservers must be able to reach a TCP port on the RedELK server, since that is where they ship their logs. As with any listener on red team infrastructure, that port should only be reachable from those hosts.

Besides the installation on the central RedELK system, you also need to run installers on your teamservers and on your redirectors. The footprint on both is negligible: they only run filebeat to monitor the relevant logs and forward them to your RedELK system, plus a few local periodic shell scripts.
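The requirements above are easy to forget when standing up fresh hosts under engagement time pressure. The following preflight script is an added example, not part of RedELK or this wiki: it encodes the tested Ubuntu releases, the APT requirement and the CPU/RAM recommendations as checks you can run on the future RedELK server before launching the installer, and adds a TCP reachability test to run from a redirector or teamserver. The log-shipping port is not stated on this page, so the script takes it as an argument rather than assuming a RedELK default; the script name and the `--run`/`--reach` flags are this example's own.

```bash
#!/usr/bin/env bash
# preflight-redelk.sh: check a host against the requirements listed on this
# page before running the RedELK installer. Added example; not part of RedELK.
set -u

# Ubuntu releases this page lists as tested for the main RedELK component.
TESTED_RELEASES="16.04 18.04"
MIN_CORES=2
MIN_RAM_KB=$((8 * 1024 * 1024))   # 8 GB, in KiB as /proc/meminfo reports it

# 0 if the given release string is one of the tested Ubuntu releases.
is_tested_release() {
  local rel="$1" r
  for r in $TESTED_RELEASES; do
    [ "$r" = "$rel" ] && return 0
  done
  return 1
}

# 0 if the core count meets the recommended minimum.
has_enough_cores() { [ "${1:-0}" -ge "$MIN_CORES" ]; }

# 0 if the RAM size in KiB meets the recommended minimum.
has_enough_ram() { [ "${1:-0}" -ge "$MIN_RAM_KB" ]; }

# 0 if apt-get is present: the bundled installer only works on APT-based systems.
has_apt() { command -v apt-get >/dev/null 2>&1; }

# 0 if a TCP connect to host:port succeeds within 3 seconds. Run this from a
# redirector or teamserver against the RedELK server. The port is whatever you
# opened for log shipping; it is passed in here, not assumed as a RedELK default.
port_open() {
  local host="$1" port="$2"
  timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Collect live values from this host and report each requirement.
# Returns 0 only if every check passes.
preflight() {
  local rc=0 rel cores ram_kb
  rel=$( . /etc/os-release 2>/dev/null; printf '%s' "${VERSION_ID:-unknown}" )
  rel=${rel:-unknown}
  cores=$(nproc 2>/dev/null || echo 0)
  ram_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null)
  ram_kb=${ram_kb:-0}

  if is_tested_release "$rel"; then echo "OK   Ubuntu $rel is a tested release"
  else echo "FAIL release '$rel' is not one of: $TESTED_RELEASES"; rc=1; fi

  if has_apt; then echo "OK   apt-get found"
  else echo "FAIL no apt-get: the install script will not work here"; rc=1; fi

  if has_enough_cores "$cores"; then echo "OK   $cores CPU cores"
  else echo "FAIL $cores CPU cores, want at least $MIN_CORES"; rc=1; fi

  if has_enough_ram "$ram_kb"; then echo "OK   $((ram_kb / 1024)) MiB RAM"
  else echo "FAIL $((ram_kb / 1024)) MiB RAM, want at least $((MIN_RAM_KB / 1024)) MiB"; rc=1; fi

  return $rc
}

# Usage:  bash preflight-redelk.sh --run              (on the future RedELK server)
#         bash preflight-redelk.sh --reach HOST PORT   (from a redirector or teamserver)
case "${1:-}" in
  --run)   preflight ;;
  --reach) port_open "$2" "$3" && echo "OK   $2:$3 reachable" || { echo "FAIL $2:$3 not reachable"; exit 1; } ;;
esac
```

Run it with `--run` on the freshly deployed RedELK host and fix every FAIL line before starting the installer; run it with `--reach` from each redirector and teamserver once the RedELK port is open, which also confirms that any firewall restriction you placed on that port still lets the right hosts through.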

Supported red team tools

RedELK currently supports:

  • Cobalt Strike teamservers. We are working on other C2 frameworks such as FactionC2, Covenant and Empire.
  • HAProxy and Apache for HTTP(S) redirectors at this moment. We are working on support for Nginx.

Important: RedELK requires logging that differs from the defaults of your redirector software in order to capture more, and more relevant, information. You can find example configuration files in the Redirector installation section and in the example-data-and-configs folder.
