17 October 2022

Bleep away...

 

www.bleepingcomputer.com

CISA releases open-source 'RedEye' C2 log visualization tool

Ionut Ilascu
3 minutes

CISA releases open-source 'RedEye' C2 log visualization tool

"The U.S. Cybersecurity and Infrastructure Security (CISA) agency has announced RedEye, an open-source analytic tool for operators to visualize and report command and control (C2) activity.

RedEye is for both red and blue teams, providing an easy way to gauge data that leads to practical decisions.

Assessing attack campaigns

A joint project from CISA and DOE’s Pacific Northwest National Laboratory, RedEye can parse logs from attack frameworks (e.g. Cobalt Strike) to present complex data in a more digestible format.

The tool allows users to upload campaign data to view relevant information such as beacons and commands.

Campaign upload feature in CISA's RedEye tool
RedEye tool - campaign data upload

Historical records of each campaign logs loaded into RedEye can be viewed in a graphical representation that correlates servers and hosts involved.

Campaign visualization in CISA's RedEye tool
RedEye tool - campaign visualization

Analysts can also explore key events in a selected campaign to discover payload activity and follow an attacker’s penetration path, such as lateral movement activity or the use of credentials to increase privileges on a machine.

Explore campaign in CISA's RedEye tool
RedEye tool - campaign playback

The features available in RedEye allow analysts to comment on the attacker’s activity for better collaboration and understanding of the attack path.

Comment support in CISA's RedEye tool
RedEye tool - comment and tags feature

Using the comments from analysts and the techniques used in the campaign, RedEye can also generate presentations that can be shared with stakeholders and clients.

All data collected from a campaign and the comments from analysts can be exported so clients can review

Blue teams can also use RedEye to understand easier the raw data received from an assessment, and view the attack path and the compromised hosts so they can take appropriate action.

Generate attack campaign presentations with CISA's RedEye tool
RedEye tool - generate presentations

At the moment, RedEye can parse logs from the Cobalt Strike framework.

It has been tested to work on Linux (Ubuntu 18 and above, Kali Linux 2020.1 or newer), macOS (El Capitan and above), and Windows 7 or newer.

The tool is available on GitHub, in CISA’s repository.

CISA has also released a video, available below, going through the main features avaialble in RedEye: 

[    ] 

RedEye is the latest in a set of tools that CISA released as open-source projects over the past few years.

Among them are Malcom - a network traffic analysis tool, ICS NPP - a tool for parsing Industrial Control Systems Network Protocols, Sparrow - a PowerShell script for detecting possible compromised accounts and apps in Azure and Microsoft 365 environments." 

READ MORE

Related Articles:

MyDeal data breach impacts 2.2M users, stolen data for sale online

Australian insurance firm Medibank confirms ransomware attack

Fast Company says Executive Board member info was not stolen in attack

Hacker shares how they allegedly breached Fast Company’s site

What the Uber Hack can teach us about navigating IT Security

No comments:

If I sat next to you on a flight what would you ask me about?

Elon Musk (Parody) @ElonMuskAOC If I sat next to you on a flight what would you ask me about? 2:37 AM · Dec 28, 2024 · 34.2K Views