RedELK – Red Team’s SIEM Framework


Deploying a SIEM on an information system is becoming a necessity for monitoring security alerts and network or system intrusions, and for protecting existing assets and applications. Today a SIEM is not only something the Blue Team runs: a Red Team should have its own as well. If you are looking for a ready-made Red Team SIEM, take a look at RedELK.

RedELK is a Red Team's SIEM: an easily deployable tool for Red Teams, used for tracking and alarming on Blue Team activities, as well as for giving the Red Team better usability in long-term operations. The goals of the project are:

  1. Enhanced usability and overview for the red team operators by creating a central location where all relevant operational logs from multiple teamservers are collected and enriched. This is great for historic searching within the operation as well as for giving a read-only view on the operation (e.g. for the White Team). It is especially useful for multi-scenario, multi-teamserver, multi-member and multi-month operations. It also gives super easy ways of viewing all screenshots, IOCs, keystroke output, etc. \o/
  2. Spot the Blue Team by having a central location where all traffic logs from redirectors are collected and enriched. Using specific queries it is now possible to detect that the Blue Team is investigating your infrastructure.
  3. Out-of-the-box usable by being easy to install and deploy, as well as having ready-made views, dashboards and alarms.
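
The kind of query goal 2 describes can be sketched as code. The following is an added example, not RedELK's own code or its Kibana searches: it parses Apache combined-format redirector access logs (constructed sample lines, not real traffic), compares each request against a hypothetical C2 profile (the URIs, HTTP methods and User-Agent the implant is configured to use), and flags source addresses whose requests repeatedly fall outside that profile. That mismatch is the signal that a human analyst or a scanner, rather than the implant, is talking to the redirector. The profile, the paths, the User-Agent and the threshold are all assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Apache "combined" log format, as typically written by a redirector.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical C2 profile (an assumption for this example): the URIs the implant
# uses, the method each one expects, and the exact User-Agent it sends.
PROFILE = {
    "paths": {"/api/v2/status": "GET", "/api/v2/submit": "POST"},
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
}

# Constructed sample log lines (not real traffic). 203.0.113.10 and 192.0.2.44
# behave like implants; 198.51.100.7 behaves like someone poking at the server.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v2/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.10 - - [10/Oct/2023:13:56:36 +0000] "POST /api/v2/submit HTTP/1.1" 200 20 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
198.51.100.7 - - [10/Oct/2023:14:02:01 +0000] "GET /api/v2/status HTTP/1.1" 200 512 "-" "curl/7.88.1"
198.51.100.7 - - [10/Oct/2023:14:02:05 +0000] "GET /api/v2/submit HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:14:02:09 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:14:02:10 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
192.0.2.44 - - [10/Oct/2023:14:10:00 +0000] "GET /api/v2/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry, profile=PROFILE):
    """Return the reasons a request does not look like the implant's own traffic.

    An empty list means the request matches the C2 profile exactly.
    """
    reasons = []
    expected_method = profile["paths"].get(entry["path"])
    if expected_method is None:
        # Not a C2 URI at all: a probe, a scanner, or a human browsing the host.
        reasons.append("uri outside c2 profile")
    else:
        if entry["method"] != expected_method:
            reasons.append("unexpected method on c2 uri")
        if entry["ua"] != profile["user_agent"]:
            # A C2 URI fetched by a browser or curl is the classic sign of an analyst
            # replaying a URL they pulled from a proxy log or a sandbox report.
            reasons.append("c2 uri fetched with non-profile user-agent")
    return reasons


def analyse(log_text, profile=PROFILE, threshold=2):
    """Aggregate per source IP and return only the sources with >= threshold flagged requests."""
    per_ip = defaultdict(lambda: {"hits": 0, "flagged": 0, "reasons": set(), "paths": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        stats = per_ip[entry["ip"]]
        stats["hits"] += 1
        stats["paths"].add(entry["path"])
        reasons = classify(entry, profile)
        if reasons:
            stats["flagged"] += 1
            stats["reasons"].update(reasons)
    return {ip: s for ip, s in per_ip.items() if s["flagged"] >= threshold}


if __name__ == "__main__":
    for ip, stats in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {stats['flagged']}/{stats['hits']} requests off-profile")
        for reason in sorted(stats["reasons"]):
            print(f"  - {reason}")
        print(f"  paths: {sorted(stats['paths'])}")
```

Two caveats apply to any real deployment of this idea. A redirector usually also serves decoy content, so legitimate web crawlers will hit non-profile URIs and trip the "uri outside c2 profile" rule; known crawler ranges and the decoy paths should be excluded before alerting. And a request that matches the profile perfectly is not proof of an implant either: an analyst who has extracted the profile from a sample can replay it exactly, which is why correlating the redirector log with the teamserver's own beacon log, as RedELK does, is stronger than inspecting the redirector log alone.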
When the Red Team starts its attacks and exploitation, the Blue Team has its own tools in place to detect and prevent them, so having a centralized SIEM that shows what protections they have helps in developing more advanced attacks and exploits. Some of the information a Red Team gets from this SIEM is:

  • Screenshots of the targeted systems. RedELK comes with an easy way of looking at all the screenshots that were made of your targets. Select the ‘Screenshots’ search to get this overview. Two big usability features were added: thumbnails and hyperlinks to the full pictures. The thumbnails let you scroll through quickly and give an immediate impression: often you still remember what the screenshot looked like.
  • Keystrokes. Just as with screenshots, it is very handy to have an easy overview of all keystrokes. This search gives you the first lines of content, as well as, again, a hyperlink to the full keystrokes log file.
  • IOC data. To get a quick list of all IOCs, RedELK comes with an easy overview. Just use the ‘IOCs’ search to get this list. This presents all IOC data from Cobalt Strike, both from files and from services.

There is also a rich dashboard of logged events for seeing what the Blue Team has in terms of protection.

You can download and read more about this tool over here: