cisagov/RedEye cisagov/RedEye

  • This repository has been archived on 20/Oct/2023
  • Stars
    star
    2,613
  • Rank 17,081 (Top 0.4 %)
  • Language
    TypeScript
  • License
    BSD 3-Clause "New...
  • Created over 1 year ago
  • Updated 8 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
cisagov/RedEye
github

cisagov

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

RedEye is a visual analytic tool supporting Red & Blue Team operations

RedEye

Red Team C2 Log Visualization

RedEye Screenshot

RedEye is an open-source analytic tool developed by CISA and DOE’s Pacific Northwest National Laboratory to assist Red Teams with visualizing and reporting command and control activities. This tool allows an operator to assess and display complex data, evaluate mitigation strategies, and enable effective decision making in response to a Red Team assessment. The tool parses logs, such as those from Cobalt Strike, and presents the data in an easily digestible format. The users can then tag and add comments to activities displayed within the tool. The operators can use the RedEye’s presentation mode to present findings and workflow to stakeholders.

RedEye can assist an operator to efficiently:

  • Replay and demonstrate Red Team’s assessment activities as they occurred rather than manually pouring through thousands of lines of log text.
  • Display and evaluate complex assessment data to enable effective decision making.
  • Gain a clearer understanding of the attack path taken and the hosts compromised during a Red Team assessment or penetration test.

Red Team: Red Team

Blue Team: Blue Team

User Guide

Follow along with the User Guide to learn about RedEye's feature set.

Quick start

  1. Download the latest RedEye binaries for your OS* from the Releases page. 2. Pick a mode and Run the server
    • Red Team mode enables the full feature set: upload C2 logs, explore data, and create presentations. To start the server in Red Team mode, run the following in a terminal. You must provide a password to run in RedTeam mode.
      ./RedEye --redTeam --password <your_password>
    • Blue Team mode (default) enables a simplified, read-only UI for reviewing campaigns exported by a Red Team. To start the server in Blue Team mode. Double-click on the 'RedEye' executable or run ./RedEye from the command line.
  2. Use the web app in a browser at http://127.0.0.1:4000. The RedEye binary runs as a server in a terminal window and will automatically open the web app UI your default browser. You must close the terminal window to quit the RedEye server.

MacOS Issue - When running RedEye for the first time, you may get a "not verified" error. You must go to "System Preferences" > "Security & Privacy" > "General" and click "Open Anyway." More info on the Apple support page.

Red Team & Blue Team Modes

RedEye has two modes that cover two stages of the Red Teaming process. Red Team mode allows importing C2 data, editing imported data, and making comments and presentations. After curating and annotating campaign data, Red Teams can export their campaign as a standalone .redeye file and hand it off to a Blue Team for reporting and remediation. Blue Team mode runs RedEye in a simplified read-only mode for viewing curated data exported by a Red Team.

Note: Both Red and Blue Team modes can be started from the same RedEye application binary.

Red Team

The downloaded binary comes in two parts:

  • The RedEye application binary
  • The parsers folder containing parser binaries (e.g. cobalt-strike-parser Cobalt Strike log parser binary)

There are three options to run RedEye in Red Team mode:

  1. Run the downloaded binary, passing in the --redTeam and password options: 
    ./RedEye --redTeam --password <your_password>
  2. Clone, install, and run the project directly (covered in the Local Build section).
  3. Docker Compose
    1. Clone the repo
    2. Update the environment variables in docker-compose.yml.
    3. Run: 
      docker-compose -f docker-compose.yml up -d redeye-core

Blue Team

The Blue Team mode is a simplified, read-only UI for displaying data that has been curated, annotated, and exported by a Red Team. This mode runs by default to make startup more simple for the Blue Team.

The Blue Team version can be run by double-clicking the 'RedEye' application binary. RedEye runs at http://127.0.0.1:4000 (by default) and will automatically open your default browser.

Blue Team Presentation Handoff

If a campaigns folder is located in the same directory as the RedEye application, RedEye will attempt to import any .redeye campaign files within. Campaign files can be exported in the Red Team mode.

To prepare a version for the Blue Team, follow these two steps:

  1. Copy the RedEye application binary to an empty folder.
  2. Create a campaigns folder in the same directory and place the .redeye campaign files you want to send inside.
Folder/
	RedEye
	campaigns/
		Campaign-01.redeye
		Campaign-02.redeye

.redeye files can also be uploaded in Blue Team mode via the "+ Add Campaign" dialog.

RedEye Server parameters

Type ./Redeye -h to view the options

-d, --developmentMode [boolean]  put the database and server in development mode
-r, --redTeam [boolean]          run the server in red team mode
--port [number]                  the port the server should be exposed at
-p, --password [string]          the password for user authentication
--parsers [string...]            A list of parsers to use or a flag to use all parsers in the parsers folder
-t, --childProcesses [number]    max # of child processes the parser can use
-h, --help                       display help for command

you can also configure the server parameters in a config.json file that sits next to the RedEye binary

{
	"password": "937038570",
	"redTeam": true,
	"parsers": ["cobalt-strike-parser", "brute-ratel-parser"]
}

Local Build

Required Packages

  • Node.js >= v16
  • Install yarn: npm install -g yarn
  • Run: yarn install // Installs all packages
  • Run either:
    1. yarn release:all to build a binary for Linux, macOS, and Windows
    2. yarn release:(mac|windows|linux) .
  • platform options:
    • mac
    • windows
    • linux

Development

Setup

Install Node.js >= v16 Install yarn globally via npm

npm install -g yarn

Install package dependencies

yarn install

Quick Start Development

Runs the project in development mode

yarn start

Advanced Development

It is recommended to run the server and client in two separate terminals

yarn start:client

...in another terminal

yarn start:server

Build

to build a binary for Linux, macOS, and Windows

yarn release:all

to build for a specific platform, replace all with the platform name

yarn release:(mac|windows|linux)

Platform support

  • Linux
    • Ubuntu 18 and newer
    • Kali Linux 2020.1 and newer
    • Others may be supported but are untested
  • macOS
    • El Capitan and newer
  • Windows
    • Windows 7 and newer
    • ARM support is experimental
CISA Logo RedEye Logo

More Repositories

1

Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
Python
1,504
star
2

ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
Open Policy Agent
1,430
star
3

Sparrow

Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment.
PowerShell
1,371
star
4

cset

Cybersecurity Evaluation Tool
TSQL
1,305
star
5

log4j-scanner

log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.
Java
1,262
star
6

log4j-affected-db

A community sourced list of log4j-affected software
Shell
1,115
star
7

CHIRP

A DFIR tool written in Python.
Python
1,040
star
8

decider

A web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CK® framework.
HTML
1,021
star
9

LME

Logging Made Easy (LME) is a no-cost and open logging and protective monitoring solution serving all organizations.
Python
757
star
10

untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Python
699
star
11

pshtt

Scan domains and return data based on HTTPS best practices
Python
668
star
12

crossfeed

External monitoring for organization assets
TypeScript
320
star
13

ESXiArgs-Recover

A tool to recover from ESXiArgs ransomware
Shell
293
star
14

bad-practices

CISA's catalog of bad practices that are exceptionally risky.
Shell
181
star
15

development-guide

A set of guidelines and best practices for an awesome engineering team
Python
180
star
16

trustymail

Scan domains and return data based on trustworthy email best practices
Python
180
star
17

cyber.dhs.gov

A site for CISA directives
SCSS
138
star
18

ScubaGoggles

SCuBA Security Configuration Baselines and assessment tool for Google Workspace
Open Policy Agent
125
star
19

dotgov-data

Official list of .gov domains
108
star
20

check-cve-2019-19781

Test a host for susceptibility to CVE-2019-19781
Python
105
star
21

ICSNPP

Industrial Control Systems Network Protocol Parsers
104
star
22

findcdn

findCDN is a tool created to help accurately identify what CDN a domain is using.
Python
92
star
23

prescup-challenges

President's Cup Cybersecurity Competition Challenges
Python
78
star
24

ansible-role-cobalt-strike

An Ansible role for installing Cobalt Strike.
HCL
66
star
25

parsnip

Python
62
star
26

shareable-soar-workflows

This is a repository of vendor-agnostic workflows provided for those interested in deploying Security Orchestration, Automation, and Response capabilities within their organizations.
62
star
27

cybersecurity-performance-goals

CISA's space for collaboration on the Cybersecurity Performance Goals.
Shell
53
star
28

PNT-Integrity

The PNT Integrity Library provides users a method to verify the integrity of the received GPS data and ranging signals, thereby improving resiliency against potential GPS signal loss.
C++
49
star
29

join-cisagov

CISA is hiring! We’re looking for candidates passionate about our mission to lead the national effort to understand and manage cyber and physical risk to our critical infrastructure.
Shell
45
star
30

gophish-tools

Helpful tools for interacting with a GoPhish phishing instance
Python
40
star
31

ioc-scanner

Search a filesystem for indicators of compromise (IoC).
Python
39
star
32

gophish-docker

Docker container for the gophish phishing framework.
Shell
33
star
33

vdp-in-fceb

Vulnerability disclosure policies in the US Government's executive branch
32
star
34

Epsilon

The Epsilon Algorithm Suite provides users a method to verify the integrity of the received GPS data and ranging signals, thereby improving resiliency against potential GPS signal loss.
Python
31
star
35

pca-gophish-composition

Phishing campaign docker composition for Gophish
Shell
31
star
36

check-your-pulse

This utility can help determine if indicators of compromise (IOCs) exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510.
Python
28
star
37

getgov

Building a new .gov registrar for a bright .gov future
Python
27
star
38

postfix-docker

Docker container with a postfix server designed for use during phishing campaigns
Shell
26
star
39

dotgov-home

Homepage for the .gov registry
SCSS
25
star
40

assessment-reporting-engine

Python
24
star
41

skeleton-python-library

A skeleton project for quickly getting a new cisagov Python library started.
Python
19
star
42

scanner

Automated pshtt, trustymail, and sslyze scanning
Shell
18
star
43

cyhy_amis

AWS infrastructure for Cyber Hygiene and BOD 18-01 scanning
HCL
16
star
44

icsnpp-opcua-binary

Zeek OPCUA Binary Parser - CISA ICSNPP
JavaScript
14
star
45

admiral

Distributed certificate transparency log harvester
Python
14
star
46

skeleton-docker

A skeleton project for quickly getting a new cisagov Docker container started.
Shell
14
star
47

icsnpp-enip

Zeek Ethernet/IP and CIP Parser - CISA ICSNPP
Zeek
13
star
48

pe-reports

Automated process to build and distribute Posture & Exposure Reports' bi-weekly to customers.
Python
13
star
49

icsnpp-bacnet

Zeek BACnet Parser - CISA ICSNPP
JavaScript
12
star
50

ansible-role-clamav

Ansible role to install and enable the ClamAV virus scanner
Shell
12
star
51

lambda_functions

Generate AWS Lambda environment zip files for use by cisagov/domain-scan
Shell
12
star
52

icsnpp-s7comm

Zeek S7comm, S7comm-plus, and COTP Parser - CISA ICSNPP
JavaScript
11
star
53

network-architecture-verification-and-validation

The NAVV (Network Architecture Verification and Validation) tool creates a spreadsheet for network traffic analysis from PCAP data and Zeek logs, automating Zeek analysis of PCAP files, the collation of Zeek logs and the dissection of conn.log and dns.log to create a summary or network traffic in an XLSX-formatted spreadsheet.
Python
11
star
54

docker-kali-ansible

A systemd-enabled Kali Linux Docker image, in the spirit of geerlingguy/docker-debian11-ansible.
Dockerfile
10
star
55

tic3.0

Collaborating on Trusted Internet Connection 3.0 use cases
10
star
56

icsnpp-genisys

Industrial Control Systems Network Protocol Parsers (ICSNPP) - Genisys over TCP/IP
Python
10
star
57

gh-skeleton

This extension for the gh CLI provides the ability to easily start new projects from our existing library of skeleton repositories.
Shell
10
star
58

scoping-validation-tool

SVT is a tool that can be used to verify ownership and location of assets during the scoping process of a penetration test.
Python
9
star
59

orchestrator

Orchestrate gatherer, scanner, saver, and trustymail_reporter
Shell
9
star
60

pshtt_reporter

Generate HTTPS reports based on scan data
Python
9
star
61

cyhy-mailer

Email Cyber Hygiene, Trustworthy Email, and HTTPS reports to the appropriate technical or distribution addresses
Python
9
star
62

trustymail_reporter

Generate Trustworthy Email reports based on scan data
Python
9
star
63

pre-commit-packer

Provides pre-commit hooks for Packer projects.
Shell
9
star
64

nessus-packer

Create machine images containing the Nessus vulnerability scanner
HCL
9
star
65

domain-manager-api

Flask API for Domain Manager
Python
9
star
66

gatherer

Gather domains as a precursor to scanning
Shell
9
star
67

certboto-docker

Certbot container that stores its configuration in an AWS S3 bucket
Shell
9
star
68

icsnpp-modbus

Zeek Modbus Extension Scripts - CISA ICSNPP
Zeek
8
star
69

aws-profile-sync

Synchronize AWS credential profiles from remote sources
Python
8
star
70

ansible-role-kali

An Ansible role for provisioning kali
HCL
8
star
71

icsnpp-dnp3

Zeek DNP3 Extension Scripts - CISA ICSNPP
Zeek
8
star
72

dmarc-import

A tool for parsing DMARC aggregate reports.
Python
8
star
73

icsnpp-bsap-ip

Zeek BSAP over IP Parser - CISA ICSNPP
JavaScript
8
star
74

CISASuite

The CSET, Malcom, Con-PCA suite of tools
HTML
8
star
75

skeleton-generic

A generic skeleton project for quickly getting a new cisagov project started.
Shell
8
star
76

icsnpp-ethercat

Zeek Ethercat Parser - CISA ICSNPP
C++
8
star
77

Sogu

This script generates a list of possible SOGU filenames based on serial numbers of active drives. It has the added functionality of searching each drive from the generated file list.
PowerShell
8
star
78

travis-wait-improved

A tool to help long-running, yet reticent, processes avoid death at the hands of Traivs-CI.
Python
7
star
79

con-pca-api

API Docker Container for Con-PCA
HTML
7
star
80

.dotfiles

Generic set of dotfiles to get you started with a cisagov development environment
Shell
7
star
81

domain-manager-ui

UI for the Domain Manager
HTML
7
star
82

pen-testing-findings

A collection of Active Directory, phishing, mobile technology, system, service, web application, and wireless technology weaknesses that may be discovered during a penetration test.
7
star
83

vulnerable-instances

Virtual machines that are set up with a variety of known vulnerabilities.
HCL
7
star
84

openvpn-server-tf-module

Terraform module to create an OpenVPN server instance
HCL
6
star
85

scan-target-data

Contains data used to identify targets for scanning
Shell
6
star
86

ansible-role-burp-suite-pro

An Ansible role for installing Burp Suite Professional
HCL
6
star
87

con-pca-web

The website source and terraform code for continuous phishing assessment.
HTML
6
star
88

kali-packer

This project can be used to create AMIs based on Kali Linux, a penetration testing distribution.
HCL
6
star
89

security-contact-finder

Making government security contacts accessible
CSS
6
star
90

saver

Save scan results to a database
Python
6
star
91

con-pca-cicd

continuous phishing main repository
HCL
6
star
92

megazord-composition

Shell
6
star
93

ansible-role-openvpn

Ansible role to install an OpenVPN server and configure it to authenticate users certificates against FreeIPA.
Shell
6
star
94

ansible-role-amazon-efs-utils

An Ansible role for installing aws/efs-utils
Shell
5
star
95

PNT-Integrity-Toolkit

The PNT Integrity DIY Toolkit describes how a perspective end-user of the PNT Integrity Library can assemble a demonstrational toolkit with commercial-off-the-shelf (COTS) hardware.
C++
5
star
96

awssh

Tool to simplify secure shell connections over AWS simple systems manager.
Python
5
star
97

sslyze-lambda

AWS Lambda function for sslyze
Python
5
star
98

cyhy-core

Python
5
star
99

cool-assessment-terraform

Terraform to deploy an assessment environment to the COOL
HCL
5
star
100

ncats-data-dictionary

Shell
5
star