cisagov / redeye

RedEye is a visual analytic tool supporting Red & Blue Team operations

Home Page: https://cisagov.github.io/RedEye/

License: BSD 3-Clause "New" or "Revised" License

Shell 0.05% Dockerfile 0.05% HTML 0.07% TypeScript 85.49% JavaScript 13.66% CSS 0.70%
blue-team cybersecurity red-team


redeye's Issues

User setting displaying incorrect data

Describe the bug
The user setting is displaying incorrect data

To Reproduce
Steps to reproduce the behavior:

  1. Log into the application
  2. Click the user setting button at the top of the screen
  3. The Change user.name did not render correctly as shown

Expected behavior
Should show as change name or the actual name of the user

Screenshots
Screen Shot 2022-10-18 at 4 44 31 PM

Desktop (please complete the following information):

  • OS: [Mac]
  • Browser [Firefox]
  • Version [105]

Additional context
Add any other context about the problem here.

Turning on show hidden beacons button causes search to crash

Describe the bug
When a user is within the explorer mode, if the user clicks the settings and turns on the show hidden beacons button and attempts to open the search, it shows that an error occurred.

To Reproduce
Steps to reproduce the behavior:

  1. Click to open a current campaign
  2. Click the search button to view the proper state
  3. Add some search text
  4. Close the search modal and click the general settings
  5. Turn on the show hidden beacon button
  6. Close the settings modal and click the search
  7. View the error occurred message

Expected behavior
Search opens with the search bar at the top and allows user to search

Screenshots
Screen Shot 2022-10-18 at 7 49 13 AM

Desktop (please complete the following information):

  • OS: [Mac]
  • Browser [firefox]
  • Version [105]

Additional context
Clicking the try again button returns the modal to working state until the show hidden beacon button is clicked again

Add Information about setting up E2E Testing in README.md or Contribution Area

Is your feature request related to a problem? Please describe.
It's not very clear how to set up the end-to-end testing which is a part of this project in order to contribute to it.

Describe the solution you'd like
Add a section in the read me file about how to set up the end to end testing and getting a projectId for contribution

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Not sure how to deal with these as a check-in, because I assume the id is unique and it gets added to the cypress.config file. There should probably be an environment variable that can be set somewhere for the global project, unless the intention is for each user to check in one, but that would mean it would be checked in with the changes from the previous author's check-in and projectId for testing.

Spacing Issues On The Add Campaign Modal

Describe the bug
Spacing issues in the text of the upload modal

To Reproduce
Steps to reproduce the behavior:

  1. Log into red eye
  2. Click on 'Add Campaign'
  3. View the text above the browse button

Expected behavior
CobaltStrike should be Cobalt Strike. CobaltStrikeServer should be Cobalt Strike Server.

Screenshots
If applicable, add screenshots to help explain your problem.
Screen Shot 2022-10-16 at 10 25 27 AM

Desktop (please complete the following information):

  • OS: [Mac]
  • Browser [FireFox]
  • Version [105]

Additional context
Add any other context about the problem here.

Provide an example Cobalt Strike dataset for contributors

I'm interested in contributing to the project by helping implement new parsers for known C2 frameworks.
As Cobalt Strike is behind a paywall, it would be awesome if a sample log folder/dataset was provided so people that don't have access to CS could test and contribute to RedEye.

Export fails on campaign with hidden hosts

Describe the bug
Export of campaign fails if campaign contains hidden hosts.

To Reproduce
Steps to reproduce the behavior:

  1. Create a campaign by importing logs
  2. Hide a host
  3. Export the campaign with option 'Remove all hidden Beacons, Hosts, and Servers' checked
  4. See error

Expected behavior
Campaign to successfully export and the exported campaign does not contain the host(s) that were hidden.

Screenshots
Screen Shot 2022-11-10 at 11 29 41 PM
Screen Shot 2022-11-10 at 11 30 42 PM

Desktop (please complete the following information):

  • OS: macOS Monterey
  • Browser: Chrome
  • Version: 107.0.5304.110

Additional context
I created a campaign, and then hid two hosts (SA-WIN10-21H1-1 and SA-DC01-2019). I then attempted to export the campaign with the option 'Remove all hidden Beacons, Hosts, and Servers' checked, and received the errors in the above screenshots.

OperatorResolvers missing @Authorized decorator

Describe the bug
The OperatorResolvers are missing @Authorized() decorators, which allows anybody to query operator names without authentication.

To Reproduce
Send this POST request to the /graphql endpoint of RedEye:

POST /api/graphql HTTP/1.1
Host: localhost:4000
content-type: application/json
Content-Length: 67

{"query":"query test { globalOperators { __typename id name } }"}

The response will leak the registered operator names. Example response:

{"data":{"globalOperators":[{"__typename":"GlobalOperator","id":"dev","name":"dev"},{"__typename":"GlobalOperator","id":"analyst01","name":"analyst01"},{"__typename":"GlobalOperator","id":"john.doe","name":"john.doe"},{"__typename":"GlobalOperator","id":"dev2","name":"dev2"}]}}

The mutation is also lacking the @Authorized decorator, and thus allows creating global operators without authentication:

{
  "query": "mutation createGlobalOperator($username: String!) { createGlobalOperator(username: $username) { id name } }",
  "variables": {
    "username": "john.doe"
  }
}

To fix, simply add the @Authorized decorator to all queries.

Background Info

We created this CodeQL query live on stream to find the resolvers without the authorized decorator:

import javascript

from Decorator d1
where
  d1.getAChildExpr().(CallExpr).getCalleeName() in ["Mutation", "Query"]
  and not d1.getParent().getAChild().(Decorator).getAChildExpr().(CallExpr).getCalleeName() in ["Authorized"]
select d1, "is not authorized"

We only found these affected files; the progress resolver is uninteresting, and the issue with the operator resolver is mentioned above.

  • RedEye/applications/server/src/store/progress-resolvers.ts
  • RedEye/applications/server/src/store/operator-resolvers.ts
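An added check for the defect this issue reports, not code from RedEye or from the reporter: a lexical TypeScript audit over resolver source text that lists every @Query/@Mutation handler in a type-graphql resolver class without an @Authorized decorator, so the gap can be caught in CI before it ships. The embedded sample resolver is constructed; GlobalOperator, GraphQLContext and ctx.em are hypothetical stand-ins for whatever the real server uses.

```typescript
// Added example, not RedEye code: a lexical audit that flags @Query / @Mutation handlers
// in a type-graphql resolver class that carry no @Authorized decorator (the defect in
// this issue). Source text only, no AST; assumes balanced braces outside comments.
interface ResolverFinding {
  method: string;              // resolver method name
  kind: "Query" | "Mutation";
  authorized: boolean;         // true when @Authorized is attached to the same method
}

// Split a class body into members: a member ends at a top-level `;` or at the `}` closing
// its method body. Braces inside parentheses (e.g. `{ nullable: true }`) are ignored.
function splitMembers(body: string): string[] {
  const members: string[] = [];
  let start = 0, braces = 0, parens = 0;
  for (let i = 0; i < body.length; i++) {
    const c = body[i];
    if (c === "(") parens++;
    else if (c === ")") parens--;
    else if (parens === 0 && c === "{") braces++;
    else if (parens === 0 && c === "}" && --braces === 0) {
      members.push(body.slice(start, i + 1)); start = i + 1;
    } else if (parens === 0 && braces === 0 && c === ";") {
      members.push(body.slice(start, i + 1)); start = i + 1;
    }
  }
  return members.filter((m) => m.trim().length > 0);
}

// Everything before the method body's opening brace: decorators, modifiers, signature.
function headOf(member: string): string {
  let parens = 0;
  for (let i = 0; i < member.length; i++) {
    if (member[i] === "(") parens++;
    else if (member[i] === ")") parens--;
    else if (member[i] === "{" && parens === 0) return member.slice(0, i);
  }
  return member;
}

// The identifier before the first top-level `(` that is not a decorator call,
// e.g. `globalOperators` in `@Query(...) async globalOperators(@Ctx() ctx)`.
function methodName(head: string): string | undefined {
  let parens = 0;
  for (let i = 0; i < head.length; i++) {
    if (head[i] === ")") { parens--; continue; }
    if (head[i] !== "(" || parens++ > 0) continue;
    const ident = head.slice(0, i).match(/([A-Za-z_$][\w$]*)\s*$/);
    if (ident && !head.slice(0, ident.index).trimEnd().endsWith("@")) return ident[1];
  }
  return undefined;
}

// Audit the first class in a resolver source file.
function auditResolverClass(source: string): ResolverFinding[] {
  // Drop comments first so a commented-out @Authorized() is not mistaken for a real guard.
  const src = source.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/\/\/[^\n]*/g, " ");
  const classAt = src.search(/\bclass\b[^{]*\{/);
  if (classAt < 0) return [];
  const open = src.indexOf("{", classAt);
  let depth = 0, close = src.length;
  for (let i = open; i < src.length; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}" && --depth === 0) { close = i; break; }
  }
  const findings: ResolverFinding[] = [];
  for (const member of splitMembers(src.slice(open + 1, close))) {
    const head = headOf(member);
    const op = head.match(/@(Query|Mutation)\s*\(/);
    if (op) findings.push({ method: methodName(head) ?? "<unknown>", kind: op[1] as "Query" | "Mutation",
                            authorized: /@Authorized\b/.test(head) });
  }
  return findings;
}

// Handlers reachable without authentication.
function unauthorizedResolvers(source: string): string[] {
  return auditResolverClass(source).filter((f) => !f.authorized).map((f) => f.method);
}

// Constructed sample shaped like the issue; GlobalOperator, GraphQLContext and ctx.em
// are hypothetical stand-ins, not RedEye's real types.
const SAMPLE_RESOLVER = `
@Resolver(() => GlobalOperator)
export class GlobalOperatorResolvers {
  // No @Authorized here: anyone can enumerate operator names.
  @Query(() => [GlobalOperator], { nullable: true })
  async globalOperators(@Ctx() ctx: GraphQLContext): Promise<GlobalOperator[]> {
    return ctx.em.find(GlobalOperator, {});
  }
  @Mutation(() => GlobalOperator)
  async createGlobalOperator(@Arg('username') username: string, @Ctx() ctx: GraphQLContext) {
    return ctx.em.create(GlobalOperator, { id: username, name: username });
  }
  @Authorized()
  @Query(() => GlobalOperator, { nullable: true })
  async globalOperator(@Arg('id') id: string, @Ctx() ctx: GraphQLContext) {
    return ctx.em.findOne(GlobalOperator, { id });
  }
}`;

console.log("Unauthenticated handlers:", unauthorizedResolvers(SAMPLE_RESOLVER));
```

Point it at a real resolver file by reading the file into `auditResolverClass`; a non-empty `unauthorizedResolvers` result is the CI failure condition.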

On Intel Mac and Node 19, failing better-sqlite3 install seems to cause a confusing error on RedEye.

Describe the bug

  • When I run yarn install on a mac with Node 19.X, better-sqlite3 fails. This is documented all over the place in various ways.
  • I can build all release packages as per the instructions in the README, and everything appears to succeed
  • When running yarn run start:server, it exits immediately.
AUTHENTICATION_PASSWORD=foo ./release/mac/RedEye --redTeam
HTTP server closed

To Reproduce

  1. Use Node 19
  2. Note that yarn install fails on better-sqlite3
  3. Build the RedEye binaries
  4. Run the server

Expected behavior
The server should probably notice something is wrong, instead of just exiting suddenly.

Screenshots

AUTHENTICATION_PASSWORD=foo ./release/mac/RedEye --redTeam
HTTP server closed

Desktop (please complete the following information):

  • OS: macOS Monterey, Intel CPU
  • NodeJS: 19.2.X

This was resolved by moving to Node18, but the error was really mysterious and I could not figure out what was going wrong.

Blue Team or Red Team Mode Indication

Is your feature request related to a problem? Please describe.
When using the application there is really no way to distinguish if a user is in blue team (review) mode or red team mode.

Describe the solution you'd like
There should be an indication somewhere within the main view or once a user logs in letting them know what mode they are in

Describe alternatives you've considered
N/A

Additional context
Add any other context or screenshots about the feature request here.

Missing ability to create new campaign

Describe the bug
Trying to create a new initial campaign, but only have the ability to import a campaign and DB files.

To Reproduce
Steps to reproduce the behavior:

  1. Login
  2. Click on 'Add a Campaign +'
  3. See error

Expected behavior
Screenshots in the User Guide show "Create Campaign", but not in my run.

Screenshots

Desktop (please complete the following information):

  • OS: Windows
  • Browser Firefox
  • Version 102.3.0esr (64-bit)

Additional context
Running Windows: RedEye Server v0.8.0-beta w/no additional parameters in originally "empty" directory.

Am I missing a config to allow new campaigns? Is there a sample or an empty campaign that I can import for now to "create"?

Excessive identical job parallelism in workflow

RedEye folk,

Could you take a look at your testing workflow? When it kicks off it is occupying over half of our organization's available runners, and has starved out some of the other projects.

  • Please document the purpose of 12 identical jobs running in parallel in the workflow. e.g., the parallel tests are non-deterministic.
  • Please consider using max-parallel to limit the matrix to a couple of jobs at a time if this parallelism isn't necessary.

Thanks,
@felddy

strategy:
  fail-fast: false
  matrix:
    # run copies of the current job in parallel
    containers: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]

Exits without errors but nothing happens

(disclaimer: I'm trying to help a user. I'm not the user and not using redeye but just the messenger reporting this bug).

Using the static binary from your release page on a remote server, I can start RedEye but it exits after 1 second without any output:

ssh -L5900:0:5900 [email protected] # password is 'segfault'
startxvnc

Connect to 127.0.0.1:5900 with any VNC client, then start RedEye in an Xterm:

┌──(root💀sf-TellPistol)-[~]
└─# ./RedEye

┌──(root💀sf-TellPistol)-[~]
└─#

No output. No process is started.

Stuck when importing C/S logs

After selecting C/S logs for import, the page stays at the Importing... status.
The error message reported on the server is as follows:
PARSING ERROR: error in exec callback {
error: Error: spawn /home/test/linux/test/parsers/cs-parser ENOENT
at Process.ChildProcess._handle.onexit (node:internal/child_process:283:19)
at onErrorNT (node:internal/child_process:478:16)
at processTicksAndRejections (node:internal/process/task_queues:83:21) {
errno: -2,
code: 'ENOENT',
syscall: 'spawn /home/test/linux/test/parsers/cs-parser',
path: '/home/test/linux/test/parsers/cs-parser',
spawnargs: [
'campaign',
'-d',
'/home/test/linux/test/campaign/13aafb0c-ecb4-43c8-827a-542c7a3c5ac6/db.redeye',
'-p',
'/home/test/linux/test/campaign/13aafb0c-ecb4-43c8-827a-542c7a3c5ac6',
'-t',
'7'
],
cmd: '/home/test/linux/test/parsers/cs-parser campaign -d /home/test/linux/test/campaign/13aafb0c-ecb4-43c8-827a-542c7a3c5ac6/db.redeye -p /home/test/linux/test/campaign/13aafb0c-ecb4-43c8-827a-542c7a3c5ac6 -t 7'
},
stdout: '',
stderror: ''
}

I'm in red team mode, but I don't see new create.

Hello.
I am very focused on RedEye.
I have logged in in RED team mode, but I am having trouble finding the new create tab in add a campaign.

What am I doing wrong?

The OS is built on kali.
The image is accessed from an iPhone.

Bulk Host Hide

Is your feature request related to a problem? Please describe.
Imported logs with hosts that are not "engagement impactful" (e.g., sandboxes, test targets, etc.) currently need to be manually hidden individually, and for each host this takes 4 clicks, so this ends up being (4 * n) clicks where n is the number of hosts to hide.

Describe the solution you'd like
Reduce the number of clicks it takes to hide hosts, either through a bulk update, "checkbox/apply" all UX, or a context menu on the host, or a host-name filter upon import.

Describe alternatives you've considered
As a work-around I've opened the sqlite db in sqlitebrowser and modified the specific field/value in the db directly; however, that appears to only affect the metadata and leaves empty information in the sidebar, and the nodes remain in the graph.

hidden field changed in db

Additional context
N/A

Optional

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: [e.g. iOS]
  • Browser [e.g. chrome, safari]
  • Version [e.g. 22]

Additional context
Add any other context about the problem here.

Parsers for additional C2 frameworks

We're planning on integrating up to three additional C2 framework parsers this year into RedEye. The list of parsers is still being finalized, so please comment below with any framework parser you'd like to see in RedEye!

Our security product uses the name RedEye

run problem : yarn run start:server

environment:
ubuntu:20.04
nodejs:16.17.1
npm:8.19.2
yarn:3.2.3

The following error occurs when I run the yarn install command:

root:~/RedEye# yarn install
➤ YN0000: ┌ Resolution step
➤ YN0002: │ @nrwl/cypress@npm:14.6.5 [63507] doesn't provide nx (p10390), requested by @nrwl/devkit
➤ YN0002: │ @nrwl/cypress@npm:14.6.5 [63507] doesn't provide typescript (p12f21), requested by @phenomnomnominal/tsquery
➤ YN0002: │ @nrwl/cypress@npm:14.6.5 [63507] doesn't provide typescript (p6345b), requested by fork-ts-checker-webpack-plugin
➤ YN0002: │ @nrwl/cypress@npm:14.6.5 [63507] doesn't provide typescript (pfc203), requested by ts-loader
➤ YN0002: │ @nrwl/cypress@npm:14.6.5 [7a45f] doesn't provide nx (p1f374), requested by @nrwl/devkit
➤ YN0002: │ @nrwl/cypress@npm:14.6.5 [7a45f] doesn't provide typescript (p1ce2c), requested by @phenomnomnominal/tsquery
➤ YN0002: │ @nrwl/cypress@npm:14.6.5 [7a45f] doesn't provide typescript (p88b83), requested by fork-ts-checker-webpack-plugin
➤ YN0002: │ @nrwl/cypress@npm:14.6.5 [7a45f] doesn't provide typescript (p52358), requested by ts-loader
➤ YN0002: │ @nrwl/devkit@npm:14.6.3 [7d709] doesn't provide typescript (p4b372), requested by @phenomnomnominal/tsquery
➤ YN0002: │ @nrwl/devkit@npm:14.6.3 [f7f79] doesn't provide typescript (pd13ca), requested by @phenomnomnominal/tsquery
➤ YN0002: │ @nrwl/devkit@npm:14.6.5 [466ed] doesn't provide typescript (p952f2), requested by @phenomnomnominal/tsquery
➤ YN0002: │ @nrwl/devkit@npm:14.6.5 [7a45f] doesn't provide typescript (p88aeb), requested by @phenomnomnominal/tsquery
➤ YN0002: │ @nrwl/devkit@npm:14.6.5 [e712c] doesn't provide typescript (p121bf), requested by @phenomnomnominal/tsquery
➤ YN0002: │ @nrwl/eslint-plugin-nx@npm:14.6.3 [7a45f] doesn't provide eslint (pcdd36), requested by @typescript-eslint/utils
➤ YN0002: │ @nrwl/eslint-plugin-nx@npm:14.6.3 [7a45f] doesn't provide nx (p3f0ed), requested by @nrwl/devkit
➤ YN0002: │ @nrwl/jest@npm:14.6.3 doesn't provide nx (p7bd51), requested by @nrwl/devkit
➤ YN0002: │ @nrwl/jest@npm:14.6.3 doesn't provide typescript (paa32c), requested by @phenomnomnominal/tsquery
➤ YN0002: │ @nrwl/jest@npm:14.6.5 doesn't provide nx (p51599), requested by @nrwl/devkit
➤ YN0002: │ @nrwl/jest@npm:14.6.5 doesn't provide typescript (p68cd3), requested by @phenomnomnominal/tsquery
➤ YN0002: │ @nrwl/js@npm:14.6.3 doesn't provide nx (p2cb88), requested by @nrwl/devkit
➤ YN0002: │ @nrwl/js@npm:14.6.5 doesn't provide nx (p8ee91), requested by @nrwl/devkit
➤ YN0002: │ @nrwl/linter@npm:14.6.3 [7a45f] doesn't provide typescript (pe0811), requested by @phenomnomnominal/tsquery
➤ YN0002: │ @nrwl/linter@npm:14.6.3 [89c3e] doesn't provide typescript (pbe7e7), requested by @phenomnomnominal/tsquery
➤ YN0002: │ @nrwl/linter@npm:14.6.5 [ecbee] doesn't provide typescript (pf9585), requested by @phenomnomnominal/tsquery
➤ YN0002: │ @nrwl/node@npm:14.6.5 doesn't provide @types/node (pf093b), requested by ts-node
➤ YN0002: │ @nrwl/node@npm:14.6.5 doesn't provide nx (p3e1ba), requested by @nrwl/devkit
➤ YN0002: │ @nrwl/node@npm:14.6.5 doesn't provide typescript (p931a2), requested by fork-ts-checker-webpack-plugin
➤ YN0002: │ @nrwl/node@npm:14.6.5 doesn't provide typescript (p42906), requested by ts-loader
➤ YN0002: │ @nrwl/node@npm:14.6.5 doesn't provide typescript (p3b16b), requested by ts-node
➤ YN0002: │ @nrwl/web@npm:14.6.5 doesn't provide @types/node (pbf886), requested by ts-node
➤ YN0002: │ @nrwl/web@npm:14.6.5 doesn't provide nx (p66ace), requested by @nrwl/devkit
➤ YN0002: │ @nrwl/web@npm:14.6.5 doesn't provide typescript (pd976f), requested by fork-ts-checker-webpack-plugin
➤ YN0002: │ @nrwl/web@npm:14.6.5 doesn't provide typescript (p796a9), requested by ts-loader
➤ YN0002: │ @nrwl/web@npm:14.6.5 doesn't provide typescript (p032d9), requested by ts-node
➤ YN0002: │ @nrwl/web@npm:14.6.5 doesn't provide typescript (p7ef8a), requested by rollup-plugin-typescript2
➤ YN0002: │ @nxext/vite@npm:14.0.0 [7a45f] doesn't provide nx (p23fe6), requested by @nrwl/devkit
➤ YN0002: │ @types/testing-library__react@npm:10.2.0 doesn't provide react (p31675), requested by @testing-library/react
➤ YN0002: │ @types/testing-library__react@npm:10.2.0 doesn't provide react-dom (p45428), requested by @testing-library/react
➤ YN0002: │ redeye@workspace:. doesn't provide @babel/core (p5e601), requested by @emotion/babel-plugin
➤ YN0002: │ redeye@workspace:. doesn't provide @babel/plugin-syntax-flow (p48cba), requested by eslint-plugin-flowtype
➤ YN0002: │ redeye@workspace:. doesn't provide @babel/plugin-transform-react-jsx (pbf514), requested by eslint-plugin-flowtype
➤ YN0002: │ redeye@workspace:. doesn't provide @blueprintjs/docs-theme (p9d6a0), requested by blueprint-styler
➤ YN0002: │ redeye@workspace:. doesn't provide @blueprintjs/icons (p9e3bc), requested by blueprint-styler
➤ YN0002: │ redeye@workspace:. doesn't provide @blueprintjs/table (p457d2), requested by blueprint-styler
➤ YN0002: │ redeye@workspace:. doesn't provide @blueprintjs/timezone (pcdff1), requested by blueprint-styler
➤ YN0002: │ redeye@workspace:. doesn't provide @testing-library/dom (p4b37a), requested by @testing-library/user-event
➤ YN0002: │ redeye@workspace:. doesn't provide eslint-plugin-n (p61d4a), requested by eslint-config-standard
➤ YN0060: │ redeye@workspace:. provides mobx-keystone (p05af7) with version 1.0.0, which doesn't satisfy what mk-gql requests
➤ YN0060: │ redeye@workspace:. provides prettier (p92f8b) with version 2.5.1, which doesn't satisfy what @nrwl/workspace requests
➤ YN0060: │ redeye@workspace:. provides react (pca4bc) with version 18.2.0, which doesn't satisfy what @blueprintjs/core and some of its descendants request
➤ YN0060: │ redeye@workspace:. provides react (p15ae2) with version 18.2.0, which doesn't satisfy what @blueprintjs/datetime and some of its descendants request
➤ YN0060: │ redeye@workspace:. provides react (pe4698) with version 18.2.0, which doesn't satisfy what @blueprintjs/popover2 and some of its descendants request
➤ YN0060: │ redeye@workspace:. provides react (p81fea) with version 18.2.0, which doesn't satisfy what react-resize-detector requests
➤ YN0060: │ redeye@workspace:. provides react-dom (p22dbf) with version 18.2.0, which doesn't satisfy what react-resize-detector requests
➤ YN0002: │ redeye@workspace:. doesn't provide rollup (p85155), requested by rollup-plugin-auto-external
➤ YN0060: │ redeye@workspace:. provides vite (pacda5) with version 3.1.3, which doesn't satisfy what @nxext/vite requests
➤ YN0000: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code
➤ YN0000: └ Completed in 1s 377ms
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed in 3m 25s
➤ YN0000: ┌ Link step
➤ YN0007: │ cypress@npm:10.9.0 must be built because it never has been before or the last one failed
➤ YN0007: │ nodemon@npm:2.0.15 must be built because it never has been before or the last one failed
➤ YN0007: │ playwright-webkit@npm:1.25.2 must be built because it never has been before or the last one failed
➤ YN0007: │ @carbon/icons-react@npm:10.44.0 [7a45f] must be built because it never has been before or the last one failed
➤ YN0007: │ type-graphql@npm:1.1.1 [7a45f] must be built because it never has been before or the last one failed
➤ YN0007: │ @parcel/watcher@npm:2.0.4 must be built because it never has been before or the last one failed
➤ YN0007: │ core-js@npm:3.22.7 must be built because it never has been before or the last one failed
➤ YN0007: │ better-sqlite3@npm:7.6.2 must be built because it never has been before or the last one failed
➤ YN0007: │ esbuild@npm:0.15.9 must be built because it never has been before or the last one failed
➤ YN0007: │ core-js-pure@npm:3.22.7 must be built because it never has been before or the last one failed
➤ YN0007: │ @apollo/protobufjs@npm:1.2.4 must be built because it never has been before or the last one failed
➤ YN0007: │ redeye@workspace:. must be built because it never has been before or the last one failed
➤ YN0007: │ nx@npm:14.6.3 [f7f79] must be built because it never has been before or the last one failed
➤ YN0007: │ nx@npm:14.6.5 [4a848] must be built because it never has been before or the last one failed
➤ YN0000: └ Completed in 1m 53s
➤ YN0000: Done with warnings in 5m 20s

run yarn release:all

✔  nx run models:build  [remote cache]
    ✔  nx run graph:build  [remote cache]
    ✔  nx run parser:build  [remote cache]
    ✔  nx run client:build:production  [remote cache]
    ✔  nx run server:build  [remote cache]

    ✖  nx run parser:release-all
       >  NX   Running target release for project parser and 2 task(s) it depends on
       
        
       
       > nx run parser:build  [existing outputs match the cache, left as is]
       
       Compiling with SWC for parser...
       Successfully compiled: 41 files with swc (58.2ms)
       
       > nx run parser:release --platform=mac
       
       > [email protected]
       > Fetching base Node.js binaries to PKG_CACHE_PATH
       
       
       > Error! Binary hash does NOT match.
       
        >  NX   ERROR: Something went wrong in run-commands - Command failed: pkg dist/packages/cs-parser/package.json -t node16-mac -o release/mac/parsers/cs-parser
       
          Pass --verbose to see the stacktrace.
       
       
        
       
        >  NX   Running target "parser:release" failed
       
          Failed tasks:
          
          - parser:release
          
          Hint: run the command with --verbose for more details.
       
       
        >  NX   ERROR: Something went wrong in run-commands - Command failed: yarn nx release parser --platform mac
       
          Pass --verbose to see the stacktrace.
       

    ✖  nx run server:release-all
       >  NX   Running target release for project server and 5 task(s) it depends on
       
        
       
       > nx run server:build  [existing outputs match the cache, left as is]
       
       Compiling with SWC for server...
       Successfully compiled: 56 files with swc (63.79ms)
       
       > nx run server:release --platform=mac
       
       > [email protected]
       > Fetching base Node.js binaries to PKG_CACHE_PATH
       
       
       node:internal/fs/utils:347
           throw err;
           ^
       
       Error: ENOENT: no such file or directory, stat '/root/.pkg-cache/v3.4/fetched-v16.16.0-macos-x64.downloading'
           at Object.statSync (node:fs:1588:3)
           at Object.statSync (/root/RedEye-cisa/node_modules/graceful-fs/polyfills.js:318:34)
           at statSync (/root/RedEye-cisa/node_modules/fs-extra/lib/util/stat.js:10:52)
           at getStatsSync (/root/RedEye-cisa/node_modules/fs-extra/lib/util/stat.js:24:19)
           at Object.checkPathsSync (/root/RedEye-cisa/node_modules/fs-extra/lib/util/stat.js:49:33)
           at Object.moveSync (/root/RedEye-cisa/node_modules/fs-extra/lib/move-sync/move-sync.js:14:28)
           at WriteStream.<anonymous> (/root/RedEye-cisa/node_modules/pkg-fetch/lib-es5/utils.js:90:56)
           at WriteStream.<anonymous> (node:internal/util:445:5)
           at WriteStream.onclose (node:internal/streams/end-of-stream:147:14)
           at WriteStream.emit (node:events:513:28) {
         errno: -2,
         syscall: 'stat',
         code: 'ENOENT',
         path: '/root/.pkg-cache/v3.4/fetched-v16.16.0-macos-x64.downloading'
       }
       
        >  NX   ERROR: Something went wrong in run-commands - Command failed: pkg dist/applications/server/package.json -t node16-mac -o release/mac/RedEye
       
          Pass --verbose to see the stacktrace.
       
       
        
       
        >  NX   Running target "server:release" failed
       
          Failed tasks:
          
          - server:release
          
          Hint: run the command with --verbose for more details.
       
       
        >  NX   ERROR: Something went wrong in run-commands - Command failed: yarn nx release server --platform mac
       
          Pass --verbose to see the stacktrace.
       

 —————————————————————————————————————————————————————————————————————————————————————————————————————————

 >  NX   Ran target release-all for 2 projects and 5 task(s) they depend on (12s)
 
    ✔    5/7 succeeded [5 read from cache]
 
    ✖    2/7 targets failed, including the following:
         - nx run parser:release-all
         - nx run server:release-all
 
   Nx Cloud made it possible to reuse 5 tasks: https://nx.app/runs/mXmOCfDmj8

run yarn run start:server

root:~/RedEye# yarn run start:server

> nx run server:serve

Compiling with SWC for models...
Successfully compiled: 27 files with swc (134.79ms)
Compiling with SWC for parser...
Successfully compiled: 41 files with swc (92.14ms)

 >  NX   inotify_add_watch on '/root/RedEye-cisa/node_modules/@faker-js/faker/dist/types/locales/hy/color' failed: No space left on device

   Pass --verbose to see the stacktrace.


 —————————————————————————————————————————————————————————————————————————————————————————————————————————

 >  NX   Running target "server:serve" failed

   Failed tasks:
   
   - server:serve
   
   Hint: run the command with --verbose for more details.

   See Nx Cloud run details at https://nx.app/runs/Ck14JFu42J

Clicking in the "bar graph area" of the timeline should move the time slider.

Is your feature request related to a problem? Please describe.

When I first used RedEye, I attempted to navigate the time slider by clicking into the upper 'canvas' area with the activity bar graph as (poorly) circled here.

Since this UI doesn't do anything else, it might be a nice improvement to jump the timeline to the area clicked.

It might just be me, but that was the first thing I tried to do when I inspected the timeline, and it did not work as expected.

Describe the solution you'd like
Clicking in the area above the draggable dot jumps the dot to the horizontal spot you clicked on.

Describe alternatives you've considered
I guess the current implementation is the most obvious alternative.

Export Find & Replace

Scrubbing credentials from command tasks (and potential output) is burdensome. I'd like to be able to define a regex pattern to replace with a value. For example, when running SharpDPAPI, it's quite common for us to specify /pvk:...... . It would be useful to have that regex supplied at export, rather than individual specific values.

An alternative would be being able to paste or upload multiple values to be replaced at once. For example, if we have 30 credentials in the command line, rather than having to add a new find & replace row for each credential, we'd paste/upload all of them at once.

Thanks!

Artifact Listing Per Host

Is your feature request related to a problem? Please describe.
No way to include any list of artifacts for each host.

Describe the solution you'd like
Either the ability to add comments directly to hosts (would be good for notating certain things about hosts in general. i.e. DC, FileServer, etc.) or when selecting a host from the "Hosts" tab, include a new tab for "Artifacts" that allows an operator to copy/paste them in.

Describe alternatives you've considered
Selecting the first command entered on a host and adding a comment for it, then including all the host's artifacts.

Updates to parsed campaigns

Is your feature request related to a problem? Please describe.
We are planning on using RedEye as a visualization tool during our red team assessments. As of now, it seems like RedEye is unable to add data to a campaign once it has been parsed initially.

Describe the solution you'd like
A solution to allow upload of additional/updated log files would allow RedEye to be used as a live-view of a running campaign.

Describe alternatives you've considered
I attempted to create a wrapper script that parses new log files and uploads them to the API with the corresponding campaign ID, but it seems like this is currently not supported. As of now, I don't see an alternative way.

Additional context
None

Tips for building on mac? No luck with binary or docker thus far

Currently using:

macOS Monterey
node v18.11.0
rancher desktop 1.6.1 for container build

When I run yarn run release with mac or linux, I fail with varying errors.

> yarn run release --platform linux
  ✔  nx run models:build  [existing outputs match the cache, left as is]
  ✔  nx run graph:build  [existing outputs match the cache, left as is]
  ✔  nx run parser:build  [existing outputs match the cache, left as is]
  ✔  nx run client:build:production  [existing outputs match the cache, left as is]
  ✔  nx run server:build  [existing outputs match the cache, left as is]

  ✖  nx run server:release
       > [email protected]
       /Users/[REDACTED]/.pkg-cache/v3.4/fetched-v16.16.0-macos-x64-signed: No such file or directory
       > Error! Cannot generate bytecode
         pkg fails to run "codesign" utility. Due to the mandatory signing
         requirement of macOS, executables must be signed. Please ensure the
         utility is installed and properly configured.

Same issue when building --platform mac

It's worth noting that I do have codesign in my PATH

Docker gets farther, and appears to build my version, but fails when running it.

>docker compose build
...
...
 => ERROR [redeye-core:latest redeye-linux-builder 5/5] RUN yarn run release --platform=linux                                                       39.6s
------
 > [redeye-core:latest redeye-linux-builder 5/5] RUN yarn run release --platform=linux:
#0 4.290
#0 4.292  >  NX   Running target release for 2 project(s) and 5 task(s) they depend on:
#0 4.292
#0 4.292     - parser
#0 4.292     - server
#0 4.292
#0 4.292    With additional flags:
#0 4.292      --platform=linux
#0 4.292
#0 4.293
#0 4.983
#0 4.984 > nx run models:build  [remote cache]
#0 4.984
#0 4.984 Compiling with SWC for models...
#0 4.984 Successfully compiled: 27 files with swc (67.66ms)
#0 5.008
#0 5.008 > nx run graph:build  [remote cache]
#0 5.008
#0 5.008 vite v3.1.3 building for production...
#0 5.008 transforming...
#0 5.008 ✓ 28 modules transformed.
#0 5.008 rendering chunks...
#0 5.008 ../../dist/packages/graph/graph.es.js                 69.13 KiB / gzip: 17.36 KiB
#0 5.008 ../../dist/packages/graph/assets/index.7f7ce887.css   973.22 KiB / gzip: 736.92 KiB
#0 5.008 ../../dist/packages/graph/graph.umd.js   57.00 KiB / gzip: 16.07 KiB
#0 5.008 Copying asset files...
#0 5.008 Done copying asset files.
#0 5.008 Bundle complete.
#0 5.409
#0 5.409 > nx run parser:build  [remote cache]
#0 5.409
#0 5.409 Compiling with SWC for parser...
#0 5.409 Successfully compiled: 41 files with swc (47.54ms)
#0 5.609
#0 5.609 > nx run client:build:production  [remote cache]
#0 5.609
#0 5.609 vite v3.1.3 building for production...
#0 5.609 transforming...
#0 5.609 transforming...
#0 5.609 ✓ 9 modules transformed.
#0 5.609 rendering chunks...
#0 5.609 ✓ 3790 modules transformed.
#0 5.609 rendering chunks...
#0 5.609 ../../dist/applications/client/assets/Logo-Dark.cca6b38e.svg                        7.72 KiB
#0 5.609 ../../dist/applications/client/assets/ibm-plex-sans-all-400.205b5e5a.woff2          51.82 KiB
#0 5.609 ../../dist/applications/client/assets/ibm-plex-sans-all-400-italic.f8bbd0e3.woff2   56.15 KiB
#0 5.609 ../../dist/applications/client/assets/ibm-plex-sans-all-500.1212e7ab.woff2          55.14 KiB
#0 5.609 ../../dist/applications/client/assets/ibm-plex-sans-all-500-italic.c62c7ee9.woff2   59.40 KiB
#0 5.609 ../../dist/applications/client/assets/ibm-plex-sans-all-600.d8b4efc9.woff2          55.66 KiB
#0 5.609 ../../dist/applications/client/assets/ibm-plex-sans-all-600-italic.3778adf3.woff2   58.68 KiB
#0 5.609 ../../dist/applications/client/assets/ibm-plex-sans-all-700.36fc9410.woff2          51.78 KiB
#0 5.609 ../../dist/applications/client/assets/ibm-plex-sans-all-700-italic.ac0eed09.woff2   55.39 KiB
#0 5.609 ../../dist/applications/client/assets/ibm-plex-mono-all-400.0581085d.woff2          32.63 KiB
#0 5.609 ../../dist/applications/client/assets/ibm-plex-mono-all-400-italic.738db8c6.woff2   36.53 KiB
#0 5.609 ../../dist/applications/client/assets/ibm-plex-mono-all-500.10aef5a3.woff2          33.51 KiB
#0 5.609 ../../dist/applications/client/assets/ibm-plex-mono-all-500-italic.91e97a3c.woff2   37.52 KiB
#0 5.609 ../../dist/applications/client/assets/ibm-plex-mono-all-600.01f3197a.woff2          34.47 KiB
#0 5.609 ../../dist/applications/client/assets/ibm-plex-mono-all-600-italic.36e707a0.woff2   38.11 KiB
#0 5.609 ../../dist/applications/client/assets/ibm-plex-mono-all-700.25a2510f.woff2          33.80 KiB
#0 5.609 ../../dist/applications/client/assets/ibm-plex-mono-all-700-italic.88c19110.woff2   36.98 KiB
#0 5.609 ../../dist/applications/client/assets/file-worker.348138a2.js                       1.90 KiB
#0 5.609 ../../dist/applications/client/index.html                                           0.87 KiB
#0 5.609 ../../dist/applications/client/assets/index.cbda0dd0.css                            303.86 KiB / gzip: 35.74 KiB
#0 5.609 ../../dist/applications/client/assets/vendor.00901628.js                            306.09 KiB / gzip: 96.90 KiB
#0 5.609 ../../dist/applications/client/assets/index.05ec905a.js                             3691.92 KiB / gzip: 797.72 KiB
#0 5.609 Bundle complete.
#0 6.194
#0 6.195 > nx run server:build  [remote cache]
#0 6.196
#0 6.196 Compiling with SWC for server...
#0 6.196 Successfully compiled: 56 files with swc (66.29ms)
#0 14.02
#0 14.02 > nx run server:release --platform=linux
#0 14.02
#0 14.02 > [email protected]
#0 14.02 > Fetching base Node.js binaries to PKG_CACHE_PATH
#0 14.02
#0 14.02
#0 14.02 node:internal/fs/utils:347
#0 14.02     throw err;
#0 14.02     ^
#0 14.02
#0 14.02 Error: ENOENT: no such file or directory, stat '/root/.pkg-cache/v3.4/fetched-v16.16.0-linux-x64.downloading'
#0 14.02     at Object.statSync (node:fs:1583:3)
#0 14.02     at Object.statSync (/app/node_modules/graceful-fs/polyfills.js:318:34)
#0 14.02     at statSync (/app/node_modules/fs-extra/lib/util/stat.js:10:52)
#0 14.02     at getStatsSync (/app/node_modules/fs-extra/lib/util/stat.js:24:19)
#0 14.02     at Object.checkPathsSync (/app/node_modules/fs-extra/lib/util/stat.js:49:33)
#0 14.02     at Object.moveSync (/app/node_modules/fs-extra/lib/move-sync/move-sync.js:14:28)
#0 14.02     at WriteStream.<anonymous> (/app/node_modules/pkg-fetch/lib-es5/utils.js:90:56)
#0 14.02     at WriteStream.<anonymous> (node:internal/util:453:5)
#0 14.02     at WriteStream.onclose (node:internal/streams/end-of-stream:147:14)
#0 14.02     at WriteStream.emit (node:events:513:28) {
#0 14.02   errno: -2,
#0 14.02   syscall: 'stat',
#0 14.02   code: 'ENOENT',
#0 14.02   path: '/root/.pkg-cache/v3.4/fetched-v16.16.0-linux-x64.downloading'
#0 14.02 }
#0 14.02
#0 14.02  >  NX   ERROR: Something went wrong in run-commands - Command failed: pkg dist/applications/server/package.json -t node16-linux -o release/linux/RedEye
#0 14.02
#0 14.02    Pass --verbose to see the stacktrace.
#0 14.02
#0 39.23
#0 39.23 > nx run parser:release --platform=linux
#0 39.23
#0 39.24 > [email protected]
#0 39.24 > Fetching base Node.js binaries to PKG_CACHE_PATH
#0 39.24
#0 39.24
#0 39.24 > Warning Failed to make bytecode node16-x64 for file /snapshot/app/node_modules/supports-color/index.js
#0 39.24
#0 39.24
#0 39.24
#0 39.24  >  NX   Running target "release" failed
#0 39.25
#0 39.25    Failed tasks:
#0 39.25
#0 39.25    - server:release
#0 39.25
#0 39.41    Nx Cloud made it possible to reuse 5 tasks: https://nx.app/runs/CjpHlyxcIr
#0 39.41
------
failed to solve: executor failed running [/bin/sh -c yarn run release --platform=linux]: exit code: 1

I think my current plan is to try to build the mac binaries in a container build step and copy them out.

code: 'ERR_DLOPEN_FAILED' on Windows & Linux

Describe the bug
Receiving an error when trying to run on Windows

No config file found, using defaults
No parsers specified in config, only .redeye files can be uploaded
Error: C:\Users\user\AppData\Local\Temp\pkg\6090aceae56dd7014cf4fb03930bc2a1031f87eb0a8f1f8ce4b2d9e7f1524366\better-sqlite3\build\Release\better_sqlite3.node is not a valid Win32 application.
C:\Users\user\AppData\Local\Temp\pkg\6090aceae56dd7014cf4fb03930bc2a1031f87eb0a8f1f8ce4b2d9e7f1524366\better-sqlite3\build\Release\better_sqlite3.node
    at process.dlopen (pkg/prelude/bootstrap.js:2251:28)
    at Object.Module._extensions..node (node:internal/modules/cjs/loader:1189:18)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
    at Module.require (node:internal/modules/cjs/loader:1005:19)
    at Module.require (pkg/prelude/bootstrap.js:1851:31)
    at require (node:internal/modules/cjs/helpers:102:18)
    at bindings (C:\snapshot\RedEye\node_modules\bindings\bindings.js:112:48)
    at new Database (C:\snapshot\RedEye\node_modules\better-sqlite3\lib\database.js:48:64)
    at Client_BetterSQLite3.acquireRawConnection (C:\snapshot\RedEye\node_modules\knex\lib\dialects\better-sqlite3\index.js:12:12) {
  code: 'ERR_DLOPEN_FAILED'
}
Cleaning up... {
  type: 'error.platform.SERVER_MACHINE.loadDatabase:invocation[0]',
  data: undefined,
  toString: [Function (anonymous)]
}

Receiving an error when trying to run on Ubuntu 22.04.2 Linux

$ ./RedEye -r -p password
No config file found, using defaults
No parsers specified in config, only .redeye files can be uploaded
Error: /tmp/pkg/6090aceae56dd7014cf4fb03930bc2a1031f87eb0a8f1f8ce4b2d9e7f1524366/better-sqlite3/build/Release/better_sqlite3.node: invalid ELF header
    at process.dlopen (pkg/prelude/bootstrap.js:2251:28)
    at Object.Module._extensions..node (node:internal/modules/cjs/loader:1189:18)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
    at Module.require (node:internal/modules/cjs/loader:1005:19)
    at Module.require (pkg/prelude/bootstrap.js:1851:31)
    at require (node:internal/modules/cjs/helpers:102:18)
    at bindings (/snapshot/RedEye/node_modules/bindings/bindings.js:112:48)
    at new Database (/snapshot/RedEye/node_modules/better-sqlite3/lib/database.js:48:64)
    at Client_BetterSQLite3.acquireRawConnection (/snapshot/RedEye/node_modules/knex/lib/dialects/better-sqlite3/index.js:12:12) {
  code: 'ERR_DLOPEN_FAILED'
}
Cleaning up... {
  type: 'error.platform.SERVER_MACHINE.loadDatabase:invocation[0]',
  data: undefined,
  toString: [Function (anonymous)]
}

To Reproduce
Steps to reproduce the behavior:

  1. Download latest version and extract.
  2. Run RedEye --redTeam --password REDACTED
  3. Observe error

Expected behavior
Work

Desktop (please complete the following information):
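
Both tracebacks above fail inside process.dlopen on the bundled better_sqlite3.node: Windows rejects it as "not a valid Win32 application" and Linux as "invalid ELF header", which is what the loader reports when the native addon packed into the release was compiled for a different operating system than the one running it. The script below is an added example, not part of RedEye or the pkg toolchain: it reads the first bytes of a .node file, identifies the container format (ELF, PE or Mach-O) and CPU architecture from the header, and compares them with the host platform so a wrong-platform addon is caught before the release is built. The three SAMPLE_* headers are constructed stubs, not real addons, and the platform and architecture name tables are this script's own assumptions.

```python
import platform
import struct
import sys

# Magic numbers for the three container formats process.dlopen() can load:
# ELF (Linux), PE/COFF (Windows), Mach-O (macOS).
ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"
MACHO_MAGICS = frozenset({
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit, big/little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit, big/little endian
    b"\xca\xfe\xba\xbe",                        # universal (fat) binary
})
MACHO_LITTLE_ENDIAN = frozenset({b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"})

# Machine identifiers from the ELF, PE and Mach-O header specs.
ELF_MACHINES = {0x03: "x86", 0x28: "arm", 0x3E: "x64", 0xB7: "arm64"}
PE_MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
MACHO_CPUTYPES = {7: "x86", 0x01000007: "x64", 0x0100000C: "arm64"}

# Assumed mapping from platform.system()/platform.machine() to the names above.
EXPECTED_FORMAT = {"Linux": "elf", "Windows": "pe", "Darwin": "macho"}
HOST_ARCH = {"x86_64": "x64", "AMD64": "x64", "aarch64": "arm64",
             "arm64": "arm64", "i386": "x86", "i686": "x86", "x86": "x86"}

# Constructed header stubs (not real addons): just enough bytes for identify().
SAMPLE_ELF_X64 = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9            # e_ident
                  + struct.pack("<HH", 3, 0x3E) + b"\x00" * 44)   # e_type, e_machine
SAMPLE_PE_X64 = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # DOS stub, e_lfanew
                 + b"PE\0\0" + struct.pack("<H", 0x8664) + b"\x00" * 18)
SAMPLE_MACHO_X64 = b"\xcf\xfa\xed\xfe" + struct.pack("<I", 0x01000007) + b"\x00" * 24


def identify(data: bytes) -> tuple[str, str]:
    """Return (format, arch) for the leading bytes of a native addon.

    format is 'elf', 'pe', 'macho' or 'unknown'; arch is a machine name,
    'universal' for a fat Mach-O, or 'unknown'.
    """
    if data.startswith(ELF_MAGIC) and len(data) >= 20:
        endian = "<" if data[5] == 1 else ">"          # EI_DATA selects byte order
        (e_machine,) = struct.unpack_from(endian + "H", data, 18)
        return "elf", ELF_MACHINES.get(e_machine, "unknown")
    if data.startswith(PE_MAGIC) and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(data) >= e_lfanew + 6:
            (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
            return "pe", PE_MACHINES.get(machine, "unknown")
        return "pe", "unknown"                            # MZ stub without a PE header
    magic = data[:4]
    if magic in MACHO_MAGICS and len(data) >= 8:
        if magic == b"\xca\xfe\xba\xbe":
            return "macho", "universal"
        endian = "<" if magic in MACHO_LITTLE_ENDIAN else ">"
        (cputype,) = struct.unpack_from(endian + "I", data, 4)
        return "macho", MACHO_CPUTYPES.get(cputype, "unknown")
    return "unknown", "unknown"


def check_addon(data: bytes, system: str, machine: str) -> tuple[bool, str]:
    """Compare an addon's format and arch with the platform that will load it."""
    fmt, arch = identify(data)
    want_fmt = EXPECTED_FORMAT.get(system, "unknown")
    want_arch = HOST_ARCH.get(machine, "unknown")
    if fmt != want_fmt:
        return False, f"{fmt} addon cannot be loaded on {system} (needs {want_fmt})"
    if arch not in (want_arch, "universal"):
        return False, f"{arch} addon cannot be loaded on {machine} (needs {want_arch})"
    return True, f"{fmt}/{arch} matches {system}/{machine}"


def main(argv: list[str]) -> int:
    """Check each .node path given on the command line against this host."""
    system, machine = platform.system(), platform.machine()
    status = 0
    for path in argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(4096)
        ok, reason = check_addon(head, system, machine)
        print(f"{'OK ' if ok else 'BAD'} {path}: {reason}")
        status |= 0 if ok else 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the build host against node_modules/better-sqlite3/build/Release/better_sqlite3.node (the same relative path that appears under the pkg temp directory in the tracebacks) before invoking the release build; a Mach-O result on a host that is about to produce a Linux or Windows binary is exactly the mismatch that later surfaces as ERR_DLOPEN_FAILED.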

Forensic Version

Would a forensic version be possible? It would allow the use of RedEye for the analysis of Cobalt Strike cybercriminal C2 servers.

Unlike a red team, Cobalt Strike is used on multiple simultaneous campaigns.

This requires many more resources for the graphical display.

This version could have, for example:

  • The IP of the attacker enriched with the country
  • The public IP of the victim enriched with the country
  • The possibility to display only one victim and export the result in a new campaign
  • The possibility to display only one attacker and export the result in a new campaign

Thanks
