
RedEye, an open-source analytic tool for operators to visualize and report C2 activity, was announced by the United States’ Cybersecurity and Infrastructure Security Agency (CISA). Whether you’re on the “Red” or “Blue” team, RedEye will help you quickly and easily assess data and make decisions that will have real-world impacts.

CISA and the Department of Energy’s Pacific Northwest National Laboratory collaborated to create RedEye, an open-source analytic tool that helps Red Teams visualize and report command and control activities. After a Red Team assessment, an operator can use the tool, released on GitHub in October 2022, to analyze and visualize complex data, assess mitigation strategies, and enable sound decision making. The tool analyzes log data, such as logs generated by Cobalt Strike, and presents it in a format that is simple to understand. Users can then annotate the activities they see within the tool with tags and comments. When presenting findings and workflow to stakeholders, operators can use RedEye’s presentation mode.

RedEye helps an operator do the following:

  • Show how the Red Team conducted its assessment in real time, rather than sifting through thousands of lines of log text.
  • Visualise and analyse intricate assessment data to support sound judgement.
  • Learn more about the hosts that were compromised and the attack path taken during a Red Team assessment or penetration test.

Assessing Attack Campaigns

RedEye Tool – Campaign Data Upload

The tool allows users to upload campaign data to view relevant information such as beacons and commands.

RedEye Tool – Campaign Visualization

RedEye provides a visual representation of campaign logs over time, which can be used to look for trends between servers and hosts.

RedEye Tool – Campaign Playback

Analysts can investigate key events in a campaign to learn about payload activity and trace an attacker’s penetration path, such as lateral movement or the use of credentials to gain administrative access.

RedEye Tool – Comment and Tags Feature

Analysts can collaborate more effectively and gain a deeper understanding of the attack path by using RedEye’s commenting features to provide feedback on the attacker’s actions.

RedEye tool – Generate Presentations

RedEye can also generate presentations based on the campaign’s data, including analyst feedback and implementation details, that can be shared with stakeholders and clients. Campaign data and analyst feedback can be exported and shared with clients. RedEye isn’t just for red teams, though: blue teams can use it to better digest assessment data, see where attacks originated, and identify which hosts were compromised.

RedEye currently supports analysing Cobalt Strike framework logs. It has been validated on the latest versions of Ubuntu (18+), Kali Linux (2020.1+), macOS (El Capitan+), and Windows (7+).

The tool is available on GitHub, in CISA’s repository.

In addition, CISA has published a video that can be accessed via the link below and which provides an overview of RedEye’s primary features:

Among them are Malcolm, a network traffic analysis tool; ICS NPP, a tool for parsing Industrial Control Systems network protocols; and Sparrow, a PowerShell script for detecting possibly compromised accounts and apps in Azure and Microsoft 365 environments.
