RedEye is a visual analytic tool for supporting Red Team operations, analytics, and reporting. A critical aspect of Red Team engagements is to communicate to customers how successful breaches unfold so that they can assess mitigation strategies. Visualizing breaches can be a helpful but time-consuming task. RedEye offers a visualization tool to help Red Teams easily assess complex data for effective decision-making.
To create a new user, type a username in the user textbox, and click "+ New User" from the dropdown.
Once logged in, you will be directed to the campaign cards screen. This is where you can upload new campaigns, and view a list of your previously uploaded campaigns.
RedEye provides two ways to upload and visualize your campaign data.
When uploading multi-server or single-server folders, RedEye will automatically remove files that are not necessary. To view a list of all the files that were removed, hover over the "File Removed" icon.
Upload database files ending with .redeye or .sqlite. These are usually campaigns that were previously exported.
Filter through the list of uploaded campaigns by typing in the input field next to "Add a campaign" button.
To rename, delete or export the campaign as a database file, click on the "More" icon.
After uploading and selecting a campaign, you will be directed to the Explore Tab.
This tab shows the different hosts linked to the campaign being viewed, as well as the Cobalt Strike server. Select a host to see all commands executed by the beacons on that host.
Each operator appears here, along with the number of beacons and commands associated with that operator.
All comments, including multi-command comments that have been added to the campaign, will be displayed here. Other functionalities include:
- Deleting comments
- Editing a comment
- Add/Remove Tags
- Replying to a comment
- Favoriting a comment
All beacons and the total number of commands executed by the beacon are displayed. In addition, any tags, such as Privilege Escalation, Goldenticket, jump, or elevate will be indicated by an icon.
Select a beacon from the Beacons Tab to find out more information, such as the commands, operators, comments, and metadata that it is associated with.
Select a command from the list to view the raw log of the command as executed by the beacon. Here you can see the MITRE ATT&CK techniques associated with the command, and you have the option to copy the log text.
Hover over a command and click on the "Add Comment" button to add a new comment.
Within the new comment modal, you can favorite the comment, add a tag, and write your comment about the command.
Use the multi-command comment function to group multiple commands under one comment. Use the checkboxes to select one or more commands, then click "Comment on commands".
The Command Types tab displays a list of all commands and the number of times the command was executed by the beacons in the campaign.
The timeline located above the graph provides users the ability to:
- Filter the campaign by a time range
- Display the graph as events occurred.
- Fast forward / reverse the time
- Use the scrubber to filter.
By default, the timezone is set automatically to your current timezone. To view the campaign in a different timezone, uncheck the "AutoSelect" button and use the drop-down to select the timezone you want.
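The Command Types tab, the timeline's time-range filter, and the timezone selector above all operate on the timestamped command lines in the uploaded beacon logs. The following Python is an added illustration written for this guide, not RedEye's own code: it parses Cobalt Strike-style `[input]` log lines, counts command types, filters them to a UTC time range, and renders timestamps in a chosen timezone. It assumes the common `MM/DD HH:MM:SS UTC [input] <operator> command args` line shape (adjust `INPUT_RE` if your team server writes a different format) and a caller-supplied year, since the lines carry none. The log lines, operator names, and hostnames are constructed sample data.

```python
"""Added illustration for this guide (not RedEye's own code): parse
Cobalt Strike-style beacon log "[input]" lines, count command types the way the
Command Types tab does, filter them to a time range like the timeline, and
render timestamps in a chosen timezone.

Assumptions: input lines have the shape
    MM/DD HH:MM:SS UTC [input] <operator> command args
(the common beacon_*.log layout; adjust INPUT_RE if your team server differs),
and the log year is supplied by the caller because the lines carry none."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed sample lines, not real engagement data.
SAMPLE_LOG = """\
01/12 14:05:23 UTC [input] <neo> sleep 5
01/12 14:05:40 UTC [input] <neo> shell whoami
01/12 14:06:02 UTC [output]
ws01\\jdoe
01/12 14:07:15 UTC [input] <trinity> ls C:\\Users
01/12 14:09:58 UTC [input] <neo> shell net group "Domain Admins" /domain
01/12 14:12:30 UTC [input] <trinity> jump psexec WS02 smb
"""

INPUT_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) UTC \[input\] "
    r"<(?P<operator>[^>]+)> (?P<command>\S+)(?: (?P<args>.*))?$"
)


def parse_inputs(log_text, year):
    """Yield (utc_datetime, operator, command, args) for each [input] line.
    [output], [metadata] and continuation lines do not match and are skipped."""
    for line in log_text.splitlines():
        m = INPUT_RE.match(line)
        if not m:
            continue
        naive = datetime.strptime(f"{year}/{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S")
        yield naive.replace(tzinfo=timezone.utc), m["operator"], m["command"], m["args"] or ""


def command_type_counts(log_text, year=2023):
    """Command type -> number of executions, as in the Command Types tab."""
    return Counter(cmd for _, _, cmd, _ in parse_inputs(log_text, year))


def commands_between(log_text, start_iso, end_iso, year=2023):
    """[(command, operator)] whose UTC timestamp lies in [start, end), like the
    timeline's time-range filter. Bounds are ISO-8601 strings with an offset."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return [(cmd, op) for ts, op, cmd, _ in parse_inputs(log_text, year) if start <= ts < end]


def fixed_offset(hours):
    """tzinfo for a fixed UTC offset; handy where the IANA tz database is absent."""
    return timezone(timedelta(hours=hours))


def in_timezone(log_text, tz, year=2023):
    """[(local ISO timestamp, operator, command)] rendered in `tz`, which may be
    an IANA name such as "America/New_York" or a tzinfo object."""
    tzinfo = ZoneInfo(tz) if isinstance(tz, str) else tz
    return [(ts.astimezone(tzinfo).isoformat(), op, cmd)
            for ts, op, cmd, _ in parse_inputs(log_text, year)]


if __name__ == "__main__":
    for cmd, n in command_type_counts(SAMPLE_LOG).most_common():
        print(f"{cmd:10} {n}")
    for local_ts, op, cmd in in_timezone(SAMPLE_LOG, fixed_offset(-5)):
        print(local_ts, op, cmd)
```

Because beacon logs are written in UTC, converting only at display time (as `in_timezone` does) keeps the time-range filter and the command ordering independent of whichever timezone an analyst happens to select.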
To display or hide hidden beacons, hosts, and servers, check or uncheck the "Show Hidden Beacons, Host, and Servers" button.
The graph shows how hosts and beacons are connected to the Cobalt Strike server. Hover over a host node to view how its beacons are linked to the host, and hover over the beacons inside the host node to see how they are linked to one another.
Clicking on the host node will display a list of all commands, beacons, operators, comments, and metadata about the host. Selecting the beacon node will display all commands, operators, comments, and metadata about the beacon.
Use the graph controls located on the right to view graph legends, zoom in and out of the graph, and reset the graph.
To export the graph, as currently displayed, to an image, click the export button.
Search is available from the eyeglass icon in the navigation bar.
Search enables:
- Full-text search across:
  - Beacons
  - Hosts
  - Teamservers
  - Operators
  - Comments
  - Commands
  - Command Type
  - Tags
- Filtering results by any of the above item types.
- Sorting results by:
  - Relevance (ascending and descending)
  - Name (ascending and descending)
  - Type (ascending and descending)
Search can be activated from anywhere within a campaign with an OS-specific key combination:
- Windows - CTRL + K
- Mac - CMD + K
- Linux - CTRL + K
Presentation mode is available from the presentation icon in the navigation bar.
Presentations are a collection of comments and commands ordered by time and grouped by tag.
The first screen is a list of presentations:
- The first two are collections of "All" and "Favorite" comments in the campaign.
- The remaining presentations are organized by tag.
Clicking on an item in the list opens that presentation.
Each presentation has "slides" ordered by the time of the command tied to the comment.
Move forward in the presentation using the Next button and move backward with the previous arrow button to the left of Next. A slide indicator below those controls allows jumping to a specific slide.
To return to the presentations list, click the left arrow button at the far left of the panel.