Added filebeat configuration for Havoc C2 logs

outflanknl · Jul 27, 2024 · f9e93f2 · f9e93f2
1 parent 05bc692
commit f9e93f2
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/c2servers/filebeat/inputs.d/filebeat_havoc.yml b/c2servers/filebeat/inputs.d/filebeat_havoc.yml
@@ -11,7 +11,7 @@
     max_lines: 500
   fields:
     infra:
-      attack_scenario: @@ATTACKSCENARIO@@
+      attack_scenario: shorthaul
       log:
         type: rtops
     c2:
@@ -31,17 +31,17 @@
   fields_under_root: true
   fields:
     infra:
-      attack_scenario: @@ATTACKSCENARIO@@
-    log:
-      type: rtops
+      attack_scenario: shorthaul
+      log:
+        type: rtops
     c2:
       program: havoc
       log:
         type: teamserver
   multiline:
     pattern: '^\[\d{2}:\d{2}:\d{2}\]'
-    negate: false
-    match: pattern
+    negate: true
+    match: after
   processors:
     - dissect:
         tokenizer: '[%{timestamp}] [%{log_level}] %{message}'
@@ -52,7 +52,7 @@
           not:
             or:
               - regexp:
-                  teamserver.message: "User .*"
+                  teamserver.message: "User *"
               - regexp:
-                  teamserver.message: "Started .* listener.*"
+                  teamserver.message: "Started .* listener*"