nightHawkResponse is a custom-built application for asynchronous forensic data presentation on an Elasticsearch backend. This application is designed to ingest a Mandiant Redline “collections” file and give flexibility in search/stack and tagging. The application was born out of the inability to control multiple investigations (or hundreds of endpoints) in a single pane of glass.
Redline is a free endpoint security tool that gives users the ability to identify malicious or suspicious activity on the operating system. It collects running processes, drivers, file system metadata, event logs, network information, services and web history. This is useful during the full scoping of an incident. Combining Redline with nightHawkResponse makes the collection of data faster and easier to visualize across a distributed network.
Some of the features of this framework:
- Single view endpoint forensics (multiple audit types).
- Global search.
- Interactive process tree view.
- Multiple file upload & Named investigations.
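The search/stack, tagging and process-tree features above are easier to picture with a small worked example. The following Python is an added illustration, not nightHawkResponse or Redline code; the flat record layout (host, pid, ppid, name, path), the host names and the process entries are constructed assumptions standing in for whatever an ingest step extracts from a Redline process audit. It stacks a field across endpoints (rarest values first, which is the usual least-frequency review order), tags the records carrying a rare value, and rebuilds a per-host process tree, treating processes whose parent is no longer in the audit as roots.

```python
"""Added example: stacking, tagging and process-tree building over
Redline-style process audit records from several endpoints.
Not nightHawkResponse or Redline code; the record schema is a constructed
simplification, not Redline's real collection format."""
from collections import defaultdict


def baseline(host):
    """Constructed baseline process set shared by every sample host."""
    return [
        {"host": host, "pid": 4, "ppid": 0, "name": "System", "path": ""},
        {"host": host, "pid": 600, "ppid": 4, "name": "services.exe",
         "path": r"C:\Windows\System32\services.exe"},
        {"host": host, "pid": 900, "ppid": 600, "name": "svchost.exe",
         "path": r"C:\Windows\System32\svchost.exe"},
        # Parent pid 1200 is deliberately absent: a parent that exited before
        # collection must not break tree building.
        {"host": host, "pid": 1500, "ppid": 1200, "name": "explorer.exe",
         "path": r"C:\Windows\explorer.exe"},
    ]


# Constructed sample: three hosts, one of which carries an extra binary that
# appears nowhere else in the fleet (hypothetical host names and paths).
RECORDS = baseline("ws01") + baseline("ws02") + baseline("ws03") + [
    {"host": "ws03", "pid": 2200, "ppid": 1500, "name": "updater.exe",
     "path": r"C:\Users\Public\updater.exe"},
]


def stack(records, field):
    """Count on how many distinct hosts each value of `field` occurs.

    Returns (value, host_count) pairs sorted rarest first, so the values
    worth a second look are at the top of the list.
    """
    hosts_per_value = defaultdict(set)
    for rec in records:
        hosts_per_value[rec[field]].add(rec["host"])
    return sorted(((value, len(hosts)) for value, hosts in hosts_per_value.items()),
                  key=lambda pair: (pair[1], pair[0]))


def tag_rare(records, field, max_hosts=1, tag="rare"):
    """Return a copy of the records with `tag` attached to every record whose
    `field` value is seen on at most `max_hosts` hosts. Existing tags are kept."""
    rare_values = {value for value, count in stack(records, field) if count <= max_hosts}
    tagged = []
    for rec in records:
        if rec[field] in rare_values:
            tags = sorted(set(rec.get("tags", [])) | {tag})
            tagged.append({**rec, "tags": tags})
        else:
            tagged.append(dict(rec))
    return tagged


def process_tree(records, host):
    """Build the process tree for one host as a list of nested dicts.

    A process whose parent pid is not present in the audit (parent exited, or
    ppid 0) becomes a root rather than being dropped.
    """
    by_pid = {rec["pid"]: rec for rec in records if rec["host"] == host}
    children = defaultdict(list)
    roots = []
    for rec in by_pid.values():
        if rec["ppid"] in by_pid and rec["ppid"] != rec["pid"]:
            children[rec["ppid"]].append(rec["pid"])
        else:
            roots.append(rec["pid"])

    def node(pid):
        return {"pid": pid, "name": by_pid[pid]["name"],
                "children": [node(child) for child in sorted(children[pid])]}

    return [node(pid) for pid in sorted(roots)]


def render(tree, depth=0):
    """Flatten a process tree into indented text lines for display."""
    lines = []
    for node in tree:
        lines.append("  " * depth + f"{node['name']} ({node['pid']})")
        lines.extend(render(node["children"], depth + 1))
    return lines


if __name__ == "__main__":
    for value, count in stack(RECORDS, "path"):
        print(f"{count:>3} host(s)  {value or '<no path>'}")
    print()
    print("\n".join(render(process_tree(RECORDS, "ws03"))))
```

Stacking on `path` rather than `name` is the more useful default here: a familiar process name in an unfamiliar directory shows up as a single-host value, while stacking on the name alone would fold it into the common baseline.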
Download ISO: nightHawk v1.0.3
Configure the hardware, mount the ISO into the VM, and start the installation script.
Once complete, in your browser (Chrome/Firefox), go to;
Log into the system with ‘nighthawk/nighthawk’ – click “goto site” to get into the application.
If you need to access Kibana, go to;
If you need to SSH into the box, the login details are;
If you want to change the IP address (reflected application wide);
/opt/nighthawk/bin/nighthawkctl set-ip <new_ipaddress>
The Redline Audit Collection Script can be found in the root of this repo. Use it when running the standalone Redline collector, as it returns the documents you need to populate nightHawk correctly.