RedEye
Overview
Section titled “Overview”RedEye is a visualization and reporting framework designed for red team operations, command-and-control (C2) infrastructure, and authorized adversarial simulations. It aggregates data from various C2 platforms (Cobalt Strike, Empire, Metasploit, Sliver) to provide unified command execution tracking, timeline visualization, and comprehensive operation reporting. Essential for coordinating complex red team engagements and documenting authorized penetration tests.
Installation
Section titled “Installation”Prerequisites
Section titled “Prerequisites”# Python 3.8+
python3 --version
# Node.js and npm
node --version
npm --version
# Docker (optional but recommended)
docker --version
docker-compose --versionFrom GitHub
Section titled “From GitHub”git clone https://github.com/offensive-security/redeye.git
cd redeyeDocker Installation
Section titled “Docker Installation”docker-compose up -d
# Web interface: http://localhost:8080Manual Installation
Section titled “Manual Installation”cd backend
pip3 install -r requirements.txt
cd ../frontend
npm install
npm run buildVerify Installation
Section titled “Verify Installation”redeye --version
redeye --help
python3 -m redeye --versionBasic Startup
Section titled “Basic Startup”# Docker (recommended)
docker-compose up
# Manual startup
python3 -m redeye.server &
npm start # in frontend directoryEssential Commands
Section titled “Essential Commands”| Command | Purpose |
|---|---|
redeye import cobalt-strike.cobaltstrike | Import Cobalt Strike log |
redeye import empire.json | Import Empire JSON data |
redeye list-campaigns | List all campaigns |
redeye timeline --campaign <id> | Generate timeline visualization |
redeye report --campaign <id> | Generate HTML report |
redeye export --campaign <id> --format json | Export campaign data |
redeye search <query> --campaign <id> | Search campaign data |
redeye stats --campaign <id> | Display campaign statistics |
redeye deduplicate --campaign <id> | Remove duplicate commands |
redeye sync --server http://server:port | Sync with remote server |
Web Interface Navigation
Section titled “Web Interface Navigation”Dashboard
Section titled “Dashboard”1. Login to http://localhost:8080
2. Navigate to Campaigns
3. Select campaign to view timeline
4. Access command execution details
5. Export reports and visualizationsCampaign Management
Section titled “Campaign Management”1. Create New Campaign
- Campaign Name
- Start Date
- Team Members
- Objectives
2. Import Logs
- Select C2 platform
- Upload operator data
- Map users and hosts
3. Manage Timeline
- Filter by date
- Group by operator
- Filter by hostC2 Data Import
Section titled “C2 Data Import”Cobalt Strike Import
Section titled “Cobalt Strike Import”# Export from Cobalt Strike
redeye import cobalt-strike.bin \
--campaign "Operation Alpha" \
--description "Red team engagement 2026"Multiple C2 Platforms
Section titled “Multiple C2 Platforms”# Combine data from multiple C2 systems
redeye import \
--cobalt-strike cobaltstrike.bin \
--empire empire-output.json \
--metasploit msf-data.json \
--campaign "Multi-C2 Engagement"Empire JSON Import
Section titled “Empire JSON Import”redeye import empire.json \
--campaign "Empire Ops" \
--sync-users true \
--auto-timelineSliver C2 Import
Section titled “Sliver C2 Import”# Sliver operator logs
redeye import sliver-session.log \
--campaign "Sliver Operations" \
--parse-implantsTimeline Visualization
Section titled “Timeline Visualization”Generate Timeline
Section titled “Generate Timeline”redeye timeline \
--campaign "Operation Alpha" \
--output timeline.html \
--format interactiveFilter by Date Range
Section titled “Filter by Date Range”redeye timeline \
--campaign "Operation Alpha" \
--start "2026-01-01" \
--end "2026-01-31" \
--output january-ops.htmlGroup by Operator
Section titled “Group by Operator”redeye timeline \
--campaign "Operation Alpha" \
--group-by operator \
--highlight-operators "alice,bob,charlie"Host-Centric Timeline
Section titled “Host-Centric Timeline”redeye timeline \
--campaign "Operation Alpha" \
--pivot-host \
--include-hosts "server01,workstation02"Command Tracking
Section titled “Command Tracking”List All Commands
Section titled “List All Commands”redeye search "command:*" \
--campaign "Operation Alpha" \
--format tableFind Specific Commands
Section titled “Find Specific Commands”# Search by command type
redeye search "command_type:process-execution" \
--campaign "Operation Alpha"
# Search by operator
redeye search "operator:alice" \
--campaign "Operation Alpha"
# Search by host
redeye search "host:server01" \
--campaign "Operation Alpha"Command Execution Stats
Section titled “Command Execution Stats”redeye stats \
--campaign "Operation Alpha" \
--stat-type command-summaryFailed vs Successful
Section titled “Failed vs Successful”redeye search "status:success" \
--campaign "Operation Alpha" \
--count
redeye search "status:failed" \
--campaign "Operation Alpha" \
--countOperator Tracking
Section titled “Operator Tracking”List All Operators
Section titled “List All Operators”redeye search "operator:*" \
--campaign "Operation Alpha" \
--uniqueOperator Activity Summary
Section titled “Operator Activity Summary”redeye stats \
--campaign "Operation Alpha" \
--operator-activityMap Operator to Commands
Section titled “Map Operator to Commands”redeye search "operator:alice" \
--campaign "Operation Alpha" \
--include-commands \
--sort-by timestampOperator Timeline
Section titled “Operator Timeline”redeye timeline \
--campaign "Operation Alpha" \
--operator-focus alice \
--output alice-timeline.htmlHost and Network Tracking
Section titled “Host and Network Tracking”List All Hosts
Section titled “List All Hosts”redeye search "host:*" \
--campaign "Operation Alpha" \
--uniqueHost Details
Section titled “Host Details”redeye search "host:server01" \
--campaign "Operation Alpha" \
--include-os \
--include-users \
--include-processesNetwork Topology
Section titled “Network Topology”redeye export \
--campaign "Operation Alpha" \
--format network-graph \
--output network.jsonHost Compromise Timeline
Section titled “Host Compromise Timeline”redeye timeline \
--campaign "Operation Alpha" \
--host-focus server01 \
--show-access-eventsReport Generation
Section titled “Report Generation”Full Campaign Report
Section titled “Full Campaign Report”redeye report \
--campaign "Operation Alpha" \
--format html \
--output report.html \
--include-timeline \
--include-stats \
--include-objectivesExecutive Summary
Section titled “Executive Summary”redeye report \
--campaign "Operation Alpha" \
--format executive-summary \
--output executive.htmlTechnical Report
Section titled “Technical Report”redeye report \
--campaign "Operation Alpha" \
--format technical \
--output technical-report.html \
--include-iocs \
--include-commands \
--include-toolingTimeline Report
Section titled “Timeline Report”redeye report \
--campaign "Operation Alpha" \
--format timeline-only \
--output timeline-report.html \
--group-by dateData Export
Section titled “Data Export”Export to JSON
Section titled “Export to JSON”redeye export \
--campaign "Operation Alpha" \
--format json \
--output campaign-data.jsonExport to CSV
Section titled “Export to CSV”redeye export \
--campaign "Operation Alpha" \
--format csv \
--output commands.csv \
--include fields timestamp,operator,host,command,resultExport IOCs
Section titled “Export IOCs”redeye export \
--campaign "Operation Alpha" \
--format iocs \
--output indicators.txt \
--ioc-types ip,domain,hash,processExport for MITRE ATT&CK
Section titled “Export for MITRE ATT&CK”redeye export \
--campaign "Operation Alpha" \
--format mitre-attack \
--output attack-mapping.jsonDeduplication and Cleanup
Section titled “Deduplication and Cleanup”Find Duplicate Entries
Section titled “Find Duplicate Entries”redeye deduplicate \
--campaign "Operation Alpha" \
--analyze-onlyRemove Duplicates
Section titled “Remove Duplicates”redeye deduplicate \
--campaign "Operation Alpha" \
--executeMerge Campaigns
Section titled “Merge Campaigns”redeye merge \
--source "Operation Alpha" \
--target "Operation Beta" \
--strategy keep-bothSanitize Sensitive Data
Section titled “Sanitize Sensitive Data”redeye sanitize \
--campaign "Operation Alpha" \
--remove-passwords \
--redact-usernames \
--output cleaned-campaign.jsonTimeline Filtering
Section titled “Timeline Filtering”Filter by Activity Type
Section titled “Filter by Activity Type”redeye timeline \
--campaign "Operation Alpha" \
--activity-filter "command,file-access,process-creation" \
--output filtered-timeline.htmlFilter by Time Range
Section titled “Filter by Time Range”redeye timeline \
--campaign "Operation Alpha" \
--start "2026-01-15 08:00:00" \
--end "2026-01-15 17:00:00" \
--output daily-timeline.htmlFilter by Success/Failure
Section titled “Filter by Success/Failure”redeye timeline \
--campaign "Operation Alpha" \
--status-filter success \
--output successful-only.htmlVisualization Options
Section titled “Visualization Options”Interactive Timeline
Section titled “Interactive Timeline”redeye timeline \
--campaign "Operation Alpha" \
--format interactive \
--output timeline-interactive.htmlLinear Timeline
Section titled “Linear Timeline”redeye timeline \
--campaign "Operation Alpha" \
--format linear \
--output timeline-linear.htmlNetwork Graph
Section titled “Network Graph”redeye export \
--campaign "Operation Alpha" \
--format network-graph \
--output network-graph.htmlSunburst Diagram
Section titled “Sunburst Diagram”redeye export \
--campaign "Operation Alpha" \
--format sunburst \
--output sunburst.htmlMulti-Campaign Management
Section titled “Multi-Campaign Management”Create Campaign
Section titled “Create Campaign”redeye campaign create \
--name "Operation Alpha" \
--start-date "2026-01-01" \
--team-members alice,bob,charlieList Campaigns
Section titled “List Campaigns”redeye list-campaigns \
--include-statsCompare Campaigns
Section titled “Compare Campaigns”redeye compare \
--campaign1 "Operation Alpha" \
--campaign2 "Operation Beta" \
--output comparison.htmlArchive Campaign
Section titled “Archive Campaign”redeye archive \
--campaign "Operation Alpha" \
--output archive.tar.gzSearch Syntax
Section titled “Search Syntax”Basic Search
Section titled “Basic Search”# Search all fields
redeye search "malware" --campaign "Op Alpha"
# Specific field
redeye search "command:whoami" --campaign "Op Alpha"
# Multiple conditions
redeye search "operator:alice AND host:server01" --campaign "Op Alpha"Advanced Operators
Section titled “Advanced Operators”# Wildcards
redeye search "command:*creds*" --campaign "Op Alpha"
# Range
redeye search "timestamp:[2026-01-01 TO 2026-01-31]" --campaign "Op Alpha"
# Exclusion
redeye search "NOT status:failed" --campaign "Op Alpha"
# OR logic
redeye search "host:server01 OR host:server02" --campaign "Op Alpha"MITRE ATT&CK Mapping
Section titled “MITRE ATT&CK Mapping”Map Commands to Techniques
Section titled “Map Commands to Techniques”redeye map-attack \
--campaign "Operation Alpha" \
--output attack-mapping.jsonGenerate ATT&CK Navigator
Section titled “Generate ATT&CK Navigator”redeye export \
--campaign "Operation Alpha" \
--format attack-navigator \
--output navigator.jsonTechnique Coverage Report
Section titled “Technique Coverage Report”redeye report \
--campaign "Operation Alpha" \
--format attack-coverage \
--output technique-coverage.htmlServer Management
Section titled “Server Management”Start Local Server
Section titled “Start Local Server”redeye server start --host 0.0.0.0 --port 8080Remote Server Access
Section titled “Remote Server Access”redeye sync \
--server http://remote-server:8080 \
--campaign "Operation Alpha"User Management
Section titled “User Management”redeye user add --username analyst --password secure
redeye user list
redeye user delete --username analystBackup Campaign
Section titled “Backup Campaign”redeye backup \
--campaign "Operation Alpha" \
--output backup.tar.gzConfiguration
Section titled “Configuration”Config File
Section titled “Config File”# ~/.redeye/config.yaml
server:
host: 0.0.0.0
port: 8080
debug: false
database:
type: sqlite
path: ./redeye.db
import:
auto-deduplicate: true
merge-similar: false
export:
include-sensitive: true
sanitize: false
timeline:
group-by-default: date
highlight-failed: trueEnvironment Variables
Section titled “Environment Variables”export REDEYE_HOST=0.0.0.0
export REDEYE_PORT=8080
export REDEYE_DB_PATH=/data/redeye.db
export REDEYE_DEBUG=trueBest Practices
Section titled “Best Practices”- Segregate Operations - Keep campaigns separate for security and organization
- Regular Backups - Export campaigns regularly for record preservation
- Sanitize Reports - Remove sensitive data before sharing reports
- Document Objectives - Clearly define and track engagement objectives
- Timestamp Everything - Ensure accurate timeline data for forensics
- Access Control - Limit who can view sensitive operation data
- Archive Completed - Archive finished campaigns for long-term storage
- Validate Imports - Verify C2 data integrity before importing
Real-World Workflows
Section titled “Real-World Workflows”Multi-Operator Engagement
Section titled “Multi-Operator Engagement”# Day 1: Import Cobalt Strike data
redeye import cobalt-strike.bin --campaign "Engagement 2026"
# Day 2: Add Empire data
redeye import empire.json --campaign "Engagement 2026"
# Day 3: Generate daily report
redeye report --campaign "Engagement 2026" \
--format html --output day3-report.html
# End of week: Executive summary
redeye report --campaign "Engagement 2026" \
--format executive-summary --output executive.htmlIncident Response Attribution
Section titled “Incident Response Attribution”# Import suspicious activity logs
redeye import activity.json --campaign "IR-2026-001"
# Timeline visualization
redeye timeline --campaign "IR-2026-001" \
--output incident-timeline.html
# Export IOCs for blocking
redeye export --campaign "IR-2026-001" \
--format iocs --output blocking-list.txtCompliance Documentation
Section titled “Compliance Documentation”# Generate comprehensive report
redeye report --campaign "Engagement 2026" \
--format technical \
--include-timeline \
--include-stats \
--include-objectives \
--output compliance-report.html
# Export for audit trail
redeye export --campaign "Engagement 2026" \
--format json --output audit-trail.jsonTroubleshooting
Section titled “Troubleshooting”Import Failures
Section titled “Import Failures”# Verify file format
file cobalt-strike.bin
# Check compatibility
redeye import --validate cobalt-strike.bin
# Verbose import
redeye import --verbose cobalt-strike.binDatabase Issues
Section titled “Database Issues”# Check database integrity
redeye database check
# Repair database
redeye database repair
# Reset database
redeye database resetWeb Interface Not Responding
Section titled “Web Interface Not Responding”# Check server status
curl http://localhost:8080/api/health
# Restart services
docker-compose restart
# Check logs
docker-compose logs -fAdditional Resources
Section titled “Additional Resources”- RedEye GitHub: https://github.com/offensive-security/redeye
- Cobalt Strike Documentation: https://www.cobaltstrike.com/
- MITRE ATT&CK: https://attack.mitre.org/
- Red Team Handbook: https://redteamhandbook.com/