RedEye
Overview
Sezione intitolata “Overview”RedEye is a visualization and reporting framework designed for red team operations, command-and-control (C2) infrastructure, and authorized adversarial simulations. It aggregates data from various C2 platforms (Cobalt Strike, Empire, Metasploit, Sliver) to provide unified command execution tracking, timeline visualization, and comprehensive operation reporting. Essential for coordinating complex red team engagements and documenting authorized penetration tests.
Installation
Sezione intitolata “Installation”Prerequisites
Sezione intitolata “Prerequisites”# Python 3.8+
python3 --version
# Node.js and npm
node --version
npm --version
# Docker (optional but recommended)
docker --version
docker-compose --versionFrom GitHub
Sezione intitolata “From GitHub”git clone https://github.com/offensive-security/redeye.git
cd redeyeDocker Installation
Sezione intitolata “Docker Installation”docker-compose up -d
# Web interface: http://localhost:8080Manual Installation
Sezione intitolata “Manual Installation”cd backend
pip3 install -r requirements.txt
cd ../frontend
npm install
npm run buildVerify Installation
Sezione intitolata “Verify Installation”redeye --version
redeye --help
python3 -m redeye --versionBasic Startup
Sezione intitolata “Basic Startup”# Docker (recommended)
docker-compose up
# Manual startup
python3 -m redeye.server &
npm start # in frontend directoryEssential Commands
Sezione intitolata “Essential Commands”| Command | Purpose |
|---|---|
redeye import cobalt-strike.cobaltstrike | Import Cobalt Strike log |
redeye import empire.json | Import Empire JSON data |
redeye list-campaigns | List all campaigns |
redeye timeline --campaign <id> | Generate timeline visualization |
redeye report --campaign <id> | Generate HTML report |
redeye export --campaign <id> --format json | Export campaign data |
redeye search <query> --campaign <id> | Search campaign data |
redeye stats --campaign <id> | Display campaign statistics |
redeye deduplicate --campaign <id> | Remove duplicate commands |
redeye sync --server http://server:port | Sync with remote server |
Web Interface Navigation
Sezione intitolata “Web Interface Navigation”Dashboard
Sezione intitolata “Dashboard”1. Login to http://localhost:8080
2. Navigate to Campaigns
3. Select campaign to view timeline
4. Access command execution details
5. Export reports and visualizationsCampaign Management
Sezione intitolata “Campaign Management”1. Create New Campaign
- Campaign Name
- Start Date
- Team Members
- Objectives
2. Import Logs
- Select C2 platform
- Upload operator data
- Map users and hosts
3. Manage Timeline
- Filter by date
- Group by operator
- Filter by hostC2 Data Import
Sezione intitolata “C2 Data Import”Cobalt Strike Import
Sezione intitolata “Cobalt Strike Import”# Export from Cobalt Strike
redeye import cobalt-strike.bin \
--campaign "Operation Alpha" \
--description "Red team engagement 2026"Multiple C2 Platforms
Sezione intitolata “Multiple C2 Platforms”# Combine data from multiple C2 systems
redeye import \
--cobalt-strike cobaltstrike.bin \
--empire empire-output.json \
--metasploit msf-data.json \
--campaign "Multi-C2 Engagement"Empire JSON Import
Sezione intitolata “Empire JSON Import”redeye import empire.json \
--campaign "Empire Ops" \
--sync-users true \
--auto-timelineSliver C2 Import
Sezione intitolata “Sliver C2 Import”# Sliver operator logs
redeye import sliver-session.log \
--campaign "Sliver Operations" \
--parse-implantsTimeline Visualization
Sezione intitolata “Timeline Visualization”Generate Timeline
Sezione intitolata “Generate Timeline”redeye timeline \
--campaign "Operation Alpha" \
--output timeline.html \
--format interactiveFilter by Date Range
Sezione intitolata “Filter by Date Range”redeye timeline \
--campaign "Operation Alpha" \
--start "2026-01-01" \
--end "2026-01-31" \
--output january-ops.htmlGroup by Operator
Sezione intitolata “Group by Operator”redeye timeline \
--campaign "Operation Alpha" \
--group-by operator \
--highlight-operators "alice,bob,charlie"Host-Centric Timeline
Sezione intitolata “Host-Centric Timeline”redeye timeline \
--campaign "Operation Alpha" \
--pivot-host \
--include-hosts "server01,workstation02"Command Tracking
Sezione intitolata “Command Tracking”List All Commands
Sezione intitolata “List All Commands”redeye search "command:*" \
--campaign "Operation Alpha" \
--format tableFind Specific Commands
Sezione intitolata “Find Specific Commands”# Search by command type
redeye search "command_type:process-execution" \
--campaign "Operation Alpha"
# Search by operator
redeye search "operator:alice" \
--campaign "Operation Alpha"
# Search by host
redeye search "host:server01" \
--campaign "Operation Alpha"Command Execution Stats
Sezione intitolata “Command Execution Stats”redeye stats \
--campaign "Operation Alpha" \
--stat-type command-summaryFailed vs Successful
Sezione intitolata “Failed vs Successful”redeye search "status:success" \
--campaign "Operation Alpha" \
--count
redeye search "status:failed" \
--campaign "Operation Alpha" \
--countOperator Tracking
Sezione intitolata “Operator Tracking”List All Operators
Sezione intitolata “List All Operators”redeye search "operator:*" \
--campaign "Operation Alpha" \
--uniqueOperator Activity Summary
Sezione intitolata “Operator Activity Summary”redeye stats \
--campaign "Operation Alpha" \
--operator-activityMap Operator to Commands
Sezione intitolata “Map Operator to Commands”redeye search "operator:alice" \
--campaign "Operation Alpha" \
--include-commands \
--sort-by timestampOperator Timeline
Sezione intitolata “Operator Timeline”redeye timeline \
--campaign "Operation Alpha" \
--operator-focus alice \
--output alice-timeline.htmlHost and Network Tracking
Sezione intitolata “Host and Network Tracking”List All Hosts
Sezione intitolata “List All Hosts”redeye search "host:*" \
--campaign "Operation Alpha" \
--uniqueHost Details
Sezione intitolata “Host Details”redeye search "host:server01" \
--campaign "Operation Alpha" \
--include-os \
--include-users \
--include-processesNetwork Topology
Sezione intitolata “Network Topology”redeye export \
--campaign "Operation Alpha" \
--format network-graph \
--output network.jsonHost Compromise Timeline
Sezione intitolata “Host Compromise Timeline”redeye timeline \
--campaign "Operation Alpha" \
--host-focus server01 \
--show-access-eventsReport Generation
Sezione intitolata “Report Generation”Full Campaign Report
Sezione intitolata “Full Campaign Report”redeye report \
--campaign "Operation Alpha" \
--format html \
--output report.html \
--include-timeline \
--include-stats \
--include-objectivesExecutive Summary
Sezione intitolata “Executive Summary”redeye report \
--campaign "Operation Alpha" \
--format executive-summary \
--output executive.htmlTechnical Report
Sezione intitolata “Technical Report”redeye report \
--campaign "Operation Alpha" \
--format technical \
--output technical-report.html \
--include-iocs \
--include-commands \
--include-toolingTimeline Report
Sezione intitolata “Timeline Report”redeye report \
--campaign "Operation Alpha" \
--format timeline-only \
--output timeline-report.html \
--group-by dateData Export
Sezione intitolata “Data Export”Export to JSON
Sezione intitolata “Export to JSON”redeye export \
--campaign "Operation Alpha" \
--format json \
--output campaign-data.jsonExport to CSV
Sezione intitolata “Export to CSV”redeye export \
--campaign "Operation Alpha" \
--format csv \
--output commands.csv \
--include fields timestamp,operator,host,command,resultExport IOCs
Sezione intitolata “Export IOCs”redeye export \
--campaign "Operation Alpha" \
--format iocs \
--output indicators.txt \
--ioc-types ip,domain,hash,processExport for MITRE ATT&CK
Sezione intitolata “Export for MITRE ATT&CK”redeye export \
--campaign "Operation Alpha" \
--format mitre-attack \
--output attack-mapping.jsonDeduplication and Cleanup
Sezione intitolata “Deduplication and Cleanup”Find Duplicate Entries
Sezione intitolata “Find Duplicate Entries”redeye deduplicate \
--campaign "Operation Alpha" \
--analyze-onlyRemove Duplicates
Sezione intitolata “Remove Duplicates”redeye deduplicate \
--campaign "Operation Alpha" \
--executeMerge Campaigns
Sezione intitolata “Merge Campaigns”redeye merge \
--source "Operation Alpha" \
--target "Operation Beta" \
--strategy keep-bothSanitize Sensitive Data
Sezione intitolata “Sanitize Sensitive Data”redeye sanitize \
--campaign "Operation Alpha" \
--remove-passwords \
--redact-usernames \
--output cleaned-campaign.jsonTimeline Filtering
Sezione intitolata “Timeline Filtering”Filter by Activity Type
Sezione intitolata “Filter by Activity Type”redeye timeline \
--campaign "Operation Alpha" \
--activity-filter "command,file-access,process-creation" \
--output filtered-timeline.htmlFilter by Time Range
Sezione intitolata “Filter by Time Range”redeye timeline \
--campaign "Operation Alpha" \
--start "2026-01-15 08:00:00" \
--end "2026-01-15 17:00:00" \
--output daily-timeline.htmlFilter by Success/Failure
Sezione intitolata “Filter by Success/Failure”redeye timeline \
--campaign "Operation Alpha" \
--status-filter success \
--output successful-only.htmlVisualization Options
Sezione intitolata “Visualization Options”Interactive Timeline
Sezione intitolata “Interactive Timeline”redeye timeline \
--campaign "Operation Alpha" \
--format interactive \
--output timeline-interactive.htmlLinear Timeline
Sezione intitolata “Linear Timeline”redeye timeline \
--campaign "Operation Alpha" \
--format linear \
--output timeline-linear.htmlNetwork Graph
Sezione intitolata “Network Graph”redeye export \
--campaign "Operation Alpha" \
--format network-graph \
--output network-graph.htmlSunburst Diagram
Sezione intitolata “Sunburst Diagram”redeye export \
--campaign "Operation Alpha" \
--format sunburst \
--output sunburst.htmlMulti-Campaign Management
Sezione intitolata “Multi-Campaign Management”Create Campaign
Sezione intitolata “Create Campaign”redeye campaign create \
--name "Operation Alpha" \
--start-date "2026-01-01" \
--team-members alice,bob,charlieList Campaigns
Sezione intitolata “List Campaigns”redeye list-campaigns \
--include-statsCompare Campaigns
Sezione intitolata “Compare Campaigns”redeye compare \
--campaign1 "Operation Alpha" \
--campaign2 "Operation Beta" \
--output comparison.htmlArchive Campaign
Sezione intitolata “Archive Campaign”redeye archive \
--campaign "Operation Alpha" \
--output archive.tar.gzSearch Syntax
Sezione intitolata “Search Syntax”Basic Search
Sezione intitolata “Basic Search”# Search all fields
redeye search "malware" --campaign "Op Alpha"
# Specific field
redeye search "command:whoami" --campaign "Op Alpha"
# Multiple conditions
redeye search "operator:alice AND host:server01" --campaign "Op Alpha"Advanced Operators
Sezione intitolata “Advanced Operators”# Wildcards
redeye search "command:*creds*" --campaign "Op Alpha"
# Range
redeye search "timestamp:[2026-01-01 TO 2026-01-31]" --campaign "Op Alpha"
# Exclusion
redeye search "NOT status:failed" --campaign "Op Alpha"
# OR logic
redeye search "host:server01 OR host:server02" --campaign "Op Alpha"MITRE ATT&CK Mapping
Sezione intitolata “MITRE ATT&CK Mapping”Map Commands to Techniques
Sezione intitolata “Map Commands to Techniques”redeye map-attack \
--campaign "Operation Alpha" \
--output attack-mapping.jsonGenerate ATT&CK Navigator
Sezione intitolata “Generate ATT&CK Navigator”redeye export \
--campaign "Operation Alpha" \
--format attack-navigator \
--output navigator.jsonTechnique Coverage Report
Sezione intitolata “Technique Coverage Report”redeye report \
--campaign "Operation Alpha" \
--format attack-coverage \
--output technique-coverage.htmlServer Management
Sezione intitolata “Server Management”Start Local Server
Sezione intitolata “Start Local Server”redeye server start --host 0.0.0.0 --port 8080Remote Server Access
Sezione intitolata “Remote Server Access”redeye sync \
--server http://remote-server:8080 \
--campaign "Operation Alpha"User Management
Sezione intitolata “User Management”redeye user add --username analyst --password secure
redeye user list
redeye user delete --username analystBackup Campaign
Sezione intitolata “Backup Campaign”redeye backup \
--campaign "Operation Alpha" \
--output backup.tar.gzConfiguration
Sezione intitolata “Configuration”Config File
Sezione intitolata “Config File”# ~/.redeye/config.yaml
server:
host: 0.0.0.0
port: 8080
debug: false
database:
type: sqlite
path: ./redeye.db
import:
auto-deduplicate: true
merge-similar: false
export:
include-sensitive: true
sanitize: false
timeline:
group-by-default: date
highlight-failed: trueEnvironment Variables
Sezione intitolata “Environment Variables”export REDEYE_HOST=0.0.0.0
export REDEYE_PORT=8080
export REDEYE_DB_PATH=/data/redeye.db
export REDEYE_DEBUG=trueBest Practices
Sezione intitolata “Best Practices”- Segregate Operations - Keep campaigns separate for security and organization
- Regular Backups - Export campaigns regularly for record preservation
- Sanitize Reports - Remove sensitive data before sharing reports
- Document Objectives - Clearly define and track engagement objectives
- Timestamp Everything - Ensure accurate timeline data for forensics
- Access Control - Limit who can view sensitive operation data
- Archive Completed - Archive finished campaigns for long-term storage
- Validate Imports - Verify C2 data integrity before importing
Real-World Workflows
Sezione intitolata “Real-World Workflows”Multi-Operator Engagement
Sezione intitolata “Multi-Operator Engagement”# Day 1: Import Cobalt Strike data
redeye import cobalt-strike.bin --campaign "Engagement 2026"
# Day 2: Add Empire data
redeye import empire.json --campaign "Engagement 2026"
# Day 3: Generate daily report
redeye report --campaign "Engagement 2026" \
--format html --output day3-report.html
# End of week: Executive summary
redeye report --campaign "Engagement 2026" \
--format executive-summary --output executive.htmlIncident Response Attribution
Sezione intitolata “Incident Response Attribution”# Import suspicious activity logs
redeye import activity.json --campaign "IR-2026-001"
# Timeline visualization
redeye timeline --campaign "IR-2026-001" \
--output incident-timeline.html
# Export IOCs for blocking
redeye export --campaign "IR-2026-001" \
--format iocs --output blocking-list.txtCompliance Documentation
Sezione intitolata “Compliance Documentation”# Generate comprehensive report
redeye report --campaign "Engagement 2026" \
--format technical \
--include-timeline \
--include-stats \
--include-objectives \
--output compliance-report.html
# Export for audit trail
redeye export --campaign "Engagement 2026" \
--format json --output audit-trail.jsonTroubleshooting
Sezione intitolata “Troubleshooting”Import Failures
Sezione intitolata “Import Failures”# Verify file format
file cobalt-strike.bin
# Check compatibility
redeye import --validate cobalt-strike.bin
# Verbose import
redeye import --verbose cobalt-strike.binDatabase Issues
Sezione intitolata “Database Issues”# Check database integrity
redeye database check
# Repair database
redeye database repair
# Reset database
redeye database resetWeb Interface Not Responding
Sezione intitolata “Web Interface Not Responding”# Check server status
curl http://localhost:8080/api/health
# Restart services
docker-compose restart
# Check logs
docker-compose logs -fAdditional Resources
Sezione intitolata “Additional Resources”- RedEye GitHub: https://github.com/offensive-security/redeye
- Cobalt Strike Documentation: https://www.cobaltstrike.com/
- MITRE ATT&CK: https://attack.mitre.org/
- Red Team Handbook: https://redteamhandbook.com/