RedEye
Overview
RedEye is a visualization and reporting framework designed for red team operations, command-and-control (C2) infrastructure, and authorized adversarial simulations. It aggregates data from various C2 platforms (Cobalt Strike, Empire, Metasploit, Sliver) to provide unified command execution tracking, timeline visualization, and comprehensive operation reporting. Essential for coordinating complex red team engagements and documenting authorized penetration tests.
Installation
Prerequisites
# Python 3.8+
python3 --version
# Node.js and npm
node --version
npm --version
# Docker (optional but recommended)
docker --version
docker-compose --versionFrom GitHub
git clone https://github.com/offensive-security/redeye.git
cd redeyeDocker Installation
docker-compose up -d
# Web interface: http://localhost:8080Manual Installation
cd backend
pip3 install -r requirements.txt
cd ../frontend
npm install
npm run buildVerify Installation
redeye --version
redeye --help
python3 -m redeye --versionBasic Startup
# Docker (recommended)
docker-compose up
# Manual startup
python3 -m redeye.server &
npm start # in frontend directoryEssential Commands
| Command | Purpose |
|---|---|
redeye import cobalt-strike.cobaltstrike | Import Cobalt Strike log |
redeye import empire.json | Import Empire JSON data |
redeye list-campaigns | List all campaigns |
redeye timeline --campaign <id> | Generate timeline visualization |
redeye report --campaign <id> | Generate HTML report |
redeye export --campaign <id> --format json | Export campaign data |
redeye search <query> --campaign <id> | Search campaign data |
redeye stats --campaign <id> | Display campaign statistics |
redeye deduplicate --campaign <id> | Remove duplicate commands |
redeye sync --server http://server:port | Sync with remote server |
Web Interface Navigation
Dashboard
1. Login to http://localhost:8080
2. Navigate to Campaigns
3. Select campaign to view timeline
4. Access command execution details
5. Export reports and visualizationsCampaign Management
1. Create New Campaign
- Campaign Name
- Start Date
- Team Members
- Objectives
2. Import Logs
- Select C2 platform
- Upload operator data
- Map users and hosts
3. Manage Timeline
- Filter by date
- Group by operator
- Filter by hostC2 Data Import
Cobalt Strike Import
# Export from Cobalt Strike
redeye import cobalt-strike.bin \
--campaign "Operation Alpha" \
--description "Red team engagement 2026"Multiple C2 Platforms
# Combine data from multiple C2 systems
redeye import \
--cobalt-strike cobaltstrike.bin \
--empire empire-output.json \
--metasploit msf-data.json \
--campaign "Multi-C2 Engagement"Empire JSON Import
redeye import empire.json \
--campaign "Empire Ops" \
--sync-users true \
--auto-timelineSliver C2 Import
# Sliver operator logs
redeye import sliver-session.log \
--campaign "Sliver Operations" \
--parse-implantsTimeline Visualization
Generate Timeline
redeye timeline \
--campaign "Operation Alpha" \
--output timeline.html \
--format interactiveFilter by Date Range
redeye timeline \
--campaign "Operation Alpha" \
--start "2026-01-01" \
--end "2026-01-31" \
--output january-ops.htmlGroup by Operator
redeye timeline \
--campaign "Operation Alpha" \
--group-by operator \
--highlight-operators "alice,bob,charlie"Host-Centric Timeline
redeye timeline \
--campaign "Operation Alpha" \
--pivot-host \
--include-hosts "server01,workstation02"Command Tracking
List All Commands
redeye search "command:*" \
--campaign "Operation Alpha" \
--format tableFind Specific Commands
# Search by command type
redeye search "command_type:process-execution" \
--campaign "Operation Alpha"
# Search by operator
redeye search "operator:alice" \
--campaign "Operation Alpha"
# Search by host
redeye search "host:server01" \
--campaign "Operation Alpha"Command Execution Stats
redeye stats \
--campaign "Operation Alpha" \
--stat-type command-summaryFailed vs Successful
redeye search "status:success" \
--campaign "Operation Alpha" \
--count
redeye search "status:failed" \
--campaign "Operation Alpha" \
--countOperator Tracking
List All Operators
redeye search "operator:*" \
--campaign "Operation Alpha" \
--uniqueOperator Activity Summary
redeye stats \
--campaign "Operation Alpha" \
--operator-activityMap Operator to Commands
redeye search "operator:alice" \
--campaign "Operation Alpha" \
--include-commands \
--sort-by timestampOperator Timeline
redeye timeline \
--campaign "Operation Alpha" \
--operator-focus alice \
--output alice-timeline.htmlHost and Network Tracking
List All Hosts
redeye search "host:*" \
--campaign "Operation Alpha" \
--uniqueHost Details
redeye search "host:server01" \
--campaign "Operation Alpha" \
--include-os \
--include-users \
--include-processesNetwork Topology
redeye export \
--campaign "Operation Alpha" \
--format network-graph \
--output network.jsonHost Compromise Timeline
redeye timeline \
--campaign "Operation Alpha" \
--host-focus server01 \
--show-access-eventsReport Generation
Full Campaign Report
redeye report \
--campaign "Operation Alpha" \
--format html \
--output report.html \
--include-timeline \
--include-stats \
--include-objectivesExecutive Summary
redeye report \
--campaign "Operation Alpha" \
--format executive-summary \
--output executive.htmlTechnical Report
redeye report \
--campaign "Operation Alpha" \
--format technical \
--output technical-report.html \
--include-iocs \
--include-commands \
--include-toolingTimeline Report
redeye report \
--campaign "Operation Alpha" \
--format timeline-only \
--output timeline-report.html \
--group-by dateData Export
Export to JSON
redeye export \
--campaign "Operation Alpha" \
--format json \
--output campaign-data.jsonExport to CSV
redeye export \
--campaign "Operation Alpha" \
--format csv \
--output commands.csv \
--include fields timestamp,operator,host,command,resultExport IOCs
redeye export \
--campaign "Operation Alpha" \
--format iocs \
--output indicators.txt \
--ioc-types ip,domain,hash,processExport for MITRE ATT&CK
redeye export \
--campaign "Operation Alpha" \
--format mitre-attack \
--output attack-mapping.jsonDeduplication and Cleanup
Find Duplicate Entries
redeye deduplicate \
--campaign "Operation Alpha" \
--analyze-onlyRemove Duplicates
redeye deduplicate \
--campaign "Operation Alpha" \
--executeMerge Campaigns
redeye merge \
--source "Operation Alpha" \
--target "Operation Beta" \
--strategy keep-bothSanitize Sensitive Data
redeye sanitize \
--campaign "Operation Alpha" \
--remove-passwords \
--redact-usernames \
--output cleaned-campaign.jsonTimeline Filtering
Filter by Activity Type
redeye timeline \
--campaign "Operation Alpha" \
--activity-filter "command,file-access,process-creation" \
--output filtered-timeline.htmlFilter by Time Range
redeye timeline \
--campaign "Operation Alpha" \
--start "2026-01-15 08:00:00" \
--end "2026-01-15 17:00:00" \
--output daily-timeline.htmlFilter by Success/Failure
redeye timeline \
--campaign "Operation Alpha" \
--status-filter success \
--output successful-only.htmlVisualization Options
Interactive Timeline
redeye timeline \
--campaign "Operation Alpha" \
--format interactive \
--output timeline-interactive.htmlLinear Timeline
redeye timeline \
--campaign "Operation Alpha" \
--format linear \
--output timeline-linear.htmlNetwork Graph
redeye export \
--campaign "Operation Alpha" \
--format network-graph \
--output network-graph.htmlSunburst Diagram
redeye export \
--campaign "Operation Alpha" \
--format sunburst \
--output sunburst.htmlMulti-Campaign Management
Create Campaign
redeye campaign create \
--name "Operation Alpha" \
--start-date "2026-01-01" \
--team-members alice,bob,charlieList Campaigns
redeye list-campaigns \
--include-statsCompare Campaigns
redeye compare \
--campaign1 "Operation Alpha" \
--campaign2 "Operation Beta" \
--output comparison.htmlArchive Campaign
redeye archive \
--campaign "Operation Alpha" \
--output archive.tar.gzSearch Syntax
Basic Search
# Search all fields
redeye search "malware" --campaign "Op Alpha"
# Specific field
redeye search "command:whoami" --campaign "Op Alpha"
# Multiple conditions
redeye search "operator:alice AND host:server01" --campaign "Op Alpha"Advanced Operators
# Wildcards
redeye search "command:*creds*" --campaign "Op Alpha"
# Range
redeye search "timestamp:[2026-01-01 TO 2026-01-31]" --campaign "Op Alpha"
# Exclusion
redeye search "NOT status:failed" --campaign "Op Alpha"
# OR logic
redeye search "host:server01 OR host:server02" --campaign "Op Alpha"MITRE ATT&CK Mapping
Map Commands to Techniques
redeye map-attack \
--campaign "Operation Alpha" \
--output attack-mapping.jsonGenerate ATT&CK Navigator
redeye export \
--campaign "Operation Alpha" \
--format attack-navigator \
--output navigator.jsonTechnique Coverage Report
redeye report \
--campaign "Operation Alpha" \
--format attack-coverage \
--output technique-coverage.htmlServer Management
Start Local Server
redeye server start --host 0.0.0.0 --port 8080Remote Server Access
redeye sync \
--server http://remote-server:8080 \
--campaign "Operation Alpha"User Management
redeye user add --username analyst --password secure
redeye user list
redeye user delete --username analystBackup Campaign
redeye backup \
--campaign "Operation Alpha" \
--output backup.tar.gzConfiguration
Config File
# ~/.redeye/config.yaml
server:
host: 0.0.0.0
port: 8080
debug: false
database:
type: sqlite
path: ./redeye.db
import:
auto-deduplicate: true
merge-similar: false
export:
include-sensitive: true
sanitize: false
timeline:
group-by-default: date
highlight-failed: trueEnvironment Variables
export REDEYE_HOST=0.0.0.0
export REDEYE_PORT=8080
export REDEYE_DB_PATH=/data/redeye.db
export REDEYE_DEBUG=trueBest Practices
- Segregate Operations - Keep campaigns separate for security and organization
- Regular Backups - Export campaigns regularly for record preservation
- Sanitize Reports - Remove sensitive data before sharing reports
- Document Objectives - Clearly define and track engagement objectives
- Timestamp Everything - Ensure accurate timeline data for forensics
- Access Control - Limit who can view sensitive operation data
- Archive Completed - Archive finished campaigns for long-term storage
- Validate Imports - Verify C2 data integrity before importing
Real-World Workflows
Multi-Operator Engagement
# Day 1: Import Cobalt Strike data
redeye import cobalt-strike.bin --campaign "Engagement 2026"
# Day 2: Add Empire data
redeye import empire.json --campaign "Engagement 2026"
# Day 3: Generate daily report
redeye report --campaign "Engagement 2026" \
--format html --output day3-report.html
# End of week: Executive summary
redeye report --campaign "Engagement 2026" \
--format executive-summary --output executive.htmlIncident Response Attribution
# Import suspicious activity logs
redeye import activity.json --campaign "IR-2026-001"
# Timeline visualization
redeye timeline --campaign "IR-2026-001" \
--output incident-timeline.html
# Export IOCs for blocking
redeye export --campaign "IR-2026-001" \
--format iocs --output blocking-list.txtCompliance Documentation
# Generate comprehensive report
redeye report --campaign "Engagement 2026" \
--format technical \
--include-timeline \
--include-stats \
--include-objectives \
--output compliance-report.html
# Export for audit trail
redeye export --campaign "Engagement 2026" \
--format json --output audit-trail.jsonTroubleshooting
Import Failures
# Verify file format
file cobalt-strike.bin
# Check compatibility
redeye import --validate cobalt-strike.bin
# Verbose import
redeye import --verbose cobalt-strike.binDatabase Issues
# Check database integrity
redeye database check
# Repair database
redeye database repair
# Reset database
redeye database resetWeb Interface Not Responding
# Check server status
curl http://localhost:8080/api/health
# Restart services
docker-compose restart
# Check logs
docker-compose logs -fAdditional Resources
- RedEye GitHub: https://github.com/offensive-security/redeye
- Cobalt Strike Documentation: https://www.cobaltstrike.com/
- MITRE ATT&CK: https://attack.mitre.org/
- Red Team Handbook: https://redteamhandbook.com/