Awesome
BeaconHunter
Behavior based monitoring and hunting tool built in C# leveraging ETW tracing. Blue teamers can use this tool to detect and respond to potential Cobalt Strike beacons. Red teamers can use this tool to research ETW bypasses and discover new processes that behave like beacons.
Author: Andrew Oliveau (@AndrewOliveau)
TL;DR
Beacon implants injected in a benign process live in a thread with a Wait:DelayExecution
state (probably related to Cobalt Strike's sleep
). Find all processes that contain a thread in a Wait:DelayExecution
state. Then, leverage ETW tracing to specifically monitor suspicious thread activity:
- HTTP/HTTPS callbacks
- DNS queries
- File system (
cd
,ls
,upload
,rm
) - Process termination (
kill
) - Shell commands (
run
,execute
)
Score suspicious behavior. Log, display, and take action against them.
Building / Installation
Pre-compiled
<a href="https://github.com/3lp4tr0n/BeaconHunter/releases">Release</a>
or git clone
and go to Release
folder.
.NET Framework version
4.5
Nuggets:
Tools -> NuGet Package Manager -> Package Manager Console
Install-Package ConsoleTables -Version 2.4.2
Install-Package Microsoft.Diagnostics.Tracing.TraceEvent -Version 2.0.64
Install-Package System.Runtime.InteropServices.RuntimeInformation -Version 4.3.0
Running BeaconHunter
- Open PowerShell or CMD as an Administrator
.\BeaconHunter.exe
MONITOR
Network Beacon Score
- Score is determined by calculating the time difference between beacon callbacks (delta), then calculating the 1st derivative of delta, and then feeding the answer to an inverse function
100/x
where x is the 1st derivative of delta. (Note: There is probably a better way, but it works)
IP and PORT Stats
DNS Queries
- Helpful to detect DNS beacons.
Directory Change
New Uploaded Files
Shell Commands
- Detects PPID spoofing
ACTION
Suspend Thread ID - Manual
Suspend Thread ID - Automated
- Set a score threshold. If Network Beacon Scores goes above threshold, BeaconHunter will automatically suspend the thread.