BeaconHunter

Behavior-based monitoring and hunting tool built in C# that leverages ETW tracing. Blue teamers can use it to detect and respond to potential Cobalt Strike beacons. Red teamers can use it to research ETW bypasses and discover new processes that behave like beacons.

Author: Andrew Oliveau (@AndrewOliveau)


TL;DR

Beacon implants injected in a benign process live in a thread with a Wait:DelayExecution state (probably related to Cobalt Strike's sleep). Find all processes that contain a thread in a Wait:DelayExecution state. Then, leverage ETW tracing to specifically monitor suspicious thread activity:

Score suspicious behavior. Log, display, and take action against them.
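The first step of the TL;DR, finding every process that owns a thread in the Wait:DelayExecution state, can be reproduced with the .NET `System.Diagnostics` API. The following is an added example written for this page, not BeaconHunter's own code; it assumes it runs on Windows, ideally elevated so threads of other users' processes are visible.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;

// Added example: list threads whose state is Wait with reason ExecutionDelay
// (what Process Explorer shows as Wait:DelayExecution). Threads in that state
// are candidates for closer ETW-based inspection, not verdicts: many benign
// services sleep the same way.
static class DelayExecutionScan
{
    public sealed class Hit
    {
        public int Pid; public string Name; public int Tid; public DateTime Started;
    }

    public static List<Hit> Scan()
    {
        var hits = new List<Hit>();
        foreach (var p in Process.GetProcesses())
        {
            try
            {
                foreach (ProcessThread t in p.Threads)
                {
                    // WaitReason is only valid while ThreadState == Wait; reading
                    // it in any other state throws InvalidOperationException.
                    if (t.ThreadState == System.Diagnostics.ThreadState.Wait &&
                        t.WaitReason == ThreadWaitReason.ExecutionDelay)
                    {
                        hits.Add(new Hit { Pid = p.Id, Name = p.ProcessName,
                                           Tid = t.Id, Started = t.StartTime });
                    }
                }
            }
            catch (Exception e) when (e is Win32Exception || e is InvalidOperationException)
            {
                // Access denied (protected process) or the process exited during
                // enumeration: skip it instead of aborting the whole scan.
            }
            finally { p.Dispose(); }
        }
        return hits;
    }

    static void Main()
    {
        foreach (var h in Scan())
            Console.WriteLine($"{h.Pid,6} {h.Name,-28} tid={h.Tid,-6} started={h.Started:T}");
    }
}
```

Because the false-positive rate of this single indicator is high, the list it produces is only the input to the ETW-based scoring the README describes.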

Building / Installation

Pre-compiled

[Release](https://github.com/3lp4tr0n/BeaconHunter/releases)

or git clone the repository and use the binary in the Release folder.

.NET Framework version: 4.5

NuGet packages:

Tools -> NuGet Package Manager -> Package Manager Console

Running BeaconHunter

MONITOR

Network Beacon Score


IP and PORT Stats


DNS Queries


Directory Change


New Uploaded Files


Shell Commands


ACTION

Suspend Thread ID - Manual


Suspend Thread ID - Automated


References