#Hunting C2 Beacon Connections For BlueTeam Members

• What is beacon ?

• Typically  Malware connects to adversary C2 periodically rather than permanent connection .
•  Beaconing occurs regularly at specific intervals or at pseudorandom times , let's say it's " the call-backs of malware "  . 
•  Cobalt Strike and Empire Frameworks  frequently check-in at the C2 server through "HTTP"  to retrieve commands or to send results back , this is called a beacon

• Trick for hunting (assume HTTP-based beacon): same URI for different Host names ? 
• Adversary may use an agent that has multiple C2 domains configured at the agent  , Like DGAs  & that allows agent to be evade the normal Defensive solutions and it becomes pretty simple to remain undetected .
• Tracking URI can be acheived with http.log from BRO | Zeek NSM .
• http.log contains HTTP requests and replies .

• Example from Empire :

• Example from Cobalt :
  

• Splunk Query:

index=* source=http.log uri!="/" AND uri!="/favicon.ico" | stats count(host) by uri | 

eval count_host=mvcount(host) | where count_host > 2

• Result : Will be 2 host or more that connect to same uri :)

• Another Trick to hunt : statistical analysis for connection sessions intervals ?
• will be discussed in another Post

• References:
• https://attack.mitre.org/tactics/TA0011/
• https://www.cobaltstrike.com/help-beacon
• https://blog.fox-it.com/2020/01/15/hunting-for-beacons/
• https://docs.zeek.org/en/current/index.html

By:Mohamed Ghifary