# Hunting C2 Beacon Connections For BlueTeam Members

  • What is a beacon?
    • Malware typically connects to the adversary's C2 periodically rather than holding a permanent connection.
    • Beaconing occurs regularly at fixed intervals or at pseudorandom times; think of it as "the call-backs of the malware".
    • Cobalt Strike and Empire agents frequently check in with the C2 server over HTTP to retrieve commands or to send results back; each of these check-ins is called a beacon.

  • Trick for hunting (assuming an HTTP-based beacon): the same URI requested for different Host names?
    • The adversary may use an agent with multiple C2 domains configured (for example from DGAs), which lets the agent evade the usual defensive solutions and makes it pretty simple to remain undetected. The URI path stays the same even though the Host name changes.
    • Tracking the URI can be achieved with http.log from Bro/Zeek NSM.
    • http.log contains every HTTP request and reply, including the host and uri fields used below.

  • Example from Empire :


  • Example from Cobalt :

  • Splunk Query:

index=* source=http.log uri!="/" AND uri!="/favicon.ico" | stats dc(host) AS count_host values(host) AS hosts by uri | where count_host > 2

  • Result: the URIs that 2 hosts or more connect to, with the list of those hosts :)
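The same check, as an added example that is not part of the original post, run directly over a constructed Zeek http.log excerpt in Python instead of Splunk: group the distinct Host values per URI, ignore the noisy "/" and "/favicon.ico" paths, and report URIs seen under more than two hosts.

```python
from collections import defaultdict

# Constructed Zeek http.log excerpt (tab-separated). Only the columns used
# here are included; a real http.log carries many more fields.
SAMPLE_HTTP_LOG = """#fields\tts\tid.orig_h\thost\tmethod\turi\tuser_agent
1700000000.1\t10.0.0.5\tcdn-alpha.example\tGET\t/login/process.php\tMozilla/5.0
1700000060.2\t10.0.0.5\tcdn-beta.example\tGET\t/login/process.php\tMozilla/5.0
1700000120.3\t10.0.0.5\tcdn-gamma.example\tGET\t/login/process.php\tMozilla/5.0
1700000005.0\t10.0.0.7\twww.example.org\tGET\t/\tMozilla/5.0
1700000006.0\t10.0.0.7\twww.example.org\tGET\t/favicon.ico\tMozilla/5.0
1700000007.0\t10.0.0.7\tstatic.example.org\tGET\t/favicon.ico\tMozilla/5.0
1700000008.0\t10.0.0.9\tmirror.example.net\tGET\t/favicon.ico\tMozilla/5.0
1700000009.0\t10.0.0.9\tmirror.example.net\tGET\t/news/index.html\tMozilla/5.0
"""

# Paths excluded in the Splunk query above: too common to be a useful signal.
IGNORED_URIS = {"/", "/favicon.ico"}


def parse_zeek_http_log(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split("\t")))


def uris_shared_across_hosts(text, min_hosts=3):
    """Return {uri: sorted hosts} for every URI requested under at least
    min_hosts distinct Host values (default 3, i.e. "more than 2" as in
    the Splunk query). Zeek writes "-" for an absent Host header."""
    hosts_by_uri = defaultdict(set)
    for row in parse_zeek_http_log(text):
        uri, host = row.get("uri", ""), row.get("host", "")
        if uri in IGNORED_URIS or host in ("", "-"):
            continue
        hosts_by_uri[uri].add(host)
    return {u: sorted(h) for u, h in hosts_by_uri.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for uri, hosts in uris_shared_across_hosts(SAMPLE_HTTP_LOG).items():
        print(f"{uri}: {len(hosts)} hosts -> {', '.join(hosts)}")
```

In the sample only "/login/process.php" is flagged; "/favicon.ico" is seen under three hosts too but is excluded as noise, just as in the Splunk query.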


  • Another trick to hunt: statistical analysis of the intervals between connection sessions?
    • This will be discussed in another post.
