Yet, the pattern does not change that much. This makes it hard to write correct and reliable signatures. Most frameworks are very customizable to your needs and preferences. While static signatures are often sufficient in detecting attacks, this is not the case for beaconing. This is in our advantage while detecting this behaviour! Moreover, due to the uniform distribution used for the sleep function the jitter is symmetrical. This jitter weakens the pattern but will not dissolve the pattern entirely. Note the slight difference in calculation.
For example: 60 seconds of sleep with 10% jitter results in a uniformly random sleep between 54 and 66 seconds (PoshC2, Empire ) or a uniformly random sleep between 54 and 60 seconds (Cobalt Strike ). The sleep component indicates how long the beacon has to sleep before checking in again, and the jitter modifies the sleep time so that a random pattern emerges.
COBALT STRIKE BEACON DETECTION CODE
While the underlying code differs slightly from tool to tool, they often exist of two components to set up a pattern for a connection: a sleep and a jitter. Previous fingerprinting techniques shows that there are more than a thousand Cobalt Strike servers online in a month that are actively used by several threat actors, making this an important point to focus on. In this blog the term ‘beaconing’ is used as a general term for the call-backs of malware. In Cobalt Strike this is called a beacon, but concept is similar for many contemporary frameworks. This blog describes a method to detect one technique utilized by many popular attack frameworks based solely on connection metadata and statistics, in turn enabling this technique to be used on multiple log sources.įrameworks like Cobalt Strike, PoshC2, and Empire, but also some run-in-the-mill malware, frequently check-in at the C2 server to retrieve commands or to communicate results back.
In other words: It has to communicate back. However, it’s convenient to have the victim machine connect to you.
This can be in the form of a continuous connection or connect the victim machine directly. Attacks need to have a form of communication with their victim machines, also known as Command and Control (C2).
0 kommentar(er)
