Behavior based monitoring and hunting tool built in C# leveraging ETW tracing. Blue teamers can use this tool to detect and respond to potential Cobalt Strike beacons. Red teamers can use this tool to research ETW bypasses and discover new processes that behave like beacons.
Author: Andrew Oliveau (@AndrewOliveau)
Beacon implants injected in a benign process live in a thread with a Wait:DelayExecution
state (probably related to Cobalt Strike's sleep
). Find all processes that contain a thread in a Wait:DelayExecution
state. Then, leverage ETW tracing to specifically monitor suspicious thread activity:
- HTTP/HTTPS callbacks
- DNS queries
- File system (
cd
,ls
,upload
,rm
) - Process termination (
kill
) - Shell commands (
run
,execute
)
Score suspicious behavior. Log, display, and take action against them.
or git clone
and go to Release
folder.
4.5
Tools -> NuGet Package Manager -> Package Manager Console
Install-Package ConsoleTables -Version 2.4.2
Install-Package Microsoft.Diagnostics.Tracing.TraceEvent -Version 2.0.64
Install-Package System.Runtime.InteropServices.RuntimeInformation -Version 4.3.0
- Open PowerShell or CMD as an Administrator
.\BeaconHunter.exe
- Score is determined by calculating the time difference between beacon callbacks (delta), then calculating the 1st derivative of delta, and then feeding the answer to an inverse function
100/x
where x is the 1st derivative of delta. (Note: There is probably a better way, but it works)
- Helpful to detect DNS beacons.
- Detects PPID spoofing
- Set a score threshold. If Network Beacon Scores goes above threshold, BeaconHunter will automatically suspend the thread.