Behavior based monitoring and hunting tool built in C# leveraging ETW tracing. Blue teamers can use this tool to detect and respond to potential Cobalt Strike beacons. Red teamers can use this tool to research ETW bypasses and discover new processes that behave like beacons.
Author: Andrew Oliveau (@AndrewOliveau)
Beacon implants injected in a benign process live in a thread with a Wait:DelayExecution state (probably related to Cobalt Strike's sleep). Find all processes that contain a thread in a Wait:DelayExecution state. Then, leverage ETW tracing to specifically monitor suspicious thread activity:
- HTTP/HTTPS callbacks
- DNS queries
- File system (
cd,ls,upload,rm) - Process termination (
kill) - Shell commands (
run,execute)
Score suspicious behavior. Log, display, and take action against them.
or git clone and go to Release folder.
4.5
Tools -> NuGet Package Manager -> Package Manager Console
Install-Package ConsoleTables -Version 2.4.2Install-Package Microsoft.Diagnostics.Tracing.TraceEvent -Version 2.0.64Install-Package System.Runtime.InteropServices.RuntimeInformation -Version 4.3.0
- Open PowerShell or CMD as an Administrator
.\BeaconHunter.exe
- Score is determined by calculating the time difference between beacon callbacks (delta), then calculating the 1st derivative of delta, and then feeding the answer to an inverse function
100/xwhere x is the 1st derivative of delta. (Note: There is probably a better way, but it works)
- Helpful to detect DNS beacons.
- Detects PPID spoofing
- Set a score threshold. If Network Beacon Scores goes above threshold, BeaconHunter will automatically suspend the thread.
- ETW Providers: https://gist.github.com/guitarrapc/35a94b908bad677a7310#file-providerlist-md
- ETW Events: https://github.com/jdu2600/Windows10EtwEvents
- TraceEvent Library Guide: https://github.com/microsoft/perfview/blob/main/documentation/TraceEvent/TraceEventProgrammersGuide.md
