BeaconEye

Article Excerpt

BeaconEye scans running processes for active CobaltStrike beacons. When processes are found to be running beacon, BeaconEye will monitor each process for C2 activity.

property | value
tags | cobalt-strike-c2,defensive-tradecraft,tradecraft-tool
url |
original_word_count | 270

Long Summary

BeaconEye is a tool developed by @EthicalChaos to detect and monitor CobaltStrike beacons. It can scan live processes or MiniDump files for suspected CobaltStrike beacons; when one is found, BeaconEye will optionally attach itself as a debugger and monitor the beacon's activity for C2 traffic. It is capable of decoding the AES keys used to encrypt C2 data and the malleable profile, and of extracting and decrypting the beacon's output when commands are sent by the operator. A log folder of activity is created per process, relative to the directory from which BeaconEye is run.

BeaconEye can detect all beacon types but can only monitor HTTP/HTTPS beacons. It detects standalone and injected beacons, including beacons masked with the built-in sleep_mask. It can also dump the beacon config, display output from most beacon commands, and save screenshots. However, it cannot decode command requests and only works on x86_64 systems.

The tool is still in its ALPHA stage, and the developer is keen to get feedback on 4.x beacons that cannot be detected, or where the malleable C2 profile has not been parsed correctly, resulting in incorrect decoding of output. The TODO list includes implementing 32-bit beacon monitoring; adding support for monitoring named pipe beacons, TCP beacons, and CobaltStrike 3.x; adding a command-line argument for targeting specific processes; adding a command-line argument to specify the output logging location; and adding support for extracting operator commands.

BeaconEye's initial beacon process detection is heavily based on @Apr4h's CobaltStrikeScan. It uses James Forshaw's NtApiDotNet library for process debugging and interaction, and @cube0x0's port of a pure managed C# MiniDump reader as a reference.

BeaconEye is a powerful tool for detecting and monitoring CobaltStrike beacons, and is still in its development stages.

Short Summary

📓 BeaconEye

šŸ‘‰šŸ½ BeaconEye scans running processes for active CobaltStrike beacons. When processes are found to be running beacon, BeaconEye will monitor each process for C2 activity. šŸ‘‰šŸ½ BeaconEye detects and monitors CobaltStrike beacons. šŸ‘‰šŸ½ It can scan live processes or MiniDump files for suspected CobaltStrike beacons. šŸ‘‰šŸ½ BeaconEye can attach itself as a debugger and monitor beacon activity. šŸ‘‰šŸ½ AES keys used for encrypting C2 data can be decoded by BeaconEye. šŸ‘‰šŸ½ It can extract and decrypt beacon output when commands are sent via the operator. šŸ‘‰šŸ½ A log folder of activity is created per process relative to the current directory. šŸ‘‰šŸ½ BeaconEye can detect all beacon types but only monitor HTTP/HTTPS beacons. šŸ‘‰šŸ½ The tool is in its ALPHA stage and feedback is welcomed. šŸ‘‰šŸ½ The TODO list includes implementing 32bit beacon monitoring and adding support for named pipe beacons. šŸ‘‰šŸ½ BeaconEye uses various libraries and is a powerful tool for detecting and monitoring CobaltStrike beacons.

🔗 source link: https://github.com/CCob/BeaconEye

#BeaconEye #CobaltStrike #BeaconMonitoring #AESDecoding #FeedbackNeeded