Article Excerpt
BeaconEye scans running processes for active CobaltStrike beacons. When processes are found to be running beacon, BeaconEye will monitor each process for C2 activity.
| property | value |
| --- | --- |
| tags | cobalt-strike-c2,defensive-tradecraft,tradecraft-tool |
| url | |
| original_word_count | 270 |
Long Summary
BeaconEye is a tool developed by @EthicalChaos to detect and monitor CobaltStrike beacons. It can scan live processes or MiniDump files for suspected CobaltStrike beacons and, when one is found, optionally attach itself as a debugger and monitor the beacon for C2 activity. It can recover the AES keys used to encrypt C2 data and the malleable C2 profile, and it extracts and decrypts the beacon's output when the operator issues commands. A log folder of activity is created per process, relative to the current directory from which BeaconEye is executed.
BeaconEye can detect all beacon types but can only monitor HTTP/HTTPS beacons. It detects standalone and injected beacons, as well as beacons masked with the built-in sleep_mask. It can also dump the beacon config, display the output of most beacon commands, and save screenshots. However, it cannot yet decode command requests (operator-to-beacon tasking), and it currently handles only x64 beacons.
The tool is still in its ALPHA stage, and the developer is keen to get feedback on 4.x beacons that are not detected, or where the malleable C2 profile has not been parsed correctly, resulting in incorrectly decoded output. The TODO list includes 32-bit beacon monitoring; monitoring of named pipe (SMB) beacons, TCP beacons and CobaltStrike 3.x; a command line argument for targeting specific processes; a command line argument for the output logging location; and extraction of operator commands.
BeaconEye's initial beacon process detection is heavily based on @Apr4h's CobaltStrikeScan. It uses James Forshaw's NtApiDotNet library for process debugging and interaction, and @cube0x0's port of a pure managed C# MiniDump reader as a reference.
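The detection step BeaconEye inherits from CobaltStrikeScan is a memory scan for the XOR-encoded beacon configuration block, the same block BeaconEye later dumps. The following is an added example, written here in Python rather than taken from BeaconEye's C# or CobaltStrikeScan, that shows the technique end to end: find the encoded marker for the first config setting in a buffer, XOR-decode from that offset, and walk the index/type/length triplets. It assumes the publicly documented config layout (big-endian 2-byte index, type and length per entry; type 1 = short, 2 = int, 3 = bytes; XOR key 0x69 for 4.x beacons and 0x2E for 3.x). The sample "memory" buffer, the settings in it, the hostname and the URIs are all constructed for the example; no real beacon is involved.

```python
"""Locate and decode a Cobalt Strike-style beacon config block in memory.

Added example, not BeaconEye's or CobaltStrikeScan's code. Assumes the
publicly documented config layout (see lead-in); SAMPLE_MEMORY is constructed.
"""
import struct

XOR_KEYS = {0x69: "4.x", 0x2E: "3.x"}

# A few setting numbers a scanner normally reports; the real list is longer.
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
    5: "Jitter", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}


def xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)


def encoded_marker(key: int) -> bytes:
    """Header of setting 1 (index 1, type short, length 2) as it sits in
    memory after XOR encoding: 69 68 69 68 69 6B for a 4.x beacon."""
    return xor(b"\x00\x01\x00\x01\x00\x02", key)


def build_config(settings) -> bytes:
    """Assemble a plaintext config from (index, type, value) tuples."""
    out = bytearray()
    for idx, typ, val in settings:
        if typ == 1:
            data = struct.pack(">H", val)      # short
        elif typ == 2:
            data = struct.pack(">I", val)      # int
        else:
            data = val                         # raw bytes, caller pads
        out += struct.pack(">HHH", idx, typ, len(data)) + data
    return bytes(out) + b"\x00" * 6            # index 0 terminates the block


def parse_config(decoded: bytes) -> dict:
    """Walk decoded index/type/length triplets until the index-0 terminator."""
    cfg, pos = {}, 0
    while pos + 6 <= len(decoded):
        idx, typ, length = struct.unpack(">HHH", decoded[pos:pos + 6])
        pos += 6
        if idx == 0:
            break
        data = decoded[pos:pos + length]
        pos += length
        if typ == 1 and length == 2:
            val = struct.unpack(">H", data)[0]
        elif typ == 2 and length == 4:
            val = struct.unpack(">I", data)[0]
        else:
            val = data.rstrip(b"\x00")
            if all(0x20 <= b < 0x7F for b in val):
                val = val.decode("ascii")      # printable: show as text
        if idx == 1 and isinstance(val, int):
            val = BEACON_TYPES.get(val, val)
        cfg[SETTING_NAMES.get(idx, f"setting_{idx}")] = val
    return cfg


def scan_memory(buf: bytes):
    """Try each known key's marker; decode from the first hit.
    Returns None when the buffer holds no config block."""
    for key, version in XOR_KEYS.items():
        off = buf.find(encoded_marker(key))
        if off != -1:
            return {"version": version, "offset": off,
                    "config": parse_config(xor(buf[off:], key))}
    return None


# Constructed sample: filler, a 4.x-style encoded config, more filler.
SAMPLE_SETTINGS = [
    (1, 1, 8), (2, 1, 443), (3, 2, 60000), (4, 2, 1048576), (5, 1, 20),
    (8, 3, b"cdn.example.test,/jquery-3.3.1.min.js".ljust(256, b"\x00")),
    (9, 3, b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)".ljust(128, b"\x00")),
    (10, 3, b"/jquery-3.3.2.min.js".ljust(64, b"\x00")),
]
SAMPLE_MEMORY = (b"\x90" * 64
                 + xor(build_config(SAMPLE_SETTINGS), 0x69)
                 + b"\xCC" * 32)

if __name__ == "__main__":
    hit = scan_memory(SAMPLE_MEMORY)
    print(f"beacon {hit['version']} config at offset {hit['offset']}")
    for name, value in hit["config"].items():
        print(f"  {name:12} {value}")
```

Against a real process or MiniDump the same `scan_memory` would run over each readable region; the marker search is cheap, and a hit is confirmed by the decoded block parsing cleanly to a terminator. It also illustrates why the page's caveat about malleable C2 profiles matters: the C2 server, user agent and POST URI that BeaconEye needs to decode traffic all come out of this block, so a mis-parsed profile means mis-decoded output.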
BeaconEye is a powerful tool for detecting and monitoring CobaltStrike beacons, and is still in its development stages.
Short Summary
BeaconEye
- BeaconEye scans running processes for active CobaltStrike beacons. When processes are found to be running beacon, BeaconEye will monitor each process for C2 activity.
- BeaconEye detects and monitors CobaltStrike beacons.
- It can scan live processes or MiniDump files for suspected CobaltStrike beacons.
- BeaconEye can attach itself as a debugger and monitor beacon activity.
- AES keys used for encrypting C2 data can be decoded by BeaconEye.
- It can extract and decrypt beacon output when commands are sent by the operator.
- A log folder of activity is created per process relative to the current directory.
- BeaconEye can detect all beacon types but only monitor HTTP/HTTPS beacons.
- The tool is in its ALPHA stage and feedback is welcomed.
- The TODO list includes implementing 32-bit beacon monitoring and adding support for named pipe beacons.
- BeaconEye uses various libraries and is a powerful tool for detecting and monitoring CobaltStrike beacons.
source link: https://github.com/CCob/BeaconEye
summarized content: https://hut.threathunterz.com/battlefield-intel/tradecraft-tools/beaconeye
#BeaconEye #CobaltStrike #BeaconMonitoring #AESDecoding #FeedbackNeeded