Language: C#

Repository Details

Hunts out CobaltStrike beacons and logs operator command output

BeaconEye

Introduction

BeaconEye scans running processes for active CobaltStrike beacons. When a process is found to be running a beacon, BeaconEye monitors that process for C2 activity.

How it works

BeaconEye scans live processes or MiniDump files for suspected CobaltStrike beacons. In live process mode, BeaconEye optionally attaches itself as a debugger to each suspect process and begins monitoring beacon activity for C2 traffic (HTTP/HTTPS beacons are supported currently).

The AES keys used to encrypt C2 data, together with the malleable C2 profile, are decoded on the fly from the running beacon. This enables BeaconEye to extract and decrypt the beacon's output when commands are sent by the operator.

A log folder of activity is created per process, relative to the current directory BeaconEye is executed from.
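To make the decryption step concrete, here is an added example (not BeaconEye's own code) that decodes one beacon output frame given the recovered 16-byte raw key. It assumes the 4.x HTTP beacon framing described in public Cobalt Strike traffic-decryption research, which this page does not spell out: SHA-256 of the raw key split into an AES-128 key and an HMAC-SHA256 key, AES-CBC with the fixed IV "abcdefghijklmnop", and a 16-byte truncated HMAC trailer; the class name, sample key and sample output are constructed.

```csharp
using System;
using System.Buffers.Binary;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Assumed 4.x output framing (from public traffic-decryption research, not from this page):
//   SHA-256(16-byte raw key): AES-128 key = bytes 0..15, HMAC-SHA256 key = bytes 16..31
//   frame = AES-128-CBC(IV "abcdefghijklmnop", zero-padded plaintext) || HMAC(ciphertext)[..16]
//   plaintext = counter (4 bytes BE) || length (4 bytes BE) || callback bytes
public static class BeaconOutputDecoder
{
    static readonly byte[] Iv = Encoding.ASCII.GetBytes("abcdefghijklmnop");
    // Returns the callback bytes, or null when the HMAC fails (wrong key or foreign data).
    public static byte[]? Decrypt(byte[] rawKey, byte[] frame)
    {
        if (frame.Length < 32 || (frame.Length - 16) % 16 != 0) return null;
        byte[] k = SHA256.HashData(rawKey);
        byte[] body = frame[..^16], tag = frame[^16..];
        // Verify first so a forged or corrupted frame never reaches the cipher.
        if (!CryptographicOperations.FixedTimeEquals(tag, HMACSHA256.HashData(k[16..], body)[..16])) return null;
        using Aes aes = Aes.Create(); aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.None;
        byte[] plain = aes.CreateDecryptor(k[..16], Iv).TransformFinalBlock(body, 0, body.Length);
        int length = BinaryPrimitives.ReadInt32BigEndian(plain.AsSpan(4, 4));
        return length < 0 || 8 + length > plain.Length ? null : plain[8..(8 + length)];
    }

    // Builds a frame with the same scheme so the decoder can be exercised offline with a
    // constructed key (BeaconEye recovers the real key from the scanned process memory).
    public static byte[] Encrypt(byte[] rawKey, uint counter, byte[] callback)
    {
        byte[] k = SHA256.HashData(rawKey);
        byte[] plain = new byte[(8 + callback.Length + 15) / 16 * 16];   // zero-padded to a block
        BinaryPrimitives.WriteUInt32BigEndian(plain.AsSpan(0, 4), counter);
        BinaryPrimitives.WriteInt32BigEndian(plain.AsSpan(4, 4), callback.Length);
        callback.CopyTo(plain, 8);
        using Aes aes = Aes.Create(); aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.None;
        byte[] body = aes.CreateEncryptor(k[..16], Iv).TransformFinalBlock(plain, 0, plain.Length);
        return body.Concat(HMACSHA256.HashData(k[16..], body)[..16]).ToArray();
    }

    public static void Main()
    {
        byte[] rawKey = Encoding.ASCII.GetBytes("0123456789abcdef");   // constructed sample key
        byte[] frame = Encrypt(rawKey, 1, Encoding.ASCII.GetBytes("constructed beacon output"));
        Console.WriteLine(Encoding.ASCII.GetString(Decrypt(rawKey, frame)!));   // echoes the text
        frame[0] ^= 0x01;   // one flipped ciphertext byte must now be rejected by the HMAC check
        Console.WriteLine(Decrypt(rawKey, frame) is null ? "tampered frame rejected" : "BUG");
    }
}
```

Requires .NET 6 or later for the static `SHA256.HashData` and `HMACSHA256.HashData` helpers; the HMAC-before-decrypt order is what keeps a wrong key or a tampered frame from producing garbage in the per-process log.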

Usage

BeconEye by @_EthicalChaos_
  CobaltStrike beacon hunter and command monitoring tool x86_64

  -v, --verbose              Display more verbose output instead of just
                               information on beacons found
  -m, --monitor              Attach to and monitor beacons found when scanning
                               live processes
  -f, --filter=VALUE         Filter process list with names starting with x (
                               live mode only)
  -d, --dump=VALUE           A folder to use for MiniDump mode to scan for
                               beacons (files with *.dmp or *.mdmp)
  -h, --help                 Display this help

Features

  • A per-process log folder
  • Dumps the beacon config
  • Displays output from most beacon commands
  • Saves screenshots
  • Detects standalone and injected beacons
  • Detects beacons masked with the built-in sleep_mask
  • Scans running processes, or MiniDumps offline

Caveats

BeaconEye can detect all beacon types but only monitors HTTP/HTTPS beacons. At present, only command output is decoded, not command requests. See the TODO list below for a full list of intended features.

BeaconEye should be considered ALPHA. I'm keen to get feedback on 4.x beacons that cannot be detected, or where the malleable C2 profile has not been parsed correctly, resulting in incorrect decoding of output.

TODO

  • Implement 32-bit beacon monitoring
  • Add support for monitoring named pipe beacons
  • Add support for monitoring TCP beacons
  • Add support for CobaltStrike 3.x
  • Add command line argument for targeting specific processes
  • Add command line argument to specify output logging location
  • Add support for extracting operator commands
  • Support scanning MiniDump files

References and Thanks

  • BeaconEye's initial beacon process detection is heavily based on @Apr4h's CobaltStrikeScan.
  • James Forshaw's NtApiDotNet library, which makes process debugging and interaction a breeze from C#.
  • @cube0x0 for his port of a pure managed C# MiniDump reader, which was used as a reference.
