Kali Linux

BeaconEye : Hunts Out CobaltStrike Beacons And Logs Operator Command Output

BeaconEye scans running processes for active Cobalt Strike beacons. When processes are found to be running beacon, BeaconEye will monitor each process for C2 activity.

How It Works

BeaconEye will scan live processes or MiniDump files for suspected CobaltStrike beacons. In live process mode, BeaconEye optionally attaches itself as a debugger and will begin monitoring beacon activity for C2 traffic (HTTP/HTTPS beacons supported currently).

The AES keys used for encrypting C2 data and mallable profile are decoded on the fly, which enables BeaconEye to extract and decrypt beacon’s output when commands are sent via the operator.

A log folder of activity is created per process relative to the current directory where BeaconEye is executed from.

Usage

BeconEye by @EthicalChaos
CobaltStrike beacon hunter and command monitoring tool x86_64
-v, –verbose Display more verbose output instead of just
information on beacons found
-m, –monitor Attach to and monitor beacons found when scanning
live processes
-f, –filter=VALUE Filter process list with names starting with x (
live mode only)
-d, –dump=VALUE A folder to use for MiniDump mode to scan for
beacons (files with *.dmp or *.mdmp)
-h, –help Display this help

Features

  • A per process log folder
  • Dumps beacon config
  • Displays output from most beacon commands
  • Saves screenshots
  • Detects standalone and injected beacons
  • Detects beacons masked with built in sleep_mask
  • Scan running processes or Minidumps offline

Caveats

BeaconEye can detect all beacon types but only monitor HTTP/HTTPS beacons. At present, only command output is decoded and not command requests. See TODO list below for a full list of intended features.

BeaconEye should be considered ALPHA, I’m keen to get feedback on 4.x beacons that cannot be detected or where the malleable C2 profile has not been parsed correctly resulting in incorrect decoding of output.

R K

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

10 hours ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

10 hours ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

2 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

5 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago