Some telltale characteristics of malicious beaconing behavior can include: Next, Reveal(x) quickly identified patterns of C&C beaconing behavior from the compromised device. This was important, because the domain name of the attacker's server appeared safe. Cobalt Strike is a commercial tool for conducting red team attacks, but this tool is also known to be leveraged by adversaries for malicious purposes. Specifically, the certificate had a cryptographic fingerprint (a unique identifier that no other certificate should have) that is associated with Cobalt Strike. Reveal(x) showed that the compromised device established an outbound SSL/TLS connection with a server that had a malicious SSL certificate. Suspicious SSL/TLS detections show C&C behavior immediately after remote services launch. Next, it conducted a remote services launch on the victim print server to successfully establish a foothold inside the network. It's important to note that a VPN connection allows malware to often bypass firewalls or traditional IDS systems-so when this laptop connected to the VPN, the attack had already successfully evaded any perimeter defenses.įrom there it began the discovery phase with multiple enumerations to specifically seek out vulnerable print servers. In this case, a malware-infected laptop connected to VPN served as the exploited device. Because beaconing helps an attacker maintain periodic contact with their victim, it's an essential part of an attack. Often, beaconing is designed to blend in with normal traffic, whether that's outbound HTTPS traffic or SMTP. The beacon agent defines how the victim should contact the attacker.
#How to evade ids detection with cobalt strike beacon install
Here's how it generally works: The attacker exploits a device to install malware with a beacon agent, or tricks a victim into installing malware with the agent. The attacker might instruct a compromised device to open a remote shell (a program for running commands), install ransomware, or launch a denial-of-service (DoS) attack. The victim transmits beacons to fetch updates and ask for instructions from the attacker. What is C&C Beaconing?Ĭ&C beaconing (also called C2 beaconing) is a behavior associated with malware in which a compromised device periodically phones home to an external malicious server.
The most sinister of which was C&C beaconing.
A humble little print server is what set off a flurry of detections in an organization that had recently installed ExtraHop Reveal(x). They don't process financial information or other sensitive customer data, so they tend to avoid close monitoring. Print servers especially come to mind.Īttackers love print servers, these unassuming-yet-well-connected devices are an idyllic host for all sorts of nefarious activities. Offices were abandoned in a flash, and organizations went from an in-office model to remote work overnight, leaving more and more connected devices unpatched and forgotten. The COVID pandemic has undoubtedly added to the risks stemming from unmanaged IoT.
0 kommentar(er)
