Hunting Beacon in the heap

WORK IN PROGRESS


Last updated 2 years ago

This was written before the Cobalt Strike 4.5 release. The addition of heap encryption to the sleep mask kit should fix this. However, the sleep mask has its own IOCs; refer to the previous article for more details.

Even with the sleep mask of Cobalt Strike 4.4, catching Beacon in memory is still possible, as it leaves many Beacon-specific IOCs in the heap (which the sleep mask does not cover as of 4.4).

An open source project, BeaconEye, uses this to hunt Beacons in memory very efficiently. This can be defeated by encrypting the heap as well, which is explained in the hook-heaps-and-live-free post linked below as well as in the Sleep masking chapter:

UPDATE: BeaconEye is a PoC tool that shows how heap indicators can be used to locate and extract information from Beacon in memory. It is NOT a catch-all solution for detecting the Beacon payload, and can be easily bypassed, as described in the blog linked above.
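To make the "locate and extract" idea concrete, here is a small added example (my own code, not BeaconEye and not part of the original page). It scans a heap snapshot for a recognisable structure, parses it, and pulls the fields out; it then shows that the same scan finds nothing once the region has been XOR-masked, which is the effect the heap-encryption post describes. The in-heap layout (the MAGIC marker, the TLV table, the field names) and the sample snapshot are constructed for the demo and are not Cobalt Strike's real configuration format.

```python
"""Toy heap-indicator scanner: locate a structure in a heap snapshot, extract its
fields, and show that a masked heap no longer matches. Added example; the layout
below is hypothetical and not Beacon's real in-memory format."""
import random
import struct
from dataclasses import dataclass

PAGE_SIZE = 4096

# Constructed TLV layout: MAGIC, then records of
#   u16 id | u16 type (1 = u16, 2 = u32, 3 = NUL-terminated bytes) | u16 length | value
# terminated by a record with id == 0. Nothing here is a real IOC.
MAGIC = b"\xCA\xFE\x00\x01"
FIELD_NAMES = {1: "sleep_ms", 2: "jitter", 3: "c2_host"}


def encode_table(fields):
    """Serialise (id, type, value) tuples into the constructed table format."""
    out = bytearray(MAGIC)
    for fid, ftype, value in fields:
        if ftype == 1:
            payload = struct.pack("<H", value)
        elif ftype == 2:
            payload = struct.pack("<I", value)
        else:
            payload = value.encode() + b"\x00"
        out += struct.pack("<HHH", fid, ftype, len(payload)) + payload
    out += struct.pack("<HHH", 0, 0, 0)  # terminator record
    return bytes(out)


def decode_table(buf, off):
    """Parse a table at buf[off:]. Returns a dict, or None if it is malformed
    (a magic hit alone is not enough: the scanner validates the whole table)."""
    if buf[off:off + len(MAGIC)] != MAGIC:
        return None
    pos = off + len(MAGIC)
    fields = {}
    while pos + 6 <= len(buf):
        fid, ftype, flen = struct.unpack_from("<HHH", buf, pos)
        pos += 6
        if fid == 0:
            return fields
        payload = buf[pos:pos + flen]
        if len(payload) != flen:
            return None  # truncated record: reject the candidate
        pos += flen
        if ftype == 1 and flen == 2:
            val = struct.unpack("<H", payload)[0]
        elif ftype == 2 and flen == 4:
            val = struct.unpack("<I", payload)[0]
        elif ftype == 3:
            val = payload.rstrip(b"\x00").decode(errors="replace")
        else:
            return None  # type/length mismatch: reject
        fields[FIELD_NAMES.get(fid, f"field_{fid}")] = val
    return None  # ran off the end without a terminator


@dataclass
class Finding:
    offset: int   # byte offset in the snapshot
    page: int     # 4 KiB page index, for mapping back to a heap region
    config: dict  # extracted fields


def scan_heap(snapshot):
    """Return every well-formed table found in a heap snapshot."""
    findings, start = [], 0
    while True:
        idx = snapshot.find(MAGIC, start)
        if idx < 0:
            return findings
        cfg = decode_table(snapshot, idx)
        if cfg is not None:
            findings.append(Finding(idx, idx // PAGE_SIZE, cfg))
        start = idx + 1


def xor_mask(data, key):
    """Simulate heap encryption with a repeating-key XOR, as a sleep mask does."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_snapshot():
    """Constructed 3-page heap: filler, a real table in page 1, a decoy in page 2."""
    rng = random.Random(1)

    def filler(n):
        return bytes(rng.choice(b"\x00\x00ABCD") for _ in range(n))

    table = encode_table([(1, 2, 60000), (2, 1, 25), (3, 3, "c2.example.invalid")])
    page0 = filler(PAGE_SIZE)
    page1 = filler(200) + table
    page1 += filler(PAGE_SIZE - len(page1))
    # Decoy: the magic followed by an impossible length. A scanner that matched
    # on the magic alone would report this; decode_table rejects it.
    decoy = MAGIC + struct.pack("<HHH", 1, 3, 0xFFFF)
    page2 = filler(100) + decoy
    page2 += filler(PAGE_SIZE - len(page2))
    return page0 + page1 + page2


if __name__ == "__main__":
    snap = build_sample_snapshot()
    for f in scan_heap(snap):
        print(f"page {f.page} @0x{f.offset:x}: {f.config}")
    print("hits after masking:", len(scan_heap(xor_mask(snap, b"\x5a\x3c\x99"))))
```

Run as-is, the script reports one hit on page 1 with the extracted fields and zero hits on the masked copy. The design point for a defender is the validation step in decode_table: a bare magic-byte match produces false positives (the decoy), so the scanner only reports candidates that parse as a complete, self-consistent structure. The masked-copy result is the other half of the page's argument: once the heap is encrypted during sleep, a structure-based scan finds nothing, and detection has to move to the indicators the mask itself leaves behind.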

https://github.com/CCob/BeaconEye
https://www.arashparsa.com/hook-heaps-and-live-free/
Sleep masking