Hunting Beacon in the heap
WORK IN PROGRESS
Last updated
This was written before the Cobalt Strike 4.5 release. The addition of heap encryption to the sleep mask kit should fix this. However, the sleep mask has its own IOCs; refer to the previous article for more details.
Even with the sleep mask of Cobalt Strike 4.4, catching Beacon in memory is still possible, as it leaves many Beacon-specific IOCs in the heap (which, as of 4.4, is not covered by the sleep mask).
An open source project, https://github.com/CCob/BeaconEye, uses this to hunt Beacons in memory very efficiently. This can be defeated by encrypting the heap as well, which is explained in https://www.arashparsa.com/hook-heaps-and-live-free/ and in the chapter on sleep protection:
UPDATE: BeaconEye is a PoC tool that shows how heap indicators can be used to locate and extract information from Beacon in memory. It is NOT a catch-all solution for detecting the Beacon payload and can be easily bypassed, as described in the blog linked above.