Millions of BEACONs, Intrusions for Thee - John Wolfram

all right let's get started without further ado millions of beacons intrusions for thee awesome thank you everybody my name is john wolfram and today i'm going to be talking about millions of beacons intrusions for thee so a little who am i um so my name as i said was john is john wolfram i'm a senior threat analyst on advanced practices at mandiant so our mission statement is to norm know more about our adversaries than anyone and make this knowledge actionable for mandia so what that really comes down to is my team is situated a pretty interesting place where we're supporting our responders as they are looking and investigating some of the most impactful intrusions out there so

our agenda for today we're going to be talking about beacon versus cobalt strike we're going to discuss the differences between the two are they the same how are they different and then we're going to go into the who and the why so what actors are using beacon and why would they do so why would they use this tool out of like the massive sea of them and then we're going to pivot from there and we're going to go into finding evil and we're going to look on and talk about a couple different ways you can look to identify beacon within your network and then potentially take that hunt and move to the wild

so cobalt strike versus beacon what is the difference between the two well it kind of comes down to this cobalt strike is a commercially available adversary emulation framework it's it was developed by initially by raphael mudge it's currently owned by help systems and it's really composed of two different parts you have the team server which is like the brains for command and control and then you have the client and the client is what operators will use to control implants when they're going through engagements or if they're bad guys if they're operating within a network and then you have beacon and beacon is the default backdoor payload used by cobalt strike so while they're related they're not synonymous

synonymous they're not the same thing they're different and a lot of this is going to be kind of talking through what makes this tool and this framework so attractive for adversaries so when we talk about the different stages of beacon we can look at it in two different ways we can talk about beacon as a stager and as a stable stageless payload so a stager is a small shell code payload that when it's executed on an endpoint it'll perform a few checks and then query out to a c2 and pull down a full implant and when we have a stageless backdoor or a stageless beacon that is the fully featured backdoor that is everything that you

need to use for cobalt strike in package in one it's typically loaded into memory through a couple different ways it can be loaded into memory through a staged beacon like we talked about before it can be loaded into memory through a default loader or you can use a separate loader malware family and one little note here loader families while they're super prevalent they're not vegan they're different and they're used by actors to get beacon into memory but you can use loaders to get almost anything in the memory and then loaders can load both staged and stageable speaking payloads so what does that mean well they're pretty agnostic and as far as shell code goes they can load either

and then or different payloads and then once stageless payload payloads are loaded into memory what do they do they check back for c2 to kind of look for commands and start operating and then when we talk about the different listeners and this is important when we talk about how beacon communicates outbound so listeners are what the beacon payload uses to communicate to their c2 and when we look here we have a couple different types of listeners that are available so raw tcp and smb are what's called bind listeners and if you're familiar with reverse shells and bind shells that's what these are they wait for commands to be sent to them they're primarily used when you're

chaining different implants together so if you're in an internal environment or an operator is in an internal environment when you want to talk to your different implants on different hosts you're probably not going to want to talk to on http between all of them so you're going to use something like smb or raw tcp to communicate between them so then moving on to different types of protocols that are mainly used for communicating outbound first one we have is dns pretty self-explanatory uses dns for outbound communication and then we have http and https and this is definitely the most common as far as listeners go um it's packaged with a default cert you can use your own but there is a default

cert we'll get into that later when we talk about hunting for beacon because it is pretty significable and then this is probably also the most heavily custom customizable listener that we can look at because there's something called malleable c2 which we'll talk about in a little bit here but it basically allows you to change almost everything that comprises how your payload will communicate outbound and then when we look up how you set up your infrastructure there's a couple different ways that you can set up your infrastructure you can do what's called a direct connection and that is where you literally just send a request directly to a team server nothing too crazy there just a direct connection you

can use something like domain fronting where you use a cdn to send your you so basically the way the cdn works for domain fronting the request gets sent to the cdn the cdn redirects that request to your team server and efc2 and then there's domain masquerading and domain masquerading is where you want to emulate a specific service so in this case what we see here is an http request where it's trying to look like jquery this is a pretty common malleable c2 profile used by a lot of different actors but what they're doing is it's still a direct connection but what they're trying to do is look like a non-threatening service so if you're an

average like if you're a defender and you see jquery going outbound probably not too crazy but if you see something like run dll doing outbound with jquery probably want to look at that and then so kind of pivoting from that request that's just one of the many things that you can configure when we're talking about malleable c2 c2 and so on the next slide what we're going to see here is this is kind of what comprises malleable c2 and when we talk about it it's pretty much broken into two different parts in my head at least you have the you have the c2 profile and then you have the pe profile the c2 profile controls almost everything that

you can possibly imagine for your c2 traffic you can see get post behavior uris even your user agent sleep time everything like that and then you have your pe profile and this is how you can customize the in-memory characteristics of your payload and also how your payload will operate when you're going through post-exploitation activity so one thing to note is like for process injection beacon makes heavy use of process injection for a lot of the post exploitation capabilities it uses so you can configure what process you want to spin up to do your post exploitation activity you can even configure your rich header hash which from my perspective on my team that's something that we can use to try and

identify maybe related samples based on the rich header hash you can configure like i said the spawn process compile time and even how you allocate memory whether you want to use virtual alec or ntmap and what we see on the right here are two different examples of malleable c2 profiles that were used by the conti affiliates so shout out to the whatever affiliate dropped these on i think xss because it gave us a really great insight into how these actors are using what's out there to operate in real world real world intrusions and so blowing this one up we can see the malibu c2 profile that these actors were using you can see everything from the

user agent string that they set the jitter for those and even some of those get requests and then blowing up the pe profile this is another way that we can see all the things that they were able to configure so you can see their spawn to process that they configured their rich header hash even their compile time and all this comes down to what really makes beacon attractive for adversaries is how much you can configure you can really take almost anything about your payload and configure in a way that you want and there's innumerable c2 profiles out there that can easily help you do this with all you have to do is a git clone

so not super crazy but what this really does is it changes the characteristics of how your payload's going to operate it doesn't really change how you yourself are going to operate really at the end of the day and that's where aggressor scripts come in to me i like to think of aggressor scripts as kind of like sore for operators what they do is they allow you to automate workflows they're not really adding new capability by maybe bringing in like a new function that cobalt strike didn't have have before what you're really doing is automating actor workflows they're loaded into the couple strike clients so not on the actual like host side they're loaded in the client and what they

really do is allow you to perform a lot of different checks by taking the human element out and then when we talk about detection opportunities for aggressor scripts it's pretty hard because most often times we're not going to have eyes into where these adversaries are operating out of and if you do that's pretty awesome but what we can do is look for trends if we know that a particular actor when they get on an end point is going to run like the same five commands uh the second they get access that potentially could be a workbook and something that we could potentially use as a single point for if we're trying to identify these actors operating

and what we see here again from our conti affiliates uh this is a big like i know you can't really read it right now but it's a big readme from their leaks that shows a bunch of the different malleable not malleable sorry aggressor scripts that they're using and now most of these they didn't develop themselves and actually i'm not sure if they developed any of them but they're able to use them because they're out in the open and what they do is they give these actors a way to automate a lot of their workflows because these are things that they need to use to operate fast and that's what they want to do and it kind

of takes the human element out of it and blowing this up you can see an example one right here what this is is an aggressor script to basically do an av check this was one of the aggressor scripts part of the leak and it's pretty simple it takes a lot of the human element out of it when you talk about things that could potentially tip off defenders like typos are one uh errors are one so in this case you know you take a lot of that guesswork out you take a lot of the human element out and it's literally just click a button and you get all the avs that are on an endpoint pretty awesome especially if

you want to be operating fast in an environment to try and like reduce that time to ransom so you can potentially get a bigger payout if you are a ransomware operator but again these aren't really adding new functions they're allowing you to automate functions but you're basically working within the constrains of cobalt strike at this point so if you wanted to extend the capabilities of cobalt strike or beacon what you'd want to use is beacon object files and beacon object files are pretty awesome because they are compiled c programs that are loaded into memory on the actual beacon session so as opposed to the client with aggressive scripts these are actually loaded into the actual beacon payload that's running

in memory on an endpoint so from a detection perspective that's really really hard to detect because there's not any process injection or creation where you're injecting into that it's literally just loading it into memory and if you're not running memory forensics you don't get lucky with like a mem dump it's going to be pretty hard to detect and then what we really bring to the table with beacon object files is the ability to extend post exploitation activity or capability so again there's enumerable beacon object files out there there's there there's beacon object files for almost anything you can do who am i you almost anything you can possibly think of you can do you can do with it

and they can also be combined with aggressive scripts and so what you're seeing on the right here is an example of an aggressor script that's going to load and run a beacon object file this was created by rafael mudge the creator of cobalt strike it's on his github but this was again used by the kanti affiliates we saw in the readme for one of the different beacon object files that they like to use this was one and so blowing this up what we can see here is it's not super complex again you're taking a lot of the guesswork out and all you really need to do is identify the architecture uh that's running on the endpoint load in

the correct beacon object file uh compile it with your arguments and then you're off to the races and again this takes a lot of the guesswork out and you're at the same time extending the capabilities of beacons so this is pretty awesome if you want to operate fast add new capabilities and it makes defense a lot harder because we're not seeing this necessarily as a process injection and that's something to note because like we looked at the spawn twos spawn twos are primarily used by a capability called fork and run where they spin up a process inject into it and get the results back that's not what this is doing you're literally just injecting or not injecting you're

loading a new capability into memory running it and you're good to go and so all these are some of the different features of cobalt strike that make it pretty attractive to adversaries and that kind of leads into our next point of why beacon well it pretty much comes down to this it's customizable as you saw with the malleable c2 profiles you can almost change anything it's extremely easy to use i was able to take a class on cobalt strike and beacon and your you can pretty much pick it up in a couple hours you can get pretty comfortable with it and it's primarily gui based really easy to use you'll see a little bit more of like

some of what the commands look like if you're actually operating under it it's under active development too and when we talk about active development that doesn't mean just by help systems there's a large amount of open source projects that are adding new capability all the time to cobalt strike and beacon and so if you're if you're an actor that's free capability that you didn't have to develop yourself and that comes down to it's cheaper than custom development if you develop a capability say it's a new malware family or new backdoor it gets burned by a threat intelligence company or a a government what do you do well you lose capability because while it's still going to operate well in some

environments it's going to be signature you're going to potentially have the opportunity to get discovered and you're going to eventually lose whatever you're trying to gain whether that's espionage or money and crack beacon which uh is what a lot of adversaries use is basically free um so as far as like when you look at that you're getting a lot of capability for almost nothing and you don't really have to do any development yourself and when we talk about attribution attribution is hard but when we use something like cobalt strike if you're an operator if you're an adversary you're going to muddy the waters a lot because it's not a point that we can use as like a threat intelligence analysts

to say hey we know that this adversary uses this specific backdoor this kind of points to them there's a lot of different adversaries across a lot of different like um how do i say this like capability there's like some sophisticated actors that use it like the solarwinds actors all the way down to people that are you know not super sophisticated spinning it up to use ransomware so it's really just a pretty broad platform that a lot of different adversaries can use and when we go to the who's who in the zoo we see when we're looking at it from our perspective at mandiant we have five atp apts six fin groups of financial crime actors and 594 unks that we have

attributed to using beacon and when we talk about unks when we spin up a new cluster of threat activity at mandiant or when we identify like a new potential adversary operating we cluster them unless we have like hard attribution in what's called an unk so it's a uncategorized cluster of threat activity now that's important to look at in the sense that when we when we view an unk there we may have suspicions on who it could be and so when we talk about suspected apts out of that 594 ounce we have 23 that we've observed used beacon and then when we go to fin crime we have 22 unks that we suspect to be fin groups and what this

comes down to is you see a lot of diverse adversaries using beacon and of the like some op 2500 that we are actively tracking um you see almost a third using beacon and that's a crazy big number when you talk about the diverse set that these actors are operating in and what we're going to look at next is a couple profiles of some of the different actors that are probably the most prolific at using beacon and the first is fin 12 this is a newly graduated actor from our team they were previously known as 1878 1878 but now they're fin 12 they moved on to the big leagues so they are one of the most prolific operators of beacon

out there bar none in crime so when we talk about how they're operating they're extremely aggressive and they're very very efficient they really look to lower that time to ransom to as low as they possibly can and when we look at how they operate they're relying on other actors for initial access it's pretty diverse but a lot of the time it's trick bot but they pri almost primarily use beacon for post exploitation activity and when we look at how they're getting beacon into endpoints they're using a lot of different in-memory loaders and we talked about loaders earlier but some of the examples that they were using were malt shake ice candle white dagger and weird loop and then when we look at how

they're operating in terms of their like c2 profiles they've been we've observed them use a bunch but some of them are amazon c2 concealer and jquery and c2 concealer is probably if i'm not mistaken the the most common one that they've been observed using and then they like to use let's encrypt ssl certs because they're not going to use the default serve so that's one profile on the crime side and now switching gears we're going to look at apt-41 another prolific operator of beacon now what's interesting about apt-41 is they're a chinese threat group that we've observed carry out state sponsored espionage operations in parallel with financial crime operations so we had a i think a blog that was called double

dragon it just kind of goes into like show that this actor is pretty diverse they're doing a lot of different things but they are still state sponsored and again we've seen them use a wide range of in-memory beacon loaders so some of the notable ones are blue blue spine mop sled and dustpan we've observed them using custom cha-cha 2.0 encryption and then for their like c2 they like to use cloudflare cdn workers and then as far as malleable c2 profiles again they use a wide range but jquery gmail google drive are the heavy hitters with cobalt strike probably being the most common for them and one thing are not copper strikes sorry c2 concealer and one thing i will note for c2

concealer the way that it builds profiles is it's automated in a sense but what's interesting is a lot of the user agents that it uses are mobile phones so you need to know your environment but if you see a bunch of hosts that aren't mobile phones connecting out as mobile phones that's potentially something to look at and it's just another point to to potentially identify some badness in your environment and now that we've talked about some of the actor profiles we've looked at some of the different ways that why some of the reasons why actors would want to use beacon in the first place but we've also talked about a bunch about loaders at this point and loaders

are really important because they're almost as significant in terms of like you're at as far as detection goes because no matter what they're going to be doing like badness and we're going to get a quick vibe check so this was a loader so vibe check is a nim based in memory loader that was used by 2602 during what we call fake updates campaigns what's interesting about this is nim as far as like loaders go pretty rare so it was really interesting to see and what this is is a yar roll that i created just to detect these this loader it uses syscalls to basically do a lot of the process injection so what you see here the first

two strings are pretty much specific to that that project and then the the next four are basically a variation that um kind of like lead to believing that this is going to be something bad because it's either is getting a process id it's a spending process it's using osproc which is for nemesis calls or it's using virtual alec so all these kind of lead us the conclusion that you know this is probably doing something bad when you combine it with those first two strings it gets even better fidelity and then when we look at this as far as like the potential for expansion here this was based off of github so this github i'll probably if you if you want to know

what it is just hit me up i'll link it that's not a problem but it's a part of a wider range of offensive nim um solutions on this github this was just one that we observed i'm sure that others are being used but this was just one that we saw that we thought was interesting and i wanted to share a rule for you guys you all and now that we've talked about some of the reasons why actors would want to use beacon we've talked about some of the actors that have used it how are we going to detect it and it probably in to me when i first looked at like trying to detect beacon it was pretty daunting

because it's such a wide uh it's such a wide threat scape as far as like what you can use with it so when i look at it from my perspective i look to try and narrow it down to some of the common detection opportunities so there are things that beacon does by default that are pretty significable and then a one quick note that ur rule all that i'll share at the end of this talk so so don't worry about taking pictures so the default name pipe is one there is a default name pipe that is used by beacon so that's one potential detection opportunity and then some of the ways that it operates when you look

at it enough you can see okay this is probably beacon doing like get system or jump ps exec with powershell and what we're going to look at on the next slide is a detection opportunity so jump ps exec powershell is a way that beacon will laterally move within an environment using the windows service control manager what it does is it creates a service on a remote system runs a basic c4 encoded powershell stager and then gets a lateral movement and what you can see in the bottom left is an example of what that looks like when you actually run it you can see the command jump lists all the different options that you have available

for lateral movement then we run the command and we get another target in our belt so when we look at detecting this the first thing we want to look for is an event id 745 for service creation so then from there we want to look for a couple different strings um we want to look for comspec powershell knob hidden and jbz and jbz is a base64 string that when you decode is dollar sign s and that's part of the powershell stager for beacon and so this is also going to be on the github share with you guys and this is a sigma rule so what you can do with this is turn it into any type of detection you

want whether that's a sim edr whatever whatever you have it's kind of like an open framework and i'm a really big fan of sigma and so moving into another detection opportunity we're going to talk about get system and git system is one of the common ways that you can use beacon to get privilege escalation on an endpoint it uses nameplace name pipe impersonation to get nt authority and what you can see here on the on the bottom left is another example of what that actually looks like when you run git system so we test the system to run git system it does the same pipe impersonation we run it who am i who are we we're uh nt system authority so

awesome how do we detect that again a 745 and then what we're going to want to look for is a cmd slash c a cmd a slash c a echo and then a pipe and when you actually see this run on a command line or in like your logs you're going to see a couple different um strings that are like being echoed into a specifically named name pipe those are all generated on the fly um if you you can use regex to identify them pretty easily if you have any questions on that hit me up after the talk i'm happy to work with you on that i didn't put them in here just because i honestly

don't know how you use regex and sigma but i can talk with it after and so these are just two of the detection opportunities that you can use to potentially identify beacon within your environment now we talked about a lot of others like c2 concealer we talked about some of the different ways you can look at rich hash headers and there's an innumerable amount of detection opportunities but i wanted to highlight some of the pretty common ones that can get you started on this path and so if we did identify beacon what do we want to do well we want to investigate it so we want to investigate evil so if we identify it running in our

environment or what we think is it we need to be able to parse the payload emulate it analyze how it's running or operating and then use those artifacts to hunt across our environment and so that's kind of at least in my head how i kind of work through identifying and investigating beacon in in in the real world so one of my favorite tools for doing that is cyber chef if you're not familiar with it it was made by i think the gchq um it's a pretty awesome framework allows you to do a lot of different manipulation on artifacts and then speakeasy is another tool that i'm a big fan of it was created by the reverse

engineers at mandiant and it is an awesome emulator we'll go into that a little bit later though so starting off we're going to make the beacon and what we see here is it's probably hard to see but you can see like the comm spec jbz so this is that powershell stage where we were talking that powershell command being run and what we see here is that being run in a big block of basic c4 so using cyber chef we want to start decoding this and again so this recipe for cyber chef will be also on my github as a guest so if you want it feel free to go ahead and grab it it's pretty awesome

and what you'll first do is do a from base64 we'll do a decode and then we'll run a regex to pull out any basic c4 that we get as a result so we run that and we get back another big blob of base64 and if you looked at basic c4 enough you notice pretty quickly that h4si is basic z4 encoded gzip so taking that knowledge and this recipe if you take it if you choose you can move on to the next step in making the beacon and what we're going to do is another from base64 but we're going to add on a g unzip and what we're going to see here is some code pop-up and this does look

interesting and this is actually the stager that we were talking about earlier and i know it's really hard to read so let's make it a little easier and so this is what the full smb stager is going to look like so there's a lot here and there's a lot to focus on but really the primary point that we want to look at is right here so this little tidbit of code right here is really the nuts and bolts of what this is doing and when we talk about it that first big block of base64 is the actual shell code that this is going to be loading and executing in memory and then in that little for loop is the xor key

and this is really important when we talk about getting to the next stage of actually emulating this we need to take these and use them to kind of get to the next step and so taking that we're going to take that we're going to run another regex we're going to do another from base64 and this time we're going to xor it with the xor key and again i know this is pretty hard to see but what this is is the raw output of the actual um shell code and what we see here in in red is a name pipe and that's the name pipe that this sample itself is using for communication and this sample it's

not super secret i got it off of virustotal you can do that if you have a virustotal account or you can use something like mouseshare if you don't and just as a way to start like kind of getting through this yourself and this is really important because this is just shows one of the ways that we can identify artifacts but we're still not emulating we're just looking at strings here another thing you could do with this you could throw an md5 on it get this md5 string for the shell code throw it in a virus or something like that see if it's already been analyzed by someone else but we want to bring home the beacon and

we're going to use speakeasy for that so speakeasy as i talked about earlier was developed by the reverse engineers of mandia it is a portable emulator for both user mode and kernel mode malware it's really really good at identifying key artifacts and then you can even take it a step further when you run it and you can dump memory from a sample and then when we look at two examples here we see an http beacon shell code being executed against speakeasy and then an smb sample and when we look at this what we're seeing happening here is that the the shell code is going to open up is going to load when a net which is

used for internet connections it's going to open a socket and create a connection outbound to a 192 address we can see the uri and we can even see the user agent string and when you're talking about identifying this stuff and trying to identify more evil in your environment this is just another way that you can quickly identify some of the key points to look for across your network and then we look at the smb beacon payload that we looked at before and this is just we see here it's running virtual alec it's creating the name pipe and from there we can start hunting again and all this is really important when you talk about being able to

take like just one alert and expand that identify some artifacts and hunt across your environment but we can take this a step further and we can find evil across the the great wide world web and what we can do here is use the analytical points that we identified previously through our like investigation and we can identify some more ways that we can look and potentially identify this adversary operating in other places so one really great service that i like to do for this is called jarm it's like a tls fingerprint if you identify accurate infrastructure you get the tls charm for that you get the charm for that that's pretty great http headers are also another way that you can create

a pivot point ssl certs that's something we'll talk about when you when you look at like the default cert if you throw that into something like census or showdan you're going to get a lot of hits if you see some of those running in your environment probably should look at that that is pretty well signatured though so the cobalt strike server id is another one when you get like a license for cobalt strike your server is going to have a server id now when you're running like something like cracked if you're an adversary that's not legit and that server id could be blacklisted so getting that could be a potential indicator that hey i'm dealing

with something that's not like potentially a red team and then even the malleable c2 profile or the malleable pe profile are other pivot points that you can use in a lot of different data sets to identify more badness and when we look at how do we expand this out we take our simple we take our one beacon sample and we're able to use all these different pivots to identify more evil and so you can talk about the default cert in one potential way jarm hash we talked about that common import hashes is another way or using the name pipe that that beacon sample is using like that beacon sample that we saw earlier that was using a pretty specific name

pipe and that doesn't look super common or if you identify the malleable c2 profile and you have something like virustotal enterprise what you can do is look for files that are making like requests on that same uri and so this kind of just shows a lot of the different ways that you can take what you identify from investigations or hunts and you can expand that out and grow your data set to identify more beacon and so wrapping up i want to give a couple quick shout outs so one of my teammates alyssa she created one of the best guides i've ever seen for cobalt strike it's on the top there it's really great then i'd also like to give a shout out

to two of my teammates van ta and aaron stevens for their work on spooky rookies so the fin 12 graduation and then there's a bunch of different references here there's one for a nmap nse script that you can use to pull beacon configs from servers just note do it over under trip or tor don't do that from your network and then at the very bottom you can see the link to the gist for the cyber chef recipe and then you can see the link to my github for signatures and i'm going to share the talk on my github it'll be the same same link and if you have any questions like about any of this stuff and you'd like to talk

to me afterwards feel free but from here anyone have any questions

nope thank you

you