Detecting Beaconing Malware

Overview

Beaconing malware, like Cobalt Strike in its default configuration, often communicates with its Command and Control (C2) server at predictable intervals. By monitoring and analyzing the intervals between communications, we can identify patterns indicative of beaconing behavior. This guide provides a Splunk query to detect such patterns in HTTP traffic logs generated by Zeek.

Setting Up the Detection Query

This Splunk query identifies beaconing behavior by analyzing consistent intervals in HTTP traffic. It flags cases where most communication events occur at regular intervals, which may indicate malware beaconing.

Query Explanation

1. Filter for Beaconing Data:

   • index="cobaltstrike_beacon" and sourcetype="bro:http:json" specify the relevant data source and sourcetype for Cobalt Strike beaconing data in JSON format from Zeek logs.

2. Event Time Sorting:

   • sort 0 _time sorts events in ascending order based on their timestamp, ensuring time-based calculations are accurate.

3. Calculate Time Differences:

   • streamstats computes the time difference (timedelta) between consecutive events for each unique source-destination pair and destination port, grouping events by src, dest, and dest_port.

4. Calculate Average Time Interval:

   • eventstats calculates the average time interval (avg) and total count of events (total) for each source-destination pair and destination port combination.

5. Define Acceptable Time Interval Range:

   • eval upper=avg*1.1 and eval lower=avg*0.9 set upper and lower bounds for time intervals (10% margin above and below the average).

6. Filter for Consistent Intervals:

   • where timedelta > lower AND timedelta < upper filters events that fall within the acceptable time interval range, indicating a consistent beaconing interval.

7. Calculate Consistency Percentage:

   • stats aggregates the data and calculates the percentage (prcnt) of events falling within the defined time interval range for each connection.

8. Threshold Filtering:

   • where prcnt > 90 AND total > 10 includes only results where over 90% of events fall within the beaconing pattern range and there are at least 10 events, making the detection more accurate.

Splunk Query

index="cobaltstrike_beacon" sourcetype="bro:http:json" 
| sort 0 _time
| streamstats current=f last(_time) as prevtime by src, dest, dest_port
| eval timedelta = _time - prevtime
| eventstats avg(timedelta) as avg, count as total by src, dest, dest_port
| eval upper=avg*1.1
| eval lower=avg*0.9
| where timedelta > lower AND timedelta < upper
| stats count, values(avg) as TimeInterval by src, dest, dest_port, total
| eval prcnt = (count/total)*100
| where prcnt > 90 AND total > 10

Field Descriptions

• index="cobaltstrike_beacon": Filters events for the specific Cobalt Strike beaconing index.

• sourcetype="bro:http:json": Specifies the Zeek HTTP logs in JSON format as the source type.

• sort 0 _time: Sorts events chronologically.

• streamstats last(_time) as prevtime by src, dest, dest_port: Calculates the time of the previous event for each source-destination pair and port.

• eventstats avg(timedelta) as avg, count as total: Calculates the average interval and total count for each connection.

• eval upper=avg*1.1 and eval lower=avg*0.9: Sets a margin for the average interval to account for slight variations.

• where timedelta > lower AND timedelta < upper: Filters for intervals within the margin, indicating a consistent pattern.

• stats count, values(avg) as TimeInterval: Aggregates results by the average interval and connection details.

• where prcnt > 90 AND total > 10: Retains connections with high consistency and significant event counts, reducing false positives.

Interpreting Results

• Consistent Intervals: Connections showing over 90% of events within the defined time interval range suggest beaconing behavior.

• Event Count Threshold: Ensuring a minimum of 10 events avoids false positives from low-activity connections.