Beacon Detection

I get AI hits that say: “Beacon detection: Suricata can analyze flow data, such as packet size, jitter, and repetition, to identify patterns that may indicate beacons. Analysts can also use default settings like beacon names and certificates to help with detection.”

I can’t find where it got that but I am guessing that may have come from some Suricata docs somewhere.

Any suggestions on how to best configure Suricata to detect C2 Beacons?

Thanks

Let me provide more specific info…

I have the Cobalt Strike rules and I have pcaps that have Cobalt Strike embedded. I can detect those using RITA but not Suricata, even using the Cobalt Strike rules against a pcap with embedded Cobalt Strike beacons.


Hi Jeff,

Can you share the CS rules and pcap?

What version of Suricata are you using? We strongly recommend that only 7.0 and newer versions be used as 6.0.x is no longer supported.

Attached. I found several pcaps with Cobalt Strike beacons in them from reputable places. These rules detected none of them.

I’m using Suricata 7.0.6, 64-bit.

Jeff

Attachments:

cobaltstrike.rules (2.26 KB)
Cobalt-Strike.pcap (4.12 MB)

It seems to be pretty simple. The pcap you provided doesn’t contain the content that triggers the rules, at least not in cleartext.

Load the pcap in Wireshark. Search by string for content in each rule, like

“Cyberspace”

“msdownload”

“Date: ”

etc.

You will not get hits on those and others needed by the rules. There will be some matches but everything needs to be present.

To test general Cobalt Strike detection in Suricata, I loaded the pcap into Cloudshark, which has Suricata support. It lit up the rules in that system like a Christmas tree.

Sincerely,

Richard
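A scripted version of that check, added here as an example and not code from the thread, from Suricata, or from Cloudshark: it pulls every content: match out of a rules file and reports, per sid, which of those byte strings occur in no packet of a classic pcap. The rules and the pcap below are constructed for the example (the sids are in the local 1000000+ range, not ET sids), and the pcap records carry bare HTTP payloads under link type 147 (DLT_USER0) rather than Ethernet frames, since the search only scans raw packet bytes. A rule with any missing content cannot fire; a rule with none missing may still not fire, because the engine also checks buffers, ordering, distance and flow state, so treat the output as triage, like the Wireshark string search.

```python
import re
import struct

# Constructed rules for this example: local sids, not Emerging Threats sids.
SAMPLE_RULES = r'''
alert http any any -> any any (msg:"EXAMPLE A two strings"; content:"msdownload"; http_user_agent; content:"Cyberspace"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"EXAMPLE B hex and text"; content:"|48 54 54 50|"; content:"Date: "; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE C absent string"; content:"not-in-this-capture"; sid:1000003; rev:1;)
'''

CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)')


def decode_content(raw):
    """Convert a Suricata content string to bytes: |xx xx| runs are hex, \\" \\; \\\\ are escapes."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        if i % 2 == 1:                      # odd parts sit between pipes -> hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)


def parse_rules(text):
    """Return [(sid, [content bytes, ...]), ...] for every rule line that has content matches."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        contents = [decode_content(c) for c in CONTENT_RE.findall(line)]
        if sid and contents:
            rules.append((int(sid.group(1)), contents))
    return rules


def read_pcap_packets(data):
    """Yield the raw bytes of each record in a classic (non-pcapng) pcap, either byte order."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24                                # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def missing_contents(rules_text, pcap_bytes):
    """Map sid -> list of content byte strings found in no packet at all."""
    packets = list(read_pcap_packets(pcap_bytes))
    return {sid: [c for c in contents if not any(c in p for p in packets)]
            for sid, contents in parse_rules(rules_text)}


def rules_that_can_fire(rules_text, pcap_bytes):
    """Sids whose every content string occurs somewhere in the capture (necessary, not sufficient)."""
    return sorted(sid for sid, missing in missing_contents(rules_text, pcap_bytes).items() if not missing)


def build_sample_pcap():
    """Constructed pcap: two bare HTTP payloads as records under DLT_USER0 (147), no Ethernet/IP."""
    payloads = [
        b"GET /x HTTP/1.1\r\nHost: c2.example.invalid\r\nUser-Agent: msdownload\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nDate: Wed, 01 May 2024 10:00:00 GMT\r\n\r\nCyberspace",
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 147)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 1714557600 + i, 0, len(p), len(p)) + p
    return out


if __name__ == "__main__":
    pcap = build_sample_pcap()
    for sid, missing in missing_contents(SAMPLE_RULES, pcap).items():
        status = "all content present" if not missing else f"cannot fire, missing {missing}"
        print(f"sid {sid}: {status}")
```

Against a real capture, replace build_sample_pcap() with the bytes of the .pcap file and SAMPLE_RULES with the rules file text; pcapng captures need converting first, and any sid listed with missing content is one you can stop waiting for alerts from.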

So are you saying CloudShark could detect it in the PCAPs I sent you? I just want to make sure I understand.

Thank you

Jeff

No problem. So Cloudshark is detecting a variety of alerts (including some Cobalt Strike specific ones) in your pcap. But Cloudshark doesn’t use the rules you sent. Those rules will not fire on the pcap because the pcap doesn’t contain content that will trigger those rules.

Sincerely,

Richard

OK, so that is clear. Does Suricata standalone have a set of rules that would detect it in those pcaps? The reason I am asking is that we (Leidos) use Suricata as a part of one of our application packages. Suricata is already in there, so if we could detect not just Cobalt Strike beacons but other C2 beacons, that is a feature that our gov customer would be interested in.

Thanks

Jeff

Jeff Garland | Leidos Dynetics

Cybersecurity Research and Development

CEMA Defensive Software Branch

CEMA Advanced Persistent Threats (CAPT)

CEMA Testing (CDAT)

jeffrey.d.garland@leidos.com

Have you looked at

https://rules.emergingthreats.net/open/suricata-7.0.3/

I do not know if Cloudshark uses the open rule set or ET PRO from Proofpoint.

Most people who provide services for customers buy an ET PRO subscription or write their own rules.

Sincerely,

Richard

OK Thank you. I will check to see if we have one.

Jeff,
The Suricata rules language does not have the semantics to describe generic beacon detection logic. Yes, you have the threshold keyword, but it is pretty limited in what it can describe.

To be able to detect beacons, you will need to do post-processing of Suricata NSM data (network transactions), not alert data, just like RITA does.

This can be done using an analytical solution (e.g. Spark) or even a Python script.
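A minimal version of that post-processing, added here as an example and not code from the thread, from RITA, or from Suricata: a Python script that reads EVE JSON flow events (the eve.json fields event_type, src_ip, dest_ip, dest_port, flow.start and flow.bytes_toserver), groups connections by source, destination and port, and scores each pair by how regular its inter-connection interval and request size are, the packet size, jitter and repetition signals the thread opened with. The eve.json lines are constructed; the scoring (a coefficient of variation for timing and for size, averaged) and the thresholds are illustrative simplifications of the kind of analysis RITA performs, not its algorithm. It reads flow.start rather than the record timestamp because Suricata writes a flow event when the flow ends, not when it begins.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"   # EVE timestamp layout, e.g. 2024-05-01T10:00:00.000000+0000


def _flow(ts, src, dst, dport, to_server, to_client):
    """Build one constructed EVE 'flow' record with only the fields this script reads."""
    return json.dumps({
        "timestamp": ts, "event_type": "flow", "proto": "TCP",
        "src_ip": src, "dest_ip": dst, "dest_port": dport,
        "flow": {"start": ts, "bytes_toserver": to_server, "bytes_toclient": to_client},
    })


# Constructed eve.json lines, not real traffic.
# 10.0.0.5 -> 203.0.113.10:443: one connection about every 60 s, same request size each time.
# 10.0.0.7 -> 198.51.100.20:443: irregular timing and sizes, the shape of interactive browsing.
SAMPLE_EVE = "\n".join(
    [_flow(f"2024-05-01T10:{m:02d}:{s:02d}.000000+0000", "10.0.0.5", "203.0.113.10", 443, 512, 1024)
     for m, s in [(0, 0), (1, 1), (2, 0), (3, 2), (3, 59), (5, 0), (6, 1), (7, 0)]]
    + [_flow(f"2024-05-01T10:{m:02d}:{s:02d}.000000+0000", "10.0.0.7", "198.51.100.20", 443, b, 5000)
       for (m, s), b in zip([(0, 0), (0, 7), (2, 30), (2, 31), (9, 5), (9, 40), (15, 0), (15, 3)],
                            [300, 1500, 800, 4200, 120, 900, 2600, 700])]
)


def parse_flows(eve_text):
    """Yield ((src_ip, dest_ip, dest_port), start_epoch_seconds, bytes_toserver) per flow event."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "flow":
            continue                      # alerts, http, tls etc. are not used here
        # flow events are logged when the flow ends; flow.start is the connection time
        start = datetime.strptime(ev["flow"]["start"], EVE_TS).timestamp()
        yield (ev["src_ip"], ev["dest_ip"], ev["dest_port"]), start, ev["flow"]["bytes_toserver"]


def _cv(values):
    """Coefficient of variation; 0 when every value is equal, so a constant series is perfectly regular."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else 0.0


def beacon_scores(eve_text, min_connections=6):
    """Score each (src, dst, port) pair by how regular its timing and request sizes are (0..1)."""
    groups = defaultdict(list)
    for key, start, size in parse_flows(eve_text):
        groups[key].append((start, size))
    results = {}
    for key, conns in groups.items():
        if len(conns) < min_connections:
            continue                      # too few connections to judge periodicity
        conns.sort()
        starts = [c[0] for c in conns]
        sizes = [c[1] for c in conns]
        intervals = [b - a for a, b in zip(starts, starts[1:])]
        interval_cv, size_cv = _cv(intervals), _cv(sizes)
        results[key] = {
            "connections": len(conns),
            "median_interval_s": statistics.median(intervals),
            "interval_cv": round(interval_cv, 3),
            "size_cv": round(size_cv, 3),
            # low spread in both timing and size is the beacon signature; 1.0 is perfectly regular
            "score": round((max(0.0, 1 - interval_cv) + max(0.0, 1 - size_cv)) / 2, 3),
        }
    return results


def candidate_beacons(eve_text, threshold=0.8):
    """Pairs whose score meets the threshold, highest score first."""
    scored = beacon_scores(eve_text)
    return sorted((k for k, v in scored.items() if v["score"] >= threshold),
                  key=lambda k: -scored[k]["score"])


if __name__ == "__main__":
    for key, info in beacon_scores(SAMPLE_EVE).items():
        print(key, info)
    print("candidates:", candidate_beacons(SAMPLE_EVE))
```

On a live sensor, feed beacon_scores() the contents of eve.json (or a sliding window of it) with the flow event type enabled in the EVE output; the flow timestamps then need a pass over the whole window before scoring, which is why this runs over NSM data after the fact rather than inside a rule. Regular intervals with constant sizes also describe update checks, NTP-style polling and monitoring agents, so the score is a ranking to review against destination reputation and known-good software, not an alert on its own.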