BeaconEye scans running processes for active CobaltStrike beacons. When processes are found to be running beacon, BeaconEye will monitor each process for C2 activity.
How it works
BeaconEye will scan live processes or MiniDump files for suspected CobaltStrike beacons. In live process mode, BeaconEye optionally attaches itself as a debugger and will begin monitoring beacon activity for C2 traffic (HTTP/HTTPS beacons supported currently).
The AES keys used for encrypting C2 data and the malleable C2 profile are decoded on the fly, which enables BeaconEye to extract and decrypt the beacon's output when commands are sent by the operator.
A log folder of activity is created per process relative to the current directory where BeaconEye is executed from.
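The MiniDump mode above searches a memory image for a beacon's configuration before anything can be monitored or decoded. The following is an added illustration of that first step, not BeaconEye's own code: it relies on the publicly documented beacon config layout (the settings block XOR-encoded with 0x69 for 3.x or 0x2E for 4.x, big-endian index/type/length/value entries, setting 1 = beacon type, 2 = port, 3 = sleep, 5 = jitter, 8 = C2 server), and scans a constructed sample blob rather than a real dump.

```python
import struct

CONFIG_MAGIC = b"\x00\x01\x00\x01\x00\x02"  # header of setting 1 (index 1, type 1, len 2)
XOR_KEYS = (0x69, 0x2E)                      # 3.x and 4.x config encodings
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP/DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}

def _xor(buf, key):
    return bytes(b ^ key for b in buf)

def find_config(buf):
    """Locate the XOR-encoded config header; return (offset, key) or None."""
    for key in XOR_KEYS:
        off = buf.find(_xor(CONFIG_MAGIC, key))
        if off != -1:
            return off, key
    return None

def parse_settings(decoded):
    """Walk big-endian TLV settings (index, type, length, value); index 0 ends the list."""
    settings, pos = {}, 0
    while pos + 6 <= len(decoded):
        idx, typ, length = struct.unpack_from(">HHH", decoded, pos)
        pos += 6
        if idx == 0:
            break
        val = decoded[pos:pos + length]
        pos += length
        if typ == 1 and length == 2:
            settings[idx] = struct.unpack(">H", val)[0]   # short
        elif typ == 2 and length == 4:
            settings[idx] = struct.unpack(">I", val)[0]   # int
        else:
            settings[idx] = val.rstrip(b"\x00")           # raw data
    return settings

def scan_dump(buf):
    """Summarise the first beacon config found in buf, or return None."""
    hit = find_config(buf)
    if hit is None:
        return None
    off, key = hit
    s = parse_settings(_xor(buf[off:off + 4096], key))
    return {"offset": off, "xor_key": key, "beacon_type": BEACON_TYPES.get(s.get(1), "unknown"),
            "port": s.get(2), "sleep_ms": s.get(3), "jitter": s.get(5),
            "c2_server": s.get(8, b"").decode(errors="replace")}

def _setting(idx, typ, value):  # builds one TLV entry for the constructed sample below
    body = struct.pack(">H", value) if typ == 1 else struct.pack(">I", value) if typ == 2 else value
    return struct.pack(">HHH", idx, typ, len(body)) + body

# Constructed sample (not from real malware): HTTPS beacon settings XOR'd with 0x2E inside filler bytes.
SAMPLE_CONFIG = (_setting(1, 1, 8) + _setting(2, 1, 443) + _setting(3, 2, 60000) + _setting(5, 1, 20)
                 + _setting(8, 3, b"c2.example.invalid,/news".ljust(32, b"\x00")) + b"\x00" * 6)
SAMPLE_DUMP = b"\x00" * 64 + _xor(SAMPLE_CONFIG, 0x2E) + b"\xcc" * 64
```

Running `scan_dump(SAMPLE_DUMP)` reports the offset, XOR key, beacon type, port, sleep, jitter and C2 string; a real dump is simply read into `buf` with `open(path, "rb").read()`.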
Usage
BeconEye by @_EthicalChaos_
CobaltStrike beacon hunter and command monitoring tool x86_64
-v, --verbose        Display more verbose output instead of just information on beacons found
-m, --monitor        Attach to and monitor beacons found when scanning live processes
-f, --filter=VALUE   Filter process list with names starting with x (live mode only)
-d, --dump=VALUE     A folder to use for MiniDump mode to scan for beacons (files with *.dmp or *.mdmp)
-h, --help           Display this help
Features
sleep_mask
Caveats
BeaconEye can detect all beacon types but can only monitor HTTP/HTTPS beacons. At present, only command output is decoded, not command requests. See the TODO list below for a full list of intended features.
BeaconEye should be considered ALPHA. I'm keen to get feedback on 4.x beacons that cannot be detected, or where the malleable C2 profile has not been parsed correctly, resulting in incorrect decoding of output.
TODO
References and Thanks