Threat Hunting Shorts- IP Based Beacons – Video Blog
Video – Threat Hunting – IP Based Beacons
Hey folks, I’m Chris Brenton. In today’s video, we’re gonna be talking about IP-based beacons specifically. How do we detect IP-based beacons? As a quick reminder, IP beacons are when one of our internal systems that has become compromised is calling out to a command and control server out on the internet. That’s sitting at a specific IP address, out there somewhere, and we want to be able to have the ability to identify that system has become compromised. There are two different parameters we can go in and look at. Ideally, we want to be looking at both at the same time, but the first one is timing: is my internal system connecting out on a repetitive basis to that same IP address out on the internet, and that IP, usually I can’t explain away through some business need, you know, it’s not my Windows system checking for patches or something along those lines.
So first attribute we can look at is timing. The second is session size. When a system’s calling home, calling home to that command and control server, and there’s no, uh, commands for it to execute in its queue. There’s usually a specific session size that takes place that gets transferred well, if I’m seeing repetitive connections throughout the day, and that session size is the same all the time, that’s a pretty good indication that I might have a beacon. I need to go in and start doing some investigation work. So let’s take a look at how we can go through and run this down. So the first thing I wanted to dispel is that an IP-based beacon is probably going to be, you know, my largest number of connections taking place. In other words, one of the things I see folks doing is saying,
Hey, I’ll just watch who’s making the most outbound connections to the internet and anybody who’s connecting, you know, thousands or tens of thousands of times a day. Those are my beacons. I’ll go in and pay attention to those. And certainly, you know, if you’ve got an internal system connecting tens of thousands of times in a day, it’s worth going in and taking a look at, but you may miss some of the sneakier beacons if that’s the only thing you’re going in and looking at. So here’s what we’re gonna do. I’m working with Zeek. So Zeek is our network recorder, it records all of our connections that go by and I’m just gonna cat out the contents of the Zeek conn.log file. I’m gonna run it through zeek-cut. I’m gonna say, I want you to print out the source and destination IP address, and then I’m gonna sort them and I’m gonna count them.
So I’m just gonna count how many connections were made from one IP address to the other. And then I’m gonna sort highest to lowest which ones connected most often. And then I’m just gonna print out my first 10 entries. So when I go through and do that with this particular data set, the one that sticks out right away, or probably sticks out more than the others is this one here, because it’s got the greatest number of connections, right? 574. So if I was doing beacon research based on greatest number of connections, that might be the one I’m drawn to. Now, it’s not thousands or tens of thousands of connections in a day. You know, this is a sample data set <laugh>, but you know, you get the idea. This is my greatest number of connections. So is this a beacon? Is this something I need to go in and take a look at?
Well, one of the things we want to do is we want to go in and we want to parse that out, uh, based on, you know, how often is this thing going through and connecting. So there’s a couple of ways we can go about doing that. Um, I’ve written up a very simple script that just goes through and counts up how many connections take place each hour between any set of IP addresses that I then go in and specify. So if I go in and run this command, notice what this is showing me: in the second hour of the day to the third hour, there were 15 connections, hour after that, 20 connections, 16, 12, 11, and then it drops down to 6, 7, 7, 5, goes back up to 16, oh, we got fifties, all the way up to the last hour of the day where we had 31. So we’re seeing connections every hour, but it’s not repetitive, right?
It’s not like there’s five connections every hour, six connections every hour or 20 or whatever. Right. It’s kind of bouncing around a lot. So while this is an indicator that, yeah, we’ve got some persistency here, this doesn’t strike me as a potentially malicious beacon, because it doesn’t seem to be programmatic. It almost looks more opportunistic in what’s taking place. Tell you what, let’s take a smaller one. Right? So I’m gonna like cut the difference. Let’s say 96 connections. So, so think about your typical environment. Would you go in and actually pay attention to an internal IP that connected 96 times in a day? Probably not. Right? Because there’s a lot of ’em. But if I go in and I analyze this one, notice what I’m seeing here. I’m seeing <laugh> four connections every single hour. Okay. At five here. And then I had three here.
So I have two slight outliers, but for the most part, look at that pattern. Four connections every hour, about every 15 minutes, I got a connection going off. That’s an IP-based beacon. That’s something I definitely want to go in and pay attention to. Now, what does not a beacon look like at all? Well, one of the things I might want to take a look at is maybe this last connection here. So I could go in and I could say, I wanna go in and do my beacon data, and I’m just gonna cheat and do a copy-paste. So I’m gonna copy those IPs. Let’s see what we get. Okay. If I look at this last connection, notice I got a couple hours where there was only one connection. I’ve got some hours missing, like hour three, hour five, hour 6, 2, 3, 1 bunch of hours missing through here.
Again, this doesn’t look like a beacon. So from an “is it persistent and does it look like it’s been programmed” perspective, out of the three I investigated, this one, this one and then the last one, that middle one is the only one that really looks like something I need to be worried about. Okay. Well, now I’m like cutting through data. Is there an easy way to go through this? Yeah. This is what our open-source RITA tool is for. So with RITA, I can just input this data, which I’ve already done. And I can say, show me beacons. <laugh> show me the beacons. Right. And I’m gonna pump that through multi, and then it’s gonna ask me for my password, cuz I’ve got this system locked down and then it’s gonna go through and say, okay, let me process that data for you and boom.
This is what it spits out. Okay. What does this mean? This first value is our persistency score. This is how likely is this a programmed automatic connection that’s taking place. So if I go in and I look for that 91 97, this is it right here. So what’s this 0.981 mean? That means that we are 98.1% certain this is a persistent connection that you need to go in and pay attention to. So as you can see, yeah, this is something that I may want to go in and watch. That first one we looked at, notice that’s down here. This is saying we’re 73.5% certain this is something you want to go in and look at. Typically you want to look at like 85% or higher. Those are the ones you definitely wanna pay attention to. And then after that, it kind of comes down to do you have the free time?
So you notice, you know, there’s a couple in here in the point nines, those are definitely the ones we’d want to go through and investigate as part of a threat hunt. That last one we looked at that we said, yeah, definitely not a beacon, notice that doesn’t even show up on this output at all. RITA looked at that and said, yeah, no, don’t, don’t bother paying attention to that. So it’s a great way to go through and very quickly be able to focus in on, um, the values you need to worry about. So what kind of data is in this line? So I have that score that we talked about. I have my source IP address here. Here’s my destination IP address. This is how many connections took place. Remember there was 96 before. This is the amount of data that was transmitted on average, 331 bytes.
So that’s not a whole lot. What’s the rest of this stuff? This is the total bytes that was transmitted over the course of the day. And the rest of this is score information that, quite honestly, don’t worry about it. <laugh> In other words, this is stuff that the developers use in order to optimize the code, to make sure that we can do a really good job at detection. Is there a better way to go in and kind of take a look at this data? Well, yeah, in fact, there is. Here’s our commercial AC-Hunter tool. To me, the real tell is this graph right along the bottom. My X axis is time. Each one of these bars represents an hour. I can change the scale to different things if I want to, you know, like every 15 minutes like we’re doing here, but the default is it comes in at an hour.
So let’s just leave it at that for now. So my X axis is time. My Y axis is quantity. So what each bar is describing is how many connections took place each hour. Notice I could pretty much draw a flat line across the top, over that 24-hour period of time. Anytime I can do that, that’s a really good indicator that we’ve got a beacon taking place here. This graph up here is showing how often did I see a certain time interval between connections? So three times there were 728 seconds that went by between my connections; over on the other end, there were four times that there was 1,060 seconds that took place between my connections. But notice these are kind of grouped together. You know, from about 700 to a thousand seconds, that’s only about a 300-second range. That’s not much. So all of my connections took place at a fairly regular interval.
That’s a really good indication that this has been programmed in this way. This is something I need to worry about. Now what’s it look like when it’s not that? Well, here’s an example of that. So notice no flat line, right? No flat line taking place. Good portion of the day, there’s no data at all. And when I go up and analyze here, this is saying 213 connections were at zero-second deltas. Okay. So zero seconds means it was less than half a second for all of those connections. But if I go up and look at the longest one here, I have one connection at 3,977. Okay. Let’s say, let’s say that’s an outlier and we’ll leave that out. It’s probably not. But just saying it is, if I go to my next one, 2,460 seconds, well, there’s a 2,460-second spread between my lowest and my highest time versus the other one that was only 300.
That was a whole lot tighter spread. So anytime I see these tight spreads taking place, that’s something I want to go in and pay attention to. If you’d like to learn more about IP-based beacons, we run a free threat hunting class. This is an intensive six-hour class. Uh, about half of it is lecture time. Half of it is hands-on lab. There’s a virtual machine you can download and you can go hands-on and go through these labs where you’re actually doing real threat hunting. So we kinda walk you through the initial steps and then kind of let you know, give you a little shove and let you kind of go at it from there. Uh, we’ve had well over 20,000 people go through this training, which has just been awesome. Uh, and the next class is coming up October 4th. So if you’re interested, uh, there’s the link below, sign up, uh, feel free to come in and check out the class. Thanks and hope you found this information useful.
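As an added example (not code from the video, from RITA, or from AC-Hunter), here is a small Python script that does what the video's per-hour counting script and AC-Hunter's interval histogram do, over a constructed Zeek conn.log excerpt: it counts connections per hour for one source/destination pair, reports the spread between the shortest and longest gap between consecutive connections, and lists the distinct session sizes seen. Field names are Zeek's standard conn.log column names; the sample records and IP addresses are constructed.

```python
from collections import Counter

# Constructed Zeek conn.log excerpt (not real traffic): one internal host
# calling 203.0.113.7 every 900 s (four times an hour, like the video's
# middle example) plus one unrelated connection. Only the columns used
# below are included; a real conn.log has more.
HEADER = "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\torig_bytes"
ROWS = [f"{1700000000 + i * 900}\tC{i}\t10.0.0.5\t{40000 + i}\t203.0.113.7\t443\t331"
        for i in range(8)]
ROWS.append("1700001800\tCx\t10.0.0.5\t50001\t198.51.100.9\t80\t1200")
SAMPLE_CONN_LOG = "\n".join(["#separator \\x09", HEADER, *ROWS, "#close 2023-11-14"])


def parse_conn_log(text):
    """Parse Zeek's TSV conn.log: '#fields' names the columns, other '#' lines are metadata."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def pair_timestamps(records, src, dst):
    """Sorted connection start times (epoch seconds) from src to dst."""
    return sorted(float(r["ts"]) for r in records
                  if r["id.orig_h"] == src and r["id.resp_h"] == dst)


def hourly_counts(records, src, dst):
    """Connections per hour bucket, in time order: the flat-line check from the video."""
    buckets = Counter(int(ts) // 3600 for ts in pair_timestamps(records, src, dst))
    return [buckets[h] for h in sorted(buckets)]


def interval_spread(records, src, dst):
    """(min, max, max - min) seconds between consecutive connections; None if fewer than two."""
    ts = pair_timestamps(records, src, dst)
    if len(ts) < 2:
        return None
    deltas = [round(b - a) for a, b in zip(ts, ts[1:])]
    return min(deltas), max(deltas), max(deltas) - min(deltas)


def session_sizes(records, src, dst):
    """Distinct orig_bytes values for the pair; a single value is the constant-size signal."""
    return sorted({int(r["orig_bytes"]) for r in records
                   if r["id.orig_h"] == src and r["id.resp_h"] == dst
                   and r["orig_bytes"] != "-"})
```

A tight interval spread together with near-identical hourly counts and a single session size is the combination the video describes; a wide spread and uneven hours (the "opportunistic" case) rules a pair out.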
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.