BeaconEye
BeaconEye scans running processes for active CobaltStrike beacons. When a process is found to be running a beacon, BeaconEye monitors that process for C2 activity.
How it works
BeaconEye attaches itself as a debugger to each process and begins monitoring beacon activity for C2 traffic (currently only HTTP/HTTPS beacons are supported).
The AES keys used for encrypting C2 data and the malleable profile are decoded on the fly, which enables BeaconEye to extract and decrypt the beacon's output when commands are sent by the operator.
A log folder is created per process, relative to the current working directory from which BeaconEye is executed.
Features
- A per-process log folder
- Dumps beacon config
- Displays output from most beacon commands
- Saves screenshots
- Detects standalone and injected beacons
- Detects beacons masked with built-in sleep_mask
- Scan running processes or Minidumps offline
TODO
- Add support for named pipe beacons
- Add support for TCP beacons
- Add support for CobaltStrike 3.x
- Add command-line argument to specify output logging location
- Add support for extracting operator commands
Changelog v0.3
- Added support for scanning 32 and 64 bit Minidumps from a specified folder.