5.7.2.17. `Beacon detect` screen
5.7.2.17.1. Introduction
The `Beacon detect` screen is used:
- To activate the engine
- To configure detection sensitivity
- To define the list of URLs that are not to be analysed and are therefore considered healthy
This screen is only accessible to members of the operator group.
5.7.2.17.2. Links associated
5.7.2.17.3. Screen Description
After pressing the `Beacon` command on the `Detection Strategy\C&C` menu, the `Beacon detect` screen is displayed.
For administrator group members, the following message is displayed: `Error 403:Insufficient permissions`.
Area | Function
---|---
 | Engine settings
 | List of ignored URLs that are considered healthy
5.7.2.17.4. `Settings` area of the `Beacon detect` screen
The `Settings` section (1) displays the engine settings.
Item | Name | Function
---|---|---
1 | | Includes all engine settings
2 | | Engine activation zone
3 | | This selector activates or deactivates the engine
4 | | This field displays the selected GCaps
5 | | Area to limit the alerts generated for the same suspicious connection
6 | | Selector to activate the function
7 | | Limit of the maximum number of alerts
8 | | Duration during which the counting is done
9 | | Engine sensitivity adjustment area
10 | | Sensitivity level setting slider. The sensitivity level is the combination of the activation of different parameters. This combination can be defined manually (`Custom` choice) or use predefined settings (`Presets` choice). If the cursor is in the `Presets` position, the sensitivity level is set by the `Sensitivity level` selector. If the selector is in the `Custom` position, the sensitivity level is set by the `Filtered domains` area that appears. For more details see below.
11 | | Slider setting sensitivity by preset levels. Default: Standard
12 | | Button to cancel current changes
13 | | Button to save current changes
5.7.2.17.4.1. Filtered domains area
Item | Name | Function
---|---|---
1 | | Configuration window to filter domains, i.e. the listed domains are considered healthy
2 | | If selected, the domains that correspond to the most visited sites in the world are filtered
3 | | The `Double-check ignored domains with malleable profile detection` option is displayed only when `Social media APIs` is displayed. This option only applies to http event types whose hostname is not an IP address. It is only used when a hostname associated with an http beaconing connection is present in one of the public ignore lists (known public domains and social network APIs). It is then necessary to verify that the hostname is present in a DNS log and that its IP address (found in the DNS log) corresponds to the dest_ip of the connection. The presence of the hostname in the ignore list and also in the DNS logs confirms that it is a legitimate beacon. The presence of the hostname in the ignore list but not in the DNS logs can indicate a potentially malicious beacon whose Host field in the HTTP header has been changed. This check should only be performed if there are at least 24 hours of DNS events. These 24 hours are necessary because the default configuration of most DNS servers is a 24-hour cache: not finding a resolution of a domain in the last 24 hours does not necessarily mean that the domain has not been resolved (and is therefore a malleable profile), since the answer could still be in the cache.
4 | | If selected, the domains that correspond to social media APIs are filtered. The `Double-check ignored domains with malleable profile detection` option is displayed only when `Social media APIs` is displayed.
5 | | This option allows only alerts with a public IP destination to be displayed in the
6 | | Ignore commonly accessed domains. This option filters frequently accessed/popular domains within the company. The popularity of a domain is determined by the number of unique clients in the company who have accessed that domain. This number is defined in the parameter `unique clients to consider a domain as common`. By default, the time range [now; -3 days] determines the popularity of a domain. However, this carries the following risk: if the last 24 hours are taken into account, a C2 that has implants on several machines can activate them simultaneously, making the C2 domain a popular domain. Hence the presence of the option `Do not ignore new domains for the last 24h (better detection in case of multiple and simultaneous activation of beacons)`.
7 | | Defines the number of different clients that have accessed this domain.
8 | | This option allows new domains from the last 24 hours not to be ignored (i.e., it allows the analysis of new domains). After analysis over the 24h, the newly analysed and therefore healthy domains can then be ignored as part of `Ignore commonly accessed domains`.
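The two filters described in rows 3 and 6 to 8 above (the malleable profile double-check against DNS logs, and the popularity filter with its "new domains" exception) are easier to reason about as code. The following is an added example written for this page, not Gatewatcher's implementation: the record layouts, the `>=` threshold semantics, the decision to let an ignore-list entry stand when less than 24h of DNS history is available, and all sample domains, IPs and timestamps are constructed assumptions.

```python
# Added example (not Gatewatcher's code): a toy model of two Filtered domains
# options, run over constructed HTTP-beacon alerts, HTTP logs and DNS logs.
# Record layouts, thresholds and sample data are assumptions.
from datetime import datetime, timedelta
from ipaddress import ip_address

MIN_DNS_HISTORY = timedelta(hours=24)    # double-check needs >= 24h of DNS events
POPULARITY_WINDOW = timedelta(days=3)    # default [now; -3 days] range
NEW_DOMAIN_WINDOW = timedelta(hours=24)  # "new domains for the last 24h"


def is_ip_literal(hostname):
    """True when the HTTP Host is an IP address (the double-check does not apply)."""
    try:
        ip_address(hostname)
        return True
    except ValueError:
        return False


def dns_history_sufficient(dns_logs, now):
    """The double-check is only meaningful with at least 24h of DNS events."""
    return bool(dns_logs) and now - min(r["ts"] for r in dns_logs) >= MIN_DNS_HISTORY


def double_check(alert, public_ignore_list, dns_logs, now):
    """'Double-check ignored domains with malleable profile detection'.

    Returns:
      'not_applicable' - non-HTTP event, Host is an IP literal, or hostname is
                         not in the public ignore list: this option has no say.
      'ignored'        - hostname is in the ignore list and a DNS answer maps it
                         to the alert's dest_ip: legitimate beacon.
      'suspicious'     - hostname is in the ignore list but no DNS answer maps
                         it to dest_ip: the Host header may have been rewritten
                         (malleable profile), so the alert is kept.
    """
    host = alert["hostname"]
    if alert["event_type"] != "http" or is_ip_literal(host) or host not in public_ignore_list:
        return "not_applicable"
    if not dns_history_sufficient(dns_logs, now):
        return "ignored"  # assumption: without 24h of DNS the check is skipped and the list stands
    resolved = any(r["query"] == host and alert["dest_ip"] in r["answers"] for r in dns_logs)
    return "ignored" if resolved else "suspicious"


def is_commonly_accessed(domain, http_logs, now, unique_clients=5, keep_new_domains=False):
    """'Ignore commonly accessed domains'.

    A domain is common when at least `unique_clients` distinct source IPs
    contacted it within the popularity window (assumption: '>=' threshold).
    With keep_new_domains ('Do not ignore new domains for the last 24h'), a
    domain first seen less than 24h ago is never treated as common, so a C2
    whose implants all activate at once is still analysed.
    """
    hits = [r for r in http_logs if r["hostname"] == domain and now - r["ts"] <= POPULARITY_WINDOW]
    if not hits:
        return False
    if keep_new_domains and now - min(r["ts"] for r in hits) < NEW_DOMAIN_WINDOW:
        return False
    return len({r["src_ip"] for r in hits}) >= unique_clients


def should_alert(alert, public_ignore_list, dns_logs, http_logs, now, **popularity_opts):
    """Chain the two filters: an ignore-list hit that DNS confirms is dropped, a
    suspicious one is always kept, everything else goes through the popularity filter."""
    verdict = double_check(alert, public_ignore_list, dns_logs, now)
    if verdict == "ignored":
        return False
    if verdict == "suspicious":
        return True
    return not is_commonly_accessed(alert["hostname"], http_logs, now, **popularity_opts)


# Constructed sample data (placeholder domains, documentation and private IP ranges).
NOW = datetime(2024, 1, 10, 12, 0)
PUBLIC_IGNORE_LIST = {"cdn.example.com", "api.social.example"}
DNS_LOGS = [
    {"ts": NOW - timedelta(hours=30), "query": "cdn.example.com", "answers": ["203.0.113.10"]},
    {"ts": NOW - timedelta(hours=2), "query": "cdn.example.com", "answers": ["203.0.113.10"]},
]
HTTP_LOGS = (
    # popular internal tool: six clients spread over two days
    [{"ts": NOW - timedelta(days=2, hours=i), "src_ip": f"10.0.0.{i}", "hostname": "tool.example"}
     for i in range(1, 7)]
    # freshly seen domain: six clients within the last three hours
    + [{"ts": NOW - timedelta(hours=3, minutes=i), "src_ip": f"10.0.1.{i}", "hostname": "fresh.example"}
       for i in range(1, 7)]
)
ALERTS = [
    {"event_type": "http", "hostname": "cdn.example.com", "dest_ip": "203.0.113.10"},     # DNS confirms
    {"event_type": "http", "hostname": "api.social.example", "dest_ip": "198.51.100.7"},  # no DNS match
    {"event_type": "http", "hostname": "198.51.100.9", "dest_ip": "198.51.100.9"},        # IP literal
    {"event_type": "http", "hostname": "tool.example", "dest_ip": "10.0.0.50"},           # common domain
    {"event_type": "http", "hostname": "fresh.example", "dest_ip": "192.0.2.33"},         # new domain
]

if __name__ == "__main__":
    for a in ALERTS:
        keep = should_alert(a, PUBLIC_IGNORE_LIST, DNS_LOGS, HTTP_LOGS, NOW, keep_new_domains=True)
        print(f"{a['hostname']:<20} {double_check(a, PUBLIC_IGNORE_LIST, DNS_LOGS, NOW):<15} alert={keep}")
```

Running the block shows the two failure modes the text warns about: `api.social.example` is on the public ignore list but no DNS answer ties it to the alert's dest_ip, so the alert survives; `fresh.example` would be classed as common by the plain popularity count, and only the "new domains" option keeps it under analysis.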
5.7.2.17.4.2. Presets choices and the associated parameters
Parameter | | | |
---|---|---|---|---
`Most visited worldwide sites` | Active, malleable profile detection option inactive | Active, malleable profile detection option inactive | Active, malleable profile detection option active | Active, malleable profile detection option active
`Most visited worldwide sites` | Active, malleable profile detection option inactive | Active, malleable profile detection option inactive | Active, malleable profile detection option active | Inactive
`Social media APIs` | Active (malleable profile detection option inactive) | Inactive | Inactive | Inactive
 | Active | Active | Active | Inactive
`Ignore commonly accessed domains` | Active, max. 2 unique clients to consider as common; domains from the last 24h are also ignored | Active, max. 5 unique clients to consider as common; domains from the last 24h are also ignored | Active, max. 5 unique clients to consider as common; domains from the last 24h will not be ignored | Inactive
Note
The `Low` setting increases the number of domain names ignored, so there will be fewer alerts and fewer false positives. Conversely, the `Very high` setting generates more alerts and therefore more false positives.
5.7.2.17.5. `Ignore list` area of the `Beacon detect` screen
The `Ignore list` area enables filtering of the domains and IP addresses considered healthy, typically:
- During the first days of engine activation, to correct some possible false positives
- Following the activation of an option that increases engine sensitivity
- After an investigation leading to the identification of a false positive
After clicking on the `Ignore list` button, the following window is displayed.
Item | Name | Function
---|---|---
1 | | The `Ignore list` area enables filtering of the domains and IP addresses considered healthy. On-screen text: `Ignore list is a set of exceptions, based on target IP or domains.` `Beacon detect discards alerts that match these exceptions.` `This can be used to discard false positive detections that occur regularly, for instance because a legitimate software is implemented with a beacon-like mechanism where clients poll servers periodically.` Short information about this screen. The Learn more link opens the embedded documentation on the corresponding page.
2 | | Field displaying the most frequent domains detected. For each domain, the following information is displayed:
3 | |
4 | |
5 | |
6 | | This area lists the exception list of domains, each defined by its URL. For each domain, the following information is displayed:
7 | |
8 | |
9 | |