FalconFriday — Recognizing Beaconing Traffic — 0xFF0D

In today’s edition, we share a method for detecting beaconing command-and-control (C&C) traffic in large data sets of web proxy logs.

TL;DR for blue teams: By making a few assumptions about how a beacon differs from normal browsing, it is possible to find a beaconing needle in a very large haystack of web requests.

TL;DR for red teams: Do not just pick a genuine browser’s User Agent at random for your beacons. To stay undetected, the beacon’s User Agent may need to match exactly the User Agent of the targeted user’s actual browser.
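To make both TL;DRs concrete, here is a small Python hunt that applies the same idea to a handful of proxy log lines. It is an added example written for this summary, not the FalconForce query from the full article or the code in the GitHub repository: the log format, user names, host names and User Agent strings are all constructed for illustration. The script derives each user’s “real” browser User Agent from the hosts it talks to, then flags destinations contacted with a different User Agent at near-regular intervals.

```python
"""Toy beacon hunt over proxy logs (added example; constructed sample data).

Assumptions: each proxy log line is "timestamp,user,dst_host,user_agent";
a user's genuine browser is the User Agent seen against the most distinct
hosts; a beacon talks to one host repeatedly at a near-fixed interval.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed User Agent strings and log lines; none of this is real traffic.
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/89.0"
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:78.0) Firefox/78.0"
EDGE = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/89.0"
CURL = "curl/7.68.0"

SAMPLE_LOG = "\n".join([
    # alice browses with Chrome ...
    f"2021-03-19T09:00:00,alice,www.example.com,{CHROME}",
    f"2021-03-19T09:00:05,alice,cdn.example.com,{CHROME}",
    f"2021-03-19T09:02:10,alice,news.example.org,{CHROME}",
    f"2021-03-19T09:07:44,alice,mail.example.com,{CHROME}",
    # ... while an implant on her host beacons every ~60 s with a Firefox UA
    f"2021-03-19T09:00:30,alice,c2.example.net,{FIREFOX}",
    f"2021-03-19T09:01:31,alice,c2.example.net,{FIREFOX}",
    f"2021-03-19T09:02:30,alice,c2.example.net,{FIREFOX}",
    f"2021-03-19T09:03:31,alice,c2.example.net,{FIREFOX}",
    f"2021-03-19T09:04:30,alice,c2.example.net,{FIREFOX}",
    # bob browses with Firefox and also runs an ad-hoc curl script: odd UA, but irregular timing
    f"2021-03-19T09:00:00,bob,www.example.com,{FIREFOX}",
    f"2021-03-19T09:01:12,bob,docs.example.org,{FIREFOX}",
    f"2021-03-19T09:05:40,bob,cdn.example.com,{FIREFOX}",
    f"2021-03-19T09:00:00,bob,api.example.org,{CURL}",
    f"2021-03-19T09:00:07,bob,api.example.org,{CURL}",
    f"2021-03-19T09:03:00,bob,api.example.org,{CURL}",
    f"2021-03-19T09:15:00,bob,api.example.org,{CURL}",
    # mallory's implant copies her real Edge UA exactly: invisible to this check
    f"2021-03-19T09:00:02,mallory,www.example.com,{EDGE}",
    f"2021-03-19T09:03:20,mallory,shop.example.org,{EDGE}",
    f"2021-03-19T09:00:10,mallory,c2.example.net,{EDGE}",
    f"2021-03-19T09:01:10,mallory,c2.example.net,{EDGE}",
    f"2021-03-19T09:02:10,mallory,c2.example.net,{EDGE}",
    f"2021-03-19T09:03:10,mallory,c2.example.net,{EDGE}",
])


def parse_log(text):
    """Parse the constructed CSV-style log into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, ua = line.split(",", 3)  # UA is the last field, may contain commas
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host, "ua": ua})
    return records


def dominant_user_agents(records):
    """Per user, the UA seen against the most distinct hosts.

    Counting hosts rather than requests keeps a chatty beacon (many requests,
    one host) from outvoting the browser the user really runs."""
    hosts_by_ua = defaultdict(lambda: defaultdict(set))
    for r in records:
        hosts_by_ua[r["user"]][r["ua"]].add(r["host"])
    return {user: max(uas, key=lambda ua: len(uas[ua])) for user, uas in hosts_by_ua.items()}


def find_beacon_candidates(records, min_requests=4, max_cv=0.2):
    """Flag (user, host, ua) triples whose UA differs from the user's browser
    and whose request gaps are regular (coefficient of variation <= max_cv)."""
    baseline = dominant_user_agents(records)
    times = defaultdict(list)
    for r in records:
        if r["ua"] != baseline[r["user"]]:
            times[(r["user"], r["host"], r["ua"])].append(r["ts"])
    findings = []
    for (user, host, ua), ts in times.items():
        if len(ts) < min_requests:  # too few requests to judge periodicity
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")  # all-zero gaps: not a beacon
        if cv <= max_cv:
            findings.append({"user": user, "host": host, "ua": ua, "requests": len(ts),
                             "mean_interval_s": avg, "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{f['user']} -> {f['host']} every ~{f['mean_interval_s']:.0f}s "
              f"({f['requests']} requests, cv={f['cv']}) with UA: {f['ua']}")
```

Only alice’s Firefox-tagged traffic to c2.example.net is reported: bob’s curl requests use a foreign User Agent but are irregular, and mallory’s implant is never even considered because it reuses her real Edge User Agent, which is exactly the red-team point above. In a real hunt the baseline would come from days of traffic and the periodicity test would need to tolerate deliberate jitter, so treat the thresholds as starting points rather than tuned values.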

Cross-posted from medium.com; read the full article here:

https://medium.com/falconforce/falconfriday-recognizing-beaconing-traffic-0xff0d-f0fab038c22f

Direct link to our GitHub page:

https://github.com/FalconForceTeam/FalconFriday