### Run BeaconHunter Executable Source: https://context7.com/3lp4tr0n/beaconhunter/llms.txt Launch the BeaconHunter executable with administrator privileges to start monitoring for beacon activity. ```powershell # Open PowerShell or CMD as Administrator .\BeaconHunter.exe ``` -------------------------------- ### Monitor File System Activity Source: https://context7.com/3lp4tr0n/beaconhunter/llms.txt Track directory enumeration, file creation, file deletion, and directory changes from suspicious processes. Use 'q' to return to the main menu. ```plaintext > 7 ------------------------------ File History ------------------------------ ------------------------------ [!] FILE Process: notepad (1234) TID: 5432 [*] New File -> C:\Users\victim\Desktop\payload.exe ------------------------------ [!] FILE Process: notepad (1234) TID: 5432 [*] Change directory -> C:\Windows\System32 > q ``` -------------------------------- ### Monitor Shell Commands and PPID Spoofing Source: https://context7.com/3lp4tr0n/beaconhunter/llms.txt Track commands executed by beacon implants and detect parent process ID spoofing attacks. Use 'q' to return to the main menu. ```plaintext > 5 ------------------------------ Beacon Command History ------------------------------ ------------------------------ [!] COMMAND Parent Process: notepad 1234 -> Child Procces: 9876 Spoofable Process: 5678 Thread ID: 5432 Message: whoami.exe Time: 4/28/2021 10:35:22 AM [!] PPID SPOOFING DETECTED ! > q ``` -------------------------------- ### Monitor DNS Queries Source: https://context7.com/3lp4tr0n/beaconhunter/llms.txt Detect DNS beacon activity by monitoring all DNS queries from suspicious threads. Use 'q' to return to the main menu. ```plaintext > 3 ------------------------------ DNS Queries ------------------------------ ------------------------------ [!] DNS Process: notepad (1234) TID: 5432 [*] Query: malicious-c2.example.com [*] Result: 192.168.1.100 > q ``` -------------------------------- ### Configure Automatic Threat Response Source: https://context7.com/3lp4tr0n/beaconhunter/llms.txt Set a network score threshold to automatically suspend threads. Enter '0' to remove the threshold or 'q' to go back. ```text > 2 ------------------------------ SCORE THRESHOLD [*] Enter network score threshold for thread suspension ('0' to remove threshold || 'q' to go back) > 50 [***] SCORE THRESHOLD -> Suspended TID 5432 from notepad (1234) at threshold 50 [*] Enter network score threshold for thread suspension ('0' to remove threshold || 'q' to go back) > 0 [*] Removed threshold for thread suspension. [*] Enter network score threshold for thread suspension ('0' to remove threshold || 'q' to go back) > q [*] Quit. ``` -------------------------------- ### Monitor IP and Port Statistics Source: https://context7.com/3lp4tr0n/beaconhunter/llms.txt Track network connection statistics per suspicious thread, including remote host, port, and callback counts. Use 'q' to return to the main menu. ```plaintext > 2 ------------------------------ IP Stats ------------------------------ ----------------------------------------------------------- | Process | PID | TID | RHOST | RPORT | Count | ----------------------------------------------------------- | notepad | 1234 | 5432 | 192.168.1.100 | 443 | 15 | | svchost | 5678 | 9012 | 10.0.0.50 | 80 | 8 | ----------------------------------------------------------- > q ``` -------------------------------- ### Enable ETW Providers for Monitoring Source: https://context7.com/3lp4tr0n/beaconhunter/llms.txt Enable specific Windows ETW providers for network, process, file, API call, and DNS monitoring. Ensure the correct TraceEventLevel and optional flags are set. ```csharp // Network traffic monitoring (HTTP/HTTPS callbacks) session.EnableProvider("Microsoft-Windows-WinINet", TraceEventLevel.Informational); // Process creation and command execution session.EnableProvider("Microsoft-Windows-Kernel-Process", TraceEventLevel.Informational, 0x00); // File and directory operations session.EnableProvider("Microsoft-Windows-Kernel-File", TraceEventLevel.Informational, 0x00); // Remote process termination detection session.EnableProvider("Microsoft-Windows-Kernel-Audit-API-Calls", TraceEventLevel.Informational, 0x00); // DNS query monitoring session.EnableProvider("Microsoft-Windows-DNS-Client", TraceEventLevel.Informational, 0x00); ``` -------------------------------- ### Ignore Benign Threads Source: https://context7.com/3lp4tr0n/beaconhunter/llms.txt Exclude known benign threads from monitoring by entering their TID. Enter 'q' to go back. ```text > 8 ------------------------------ Ignore TID ------------------------------ [*] Enter TID to ignore from monitoring ('q' to go back) > 1111 [*] Ignoring TID 1111 [*] Enter TID to ignore from monitoring ('q' to go back) > q ``` -------------------------------- ### Beacon Score Calculation Algorithm Source: https://context7.com/3lp4tr0n/beaconhunter/llms.txt Calculate a beacon score based on the time difference (delta) between callbacks. A derivative close to zero indicates regular timing, resulting in a higher score. ```csharp // Calculate time difference between beacon callbacks (delta) delta = currentTime - previousCallbackTime; // Calculate 1st derivative of delta (change in timing) derivative = previousDelta - delta; // Score calculation: closer derivative to zero = higher score // Regular beacons have consistent timing, derivative approaches 0 if (derivative == 0) { score += 3; // Fixed points for perfect regularity } else { score += Math.Abs(100.0 / derivative); // Inverse function } ``` -------------------------------- ### Monitor Beacon Network Score Source: https://context7.com/3lp4tr0n/beaconhunter/llms.txt View the real-time beacon scoring for suspicious processes. The score is calculated based on the time delta between network callbacks and its first derivative. Use 'q' to return to the main menu. ```plaintext ------------------------------ MONITOR [1] Beacon network score [2] IP stats [3] DNS queries [4] Suspicious PID/TID history [5] Beacon shell/command history [6] Process terminate history [7] File system history [8] Ignore TID [9] Main menu > 1 ------------------------------ Network Beacon Score ------------------------------ Process: notepad ({1}) -> Thread 5432 Destination: 192.168.1.100:443 Callback delta: 5000 ms 1st derivative of delta: 12 ms Date/Time: 4/28/2021 10:30:45 AM ----------------------------------------- | Process | PID | TID | Count | SCORE | ----------------------------------------- | notepad | 1234 | 5432 | 15 | 45.2 | | svchost | 5678 | 9012 | 8 | 12.1 | ----------------------------------------- > q ``` -------------------------------- ### Manually Suspend Malicious Thread Source: https://context7.com/3lp4tr0n/beaconhunter/llms.txt Manually suspend a specific thread ID to neutralize a beacon implant. Enter the TID to suspend, or 'q' to quit. The action menu also allows automatic suspension based on a score threshold. ```plaintext ------------------------------ ACTION [1] Manually suspend TID [2] Automatically suspend TID above score threshold [3] View manually suspended TID history [4] View automatically suspended TIDs from score threshold [5] Main menu > 1 ------------------------------ TERMINATE TID [*] Enter TID to suspend ('q' to quit) > 5432 [*] Suspended TID: 5432 [*] Enter TID to suspend ('q' to quit) > q [*] Quit. ``` -------------------------------- ### BeaconHunter Main Menu Navigation Source: https://context7.com/3lp4tr0n/beaconhunter/llms.txt Interact with the main menu to access monitoring, actions, and configuration settings. System and Network Verbose modes are enabled by default, as is Sysmon protection. ```plaintext ------------------------------ MAIN MENU [1] Monitor [2] Action [3] System Verbose (default ON) [4] Network Verbose (default ON) [5] Protect Sysmon (default ON) > 1 ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.