Beacon-fronting - A simple command line program to help defender test their detections for network beacon patterns and domain fronting

Overview

beacon-fronting

A simple command line program to help network defenders test their detections for network beacon patterns and domain fronting

Command-line arguments

Usage of beacon-fronting.exe:
  -backdomain string
        the origin or backend domain (your real server hostname) (default "vs-update-server.azureedge.net")
  -blanksni
        include -blanksni to use a blank string as the TLS SNI field
  -frontdomain string
        the domain you want to front (default "natick.research.microsoft.com")
  -frontsni
        include -frontsni to use the fronted domain as the TLS SNI field
  -jitter int
        percent (0-99) of variation to randomize poll interval (default 10)
  -poll int
        number of seconds between beacons (default 42)
  -request string
        the request including any query string you want to send (default "/?poll=true")
  -showresponse
        include -showresponse if you want the HTTP response from the server to be printed in the output
  -usefronting
        include -usefronting if you want to use domain fronting, omit if not
  -usehttps
        include -usehttps if you want to use TLS/HTTPS, or omit for unencrypted HTTP

Example usage:

Simple 60 second polling, no jitter, no domain fronting, use https

./BeaconFrontTest -backdomain httpstat.us -request /200 -usehttps -poll 60 -jitter 0

30 second polling with 50% jitter, using domain fronting through azureedge CDN

./BeaconFrontTest -backdomain your-cdn-hostname.azureedge.net -frontdomain natick.research.microsoft.com -usefronting -usehttps -poll 30 -jitter 50 -request /test-page.html?using-query-string=for-no-caching

Detection Queries

KQL Query to Detect TLS Domain Fronting for Suricata and Sysmon Events

// TLS Domain Fronting Query
Suricata
| where event_type == "dns" and type == "answer" // Look for DNS answers
| mv-expand answers // Split multiple answers into individual rows
| where answers.rrtype in ("A", "AAAA") // Take just the domain to IPv4 or IPv6 answers
| extend rrtype = tostring(answers.rrtype), rdata = tostring(answers.rdata)
| project TimeGenerated, rrname, rrtype, rdata // Output simple passive DNS records: (date,query,type,answer)
// Now take the passive DNS output and join it to TLS connection events
| join kind=inner (Suricata | where event_type=="tls" | project TLSTimeGenerated=TimeGenerated, dst_ip, tls_sni) on $left.rdata == $right.dst_ip
| where rrname != tls_sni // Only examine the records where DNS name is different from SNI name
| where abs(datetime_diff("second", TimeGenerated, TLSTimeGenerated)) < 10 // Only look at DNS and TLS close to the same time
// Optional - remove any results where the DNS name queried was the CNAME answer for the TLS SNI field
//| join kind=leftanti CNAMEs on $left.tls_sni == $right.rrname and $left.rrname == $right.rdata
// Join the Suricata network event data with Sysmon process data to link processes with network traffic
| join kind=inner (Sysmon | where EventID==3 | project ProcessPath, DestinationIp, DestinationPort) on $left.dst_ip == $right.DestinationIp
//| where ProcessPath !endswith @"AppData\Local\Microsoft\Teams\current\Teams.exe"
| summarize make_set(tls_sni, 50), make_set(dst_ip, 50), make_set(ProcessPath, 50) by rrname

CNAMEs Custom Function

// CNAMEs custom function (save as function in Sentinel)
Suricata
| where event_type == "dns" and type == "answer" // Look for DNS answers
| mv-expand answers // Split multiple answers into individual rows
| where answers.rrtype == "CNAME" // Take just the CNAME answers
| extend rrtype = tostring(answers.rrtype), rdata = tostring(answers.rdata)
| distinct rrname, rrtype, rdata // Output simple passive DNS records: (query,type,answer)

KQL Query to Detect HTTP (Non-Encrypted) Domain Fronting for Suricata (or if you inspect TLS traffic)

// Unencrypted HTTP Domain Fronting Query
Suricata
| where event_type == "dns" and type == "answer"
| mv-expand answers
| where answers.rrtype in ("A", "AAAA")
| extend rrtype = tostring(answers.rrtype), rdata = tostring(answers.rdata)
| project TimeGenerated, rrname, rrtype, rdata
| join kind=inner (Suricata | where event_type=="http" | project HTTPTimeGenerated=TimeGenerated, dst_ip, http_hostname) on $left.rdata == $right.dst_ip
| where rrname != http_hostname
| where abs(datetime_diff("second", TimeGenerated, HTTPTimeGenerated)) < 60
| join kind=inner (Sysmon | where EventID==3 | project ProcessPath, DestinationIp, DestinationPort) on $left.dst_ip == $right.DestinationIp
| summarize make_set(http_hostname,50), make_set(dst_ip,50), make_set(ProcessPath,50) by rrname
Owner
Binary Defense
Binary Defense is a leading information security company that specializes in endpoint detection, response, and protection and a MSSP services.
Binary Defense
A command line tool that builds and (re)starts your web application everytime you save a Go or template fileA command line tool that builds and (re)starts your web application everytime you save a Go or template file

# Fresh Fresh is a command line tool that builds and (re)starts your web application everytime you save a Go or template file. If the web framework yo

null 0 Nov 22, 2021
go-editor is the clean go module that refractors from Kubernetes to help you edit resources in a command-line way.

go-editor The source code of go-editor comes from Kubernetes and refractor as the clean Go module. You can embed go-editor in your command-line tool l

Yong 0 Dec 5, 2021
An open-source GitLab command line tool bringing GitLab's cool features to your command line

GLab is an open source GitLab CLI tool bringing GitLab to your terminal next to where you are already working with git and your code without switching

Clement Sam 2k Jul 27, 2022
A command line tool to prompt for a value to be included in another command line.

readval is a command line tool which is designed for one specific purpose—to prompt for a value to be included in another command line. readval prints

Venky 0 Dec 22, 2021
Rclone ("rsync for cloud storage") is a command line program to sync files and directories to and from different cloud storage providers.

Rclone ("rsync for cloud storage") is a command line program to sync files and directories to and from different cloud storage providers.

rclone 34k Aug 5, 2022
Rclone ("rsync for cloud storage") is a command-line program to sync files and directories to and from different cloud storage providers.

Website | Documentation | Download | Contributing | Changelog | Installation | Forum Rclone Rclone ("rsync for cloud storage") is a command-line progr

null 0 Nov 5, 2021
Command-line program to download videos from YouTube.com and other video sites

youtube-dl - download videos from youtube.com or other video platforms INSTALLATION DESCRIPTION OPTIONS CONFIGURATION OUTPUT TEMPLATE FORMAT SELECTION

youtube-dl 112.1k Aug 7, 2022
A command-line tool and library for generating regular expressions from user-provided test cases

Table of Contents What does this tool do? Do I still need to learn to write regexes then? Current features How to install? 4.1 The command-line tool 4

Peter M. Stahl 5.5k Aug 9, 2022
A command line http test tool. Maintain the case via git and pure text

httptest A command line http test tool Maintain the api test cases via git and pure text We want to test the APIs via http requests and assert the res

wklken 11 Jan 6, 2022
The sntr command-line program gives you convenient access to Sentry directly from your terminal.

sntr: all of Sentry at your fingertips The sntr command-line program gives you convenient access to Sentry directly from your terminal. Disclaimer: th

Rodolfo Carvalho 0 Jan 31, 2022
wy : a set of command-line tools to test your container-based platform

wy wy (Abbreviation of Would You) is a set of command-line tools to test your container-based platform. ToC: Commands Deployment Monitoring Contributi

Yusuke Kuoka 2 Apr 30, 2022
Go test command line interface for dlv(delve)

What does it do? Delver makes the command line interface for starting dlv the same as the one used in go test Example Say you're using this when devel

Johan Håkansson 0 Jan 7, 2022
Go cmd util that prints cmd-line args with their index

echoidx This is an exercise of the book The Go Programming Language, by Alan A.

Santiago Rodriguez 0 Dec 18, 2021
Watcher - A simple command line app to watch files in a directory for changes and run a command when files change!

Watcher - Develop your programs easily Watcher watches all the files present in the directory it is run from of the directory that is specified while

Geet Sethi 1 Mar 27, 2022
A command-line tool that uses a fake AI neural network to tell whether or not Ben is sus

Is ben sus? Let's use an AI neural network, trained by his own tweets to figure out. A command-line tool that uses a fake AI neural network to tell wh

Levi Richardson 2 Jan 7, 2022
Free5GC Network Function (NF) Command Line Interface (CLI)

NFCLI free5GC Network Function (NF) Command Line Interface (CLI) based on Thrift Thrift Installation Steps Donwload Thrift 0.15.0 ./bootstrap.sh ./con

Muthuraman Elangovan 0 Jan 11, 2022
Package command provide simple API to create modern command-line interface

Package command Package command provide simple API to create modern command-line interface, mainly for lightweight usage, inspired by cobra Usage pack

chenen 0 Jan 16, 2022
tfacon is a CLI tool for connecting Test Management Platforms and Test Failure Analysis Classifier.

Test Failure Classifier Connector Description tfacon is a CLI tool for connecting Test Management Platforms and Test Failure Analysis Classifier. Test

Red Hat Quality Engineering 3 Jun 23, 2022
Go-test-app - Test application to verify environment deployment and reachability over HTTP

Test app Test application to verify environment deployment and reachability over

Universal Development 2 May 23, 2022