T1205 – Traffic Signaling (Darktrace Detection)

Darktrace Alert Details
Alert ID: DARKTRACE-TRAFFIC-SIG-1205-7842
Alert Time: 2024-02-19 09:30:22 EST
Severity: HIGH (85/100)
Source: Darktrace Enterprise Immune System
Rule: “Unusual Beaconing Pattern – Potential C2 Signaling”
MITRE ATT&CK: T1205 – Traffic Signaling

Alert Details:

Detection: Anomalous network traffic pattern consistent with C2 signaling

Host: DEV-WS-078 (Development Workstation)
User: alexchen (Alex Chen, Developer)
Time: 09:15-09:30 EST

Traffic Pattern Analysis:

Destination: 185.143.221[.]89:8443 (Bulgaria)
Protocol: HTTPS with custom certificate
Pattern: 12 connections at precise 60-second intervals
Packet sizes: Exactly 512 bytes each (consistent)
Timing: Jitter-free (not human)

Darktrace Anomaly Scoring:

Unusual External Destination: 85/100
Beaconing Behavior: 92/100
Packet Size Consistency: 88/100
Overall Threat Score: 88/100

Additional Context:

Host normally connects to US/EU only
No business need for Bulgaria connection
Connection started at 09:15, continues
Destination IP known for Cobalt Strike C2

Threat Intelligence:

IP 185.143.221[.]89 associated with TA577
Port 8443 is a common alternate HTTPS port; C2 frameworks favour it because it blends with legitimate TLS traffic and is usually allowed by egress filtering
Pattern matches “Malleable C2” profiles
SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify Darktrace anomaly | Darktrace Console | Confirmed beaconing pattern to suspicious IP
2. Process Investigation | Identify process making connections | CrowdStrike Falcon | svchost.exe with injected code (PID: 3421)
3. Memory Analysis | Extract and analyze injected code | CrowdStrike Sandbox | Cobalt Strike beacon with custom sleep pattern
4. Immediate Action | Isolate host | CrowdStrike | Host quarantined
5. C2 Blocking | Block destination IP | Palo Alto Firewall | IP 185.143.221[.]89 blocked
6. Threat Hunting | Check for same beacon pattern | Darktrace, Splunk | No other hosts with same pattern
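As an added example, not Darktrace, CrowdStrike or Splunk logic and not code from the original report, the Python below turns the two signals in the Traffic Pattern Analysis (fixed interval, fixed packet size) into a per-stream score and then runs it across every host, which is the step 6 hunt for the same beacon pattern elsewhere. It goes beyond the alert in one way: the interval score is a coefficient of variation, so a beacon that an operator has given 20 % jitter still scores high instead of being missed by an exact-interval match. All records are constructed: the DEV-WS-078 stream reproduces the alert (12 hits, 60 s apart, 512 bytes), DEV-WS-101 and the benign destination 203.0.113.10 are hypothetical, and the weights and the 0.5 / 0.25 cut-offs are my assumptions, not Darktrace's scoring model.

```python
# Added example (not Darktrace, CrowdStrike or Splunk code): a beacon-pattern hunt over
# per-connection records, generalising the alert's two signals (fixed interval, fixed size)
# into a score that also survives the jitter a configured Cobalt Strike beacon would add.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records, not real telemetry:
# (source_host, dest_ip, dest_port, epoch_seconds, bytes_sent).
T0 = 1708352100  # 2024-02-19 14:15:00 UTC == 09:15 EST, the first beacon in the alert


def _cumulative(start, gaps):
    """Turn a list of gaps into absolute timestamps starting at `start`."""
    times, t = [start], start
    for gap in gaps:
        t += gap
        times.append(t)
    return times


# DEV-WS-078: the alert as described, 12 hits exactly 60 s apart, 512 B each.
_alert = [("DEV-WS-078", "185.143.221.89", 8443, t, 512)
          for t in _cumulative(T0, [60] * 11)]
# DEV-WS-101 (hypothetical): same C2, but roughly 20 % jitter and slightly varying sizes.
_jittered_gaps = [60, 52, 70, 58, 66, 49, 63, 71, 55, 60]
_jittered_sizes = [512, 520, 508, 512, 516, 512, 524, 512, 508, 512, 516]
_jittered = [("DEV-WS-101", "185.143.221.89", 8443, t, s)
             for t, s in zip(_cumulative(T0 + 7, _jittered_gaps), _jittered_sizes)]
# DEV-WS-078 to a benign site (documentation address): bursty, human-driven browsing.
_benign = [("DEV-WS-078", "203.0.113.10", 443, t, s)
           for t, s in zip(_cumulative(T0, [3, 120, 7, 400, 15, 2, 900]),
                           [1400, 320, 9000, 640, 1200, 77, 5400, 2100])]
SAMPLE_CONNECTIONS = _alert + _jittered + _benign


def _cv(values):
    """Coefficient of variation (population std / mean); 0 means perfectly constant."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def beacon_score(times, sizes, min_hits=6):
    """Score one (host, destination) stream; returns None if there are too few connections.

    interval_regularity: 100 when every gap is identical, 0 once gaps vary by 50 % or
        more of their mean (CV >= 0.5). About 20 % jitter still scores in the high 70s.
    size_consistency:    100 when every request is the same size, 0 at CV >= 0.25.
    score:               weighted blend (assumed weights); interval is the stronger signal.
    """
    if len(times) < min_hits:
        return None
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    gap_cv, size_cv = _cv(gaps), _cv(sizes)
    regularity = max(0.0, 1.0 - gap_cv / 0.5) * 100
    consistency = max(0.0, 1.0 - size_cv / 0.25) * 100
    return {
        "hits": len(times),
        "mean_interval_s": round(mean(gaps), 1),
        "jitter_free": gap_cv < 0.02,  # what the alert calls "jitter-free (not human)"
        "interval_regularity": round(regularity, 1),
        "size_consistency": round(consistency, 1),
        "score": round(0.6 * regularity + 0.4 * consistency, 1),
    }


def hunt_beacons(records, threshold=70, min_hits=6):
    """Group records by (host, dest_ip, dest_port) and return streams scoring >= threshold,
    highest first. This is the step 6 check for the same beacon pattern on other hosts."""
    streams = defaultdict(lambda: ([], []))
    for host, ip, port, ts, size in records:
        streams[(host, ip, port)][0].append(ts)
        streams[(host, ip, port)][1].append(size)
    flagged = []
    for key, (times, sizes) in streams.items():
        result = beacon_score(times, sizes, min_hits)
        if result and result["score"] >= threshold:
            flagged.append((key, result))
    return sorted(flagged, key=lambda kv: kv[1]["score"], reverse=True)


if __name__ == "__main__":
    for (host, ip, port), r in hunt_beacons(SAMPLE_CONNECTIONS):
        print(f"{host} -> {ip}:{port}  score={r['score']}  every {r['mean_interval_s']}s "
              f"x{r['hits']}  jitter_free={r['jitter_free']}")
```

Running it flags both streams to 185.143.221.89 (DEV-WS-078 at 100, the jittered DEV-WS-101 in the mid 80s) and ignores the browsing traffic. On real data the records would come from firewall or Zeek conn logs, and `threshold` and `min_hits` need tuning against legitimate pollers (NTP, update checks, monitoring agents), which also beacon regularly; the destination reputation and geolocation context the alert lists is what separates those from C2.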

Jira Incident Report
Ticket: SOC-2024-096
Summary: T1205 – Cobalt Strike Beaconing Detected via Traffic Signaling
Status: RESOLVED
Resolution: MALICIOUS – C2 Communication Blocked
Priority: P2 – MEDIUM
Labels: T1205, traffic-signaling, beaconing, cobalt-strike, darktrace
Components: Network-Security, Endpoint-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Darktrace Enterprise Immune System.
Alert: “Unusual Beaconing Pattern – Potential C2 Signaling”.
Host: DEV-WS-078 (Development Department, user alexchen).
Time: 2024-02-19 09:30 EST.
Technique: MITRE ATT&CK T1205 – Traffic Signaling (as mapped by the Darktrace rule). Note that T1205 proper covers signals such as port knocking or magic packets that trigger hidden functionality; periodic encrypted beaconing to a C2 server is more commonly mapped to T1071.001 (Web Protocols) and T1573 (Encrypted Channel).

2. Technical Analysis:

Attack Chain:

08:45 – User clicked phishing link in email
08:46 – Malware downloaded and executed
08:47 – Malware injected into svchost.exe
09:15 – First C2 beacon after sleep interval
09:15-09:30 – 12 beacons at 60-second intervals
09:30 – Darktrace detects anomalous pattern

Beacon Analysis:

C2 IP: 185.143.221[.]89:8443
Protocol: HTTPS with custom certificate
Beacon Interval: Exactly 60 seconds (no jitter). This matches Cobalt Strike's default sleep of 60 s with 0 % jitter; operators normally add jitter, so a fixed cadence points to a beacon left on defaults and is the easiest case for interval-based detection.
Packet Size: Exactly 512 bytes each
Pattern: Consistent, machine-generated (not human)

Malware Analysis:

Type: Cobalt Strike beacon
Process: Injected into svchost.exe (process injection, T1055, so the beacon runs under a legitimate Windows service host rather than its own binary)
Sleep Pattern: Set in the Malleable C2 profile (sleeptime and jitter options), which also shapes the HTTP transactions
Capabilities: Keylogging, screenshot capture, file exfiltration

User Activity:

User clicked link in email about “code repository access”
Believed it was legitimate
No immediate signs of compromise

3. Investigation Findings:

Timeline:

08:45 – User clicks phishing link
08:46-08:47 – Malware installation
09:15 – Beaconing begins
09:30 – Darktrace alert
09:32 – SOC investigates
09:35 – Host isolated
09:36 – C2 IP blocked

Indicators of Compromise (IoCs):

Network:

– C2 IP: 185.143.221[.]89:8443

– Beacon Pattern: 60-second intervals, 512-byte packets

Process:

– svchost.exe (injected) – PID 3421

File:

– Initial dropper (SHA256: a1b2c3d4…)

4. Containment Actions:

Immediate Actions:

Isolated host via CrowdStrike.
Blocked C2 IP at firewall.
Terminated malicious svchost.exe process.
Scanned for persistence (none found).

Malware Removal:

Removed the in-memory beacon by terminating the injected svchost.exe instance (PID 3421); injected code cannot be excised from a live process, so the process itself was ended.
Deleted initial dropper.
Full scan (clean).

User Remediation:

Password reset.
Phishing training assigned.
Reported email to security team.

5. Root Cause Analysis:

Primary Cause: User clicked phishing link.
Contributing Factors:
No ASR rule blocking Office child processes.
PowerShell allowed to download and execute.
User lacked recent training.

6. Business Impact:

Operational Impact: Developer workstation offline for 2 hours.
Data Exposure: None observed (C2 contained before any tasking or data exfiltration; only the 12 fixed-size check-ins were seen, though a beacon's initial check-in itself reports host metadata such as hostname, user and process to the operator).

7. Remediation & Prevention:

Completed Actions:

Malware removed.
User educated.
C2 blocked.

Technical Controls Enhanced:

Enabled ASR rule blocking script execution.
Enhanced Darktrace monitoring for beacon patterns.
Deployed additional EDR detection for process injection.

8. Conclusion:

A developer clicked a phishing link, leading to Cobalt Strike infection. The malware established C2 beaconing with precise 60-second intervals. Darktrace detected the anomalous traffic pattern, enabling rapid containment before data exfiltration.

Closure Rationale: Malware removed; C2 blocked; user educated.

Analyst: [Walter White], SOC Analyst Date: 2024-02-19 10:30 EST
