Sandcat Beacon Does Not Actually Beacon

[Pascal-0x90]

Describe the bug Okay yes, the Sandcat agent does beacon however, due to the way Golang HTTP client works, it will not close a session till running something like resp.body.close().

If you look at this function GetPayloadBytes https://github.com/mitre/sandcat/blob/de3405f41ce1ff991eda059b53d0b8060b12845e/gocat/contact/api.go#L48 It uses defer resp.Body.Close() to close out the response from the request made by the HTTP.client. This will close out that session. If you look at https://github.com/mitre/sandcat/blob/de3405f41ce1ff991eda059b53d0b8060b12845e/gocat/agent/agent.go#L206 the response is never closed. Checking the implementation of GetBeaconBytes shows us the implementation does not close the response either.

TL;DR - A Sandcat payload that only beacons will show up as large sessions in a PCAP file due to the lack of closing out the session on each callback. A Sandcat payload that needs to read bytes from a command executed will have broken up sessions due to the GetPayloadBytes implementation having proper closing of sessions.

Funnily enough, this actually causes beacon detection tools such as RITA to completely miss the beaconing however, if one was to identify anomalous connections based on session length or connection time, this beacon would be easy to notice.

To Reproduce Steps to reproduce the behavior:

1. Use Sandcat beacon in caldera
2. Infect Linux host
3. Monitor traffic with Wireshark

Expected behavior I expect the PCAP to be multiple sessions per callback.

Desktop (please complete the following information):

• Target OS: Linux
• Attacker OS: Linux
• Version: Latest

Additional context I am attempting to do beacon analysis and making use of caldera to help with doing some preliminary analysis. The Sandcat beacon was the only one I noticed this issue with.