Describe the bug
Okay yes, the Sandcat agent does beacon however, due to the way Golang HTTP client works, it will not close a session till running something like resp.body.close().
TL;DR - A Sandcat payload that only beacons will show up as large sessions in a PCAP file due to the lack of closing out the session on each callback. A Sandcat payload that needs to read bytes from a command executed will have broken up sessions due to the GetPayloadBytes implementation having proper closing of sessions.
Funnily enough, this actually causes beacon detection tools such as RITA to completely miss the beaconing however, if one was to identify anomalous connections based on session length or connection time, this beacon would be easy to notice.
To Reproduce
Steps to reproduce the behavior:
Use Sandcat beacon in caldera
Infect Linux host
Monitor traffic with Wireshark
Expected behavior
I expect the PCAP to be multiple sessions per callback.
Desktop (please complete the following information):
Target OS: Linux
Attacker OS: Linux
Version: Latest
Additional context
I am attempting to do beacon analysis and making use of caldera to help with doing some preliminary analysis. The Sandcat beacon was the only one I noticed this issue with.
Describe the bug Okay yes, the Sandcat agent does beacon however, due to the way Golang HTTP client works, it will not close a session till running something like
resp.body.close()
.If you look at this function
GetPayloadBytes
https://github.com/mitre/sandcat/blob/de3405f41ce1ff991eda059b53d0b8060b12845e/gocat/contact/api.go#L48 It usesdefer resp.Body.Close()
to close out the response from the request made by the HTTP.client. This will close out that session. If you look at https://github.com/mitre/sandcat/blob/de3405f41ce1ff991eda059b53d0b8060b12845e/gocat/agent/agent.go#L206 the response is never closed. Checking the implementation ofGetBeaconBytes
shows us the implementation does not close the response either.TL;DR - A Sandcat payload that only beacons will show up as large sessions in a PCAP file due to the lack of closing out the session on each callback. A Sandcat payload that needs to read bytes from a command executed will have broken up sessions due to the
GetPayloadBytes
implementation having proper closing of sessions.Funnily enough, this actually causes beacon detection tools such as RITA to completely miss the beaconing however, if one was to identify anomalous connections based on session length or connection time, this beacon would be easy to notice.
To Reproduce Steps to reproduce the behavior:
Expected behavior I expect the PCAP to be multiple sessions per callback.
Desktop (please complete the following information):
Additional context I am attempting to do beacon analysis and making use of caldera to help with doing some preliminary analysis. The Sandcat beacon was the only one I noticed this issue with.