US 12,107,826 B2
Cobalt Strike Beacon HTTP C2 heuristic detection
Yanhui Jia, San Jose, CA (US); Christian Elihu Navarrete Discua, San Jose, CA (US); Durgesh Madhavrao Sangvikar, Sunnyvale, CA (US); Ajaya Neupane, San Jose, CA (US); Yu Fu, Campbell, CA (US); and Shengming Xu, San Jose, CA (US)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Aug. 7, 2023, as Appl. No. 18/231,139.
Application 18/231,139 is a continuation of application No. 17/877,813, filed on Jul. 29, 2022, granted, now 11,770,361.
Prior Publication US 2024/0039889 A1, Feb. 1, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 9/00 (2018.01); G06F 15/16 (2006.01); G06F 17/00 (2019.01); H04L 9/40 (2022.01)
CPC H04L 63/0218 (2013.01) 20 Claims
1. A system, comprising:
a processor configured to:
monitor HyperText Transfer Protocol (HTTP) network traffic at a firewall;
prefilter the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service, wherein prefiltering the monitored HTTP network traffic at the firewall to select the subset of the HTTP network traffic to forward to the cloud security service includes performing a heuristic analysis of the HTTP network traffic to select the subset of HTTP traffic to forward to the cloud security service for further analysis to detect potential Cobalt Strike Beacon HTTP C2 traffic, wherein the heuristic analysis of the HTTP network traffic includes determining the following at the firewall to select the subset of HTTP traffic to forward to the cloud security service for further analysis to detect potential Cobalt Strike Beacon HTTP C2 traffic:
(1) whether the network traffic includes a predetermined header value or a predetermined URI length check that matches a range of 171 bytes to 256 bytes; and
(2) whether the network traffic includes a header value or a URI length field with encoding that matches predetermined types of encodings comprising one or more of the following types of encodings: base64, base64url, netbios, netbiosu, or mask;
determine whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics performed at the cloud security service, wherein the cloud security service automatically determines whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics that includes performing data statistics checks for performing a behavior-based detection of Cobalt Strike Beacon HTTP C2 traffic activity that includes checking the timestamps of at least a first twelve sessions to determine whether they follow a Gaussian (normal) distribution; and
perform an action at the firewall in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity; and
a memory coupled to the processor and configured to provide the processor with instructions.
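The two stages of claim 1, the firewall-side prefilter (prongs (1) and (2): a URI or header value of 171 to 256 bytes that looks like base64, base64url, netbios, netbiosu or mask) and the cloud-side timing statistic over at least twelve sessions, as an added Python example. This is not the patent's or Palo Alto Networks' code. The byte range, the five transform names, the twelve-session minimum and the Gaussian framing are taken from the claim; everything else is assumed for illustration: the wire alphabet of each transform (nibble-plus-'a' for netbios, nibble-plus-'A' for netbiosu, a four-byte XOR key prefix for mask, which Malleable C2 profiles normally chain under base64 or base64url), the Jarque-Bera statistic as the normality test, and all sample requests and timestamps, which are constructed rather than captured.

```python
"""Claim-1-shaped heuristics: firewall prefilter plus cloud-side timing check.
Added example, not code from the patent or from Palo Alto Networks. From the
claim: the 171-256 byte range, the five encoding names, the 12-session minimum
and the Gaussian test. Assumed: each transform's wire alphabet, a 4-byte XOR
key prefix for "mask", Jarque-Bera as the normality test, and all samples."""
import base64
import re
from typing import Dict, List, Optional, Tuple

URI_LEN_MIN, URI_LEN_MAX = 171, 256   # byte range named in claim 1
MIN_SESSIONS = 12                     # session minimum named in claim 1


def netbios_encode(data: bytes, base: str = "a") -> str:
    """Assumed NetBIOS-style transform: high nibble then low nibble, each added
    to 'a' (netbios) or 'A' (netbiosu), yielding an [a-p] or [A-P] string."""
    return "".join(chr(ord(base) + (b >> 4)) + chr(ord(base) + (b & 0xF)) for b in data)


def looks_masked(raw: bytes, min_printable: float = 0.9) -> bool:
    """Assumed 'mask' layout: 4-byte key followed by key-XORed data. Unmask with
    the leading key and accept if mostly printable ASCII falls out."""
    if len(raw) < 12:
        return False
    key, body = raw[:4], raw[4:]
    plain = bytes(b ^ key[i % 4] for i, b in enumerate(body))
    return sum(0x20 <= b <= 0x7E for b in plain) / len(body) >= min_printable


def detect_encoding(value: str) -> Optional[str]:
    """Name the transform a URI segment or header value looks like, or None.
    A value using neither '+/' nor '-_' is ambiguous and reported as base64."""
    if re.fullmatch(r"(?:[a-p]{2})+", value):
        return "netbios"
    if re.fullmatch(r"(?:[A-P]{2})+", value):
        return "netbiosu"
    if not re.fullmatch(r"[A-Za-z0-9+/_-]+={0,2}", value):
        return None
    urlsafe = bool(re.search(r"[_-]", value))
    if urlsafe and re.search(r"[+/]", value):
        return None                       # mixed alphabets: neither variant
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded) if urlsafe else base64.b64decode(padded)
    except ValueError:
        return None
    if looks_masked(raw):
        return "mask"                     # mask chained under base64/base64url
    return "base64url" if urlsafe else "base64"


def prefilter(uri: str, headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Firewall-side prongs (1) and (2): return (field, encoding) pairs whose
    length is in [171, 256] bytes AND that match a recognised encoding.
    An empty list means the session is not forwarded to the cloud service."""
    candidates = [("uri", uri.strip("/"))]
    for name, value in headers.items():
        candidates.append((name, value))
        if "=" in value:                  # e.g. Cookie: SESSIONID=<blob>
            candidates.append((name, value.partition("=")[2]))
    hits = []
    for field, blob in candidates:
        if URI_LEN_MIN <= len(blob.encode()) <= URI_LEN_MAX:
            enc = detect_encoding(blob)
            if enc:
                hits.append((field, enc))
    return hits


def beacon_timing_is_gaussian(timestamps: List[float]) -> Tuple[bool, Optional[float]]:
    """Cloud-side data-statistics check: with at least MIN_SESSIONS timestamps,
    test whether inter-arrival intervals are consistent with a Gaussian via the
    Jarque-Bera statistic (skewness and excess kurtosis near zero).
    Returns (decision, statistic); statistic is None when undecidable."""
    if len(timestamps) < MIN_SESSIONS:
        return False, None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    n, mean = len(gaps), sum(ts[1:]) and sum(gaps) / len(gaps)
    var = sum((g - mean) ** 2 for g in gaps) / n
    if var == 0:                          # fixed sleep, zero jitter: nothing to fit
        return False, None
    sd = var ** 0.5
    skew = sum(((g - mean) / sd) ** 3 for g in gaps) / n
    kurt = sum(((g - mean) / sd) ** 4 for g in gaps) / n - 3.0
    jb = n / 6.0 * (skew ** 2 + kurt ** 2 / 4.0)
    return jb < 5.99, jb                  # chi-square(2) critical value, p = 0.05


# Constructed samples, not captured traffic.
_KEY = b"\x1f\x2e\x3d\x4c"
_PLAIN = (b"hostname=WIN-1;pid=4711;" * 7)[:146]        # 4 + 146 bytes -> 200 b64 chars
MASKED_BLOB = base64.urlsafe_b64encode(
    _KEY + bytes(p ^ _KEY[i % 4] for i, p in enumerate(_PLAIN))).decode()
NETBIOS_BLOB = netbios_encode(b"x" * 100)               # 200 chars of [a-p]
BEACON_TIMES = [0, 57, 115, 174, 234, 294, 354, 414, 474, 534, 595, 657, 720]
BURSTY_TIMES = list(range(12)) + [111]

if __name__ == "__main__":
    print(prefilter("/", {"Cookie": "SESSIONID=" + MASKED_BLOB}))      # [('Cookie', 'mask')]
    print(prefilter("/" + NETBIOS_BLOB, {}))                           # [('uri', 'netbios')]
    print(prefilter("/index.html", {"User-Agent": "Mozilla/5.0 " * 18}))   # []
    print(beacon_timing_is_gaussian(BEACON_TIMES), beacon_timing_is_gaussian(BURSTY_TIMES))
```

Both prongs have to hold before anything is forwarded: the 216-byte User-Agent in the third call is inside the length window but matches no transform, so it stays at the firewall. The timing check deliberately refuses to decide on fewer than twelve sessions and on a zero-variance series (a fixed sleep with no jitter); a practitioner would treat the latter as its own periodicity signal rather than silently passing it.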