Detecting beaconing malware

zerojin63 · February 8, 2022, 8:24am

Hello,
I saw this post (link) and wanted to try on my network log,
so i followed the github manual (link), uploaded all the required scripts and changed only the transform script, just to apply it to my already existing index, like below.

PUT _transform/ml_beaconing_pivot_transform
{
  "dest": {
    "index": "my_dst_index",
    "pipeline": "ml_beaconing_ingest_pipeline"
  },
  "frequency": "1h",
  "pivot": {
    "aggregations": {
      "@timestamp": {
        "max": {
          "field": "@timestamp"
        }
      },
      "beacon_stats": {
        "scripted_metric": {
          "combine_script": "return state",
          "init_script": {
            "id": "ml_beaconing_init_script"
          },
          "map_script": {
            "id": "ml_beaconing_map_script"
          },
          "params": {
            "destination_bytes": "dst_bytes",
            "destination_ip": "destination.ip",
            "max_beaconing_bytes_cov": 0.05,
            "max_beaconing_count_rv": 0.1,
            "max_jitter": 0,
            "min_beaconing_count_autocovariance": 0.7,
            "min_not_empty": 0.5,
            "min_number_periods": 6,
            "number_buckets_in_range": 360,
            "number_destination_ips": 10,
            "source_bytes": "src_bytes",
            "time_bucket_length": 60,
            "time_field": "@timestamp",
            "truncate_at": [
              0.1,
              0.8
            ]
          },
          "reduce_script": {
            "id": "ml_beaconing_reduce_script"
          }
        }
      }
    },
    "group_by": {
      "host.name": {
        "terms": {
          "field": "host.hostname"
        }
      }
    }
  },
  "source": {
    "index": [
      "my_src_index"
    ]
  },
  "sync": {
    "time": {
      "delay": "120s",
      "field": "@timestamp"
    }
  }
}

i changed 'group_by', 'destination_bytes', 'source_bytes' value to match my index format.
But it didn't work out, instead caused error like below

{
  "error" : {
    "root_cause" : [
      {
        "type" : "parse_exception",
        "reason" : "request body is required"
      }
    ],
    "type" : "parse_exception",
    "reason" : "request body is required"
  },
  "status" : 400
}

I'd like to know what's the problem and if there's any way to apply this beaconing detection script to my already existing index.

Thanks in advance

Hendrik_Muhs · February 8, 2022, 1:48pm

This looks like a usage or browser problem of dev console. Elasticsearch does not retrieve the body of the request according to the error message. Can you check that there is no white-space between PUT _transform/ml_beaconing_pivot_transform and the opening curly bracket? Do you have a "shadow" over the full request when you click into it?

Another option might be a different browser and if that doesn't help a different way to send the request (curl, python, ...).

Other commands in dev console work ok for you?

zerojin63 · February 9, 2022, 8:33am

Thanks for reply.
I've checked that there is no white-space and also checked the shadow over my full request.
Also other commands work fine in dev console.
Is there any other option/solution that i can try?

Hendrik_Muhs · February 10, 2022, 8:29am

We have tried to reproduce the problem but were not able to. Your pasted command works for us.

The error message indicates a problem when sending the request. The Elasticsearch side does not receive a body. This happens before it even reaches transform.

For further investigation some suggestions/questions:

what's you version of Elasticsearch and kibana?
can you try to create other transforms as documented e.g. here and here. You only need to install some kibana sample data sets for this. Are these transforms or transform previews fail, too? Does it fail in the UI, too?
Expert: If you are a Linux or Mac user: you could try to send the request using curl. The dev console lets you copy the command for it by clicking on the wrench icon and copying the command. This command has to be executed in a console.
Expert: if you are familiar with inner workings of your browser you could open a network view. In Chrome and Firefox you can open these developer tools using the shortcut: CTRL-SHIFT-I. It allows you to see what gets send. We are interested if the requests kibana sends is complete, the POST calls should have a body.

zerojin63 · February 11, 2022, 5:03am

Thanks for suggestions.
I've tried most of them and here's the result.

I'm using v 7.16.3
I've tried creating other transforms and they worked just fine.
I checked the developer tool in my browser right after i made the request and found this error log. But I'm still not sure why such error occurs & how to solve this error. How can i enable inline execution?

Hendrik_Muhs · February 14, 2022, 9:41am

The error happens on the start of kibana. According to the developers it is benign. I am getting the same error, so it does not seem related to the transform problem.

If you want to further investigate using developer tools, it would be nice to have it open before you send the request. After you executed a request you can check in the network tab what has been send. A comparison between the one that works and the one that does not would be helpful.

I am sorry that this is all a bit vague, a support case - if you eligible for support - might work better.

zerojin63 · February 15, 2022, 1:55am

I used "HTTP Toolkit" to investigate request packet, and checked that the POST packet have a body.

I also compared between the one that works and the one that does not, and I couldn't find any difference between POST calls.

However, I re-adjusted the transform script, by adding some query, and it worked.

Below is the edited version, which worked.

PUT _transform/ml_beaconing_pivot_transform
{
    "dest": {
        "index": "my_dst_index",
        "pipeline": "ml_beaconing_ingest_pipeline"
    },
    "frequency": "1h",
    "pivot": {
        "aggregations": {
            "@timestamp": {
                "max": {
                    "field": "@timestamp"
                }
            },
            "beacon_stats": {
                "scripted_metric": {
                    "combine_script": "return state",
                    "init_script": {
                        "id": "ml_beaconing_init_script"
                    },
                    "map_script": {
                        "id": "ml_beaconing_map_script"
                    },
                    "params": {
                        "destination_bytes": "destination.bytes",
                        "destination_ip": "destination.ip",
                        "max_beaconing_bytes_cov": 0.05,
                        "max_beaconing_count_rv": 0.1,
                        "max_jitter": 0.0,
                        "min_beaconing_count_autocovariance": 0.7,
                        "min_not_empty": 0.5,
                        "min_number_periods": 6,
                        "number_buckets_in_range": 360,
                        "number_destination_ips": 10,
                        "source_bytes": "source.bytes",
                        "time_bucket_length": 60,
                        "time_field": "@timestamp",
                        "truncate_at": [
                            0.1,
                            0.8
                        ]
                    },
                    "reduce_script": {
                        "id": "ml_beaconing_reduce_script"
                    }
                }
            }
        },
        "group_by": {
            "host.name": {
                "terms": {
                    "field": "host.name"
                }
            }
        }
    },
    "source": {
        "index": [
            "my_src_index"
        ]
        ,
        "query": {
             "bool": {
                "filter": [
                    {
                        "range": {
                            "@timestamp": {
                                "gte": "now-6h"
                            }
                        }
                    },
                    {
                        "term": {
                            "event.category": "network"
                        }
                    }
                ],
                "minimum_should_match": 1,
                "should": [
                    {
                        "bool": {
                            "filter": [
                                {
                                    "terms": {
                                        "src_ip": [
                                            "10.0.0.0/8",
                                            "172.16.0.0/12",
                                            "192.168.0.0/16"
                                        ]
                                    }
                                }
                            ],
                            "must_not": [
                                {
                                    "terms": {
                                        "dst_ip": [
                                            "10.0.0.0/8",
                                            "169.254.0.0/16",
                                            "172.16.0.0/12",
                                            "127.0.0.0/8",
                                            "192.0.0.0/24",
                                            "192.0.0.0/29",
                                            "192.0.0.8/32",
                                            "192.0.0.9/32",
                                            "192.0.0.10/32",
                                            "192.0.0.170/32",
                                            "192.0.0.171/32",
                                            "192.0.2.0/24",
                                            "192.31.196.0/24",
                                            "192.52.193.0/24",
                                            "192.168.0.0/16",
                                            "192.88.99.0/24",
                                            "224.0.0.0/4",
                                            "100.64.0.0/10",
                                            "192.175.48.0/24",
                                            "198.18.0.0/15",
                                            "198.51.100.0/24",
                                            "203.0.113.0/24",
                                            "240.0.0.0/4",
                                            "::1",
                                            "FE80::/10",
                                            "FF00::/8"
                                        ]
                                    }
                                }
                            ]
                        }
                    },
                    {
                        "bool": {
                            "must_not": [
                                {
                                    "terms": {
                                        "dst_ip": [
                                            "10.0.0.0/8",
                                            "169.254.0.0/16",
                                            "172.16.0.0/12",
                                            "127.0.0.0/8",
                                            "192.0.0.0/24",
                                            "192.0.0.0/29",
                                            "192.0.0.8/32",
                                            "192.0.0.9/32",
                                            "192.0.0.10/32",
                                            "192.0.0.170/32",
                                            "192.0.0.171/32",
                                            "192.0.2.0/24",
                                            "192.31.196.0/24",
                                            "192.52.193.0/24",
                                            "192.168.0.0/16",
                                            "192.88.99.0/24",
                                            "224.0.0.0/4",
                                            "100.64.0.0/10",
                                            "192.175.48.0/24",
                                            "198.18.0.0/15",
                                            "198.51.100.0/24",
                                            "203.0.113.0/24",
                                            "240.0.0.0/4",
                                            "::1",
                                            "FE80::/10",
                                            "FF00::/8",
                                            "13.64.0.0/11",
                                            "13.104.0.0/14",
                                            "13.96.0.0/13",
                                            "18.209.113.128/26",
                                            "20.33.0.0/16",
                                            "20.34.0.0/15",
                                            "20.36.0.0/14",
                                            "20.40.0.0/13",
                                            "20.48.0.0/12",
                                            "20.64.0.0/10",
                                            "20.128.0.0/16",
                                            "20.36.0.0/14",
                                            "20.34.0.0/15",
                                            "20.40.0.0/13",
                                            "20.128.0.0/16",
                                            "20.48.0.0/12",
                                            "20.33.0.0/16",
                                            "20.180.0.0/14",
                                            "20.184.0.0/13",
                                            "23.64.0.0/14",
                                            "23.32.0.0/11",
                                            "40.74.0.0/15",
                                            "40.76.0.0/14",
                                            "40.80.0.0/12",
                                            "40.96.0.0/12",
                                            "40.112.0.0/13",
                                            "40.120.0.0/14",
                                            "40.124.0.0/16",
                                            "40.126.0.0/18",
                                            "40.125.0.0/17",
                                            "52.132.0.0/14",
                                            "52.136.0.0/13",
                                            "52.148.0.0/14",
                                            "52.145.0.0/16",
                                            "52.146.0.0/15",
                                            "52.160.0.0/11",
                                            "52.152.0.0/13",
                                            "52.224.0.0/11"
                                        ]
                                    }
                                }
                            ]
                        }
                    }
                ]
            }
        }
    },
    "sync": {
        "time": {
            "delay": "120s",
            "field": "@timestamp"
        }
    }
}

I still cannot understand exactly why such error occured in the first place, but thank you very much for your help

FYI, I found out that "timestamp" filtering script is the main cause occuring "no response body" error.

Hendrik_Muhs · February 15, 2022, 9:35pm

Thanks for the info!

I will look into it later this week. It puzzles me.

system · March 15, 2022, 9:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.