Detecting Malware Beacons With Zeek and RITA

Hello and welcome, my name is John Strand and in this video, we’re going to be talking a little bit about beaconing using RITA. Now, for this particular video, I’m not using the security onion, instead we’re going to be using ADHD. If you want to find ADHD, go to the website. Go to our projects, you’ll see RITA and Passer and a bunch of tools there, and one of the tools is the Active Defense Harbinger Distribution and that’s what I’m going to be using today.

Now, the reason why are we using ADHD is a couple of reasons. One, we have step by step instructions on how to use ADHD for this particular video and we have a pcap that’s already been imported so we could talk about beaconing so you can actually follow along.

Once you’re inside of ADHD, the first thing that you’re going to be doing is jumping into attribution. Go all the way down to RITA. Now RITA stands for Real Intelligence Threat Analytics. If you’re looking at what RITA is compared to AI Hunter, our commercial tool, RITA is basically all of the logic, all of the math, all of the horsepower, all for free. Active Countermeasure’s AI Hunter, or Actual Intelligence Hunter, is actually the GUI platform, notifications, all of the stuff you’d expect to see in an enterprise environment.

Now within Rita, we’re going to follow these basic instructions and in fact, I already have run this. To actually get RITA to work, you just cd into home/ADHD/tools and go into the enterprise lab. Then normally what you would do with a bro logs setup, is you would go into bro and you would then load in that data, let bro parse it, and then you would use RITA. You would do RITA import and you would give it the path to the bro logs and then a destination database and then it will parse everything. Then you do RITA analyze and then it does its analytics and it’s ready to go.

You don’t have to do that inside of ADHD it’s already been done for you.

Also, in this particular video, I’ve already got the Mongo database started and I have the HTML report generated. So I’m going to show you what that looks like. This is the HTML output. It has a number of different output features, it can do text, it can do JSON connect directly into Mongo. I’m looking at the HTML because it lends itself better to videos, like this one.

So, if we jump into VSagent, this is actually a packet capture for a specific time frame that has been imported by bro. Then RITA has analyzed it and we have a number of things we’re going to look at. I’ll talk about these in separate videos.

The first one I’m going to talk about is beacons. We’ll talk a little bit about what it means to be a beacon for these things.

Here, you can see that we have a source IP address of and a destination IP address of You can also see that there was 4,532 connections.

Now, about those connections, what exactly does it mean to be a beacon?

Whenever you’re looking at it from a mathematics perspective, you can use a number of algorithms such as K-means Clustering, to basically do some basic analysis as far as what is consistent about these connections. We actually don’t use K-means Clustering. K-means is something that’s available in Splunk, it’s a fantastic utility, but it’s all about finding the right algorithms for the right problem.

In this scenario, RITA uses MADMOM, median average distribution of the mean.

What exactly does that mean?

Whenever you’re looking for a beacon, let’s get some philosophy here for a second. Here we have a chair. How do you know that that’s a chair? Now this goes back to the earlier days of philosophy when you’re talking about Plato, and I know this sounds weird, trust me, it’s technical, stick with me. Plato basically said that everything that we have in the world is basically an imitation or a shadow of a true form. So somewhere in the universe was a perfect chair and every other chair was just a variation on that chair.

Well, it turns out in computer science, whenever you’re doing things like K-means Clustering, using artificial intelligence, and machine learning, you’re doing something very similar. What you’re doing is saying these are the characteristics of a perfect chair. Or, in this situation, a perfect beacon.

If we were going to say what a perfect beacon was, what are all the things we would say to make it perfect? Well, interval.

Interval is like a heartbeat. Some heart beats are slow and some heart beats are much faster. If there’s a consistency in these different connections, then you have a consistent heartbeat. That may be one aspect of a beacon.

Another thing you can look at can be data size. If all the packets are the exact same size as what’s being sent and what’s being received, that can be a sign of that beaconing activity of saying, “Is there a command? No. Is there a command? No. Is there a command? No. Is there a command? No.” And we can look for those consistencies in those packets.

We can even look for inconsistencies to find consistencies.

Let me explain.

Whenever you’re looking for inconsistencies to find consistencies, you may have jitter or dispersion in your packet connections.

So what that would mean, is let’s imagine that we have a 10-second interval with 20% jitter on either side. That means that all of your packets would be between a range of 8 seconds and 12 seconds, 2 seconds on either side of 10 seconds, and you would see a distribution where that would be 50% from 10 to 12, and 50% from 8 to 10. We can actually look for that as well. RITA does all of this and it does it fairly quickly and it does it for free across every single connection in a packet capture.

That’s RITA, when we’re talking about beacons. So ideally what you would do is you would sort this, you can export it to an Excel spreadsheet if you’d like, and you look at the score. Now there are a bunch of different systems that have high scores in here but a couple of things that are interesting.

First, you’re going to see a lot of Google and Microsoft data within these connections. This particular system is a DigitalOcean IP address. Basic research can tell us one of these is not like the other.

The other thing is the shear number of connections. A lot of these other ones you have a small number of connections going to known good IP addresses. In our evil backdoor we have a high number of connections that is running at a very consistent interval.

Now does this mean that every single thing that beacons at a high interval connection is evil? No, but it does mean that you want to look into it. It means it’s not human behavior and yes RITA does have the capability of actually importing a whitelist and then filtering those things out.

Once again, that’s why we do AI Hunter.

So that is our little video talking about beaconing. I hope you enjoyed it and I hope you get a chance to play with RITA in the Active Defense Harbinger Distribution.

Now once again, once you get into the Active Defense Harbinger Distribution, the user ID and password is ADHD and ADHD, you’ll go to attribution, you will drop down and you’re going to see RITA. Once you open up and follow the instructions, you open up a packet capture then select beacons and below the beacon data for that packet capture.

Want to level up your skills and learn more straight from John himself?
You can check out his classes below!

SOC Core Skills

Active Defense & Cyber Deception

Getting Started in Security with BHIS and MITRE ATT&CK

Introduction to Pentesting

Available live/virtual and on-demand