Hunting Beacon Activity with Fourier Transforms


Defending your enterprise in 2021 means defending against adversary tools, such as Cobalt Strike Beacon, that establish periodic callbacks to the adversary's infrastructure. But as any threat hunter can tell you, finding unknown beaconing activity is not an easy task. An interesting approach to this problem is to think like an electrical engineer and use a Fourier Transform to identify periodic signals in your network. By switching the analysis to the frequency domain, periodic activity becomes the signal that you're looking for in all the noise. This talk will show a working implementation of a Fourier analysis that can be used to find periodic beaconing activity.

Joe Petroske, Cyber Threat Hunter, Target

View upcoming Summits: http://www.sans.org/u/DuS
Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE
#ThreatHuntingSummit
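
The idea in the abstract, as an added Python sketch (not the implementation shown in the talk): bin one source-to-destination flow's connection timestamps, take a discrete Fourier transform, and compare the strongest spectral peak with the median power. The function names, the two flows, the 4-hour window, the 10-second bins and the threshold of 30 are all constructed assumptions.

```python
import cmath
import random
import statistics
from collections import Counter

WINDOW_S, BIN_S, THRESHOLD = 14400, 10, 30.0  # assumed values, not from the talk

def beacon_score(timestamps, window=WINDOW_S, bin_s=BIN_S):
    """Return (dominant period in seconds, peak/median spectral power)."""
    n = window // bin_s
    counts = Counter(int(t // bin_s) for t in timestamps if 0 <= t < window)
    if sum(counts.values()) < 10:
        return None, 0.0  # too few connections to analyse
    twiddle = [cmath.exp(-2j * cmath.pi * m / n) for m in range(n)]
    # DFT power for k = 1 .. n/2. Skipping k = 0 drops the mean, so empty
    # bins contribute nothing and only occupied bins need to be summed.
    power = [abs(sum(c * twiddle[(k * b) % n] for b, c in counts.items())) ** 2
             for k in range(1, n // 2 + 1)]
    peak = max(power)
    # A train of regular callbacks also puts energy on harmonics; report the
    # lowest frequency within half of the peak power as the fundamental.
    k = next(i for i, p in enumerate(power, start=1) if p >= 0.5 * peak)
    return window / k, peak / statistics.median(power)

def constructed_flows(seed=7):
    """Constructed sample data: connection times (seconds) for two flows."""
    rng = random.Random(seed)
    def noise(count):
        return [rng.uniform(0, WINDOW_S) for _ in range(count)]
    # 60 s callback with +/-3 s jitter, hidden among 100 unrelated connections
    beacon = [60 * i + 30 + rng.uniform(-3, 3) for i in range(240)]
    return {"beacon+noise": beacon + noise(100), "noise only": noise(340)}

if __name__ == "__main__":
    for name, times in constructed_flows().items():
        period, score = beacon_score(times)
        verdict = "periodic" if score > THRESHOLD else "no clear period"
        print(f"{name:13s} period={period:8.1f}s score={score:7.1f} {verdict}")
```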
