2

If a phishing email came through with a link to a website hosting BeEF (or another such framework), what would be the Indicators of Compromise for such an attack?

Additionally, if systems were compromised, what would be the best strategy to mitigate it?

pzirkind
  • 707
  • 6
  • 12
  • 1
    Repeat of this question -- https://security.stackexchange.com/q/122231/140 -- which gives Yara IOC rules as well as Snort IDS signatures for BeEF – atdre Mar 23 '17 at 21:16

1 Answer

2

I'd first like to make sure you fully understand what BeEF is and what it's used for. BeEF is a tool for performing exploitation in man-in-the-browser scenarios. The gist of it is that a user's browser executes the BeEF hook script (either via XSS, or in your scenario, a phishing site), the script then calls out to the BeEF server, and the server is then able to push arbitrary JavaScript commands down to the browser. The end result is that the attacker controls the user's browser window, and can do almost anything the user can do. BeEF is not so much a specific attack as much as a vehicle for performing other attacks.

IoCs would depend on what the attacker did with it. Minimally you would likely find some JavaScript artifacts, and maybe some packet captures would find calls to the BeEF server. If the attackers used BeEF to install malware, there would be IoCs for that particular malware.

Mitigating an active BeEF session is easy. Just close the browser. If the attacker has used BeEF to install malware, that will require mitigation specific to that malware.

Dan Landberg
  • 3,312
  • 12
  • 17
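As an added illustration of the "JavaScript artifacts" and "calls to the BeEF server" the answer points to, here is a small defender-side hunt over web proxy logs. This is example code written for this page, not part of the answer above and not BeEF's own code. It looks for three things in a constructed, space-separated log format (timestamp, client, method, URL, status, cookie): a request for a script named `hook.js` from a non-trusted origin, a cookie named `BEEFHOOK`, and a client that keeps polling the same external origin at a steady rate (the hooked browser calling home). `hook.js` and `BEEFHOOK` are the framework's well-known defaults, but an operator can rename both, so the beaconing rule is there to catch the behaviour rather than the string; the log lines, the `.example` allowlist, the `/poll` path and the thresholds are all made up for the demo.

```python
"""Hunt for BeEF-style browser-hook indicators in HTTP proxy logs.

Constructed example for this page, not part of the original answer.
The log format (timestamp client method url status cookie-or-dash) and
every host, path and threshold below are made up for the demonstration.
hook.js / BEEFHOOK are the framework's documented defaults and are
operator-configurable, so a miss on those two rules is inconclusive.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

INTERNAL_HOST_SUFFIXES = (".example",)  # constructed allowlist of trusted origins
HOOK_SCRIPT_NAMES = {"hook.js"}         # default hook file name (configurable)
HOOK_COOKIE = "BEEFHOOK"                # cookie set by the default hook (configurable)
BEACON_MIN_HITS = 5                     # demo threshold: hits to one origin ...
BEACON_WINDOW_SEC = 30                  # ... within this many seconds

# Constructed log lines: one victim (10.0.0.5), one benign internal hook.js
# (10.0.0.6, a same-named file on a trusted CDN), one ordinary client (10.0.0.7).
SAMPLE_LOG = """\
2017-03-23T21:00:01 10.0.0.5 GET http://intranet.example/home 200 -
2017-03-23T21:00:02 10.0.0.5 GET http://203.0.113.10:3000/hook.js 200 -
2017-03-23T21:00:03 10.0.0.5 GET http://203.0.113.10:3000/poll?x=1 200 BEEFHOOK=abc123
2017-03-23T21:00:04 10.0.0.5 GET http://203.0.113.10:3000/poll?x=2 200 BEEFHOOK=abc123
2017-03-23T21:00:05 10.0.0.5 GET http://203.0.113.10:3000/poll?x=3 200 BEEFHOOK=abc123
2017-03-23T21:00:06 10.0.0.5 GET http://203.0.113.10:3000/poll?x=4 200 BEEFHOOK=abc123
2017-03-23T21:00:07 10.0.0.5 GET http://203.0.113.10:3000/poll?x=5 200 BEEFHOOK=abc123
2017-03-23T21:00:09 10.0.0.6 GET http://cdn.example/static/hook.js 200 -
2017-03-23T21:05:00 10.0.0.7 GET http://news.example/index.html 200 sessionid=zz
"""


@dataclass(frozen=True)
class Finding:
    rule: str     # hook_script | hook_cookie | beaconing
    client: str   # client address the finding applies to
    detail: str   # URL, origin, or a short description


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, client, method, url, status, cookie = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "status": int(status), "cookie": "" if cookie == "-" else cookie}


def is_internal(host):
    """Trusted-origin check; an empty host (malformed URL) counts as external."""
    return host.endswith(INTERNAL_HOST_SUFFIXES)


def scan(log_text):
    """Return a de-duplicated list of Findings for the given log text."""
    findings = []
    seen = set()
    per_client_origin = defaultdict(list)  # (client, host:port) -> timestamps

    def add(rule, client, detail):
        key = (rule, client, detail)
        if key not in seen:
            seen.add(key)
            findings.append(Finding(rule, client, detail))

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        parts = urlsplit(rec["url"])
        host, origin = parts.hostname or "", parts.netloc
        script_name = parts.path.rsplit("/", 1)[-1].lower()

        # Rule 1: hook script fetched from an origin we do not trust.
        if script_name in HOOK_SCRIPT_NAMES and not is_internal(host):
            add("hook_script", rec["client"], rec["url"])
        # Rule 2: the hook's cookie present on any request (whole-name match).
        if re.search(rf"(^|;\s*){HOOK_COOKIE}=", rec["cookie"]):
            add("hook_cookie", rec["client"], origin)
        # Collect timestamps per (client, external origin) for the beacon rule.
        if not is_internal(host):
            per_client_origin[(rec["client"], origin)].append(rec["ts"])

    # Rule 3: sliding window over each client/origin pair to spot steady polling.
    for (client, origin), times in per_client_origin.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= BEACON_WINDOW_SEC:
                j += 1
            if j - i >= BEACON_MIN_HITS:
                add("beaconing", client, f"{j - i} requests to {origin} in {BEACON_WINDOW_SEC}s")
                break
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:12} {f.client:10} {f.detail}")
```

On the sample log only 10.0.0.5 is flagged, by all three rules; 10.0.0.6 is not, because its `hook.js` comes from an allowlisted host, which is the false positive you will hit on real traffic if you grep for the file name alone. A hit from these rules points at the client to triage in line with the answer above: end the browser session and then look for any follow-on payload rather than treating the hook itself as the whole incident.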