Changing the way agent handles consecutive beacon failures#29
Draft
Changing the way agent handles consecutive beacon failures#29
Conversation
scottctaylor12
requested review from
christophert
and removed request for
scottctaylor12
christophert
suggested changes
Oct 7, 2020
christophert
left a comment
christophert
left a comment
There was a problem hiding this comment.
Small semantic changes, functionality was verified.
agent/agent.go
Outdated
| return err | ||
| } | ||
| a.server = server | ||
| a.firstSuccessFulServer = "" |
There was a problem hiding this comment.
Refer to comment on variable declaration
agent/agent.go
Outdated
| profile := a.GetFullProfile() | ||
| response := a.beaconContact.GetBeaconBytes(profile) | ||
| if response != nil { | ||
| if len(a.firstSuccessFulServer) == 0 { |
There was a problem hiding this comment.
Refer to comment on variable declaration
…l keep track of first successful server address and comms method. Upon 3 consecutive beacon failures, agent will switch to a proxy receiver it hasn't tried before. If there are no proxy receivers, then the agent will terminate (if it hasn't made a successful connection to the C2 before), or it will sleep twice its normal sleep amount and then try the first successful server address & comms method (will cycle back through all the proxy receivers upon repeated failure). Cleaned up new fallback logic and comments
uruwhy
force-pushed
the
failed-comms-fallback
branch
from
a6cd1a4 to
75b77eb
Compare
christophert
approved these changes
Oct 7, 2020
Contributor
|
I think we can simplify this further and still achieve your objective here. As is, it's a long explanation to convey the behavior and requires lots of decision points. Let's set a time to discuss. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Agent will keep track of first successful server address and comms method. The agent will also keep track of its normal sleep time as determined by successful beacon responses from the C2.
When handling a failed beacon:
Case 1: the consecutive failure counter has not been reached
The agent will sleep for the last sleep time that the C2 server gave it (15 seconds default) before retrying with the current C2 communication methods
Case 2: the consecutive failure counter has been reached (currently set to 3 fails)
The agent will reset the failure counter and perform the following protocol: