
Detection Strategies for AskCreds Beacon Object File Credential Harvesting Across Multiple C2 Frameworks

Defenders relying on default Windows logging have no visibility into credential-harvesting techniques that operate within an established beacon process via legitimate Windows APIs. The AskCreds Beacon Object File exemplifies this class by invoking CredUIPromptForWindowsCredentials() entirely in memory, spawning no child process, writing nothing to disk, and producing no file-based artifact for signature engines. Because harvested credentials drive lateral movement that can persist undetected for months, the gap carries significant operational risk. Prior research has addressed BOF evasion broadly and C2 network detection independently, but no study has empirically measured detection efficacy for CredUIPromptForWindowsCredentials abuse delivered via Beacon Object File execution across multiple C2 frameworks under active ETW suppression.

This study evaluates layered detection strategies against AskCreds BOF execution in an isolated Azure lab using Cobalt Strike 4.12 and Outflank C2 v2.11.1, with Velociraptor as the primary DFIR platform. A Sysmon Event ID 7 ImageLoad rule scoped to credui.dll loaded by any process outside the established legitimate baseline, supported by ETW kernel telemetry and C2 network analysis, identified AskCreds execution in all six beacon sessions tested, with zero false positives against a 267-event legitimate baseline.

The detection's durability derives from architectural independence: Sysmon's kernel driver observes image loads below the user-mode ETW subsystem that the tested C2 frameworks actively patch (Sysmon-only 100%, ETW-only 0% under identical execution conditions with Blind ETW active). Claims are scoped to what the experiment measured: licensed commercial EDR platforms were not tested; coverage extends to AskCreds via the credui.dll code path rather than the full T1056.002 technique class; and rates are point estimates from a six-session cohort that practitioners should re-baseline against their own environment. Deliverables include a freely deployable Velociraptor artifact pack, a custom Sysmon configuration, and VQL hunting queries actionable by enterprise defenders.
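The abstract describes the rule in one sentence: fire on any Sysmon Event ID 7 where the loaded image is credui.dll and the loading process is not in the legitimate-loader baseline. The following is an added example, not the paper's artifact pack or Sysmon configuration, that replays that logic over constructed Event ID 7 records and emits an equivalent Sysmon filter. The three baseline processes, the sample events, and the schema version are assumptions made for the illustration; the paper's 267-event baseline is not reproduced here.

```python
"""
Added example (not the paper's code): replay the Sysmon Event ID 7 detection
logic the paper describes over constructed ImageLoad records, and emit the
equivalent Sysmon rule. The baseline loaders and the sample events are
assumptions made for this illustration, not the paper's measured baseline.
"""
from __future__ import annotations

import json
import ntpath
from typing import Iterable
from xml.sax.saxutils import escape

TARGET_DLL = "credui.dll"

# ASSUMPTION: processes this hypothetical site has observed loading credui.dll
# legitimately. Derive your own from a baseline collection, and match on the
# full image path so a same-named binary dropped elsewhere still alerts.
BASELINE_LOADER_PATHS = (
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\mstsc.exe",
    r"C:\Windows\System32\dllhost.exe",
)
BASELINE_LOADERS = frozenset(p.lower() for p in BASELINE_LOADER_PATHS)


def is_credui_load(event: dict) -> bool:
    """True for an Event ID 7 record whose loaded image is credui.dll
    (case-insensitive, from any directory, e.g. System32 or SysWOW64)."""
    if event.get("EventID") != 7:
        return False
    return ntpath.basename(event.get("ImageLoaded", "")).lower() == TARGET_DLL


def detect(events: Iterable[dict]) -> list[dict]:
    """Return one alert per credui.dll load by a process outside the baseline."""
    alerts = []
    for ev in events:
        if not is_credui_load(ev):
            continue
        image = ev.get("Image", "")
        if image.lower() in BASELINE_LOADERS:
            continue  # baselined loader: the paper's zero-false-positive path
        alerts.append({
            "UtcTime": ev.get("UtcTime"),
            "Image": image,
            "ProcessId": ev.get("ProcessId"),
            "ImageLoaded": ev.get("ImageLoaded"),
            "technique": "T1056.002 (credui.dll code path)",
        })
    return alerts


def sysmon_rule_xml(baseline: Iterable[str], schemaversion: str = "4.90") -> str:
    """Build the matching Sysmon filter: include every credui.dll load, then
    exclude loads whose Image is a baselined process. Sysmon evaluates exclude
    rules first; the compound <Rule groupRelation="and"> keeps each exclusion
    scoped to credui.dll instead of silencing every load by that process.
    Compound rules need Sysmon 10 or later (assumed here)."""
    excludes = "".join(
        '      <Rule groupRelation="and">\n'
        f'        <ImageLoaded condition="end with">\\{TARGET_DLL}</ImageLoaded>\n'
        f'        <Image condition="is">{escape(p)}</Image>\n'
        "      </Rule>\n"
        for p in baseline
    )
    return (
        f'<Sysmon schemaversion="{schemaversion}">\n'
        "  <EventFiltering>\n"
        '    <RuleGroup name="credui-load" groupRelation="or">\n'
        '      <ImageLoad onmatch="include">\n'
        f'        <ImageLoaded name="credui_load" condition="end with">\\{TARGET_DLL}</ImageLoaded>\n'
        "      </ImageLoad>\n"
        "    </RuleGroup>\n"
        '    <RuleGroup name="credui-baseline" groupRelation="or">\n'
        '      <ImageLoad onmatch="exclude">\n'
        f"{excludes}"
        "      </ImageLoad>\n"
        "    </RuleGroup>\n"
        "  </EventFiltering>\n"
        "</Sysmon>\n"
    )


# Constructed Sysmon records as JSON lines (the shape a SIEM or Velociraptor
# export might deliver). Not real telemetry; the paths are invented.
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"EventID": 7, "UtcTime": "2026-06-01 10:00:01.000", "ProcessId": 4120, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\credui.dll"}
{"EventID": 7, "UtcTime": "2026-06-01 10:00:02.000", "ProcessId": 4120, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"}
{"EventID": 7, "UtcTime": "2026-06-01 10:00:03.000", "ProcessId": 5200, "Image": "C:\\Windows\\System32\\mstsc.exe", "ImageLoaded": "C:\\Windows\\SysWOW64\\credui.dll"}
{"EventID": 7, "UtcTime": "2026-06-01 10:05:00.000", "ProcessId": 6688, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "ImageLoaded": "C:\\Windows\\System32\\CREDUI.DLL"}
{"EventID": 7, "UtcTime": "2026-06-01 10:06:00.000", "ProcessId": 7012, "Image": "C:\\Users\\alice\\Downloads\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\credui.dll"}
{"EventID": 1, "UtcTime": "2026-06-01 10:06:01.000", "ProcessId": 7012, "Image": "C:\\Users\\alice\\Downloads\\explorer.exe", "CommandLine": "explorer.exe"}
""".strip().splitlines()]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
    print(sysmon_rule_xml(BASELINE_LOADER_PATHS))
```

Two of the six constructed records alert: the Temp-resident update.exe (the case-varied CREDUI.DLL still matches because comparison is on the lower-cased basename) and the explorer.exe copied to Downloads, which shares a name with a baselined loader but not its full path. The explorer.exe and mstsc.exe loads from their real locations are suppressed, which is the behaviour the paper reports as zero false positives against its baseline. The generated XML is the same allowlist expressed as Sysmon filtering, so the host never emits the suppressed events in the first place.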

SANS-Detection-Strategies-AskCreds-Beacon-Object-File-Credential-Harvesting-Across-Multiple-C2-Frameworks-062226 (PDF, 0.54MB)

22 Jun 2026
By Eric Fletcher
All papers are copyrighted

No re-posting of papers is permitted

Related Content

Capturing the Click: Process-Based Detection of Malicious Link Interactions

Research Paper

This research validates the browser command-line flags used by Chrome, Edge, and Firefox as parameters in process-creation events, capturing both the clicked URL and the parent application, document, or script that delivered it.

  • 22 Jun 2026
  • Daniel Gott

Know Your Blind Spots: Better Visibility Through EDR Policy Hardening

Research Paper

Endpoint Detection and Response (EDR) tools identify, detect, and respond to anomalous behavior.

  • 9 Jun 2026
  • Joshuah Williams

Applying CIS Controls to AI Workflows

Research Paper

This research provides guidance on using the CIS Controls in conjunction with AI-specific frameworks to build a robust information security program.

  • 12 May 2026
  • Brian Ventura

A Forensic Study of Artifact Persistence in Containerd-Based Kubernetes Workloads

Research Paper

A container is a standard unit of software that packages code, including its dependencies, so the application runs quickly and reliably across computing environments.

  • 12 May 2026
  • Ahmed Alharbi

Implementing Micro-Segmentation in a Legacy Enterprise Lab Network: A Zero Trust Approach to Reducing Lateral Movement, Improving Containment, and Controlling Operational Overhead

Research Paper

This study evaluates micro-segmentation as a practical Zero Trust control in a Windows Active Directory lab that models common legacy dependencies (directory services, file services, a web tier, and a database tier).

  • 24 Mar 2026
  • Dennis Ankrah

Assessing the Impact of Memory Acquisition on Key Windows Artifacts

Research Paper

This research evaluates the impact of memory capture tools on data at rest, aiming to understand the degree of change that occurs to artifacts, measure differences based on tool selection, and inform best practices for live responders.

  • 20 Mar 2026
  • Russell Devine

From Ambiguity to Action: A Forensic Framework for Differentiating ClickFix Payloads

Research Paper

The "ClickFix" social engineering technique, which leverages fake CAPTCHA or browser update lures to trick users into executing a malicious PowerShell script, presents a critical challenge for incident responders.

  • 24 Feb 2026
  • James Chisolm-Williams

Digital Forensics and Incident Response in the Cloud: Addressing GCP Challenges

Research Paper

Many digital forensics and incident response (DFIR) practitioners, as well as aspiring cybersecurity analysts, often gravitate towards AWS and Azure as their first forays into cloud security.

  • 16 Jan 2026
  • Mark Nakamura

Measuring Malware Obfuscation: Evaluating CNN-Based Detection for Real-World Resilience

Research Paper

This study examined how layered obfuscation affects image-based convolutional neural network (CNN) detectors and introduces a novel, reproducible framework for measuring obfuscation itself.

  • 19 Nov 2025
  • Michael Reglein

Scrutinizing A Web-Based LLM in Private Browsing Mode: An Analysis of Memory Artifacts and Privacy Implications

Research Paper

Using web-based LLMs such as ChatGPT has changed the web browsing landscape to become part of the typical everyday experience.

  • 7 Nov 2025
  • Chris Kosmas

Adversary-Aware IOC Retention: Analyzing Time-to-Live Patterns by Threat Actor Attribution

Research Paper

After analyzing hundreds of IOCs across three unique Advanced Persistent Threats (APTs) from disparate regions, it can be confirmed that not only do threat actors cycle their IOCs at different rates, but those rates can be tracked. This paper introduces an enhanced decay model incorporating a threat actor variable that accounts for these differences in sophistication and hygiene.

  • 23 Oct 2025
  • Nathaniel Jakusz

Breaking Time: Methods, Artifacts, and Forensic Detection of Timestomping on FAT32, Ext3, and Ext4 File Systems

Research Paper

This paper explores the diverse methods used to timestomp files on FAT, Ext3, and Ext4 file systems, focusing on how adversaries adapt their approaches based on available system access and permissions.

  • 23 Oct 2025
  • Allan Kroll

Breaking Through Deception: Addressing Barriers in the Adoption of Cyber Deception Technologies

Research Paper

Despite the increasing sophistication of cyber threats and the need for organizations to employ innovative defense strategies, cyber deception technologies, tools designed to mislead attackers and gain a defensive advantage, remain significantly underutilized across organizational cybersecurity programs.

  • 23 Oct 2025
  • Dakota Campbell

Forensic Investigation of Bluetooth-Based Credit Card Skimmers

Research Paper

Hidden Bluetooth Low Energy (BLE) credit card skimmers are a growing source of credit card fraud. Criminals can set up practical and inexpensive systems built on modules such as the HM-19 to collect and transmit stolen data covertly over wireless channels.

  • 3 Sep 2025
  • John Passaro

SANS 2025 CTI Survey Webcast & Forum: Navigating Uncertainty in Today’s Threat Landscape

Research Paper

This paper explores results from the SANS 2025 CTI Survey, with insights into how cybersecurity...

  • 20 May 2025
  • Rebekah Brown, Andreas Sfakianakis

Beneath the Mask: Can Contribution Data Unveil Malicious Personas in Open-Source Projects?

Research Paper

In February 2024, after building trust over two years with project maintainers by making a significant volume of legitimate contributions, GitHub user "JiaT75" self-merged a version of the XZ Utils project containing a highly sophisticated well-disguised backdoor targeting sshd processes running on systems with the backdoored package installed.

  • 13 May 2025
  • SANS Institute

Catching the Hand in the Cookie Jar: Canary Session Cookies

Research Paper

This project demonstrates how even applications secured with MFA are still vulnerable to hijacked session cookies. Given the persistent threats posed to organizations by stolen authentication cookies, this research proposes implementing Canary session cookies to detect the theft and malicious use of credentials.

  • 17 Apr 2025
  • Caleb Patten

A Pebble In the Ocean: Maximizing Log Fidelity In Container Environments

Research Paper

Log fidelity is crucial for Incident Response Teams to investigate and contain cyber incidents but can be difficult to optimize in containerized environments.

  • 17 Apr 2025
  • Zach Salva

SANS 2025 Threat Hunting Survey: Advancements in Threat Hunting Amid AI and Cloud Challenges

Research Paper

The 2025 SANS Threat Hunting Survey marks a decade of tracking how organizations evolve their threat hunting capabilities.

  • 13 Mar 2025
  • Josh Lemon

Empowering Responders with Automated Investigation

Research Paper

This white paper investigates how Binalyze’s AIR platform reduces the overhead of forensic investigations by automating the process of collecting artifacts, triaging the data, and identifying next steps.

  • 18 Feb 2025
  • Megan Roddie-Fonseca