Statistical Model Detected C2 Beaconing Activity

A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.

Elastic rule

[metadata]
creation_date = "2023/09/22"
integration = ["beaconing"]
maturity = "production"
min_stack_comments = "Beaconing package updates and support"
min_stack_version = "8.10.1"
updated_date = "2023/10/26"

[rule]
author = ["Elastic"]
description = """
A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain
stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain
persistence in a network.
"""
from = "now-1h"
index = ["ml_beaconing.all"]
language = "kuery"
license = "Elastic License v2"
name = "Statistical Model Detected C2 Beaconing Activity"
note = """## Setup

The Beaconing integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
"""
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/beaconing",
    "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic"
]
risk_score = 21
rule_id = "5397080f-34e5-449b-8e9c-4c8083d7ccc6"
severity = "low"
tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"]
timestamp_override = "event.ingested"
type = "query"

query = '''
beacon_stats.is_beaconing: true
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1102"
name = "Web Service"
reference = "https://attack.mitre.org/techniques/T1102/"
[[rule.threat.technique.subtechnique]]
id = "T1102.002"
name = "Bidirectional Communication"
reference = "https://attack.mitre.org/techniques/T1102/002/"



[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
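As an added illustration that is not part of the Elastic rule or the Beaconing package, the following Python sketch builds the kind of per-flow document this rule reads from `ml_beaconing.all` and applies the rule's query (`beacon_stats.is_beaconing: true`) to it. The periodicity statistic (coefficient of variation of inter-arrival times), its thresholds and the two sample flows are assumptions standing in for the integration's own model, not Elastic's implementation.

```python
"""Added example (not Elastic's code): how a beaconing statistic becomes a rule hit.

The integration's model is not reproduced here; a simplified, assumed periodicity
check stands in for it so the document shape and the rule's query can be shown.
"""
from statistics import mean, pstdev


def beacon_stats(timestamps, min_events=8, max_cv=0.2):
    """Reduce one source->destination series of connection times (seconds) to
    beaconing statistics. Low jitter (coefficient of variation of the gaps)
    over enough events is treated as periodic. Thresholds are assumptions."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return {"is_beaconing": False, "event_count": len(ts)}
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return {"is_beaconing": cv <= max_cv, "event_count": len(ts),
            "mean_interval": m, "jitter_cv": cv}


def rule_query_matches(doc):
    """Equivalent of the rule's KQL `beacon_stats.is_beaconing: true` for one document."""
    return doc.get("beacon_stats", {}).get("is_beaconing") is True


# Constructed sample flows: (source.ip, destination.ip) -> connection times in seconds.
SAMPLE_FLOWS = {
    # Near-regular ~60 s interval with small jitter: the periodic pattern the rule targets.
    ("10.0.0.5", "203.0.113.10"): [0, 60, 121, 179, 241, 300, 359, 420, 481, 540],
    # Bursty, human-like timing: same event count, no periodicity.
    ("10.0.0.7", "198.51.100.2"): [0, 5, 90, 92, 400, 401, 1200, 1250, 1251, 3000],
}


def build_documents(flows=SAMPLE_FLOWS):
    """Assumed document layout for ml_beaconing.all: ECS-style endpoints plus beacon_stats."""
    return [{"source": {"ip": src}, "destination": {"ip": dst},
             "beacon_stats": beacon_stats(ts)} for (src, dst), ts in flows.items()]


def alerts(flows=SAMPLE_FLOWS):
    """Documents the rule would turn into alerts for this batch."""
    return [d for d in build_documents(flows) if rule_query_matches(d)]


if __name__ == "__main__":
    for hit in alerts():
        print(hit["source"]["ip"], "->", hit["destination"]["ip"], hit["beacon_stats"])
```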

Setup

The Beaconing integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
