Statistical Model Detected C2 Beaconing Activity
A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.
Elastic rule
[metadata]
creation_date = "2023/09/22"
integration = ["beaconing", "endpoint", "network_traffic"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain
stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain
persistence in a network.
"""
from = "now-1h"
index = ["ml_beaconing.all"]
language = "kuery"
license = "Elastic License v2"
name = "Statistical Model Detected C2 Beaconing Activity"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/beaconing",
    "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic",
]
risk_score = 21
rule_id = "5397080f-34e5-449b-8e9c-4c8083d7ccc6"
setup = """## Setup

The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.

### Network Beaconing Identification Setup
The Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.

#### Prerequisite Requirements:
- Fleet is required for Network Beaconing Identification.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.

#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
"""
severity = "low"
tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
beacon_stats.is_beaconing: true and
not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or "WindowsAzureGuestAgent.exe" or "HealthService.exe" or "Widgets.exe" or "lsass.exe" or "msedgewebview2.exe" or
                   "MsMpEng.exe" or "OUTLOOK.EXE" or "msteams.exe" or "FileSyncHelper.exe" or "SearchProtocolHost.exe" or "Creative Cloud.exe" or "ms-teams.exe" or "ms-teamsupdate.exe" or
                   "curl.exe" or "rundll32.exe" or "MsSense.exe" or "wermgr.exe" or "java" or "olk.exe" or "iexplore.exe" or "NetworkManager" or "packetbeat" or "Ssms.exe" or "NisSrv.exe" or
                   "gamingservices.exe" or "appidcertstorecheck.exe" or "POWERPNT.EXE" or "miiserver.exe" or "Grammarly.Desktop.exe" or "SnagitEditor.exe" or "CRWindowsClientService.exe" or
                   "agentbeat" or "dnf" or "yum" or "apt"
                   )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Statistical Model Detected C2 Beaconing Activity

Statistical models analyze network traffic patterns to identify anomalies indicative of C2 beaconing, a tactic used by attackers to maintain covert communication with compromised systems. Adversaries exploit this by sending periodic signals to C2 servers, often mimicking legitimate traffic. The detection rule leverages statistical analysis to flag unusual beaconing while excluding known benign processes, thus highlighting potential threats without overwhelming analysts with false positives.

### Possible investigation steps

- Review the network traffic logs to identify the source and destination IP addresses associated with the beaconing activity flagged by the statistical model.
- Cross-reference the identified IP addresses with threat intelligence databases to determine if they are associated with known malicious C2 servers.
- Analyze the frequency and pattern of the beaconing signals to assess whether they mimic legitimate traffic or exhibit characteristics typical of C2 communication.
- Investigate the processes running on the source system to identify any suspicious or unauthorized applications that may be responsible for the beaconing activity.
- Check for any recent changes or anomalies in the system's configuration or installed software that could indicate a compromise.
- Examine the historical network activity of the source system to identify any other unusual patterns or connections that may suggest a broader compromise.

### False positive analysis

- The rule may flag legitimate processes that exhibit periodic network communication patterns similar to C2 beaconing. Processes like "metricbeat.exe" and "packetbeat.exe" are known to generate regular network traffic for monitoring purposes.
- Users can manage these false positives by adding exceptions for these known benign processes in the detection rule, ensuring they are not flagged as threats.
- Regularly review and update the list of excluded processes to include any new legitimate applications that may mimic beaconing behavior, reducing unnecessary alerts.
- Consider implementing a whitelist approach for processes that are verified as non-threatening, allowing the statistical model to focus on truly anomalous activities.
- Engage with network and security teams to understand the normal traffic patterns of your environment, which can help in refining the detection rule and minimizing false positives.

### Response and remediation

- Isolate the affected system from the network to prevent further communication with the C2 server and limit potential data exfiltration.
- Terminate any suspicious processes identified by the alert that are not part of the known benign list, ensuring that any malicious activity is halted.
- Conduct a thorough scan of the isolated system using updated antivirus and anti-malware tools to identify and remove any malicious software or files.
- Review and analyze network logs to identify any other systems that may have communicated with the same C2 server, and apply similar containment measures to those systems.
- Restore the affected system from a known good backup to ensure that any persistent threats are removed, and verify the integrity of the restored system.
- Implement network segmentation to limit the ability of compromised systems to communicate with critical infrastructure and sensitive data.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional measures are needed to prevent recurrence."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1102"
name = "Web Service"
reference = "https://attack.mitre.org/techniques/T1102/"
[[rule.threat.technique.subtechnique]]
id = "T1102.002"
name = "Bidirectional Communication"
reference = "https://attack.mitre.org/techniques/T1102/002/"



[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
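The two stages the rule relies on, worked as an added example that is not code from the Elastic rule or the Network Beaconing Identification integration: a timing statistic that sets a `beacon_stats.is_beaconing` flag for one source/destination pair, followed by the rule's KQL filter that drops the known benign process names. The integration's actual statistics are not described on this page, so the inter-arrival regularity score, its thresholds, the process-name subset and the sample timings are assumptions constructed for illustration.

```python
# Added example, not code from the Elastic rule or the Network Beaconing
# Identification integration. The integration's real statistics are not on
# the page; the inter-arrival regularity score and its thresholds below are
# illustrative assumptions.
from statistics import mean, pstdev

# Subset of the process names the rule's query excludes.
EXCLUDED_PROCESSES = {
    "WaAppAgent.exe", "metricbeat.exe", "packetbeat.exe", "MsMpEng.exe",
    "OUTLOOK.EXE", "msteams.exe", "curl.exe", "rundll32.exe", "agentbeat",
    "dnf", "yum", "apt",
}


def interval_stats(timestamps, max_jitter=0.2, min_events=5):
    """Return beacon_stats-like fields for one source/destination pair.

    is_beaconing is True when at least min_events connections exist and the
    inter-arrival gaps are regular: coefficient of variation (std dev / mean
    gap) below max_jitter. Both thresholds are assumptions for this example.
    """
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return {"is_beaconing": False, "count": len(ts), "period": None, "jitter": None}
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    period = mean(gaps)
    jitter = pstdev(gaps) / period if period > 0 else float("inf")
    return {"is_beaconing": jitter < max_jitter, "count": len(ts),
            "period": period, "jitter": jitter}


def rule_matches(doc):
    """The rule's KQL: beacon_stats.is_beaconing: true and not process.name: (...).

    As in KQL, a document with no process.name is not excluded."""
    beaconing = doc.get("beacon_stats", {}).get("is_beaconing", False)
    return bool(beaconing) and doc.get("process", {}).get("name") not in EXCLUDED_PROCESSES


def evaluate(process_name, timestamps):
    """Build an ml_beaconing.all-style document and evaluate the rule on it."""
    doc = {"process": {"name": process_name}, "beacon_stats": interval_stats(timestamps)}
    return rule_matches(doc), doc["beacon_stats"]


# Constructed sample timings in seconds: a 60-second beacon with a few
# seconds of jitter, and irregular user-driven traffic to the same host.
PERIODIC = [i * 60 + j for i, j in enumerate([0, 1, -1, 2, 0, 1, -2, 0])]
IRREGULAR = [0, 7, 95, 110, 300, 302, 610, 900]
```

Calling `evaluate("updater.exe", PERIODIC)` alerts, while the same timing attributed to `metricbeat.exe` is suppressed by the exclusion list and `IRREGULAR` never sets the flag, which is the false-positive trade-off the triage section discusses.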
Related rules
- Statistical Model Detected C2 Beaconing Activity with High Confidence
- Machine Learning Detected DGA activity using a known SUNBURST DNS domain
- Machine Learning Detected a DNS Request Predicted to be a DGA Domain
- Machine Learning Detected a DNS Request With a High DGA Probability Score
- AWS CLI Command with Custom Endpoint URL