Statistical Model Detected C2 Beaconing Activity
A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/09/22"
3integration = ["beaconing"]
4maturity = "production"
5min_stack_comments = "Beaconing package updates and support"
6min_stack_version = "8.10.1"
7updated_date = "2023/10/26"
8
9[rule]
10author = ["Elastic"]
11description = """
12A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain
13stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain
14persistence in a network.
15"""
16from = "now-1h"
17index = ["ml_beaconing.all"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Statistical Model Detected C2 Beaconing Activity"
21note = """## Setup
22
23The Beaconing integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
24"""
25references = [
26 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
27 "https://docs.elastic.co/en/integrations/beaconing",
28 "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic"
29]
30risk_score = 21
31rule_id = "5397080f-34e5-449b-8e9c-4c8083d7ccc6"
32severity = "low"
33tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"]
34timestamp_override = "event.ingested"
35type = "query"
36
37query = '''
38beacon_stats.is_beaconing: true
39'''
40
41
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44[[rule.threat.technique]]
45id = "T1102"
46name = "Web Service"
47reference = "https://attack.mitre.org/techniques/T1102/"
48[[rule.threat.technique.subtechnique]]
49id = "T1102.002"
50name = "Bidirectional Communication"
51reference = "https://attack.mitre.org/techniques/T1102/002/"
52
53
54
55[rule.threat.tactic]
56id = "TA0011"
57name = "Command and Control"
58reference = "https://attack.mitre.org/tactics/TA0011/"
Setup
The Beaconing integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
References
-
Prebuilt job referenceedit These anomaly detection jobs automatically detect file system and network anomalies on your hosts. They appear in the Anomaly Detection interface of the Elastic Security ...
Read More -
-
In this blog, we walk users through identifying beaconing malware in their environment using our beaconing identification framework.
Read More
Related rules
- Statistical Model Detected C2 Beaconing Activity with High Confidence
- Machine Learning Detected DGA activity using a known SUNBURST DNS domain
- Machine Learning Detected a DNS Request Predicted to be a DGA Domain
- Machine Learning Detected a DNS Request With a High DGA Probability Score
- Connection to Commonly Abused Free SSL Certificate Providers