Statistical Model Detected C2 Beaconing Activity with High Confidence
A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.
Elastic rule
```toml
[metadata]
creation_date = "2023/09/22"
integration = ["beaconing", "endpoint", "network_traffic"]
maturity = "production"
updated_date = "2024/11/07"

[rule]
author = ["Elastic"]
description = """
A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help
attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and
maintain persistence in a network.
"""
from = "now-1h"
index = ["ml_beaconing.all"]
language = "kuery"
license = "Elastic License v2"
name = "Statistical Model Detected C2 Beaconing Activity with High Confidence"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/beaconing",
    "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic",
]
risk_score = 21
rule_id = "0ab319ef-92b8-4c7f-989b-5de93c852e93"
setup = """## Setup

The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.

### Network Beaconing Identification Setup
The Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.

#### Prerequisite Requirements:
- Fleet is required for Network Beaconing Identification.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.

#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
"""
severity = "low"
tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"]
timestamp_override = "event.ingested"
type = "query"

query = '''
beacon_stats.beaconing_score: 3
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1102"
name = "Web Service"
reference = "https://attack.mitre.org/techniques/T1102/"
[[rule.threat.technique.subtechnique]]
id = "T1102.002"
name = "Bidirectional Communication"
reference = "https://attack.mitre.org/techniques/T1102/002/"



[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
```
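To make the rule's behaviour concrete, here is an added example (not Elastic's code) that replays the rule logic in Python over a few constructed `ml_beaconing.all` documents: the `from = "now-1h"` lookback is measured on `event.ingested` because of `timestamp_override` (this example falls back to `@timestamp` when that field is missing), and only documents whose `beacon_stats.beaconing_score` is exactly 3 become alerts. The document shape, IPs and timestamps are assumed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample documents in the shape of the ml_beaconing.all index.
# Field names come from the rule; all values are assumed for illustration.
NOW = datetime(2024, 11, 7, 12, 0, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    # Recent, score 3: alerts.
    {"@timestamp": "2024-11-07T11:30:00Z", "event": {"ingested": "2024-11-07T11:31:00Z"},
     "source": {"ip": "10.0.0.5"}, "destination": {"ip": "203.0.113.10"},
     "beacon_stats": {"beaconing_score": 3}},
    # Recent, score 1: the query only matches a score of exactly 3.
    {"@timestamp": "2024-11-07T11:40:00Z", "event": {"ingested": "2024-11-07T11:41:00Z"},
     "source": {"ip": "10.0.0.6"}, "destination": {"ip": "203.0.113.11"},
     "beacon_stats": {"beaconing_score": 1}},
    # Two-day-old event ingested late: timestamp_override = "event.ingested"
    # evaluates the window on ingestion time, so it is still caught.
    {"@timestamp": "2024-11-05T08:00:00Z", "event": {"ingested": "2024-11-07T11:50:00Z"},
     "source": {"ip": "10.0.0.7"}, "destination": {"ip": "203.0.113.12"},
     "beacon_stats": {"beaconing_score": 3}},
    # Score 3 but ingested before now-1h: outside this run's lookback.
    {"@timestamp": "2024-11-07T09:00:00Z", "event": {"ingested": "2024-11-07T09:01:00Z"},
     "source": {"ip": "10.0.0.8"}, "destination": {"ip": "203.0.113.13"},
     "beacon_stats": {"beaconing_score": 3}},
]

def get_field(doc, dotted):
    """Resolve an ECS-style dotted field name (e.g. beacon_stats.beaconing_score)."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def evaluate_rule(docs, now=NOW, lookback=timedelta(hours=1)):
    """Apply `beacon_stats.beaconing_score: 3` over the last hour of ingestion time."""
    alerts = []
    for doc in docs:
        ts = get_field(doc, "event.ingested") or doc.get("@timestamp")
        if ts is None or parse_ts(ts) < now - lookback:
            continue
        if get_field(doc, "beacon_stats.beaconing_score") != 3:
            continue
        alerts.append({"rule_id": "0ab319ef-92b8-4c7f-989b-5de93c852e93",
                       "severity": "low", "risk_score": 21,
                       "source.ip": get_field(doc, "source.ip"),
                       "destination.ip": get_field(doc, "destination.ip")})
    return alerts
```

Running `evaluate_rule(SAMPLE_DOCS)` yields two alerts (for 10.0.0.5 and 10.0.0.7); the low-scoring and the stale document are dropped.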
Related rules
- Statistical Model Detected C2 Beaconing Activity
- Machine Learning Detected DGA activity using a known SUNBURST DNS domain
- Machine Learning Detected a DNS Request Predicted to be a DGA Domain
- Machine Learning Detected a DNS Request With a High DGA Probability Score
- Root Network Connection via GDB CAP_SYS_PTRACE