Statistical Model Detected C2 Beaconing Activity with High Confidence
A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.
Elastic rule
[metadata]
creation_date = "2023/09/22"
integration = ["beaconing", "endpoint", "network_traffic"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help
attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and
maintain persistence in a network.
"""
from = "now-1h"
index = ["ml_beaconing.all"]
language = "kuery"
license = "Elastic License v2"
name = "Statistical Model Detected C2 Beaconing Activity with High Confidence"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/beaconing",
    "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic",
]
risk_score = 21
rule_id = "0ab319ef-92b8-4c7f-989b-5de93c852e93"
setup = """## Setup

The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.

### Network Beaconing Identification Setup
The Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.

#### Prerequisite Requirements:
- Fleet is required for Network Beaconing Identification.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.

#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
"""
severity = "low"
tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
beacon_stats.beaconing_score: 3
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Statistical Model Detected C2 Beaconing Activity with High Confidence

Statistical models analyze network traffic patterns to identify anomalies indicative of C2 beaconing, a tactic where attackers maintain covert communication with compromised systems. Adversaries exploit this to issue commands, exfiltrate data, and sustain network presence. The detection rule leverages a high beaconing score to flag potential threats, aiding analysts in pinpointing suspicious activities linked to C2 operations.

### Possible investigation steps

- Review the network traffic logs to identify the source and destination IP addresses associated with the beaconing activity flagged by the beacon_stats.beaconing_score of 3.
- Correlate the identified IP addresses with known malicious IP databases or threat intelligence feeds to determine if they are associated with known C2 servers.
- Analyze the frequency and pattern of the beaconing activity to assess whether it aligns with typical C2 communication patterns, such as regular intervals or specific time frames.
- Investigate the domain names involved in the communication to check for any associations with malicious activities or suspicious registrations.
- Examine the payloads or data transferred during the flagged communication sessions to identify any potential exfiltration of sensitive information or receipt of malicious instructions.
- Cross-reference the involved systems with internal asset inventories to determine if they are critical assets or have been previously flagged for suspicious activities.
- Consult with the incident response team to decide on containment or remediation actions if the investigation confirms malicious C2 activity.

### False positive analysis

- Regularly scheduled software updates or patch management systems may generate network traffic patterns similar to C2 beaconing. Users can create exceptions for known update servers to reduce false positives.
- Automated backup systems that frequently communicate with cloud storage services might be flagged. Identifying and excluding these backup services from the analysis can help mitigate this issue.
- Network monitoring tools that periodically check connectivity or system health can mimic beaconing activity. Whitelisting these monitoring tools can prevent them from being incorrectly flagged.
- Internal applications that use polling mechanisms to check for updates or status changes may trigger alerts. Documenting and excluding these applications from the rule can minimize false positives.
- Frequent communication with trusted third-party services, such as content delivery networks, may appear as beaconing. Establishing a list of trusted domains and excluding them from the analysis can help manage this.

### Response and remediation

- Isolate the affected systems from the network to prevent further communication with the C2 server and contain the threat.
- Conduct a thorough analysis of the network traffic logs to identify any additional compromised systems or lateral movement within the network.
- Remove any malicious software or scripts identified on the compromised systems, ensuring all traces of the C2 communication channels are eradicated.
- Apply security patches and updates to all affected systems to close any vulnerabilities exploited by the attackers.
- Change all credentials and authentication tokens associated with the compromised systems to prevent unauthorized access.
- Monitor the network for any signs of re-infection or continued C2 activity, using enhanced detection rules and updated threat intelligence.
- Escalate the incident to the appropriate internal security team or external cybersecurity experts for further investigation and to assess the potential impact on the organization."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1102"
name = "Web Service"
reference = "https://attack.mitre.org/techniques/T1102/"
[[rule.threat.technique.subtechnique]]
id = "T1102.002"
name = "Bidirectional Communication"
reference = "https://attack.mitre.org/techniques/T1102/002/"



[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
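The rule itself only matches on `beacon_stats.beaconing_score: 3`; the scoring happens upstream in the Network Beaconing Identification integration. As an added illustration (not the integration's algorithm or any Elastic code), the script below shows the kind of interval-regularity check behind a beaconing score and how the exclusions recommended in the false positive analysis (known update servers, backup services) are applied before scoring. The flow records, IP addresses, allow-list and thresholds are all constructed for the example.

```python
"""Added illustration of interval-regularity scoring for beaconing detection
(simplified, not the Network Beaconing Identification integration's algorithm):
group flows per (source, destination), drop allow-listed destinations as the
rule's false-positive guidance suggests, flag pairs with near-constant gaps."""
from collections import defaultdict
from statistics import mean, pstdev

BASE = 1_700_000_000  # constructed epoch base for the sample records
# Constructed sample flow records: (epoch seconds, source.ip, destination.ip).
FLOWS = (
    # ~60 s cadence with a few seconds of jitter (beacon-like)
    [(BASE + 60 * i + j, "10.0.0.12", "203.0.113.7")
     for i, j in enumerate([0, 2, -1, 1, 0, -2, 1, 0])]
    # Irregular, human-driven browsing
    + [(BASE + t, "10.0.0.20", "198.51.100.4")
       for t in [0, 7, 95, 110, 400, 401, 900, 1300]]
    # Exactly periodic check-ins to an internal update server
    + [(BASE + 300 * i, "10.0.0.12", "10.0.0.5") for i in range(8)]
)
ALLOWLIST = {"10.0.0.5"}  # constructed: update server whose polling is expected

def intervals(timestamps):
    """Gaps in seconds between consecutive connections."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]

def regularity(gaps):
    """Coefficient of variation of the gaps; 0.0 means perfectly periodic."""
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m else None

def score_pairs(flows, allowlist, min_events=6, cv_threshold=0.15):
    """Return {(src, dst): {events, mean_gap, cv, flagged}} for pairs with at
    least min_events; flagged when the gaps vary by at most cv_threshold."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        if dst in allowlist:  # expected periodic traffic, not scored
            continue
        by_pair[(src, dst)].append(ts)
    results = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        gaps = intervals(stamps)
        cv = regularity(gaps)
        results[pair] = {"events": len(stamps), "mean_gap": mean(gaps), "cv": cv,
                         "flagged": cv is not None and cv <= cv_threshold}
    return results
```

Running `score_pairs(FLOWS, ALLOWLIST)` flags only the jittered 60-second pair; the browsing pair's gaps vary too much and the update-server pair is never scored. Tune `cv_threshold` and `min_events` to the tolerance for jitter and the observation window you actually use.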
Related rules
- Statistical Model Detected C2 Beaconing Activity
- Machine Learning Detected DGA activity using a known SUNBURST DNS domain
- Machine Learning Detected a DNS Request Predicted to be a DGA Domain
- Machine Learning Detected a DNS Request With a High DGA Probability Score
- AWS CLI Command with Custom Endpoint URL