Detects C2 beaconing patterns in Zeek conn.log by analyzing connection intervals for low jitter using ZAT, Pandas, and NumPy. Useful for network threat hunting.
npx claudepluginhub killvxk/cybersecurity-skills-zh

This skill uses the workspace's default tool permissions.

Uses ZAT (Zeek Analysis Tools) to load Zeek conn.log data, groups connections by source/destination pair, and computes timing statistics to identify beaconing behaviour.
Analyzes Zeek conn.log connection intervals for C2 beaconing patterns using ZAT to load data into Pandas, computes inter-arrival time std dev, flags low-jitter beacons for threat hunting.
Detects C2 beaconing patterns in Zeek conn.log by analyzing connection inter-arrival times with ZAT, Pandas, and low jitter thresholds. For threat hunting callbacks.
Detects C2 beaconing patterns in network traffic using frequency analysis, jitter calculation, and coefficient of variation scoring. Useful for threat hunting periodic callbacks from compromised endpoints.
from zat.log_to_dataframe import LogToDataFrame
import numpy as np

# ts_index=False keeps 'ts' as a column; ZAT's default moves it into the
# DataFrame index, which would make group['ts'] below raise a KeyError.
log_to_df = LogToDataFrame()
conn_df = log_to_df.create_dataframe('/path/to/conn.log', ts_index=False)

# Group by source/destination pair and compute inter-arrival times
for (src, dst), group in conn_df.groupby(['id.orig_h', 'id.resp_h']):
    times = group['ts'].sort_values()
    intervals = times.diff().dt.total_seconds().dropna()
    if len(intervals) > 10:
        std_dev = np.std(intervals)
        mean_interval = np.mean(intervals)
        # Low standard deviation relative to the mean = possible beaconing
        cv = std_dev / mean_interval if mean_interval > 0 else np.inf
        if cv < 0.1:  # coefficient-of-variation threshold; 0.1 is illustrative, tune per network
            print(f"possible beacon: {src} -> {dst} every ~{mean_interval:.1f}s (CV {cv:.3f})")
Key analysis steps:

from zat.log_to_dataframe import LogToDataFrame

log_to_df = LogToDataFrame()
df = log_to_df.create_dataframe('conn.log', ts_index=False)  # keep 'ts' as a column
print(df[['id.orig_h', 'id.resp_h', 'ts', 'duration']].head())
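The jitter scoring described above, as an added stand-alone example that is not part of this skill: it runs the same per-pair inter-arrival analysis (mean, standard deviation, coefficient of variation) over constructed conn.log-style records instead of a ZAT DataFrame, so it needs no Zeek data or ZAT install. The record shape, IP addresses, the 60-second callback period and the 0.1 CV threshold are all assumptions for illustration.

```python
import statistics
from collections import defaultdict


def build_sample_records():
    """Constructed (ts, id.orig_h, id.resp_h) tuples mimicking conn.log rows.
    Not a real capture: one host calls back every ~60 s with small jitter,
    another talks to a server at irregular, browsing-like intervals."""
    recs = []
    t = 1700000000.0
    jitter = [0, 1.5, -1.2, 0.8, -0.5, 2.0, -1.8, 0.3, -0.9, 1.1, -0.2, 0.6]
    for j in jitter:                      # periodic callback (constructed)
        t += 60 + j
        recs.append((t, "10.0.0.5", "203.0.113.10"))
    t = 1700000000.0
    gaps = [3, 40, 2, 150, 7, 300, 1, 12, 90, 5, 600, 30]
    for g in gaps:                        # irregular traffic (constructed)
        t += g
        recs.append((t, "10.0.0.7", "198.51.100.20"))
    return recs


def interval_stats(timestamps):
    """Return (mean, std, cv) of inter-arrival times for one src/dst pair."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(intervals)
    std = statistics.pstdev(intervals)     # population std dev, like np.std
    cv = std / mean if mean > 0 else float("inf")
    return mean, std, cv


def find_beacons(records, min_intervals=10, cv_threshold=0.1):
    """Flag pairs whose interval jitter (CV) is below the threshold.
    Threshold and minimum sample size are illustrative assumptions."""
    by_pair = defaultdict(list)
    for ts, orig, resp in records:
        by_pair[(orig, resp)].append(ts)
    hits = []
    for pair, ts in by_pair.items():
        if len(ts) - 1 < min_intervals:    # too few samples to judge
            continue
        mean, std, cv = interval_stats(ts)
        if cv < cv_threshold:
            hits.append((pair, round(mean, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for (src, dst), mean, cv in find_beacons(build_sample_records()):
        print(f"possible beacon: {src} -> {dst} every ~{mean}s (CV {cv})")
```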