Detects C2 beaconing patterns in network traffic using frequency analysis, jitter calculation, and coefficient of variation scoring. Useful for threat hunting periodic callbacks from compromised endpoints.
`npx claudepluginhub killvxk/cybersecurity-skills-zh`

This skill uses the workspace's default tool permissions.
- When proactively hunting for compromised endpoints that call back to C2 infrastructure
| Concept | Description |
|---|---|
| T1071.001 | Application Layer Protocol: Web Protocols; HTTP/HTTPS beaconing |
| T1071.004 | Application Layer Protocol: DNS; DNS-based C2 tunnelling |
| T1573 | Encrypted Channel; TLS/SSL-encrypted C2 communication |
| T1568.002 | Dynamic Resolution: Domain Generation Algorithms (DGA) |
| Coefficient of variation (CV) | Standard deviation of the inter-connection interval divided by its mean; below 0.20 is treated as periodic. A jittered beacon raises the CV, but far less than human-driven traffic does |
| Jitter | Random variation added to the beacon interval (typically a percentage of the sleep time) to evade detection |
| RITA beacon score | Composite score built from connection regularity, data-size consistency and connection count |
| JA3/JA4 fingerprints | TLS client fingerprints used to identify C2 framework signatures |
| Fast-Flux DNS | Rapidly changing DNS resolution used to shield C2 infrastructure |
| Tool | Purpose |
|---|---|
| RITA (Real Intelligence Threat Analytics) | Automated beacon scoring from Zeek logs |
| AC-Hunter | Commercial threat hunting platform with beacon detection |
| Splunk | SPL statistical beacon analysis using streamstats |
| Elastic Security | ML anomaly detection for periodic network behaviour |
| Zeek | Network metadata collection (conn.log, dns.log, ssl.log) |
| Suricata | Network IDS with JA3/JA4 TLS fingerprint extraction |
| FLARE | C2 profile and beacon pattern detection |
| VirusTotal | Domain and IP reputation enrichment |
```spl
index=proxy OR index=firewall
| where NOT match(dest, "(?i)(microsoft|google|amazonaws|cloudflare|akamai)")
| bin _time span=1s
| stats count by src_ip dest _time
| streamstats current=f last(_time) as prev_time by src_ip dest
| eval interval=_time-prev_time
| stats count avg(interval) as avg_interval stdev(interval) as stdev_interval min(interval) as min_interval max(interval) as max_interval by src_ip dest
| where count > 50
| eval cv=stdev_interval/avg_interval
| where cv < 0.20 AND avg_interval > 30 AND avg_interval < 86400
| sort cv
| table src_ip dest count avg_interval stdev_interval cv
```

The `bin _time span=1s` collapses bursts within the same second into one connection, so `count` is the number of distinct-second intervals per pair, not raw events. `stdev()` is the sample standard deviation; the first event of every pair has no `prev_time` and its null interval is ignored by the aggregation.
```kql
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Public"
| summarize ConnectionTimes=make_list(Timestamp), Count=count() by DeviceName, RemoteIP, RemoteUrl
| where Count > 50
| extend Intervals = array_sort_asc(ConnectionTimes)
// typed expansion so datetime_diff() gets datetime values, not dynamic
| mv-apply Intervals to typeof(datetime) on (
    serialize                       // next() requires a serialized row order
    | extend NextTime = next(Intervals)
    | where isnotempty(NextTime)
    | extend IntervalSec = datetime_diff('second', NextTime, Intervals)
    | summarize AvgInterval=avg(IntervalSec), StdDev=stdev(IntervalSec)
  )
| extend CV = StdDev / AvgInterval
| where CV < 0.2 and AvgInterval > 30 and AvgInterval < 86400
| sort by CV asc
```

The upper bound on `AvgInterval` matches the SPL query above; without it, a pair seen once or twice a week with a tiny sample can still produce a low CV.
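The scoring that the concept table defines and the SPL/KQL queries implement, written out as an added example so it can be run offline against Zeek-style `conn.log` records. This is not the skill's own code: the record shape (`ts`, `id.orig_h`, `id.resp_h`, `orig_bytes`) follows Zeek field names, the traffic is constructed (one beacon with 10% jitter, one browsing session, one low-volume pair below the count cutoff), the jitter estimate `(max - min) / max` is a heuristic, and the 0-100 risk score weights are illustrative rather than RITA's formula.

```python
"""Interval-CV beacon scoring over Zeek-style conn.log records (added example, constructed data)."""
import random
import statistics
from collections import defaultdict


def make_beacon(src, dst, start, sleep, jitter, n, size):
    """Constructed beacon: each sleep is shortened by up to `jitter` (Cobalt Strike-style jitter)."""
    rng = random.Random(7)
    rows, ts = [], start
    for _ in range(n):
        rows.append({"ts": ts, "id.orig_h": src, "id.resp_h": dst, "orig_bytes": size})
        ts += sleep * (1 - rng.random() * jitter)
    return rows


def make_browsing(src, dst, start, n):
    """Constructed human browsing: exponential gaps (CV near 1) and variable request sizes."""
    rng = random.Random(11)
    rows, ts = [], start
    for _ in range(n):
        rows.append({"ts": ts, "id.orig_h": src, "id.resp_h": dst,
                     "orig_bytes": rng.randint(200, 20000)})
        ts += rng.expovariate(1 / 60)
    return rows


# Constructed sample: 60 s beacon with 10% jitter, a browsing session, and a pair under the count cutoff.
SAMPLE = (make_beacon("10.0.0.5", "203.0.113.10", 1_700_000_000.0, 60, 0.10, 200, 312)
          + make_browsing("10.0.0.7", "198.51.100.20", 1_700_000_000.0, 200)
          + make_browsing("10.0.0.8", "198.51.100.30", 1_700_000_000.0, 10))


def analyze_pairs(records, min_count=50, cv_max=0.20, min_interval=30, max_interval=86400):
    """Per (src, dst) pair: interval CV, data-size CV, jitter estimate and periodic flag, sorted by CV."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append(r)
    out = []
    for (src, dst), rows in by_pair.items():
        if len(rows) <= min_count:          # same "count > 50" cutoff as the SPL/KQL queries
            continue
        rows.sort(key=lambda r: r["ts"])
        intervals = [b["ts"] - a["ts"] for a, b in zip(rows, rows[1:])]
        sizes = [r["orig_bytes"] for r in rows]
        avg = statistics.mean(intervals)
        size_mean = statistics.mean(sizes)
        cv = statistics.stdev(intervals) / avg if avg else float("inf")      # sample stdev, like stdev()
        size_cv = statistics.stdev(sizes) / size_mean if size_mean else float("inf")
        jitter = (max(intervals) - min(intervals)) / max(intervals)  # heuristic: spread over longest sleep
        out.append({
            "src": src, "dst": dst, "count": len(rows),
            "avg_interval": avg, "cv": cv, "size_cv": size_cv, "jitter": jitter,
            "periodic": cv < cv_max and min_interval < avg < max_interval,
        })
    out.sort(key=lambda x: x["cv"])
    return out


def risk_score(result):
    """Illustrative 0-100 score (not RITA's): regularity 50, size consistency 30, volume 20."""
    regularity = (1 - min(result["cv"], 1.0)) * 50
    consistency = (1 - min(result["size_cv"], 1.0)) * 30
    volume = min(result["count"] / 500, 1.0) * 20
    return round(regularity + consistency + volume)


def risk_level(score):
    return "Critical" if score >= 80 else "High" if score >= 60 else "Medium" if score >= 40 else "Low"


def find_beacons(records):
    """Pairs that pass the periodicity test, each with a risk score and level for the hunt template."""
    hits = []
    for r in analyze_pairs(records):
        if r["periodic"]:
            s = risk_score(r)
            hits.append({**r, "risk_score": s, "risk_level": risk_level(s)})
    return hits


if __name__ == "__main__":
    for r in analyze_pairs(SAMPLE):
        print(f'{r["src"]} -> {r["dst"]}: n={r["count"]} avg={r["avg_interval"]:.1f}s '
              f'cv={r["cv"]:.3f} size_cv={r["size_cv"]:.2f} jitter~{r["jitter"]:.0%} '
              f'periodic={r["periodic"]}')
    for h in find_beacons(SAMPLE):
        print("BEACON", h["src"], h["dst"], h["risk_score"], h["risk_level"])
```

With 10% jitter on a 60 s sleep the intervals are spread uniformly over 54-60 s, which gives a CV of about 0.03, well under the 0.20 cutoff, while the exponential browsing gaps land near 1.0. The jitter estimate recovers roughly the configured 10%, which is the value to record in the "Jitter Estimate" field of the finding template. The 10-connection pair never reaches the statistics at all, so a beacon that only called home a handful of times in the window needs a longer window, not a lower threshold.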
```yaml
title: Proxy Connection From Internal Host To External Destination
name: proxy_internal_to_external
status: experimental
logsource:
  category: proxy
detection:
  selection:
    src_ip|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  # the cidr modifier has no negation form; exclude internal destinations via a filter
  filter_internal:
    dst_ip|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter_internal
---
title: Potential C2 Beaconing Pattern Detected
status: experimental
# Beaconing is many connections from one source to ONE destination, so the count is
# grouped by the (src_ip, dst_ip) pair; counting destinations per source would flag
# fan-out (scanning, browsing), not callbacks. Sigma v2 expresses this as a correlation rule.
correlation:
  type: event_count
  rules:
    - proxy_internal_to_external
  group-by:
    - src_ip
    - dst_ip
  timespan: 24h
  condition:
    gte: 50
level: medium
tags:
  - attack.command_and_control
  - attack.t1071.001
```

A count threshold alone only narrows the candidate set; the CV test in the SPL and KQL queries above is what separates a beacon from a busy but legitimate destination.
```text
Hunt ID: TH-BEACON-[DATE]-[SEQ]
Source IP: [internal IP]
Source Host: [hostname from DHCP/DNS]
Destination: [domain/IP]
Protocol: [HTTP/HTTPS/DNS]
Beacon Interval: [mean seconds]
Jitter Estimate: [percent]
Coefficient of Variation: [CV value]
Connection Count: [total connections in the time window]
Data Size CV: [payload consistency metric]
Domain Age: [days since registration]
TI Match: [Yes/No; source]
Risk Score: [0-100]
Risk Level: [Critical/High/Medium/Low]
Indicators: [list of triggered risk factors]
```