Detects C2 beaconing patterns in network traffic via frequency analysis, jitter detection, and domain reputation checks. Useful for threat hunting compromised endpoints communicating with attackers.
Install: `npx claudepluginhub killvxk/cybersecurity-skills-zh`

This skill uses the workspace's default tool permissions.
- When proactively hunting for compromised systems on the network
Detects C2 beaconing patterns in network traffic using frequency analysis, jitter calculation, and coefficient of variation scoring. Useful for threat hunting periodic callbacks from compromised endpoints.
| Concept | Description |
|---|---|
| T1071 | Application Layer Protocol (HTTP/HTTPS/DNS C2) |
| T1071.001 | Web Protocols (HTTP/S beacons) |
| T1071.004 | DNS (DNS tunneling C2) |
| T1573 | Encrypted Channel |
| T1572 | Protocol Tunneling |
| T1568 | Dynamic Resolution (DGA, fast-flux) |
| T1132 | Data Encoding (C2 data encoding) |
| T1095 | Non-Application Layer Protocol |
| Beacon interval | Time between successive C2 callbacks |
| Jitter | Random variation added to the beacon interval |
| DGA | Domain Generation Algorithm |
| Fast-Flux | Rapidly changing DNS resolution records |

| Tool | Purpose |
|---|---|
| RITA (Real Intelligence Threat Analytics) | Automated beacon detection in Zeek logs |
| Splunk | Statistical beacon analysis with SPL |
| Elastic Security | Machine-learning-based beacon anomaly detection |
| Zeek/Bro | Network connection metadata collection |
| Suricata | Network IDS with JA3/JA4 fingerprinting support |
| VirusTotal | Domain and IP reputation lookups |
| PassiveDNS | Historical DNS resolution data |
| Flare | C2 profile detection |
Hunt ID: TH-C2-[date]-[sequence]
Source IP: [internal IP]
Source host: [hostname]
Destination: [domain/IP]
Protocol: [HTTP/HTTPS/DNS/custom]
Beacon interval: [average seconds]
Jitter: [percentage]
Connection count: [total connections]
Data volume: [bytes sent/received]
First seen: [timestamp]
Last seen: [timestamp]
Domain age: [days]
Threat intel match: [yes/no - source]
Risk level: [Critical/High/Medium/Low]
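The description above names frequency analysis, jitter calculation and coefficient-of-variation scoring as the detection method, and the hunt record template lists the fields an analyst records per source/destination pair. The following is an added example of that analysis, not code from the skill or from the page: it groups Zeek conn.log-style records by (source, destination), derives inter-arrival intervals, computes the mean interval, jitter as the coefficient of variation (population standard deviation divided by mean), a beacon score of 1 - CV clamped to [0, 1], and fills the template fields that can be derived from connection metadata. The sample log rows, the `min_connections` floor and the risk thresholds in `risk_level` are constructed assumptions for illustration; domain age and threat-intel match need external lookups and are left out.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample connection metadata (assumption, not from the page), in the
# spirit of Zeek conn.log: (ts, id.orig_h, id.resp_h, service, orig_bytes, resp_bytes).
BEACON_INTERVALS = [60, 62, 58, 63, 57, 61, 59, 60, 62, 58,
                    63, 57, 61, 59, 60, 62, 58, 63, 57]      # ~60 s sleep, +-5% jitter
HUMAN_INTERVALS = [1, 3, 120, 2, 900, 5, 40, 2, 7, 300, 1]   # bursty, human-driven traffic


def _synth(src, dst, service, intervals, start_ts, out_bytes, in_bytes):
    """Build connection rows for one src->dst pair from a list of gaps."""
    ts = start_ts
    rows = [(ts, src, dst, service, out_bytes, in_bytes)]
    for gap in intervals:
        ts += gap
        rows.append((ts, src, dst, service, out_bytes, in_bytes))
    return rows


CONN_LOG = (
    _synth("10.0.0.5", "203.0.113.10", "https", BEACON_INTERVALS, 1_700_000_000, 312, 1024)
    + _synth("10.0.0.7", "198.51.100.20", "https", HUMAN_INTERVALS, 1_700_000_030, 800, 45_000)
    + _synth("10.0.0.9", "192.0.2.50", "dns", [30, 30], 1_700_000_100, 64, 128)  # too few samples
)


def analyze_pairs(rows, min_connections=10):
    """Per (src, dst) pair: interval statistics and a beacon score.

    jitter_pct is the coefficient of variation of the inter-arrival gaps
    (population stdev / mean) as a percentage; beacon_score = 1 - CV clamped
    to [0, 1], so perfectly periodic callbacks score 1.0 and erratic traffic 0.0.
    Pairs with fewer than min_connections are skipped: periodicity cannot be
    judged from a handful of connections.
    """
    by_pair = defaultdict(list)
    for row in rows:
        by_pair[(row[1], row[2])].append(row)
    results = {}
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_connections:
            continue
        conns.sort(key=lambda r: r[0])
        times = [r[0] for r in conns]
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = float(mean(gaps))
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        results[(src, dst)] = {
            "service": conns[0][3],
            "connections": len(conns),
            "interval_s": round(avg, 1),
            "jitter_pct": round(cv * 100, 1),
            "beacon_score": round(max(0.0, min(1.0, 1 - cv)), 2),
            "bytes_out": sum(r[4] for r in conns),
            "bytes_in": sum(r[5] for r in conns),
            "first_seen": times[0],
            "last_seen": times[-1],
        }
    return results


def risk_level(stats, max_jitter_pct=15.0):
    """Illustrative triage thresholds (assumption): tight jitter over many
    callbacks is High; moderate jitter Medium; anything else Low."""
    if stats["jitter_pct"] <= max_jitter_pct and stats["connections"] >= 20:
        return "High"
    if stats["jitter_pct"] <= 30.0:
        return "Medium"
    return "Low"


def hunt_record(hunt_id, src, dst, stats):
    """Render the template fields derivable from connection metadata."""
    def iso(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return {
        "Hunt ID": hunt_id,
        "Source IP": src,
        "Destination": dst,
        "Protocol": stats["service"].upper(),
        "Beacon interval": f'{stats["interval_s"]} s',
        "Jitter": f'{stats["jitter_pct"]}%',
        "Connection count": stats["connections"],
        "Data volume": f'{stats["bytes_out"]}/{stats["bytes_in"]} bytes',
        "First seen": iso(stats["first_seen"]),
        "Last seen": iso(stats["last_seen"]),
        "Risk level": risk_level(stats),
    }


if __name__ == "__main__":
    for n, ((src, dst), st) in enumerate(analyze_pairs(CONN_LOG).items(), 1):
        if st["beacon_score"] >= 0.8:  # report only beacon-like pairs
            for field, value in hunt_record(f"TH-C2-20231114-{n:03d}", src, dst, st).items():
                print(f"{field}: {value}")
            print()
```

On the constructed data the 10.0.0.5 pair comes out at a 60.0 s mean interval with 3.5% jitter and a score of 0.97, the bursty 10.0.0.7 pair scores 0.0, and the two-connection DNS pair is not scored at all. Real Zeek data needs the same two guards: drop pairs below the sample floor, and treat CV on its own as a ranking signal rather than a verdict, since schedulers and health checks are also periodic.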