
C2 Beaconing

Anvilogic Forge

Summary
This threat detection rule identifies command and control (C2) beaconing activity, which indicates compromised hosts within a network. Attackers set up C2 servers to maintain communication with installed malware; the malware sends periodic beacons to these servers to check for commands. This interaction usually produces predictable outbound traffic patterns that can be monitored. The rule uses network data, excluding local traffic IP ranges, to analyze the frequency and characteristics of outbound connections. By examining the time intervals between connections and the volume of bytes sent, the detection logic can identify unusually regular patterns that suggest beaconing and therefore possible compromise. The rule is also associated with specific threat actors known for C2 activity, including the Gorgon Group and others, and with malware families such as Trickbot and Bazar.
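The interval-and-byte-count logic described above, as an added illustration that is not Anvilogic's own rule code: connection records are grouped per source/destination pair, local-range destinations are dropped, and a pair is flagged when both its inter-connection timing and its outbound byte sizes are very regular. The flow records, IP addresses, thresholds and the coefficient-of-variation measure are constructed assumptions for the example.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample flow records: (timestamp_s, src_ip, dst_ip, bytes_out).
# 10.0.0.5 -> 203.0.113.10 beacons every ~60 s with a near-constant payload;
# 10.0.0.5 -> 10.0.0.9 is just as regular but internal, so the local filter drops it;
# 10.0.0.7 -> 198.51.100.20 is irregular browsing; 10.0.0.7 -> 203.0.113.50 is too sparse.
SAMPLE_CONNECTIONS = [
    (0, "10.0.0.5", "203.0.113.10", 512), (61, "10.0.0.5", "203.0.113.10", 520),
    (119, "10.0.0.5", "203.0.113.10", 512), (181, "10.0.0.5", "203.0.113.10", 516),
    (240, "10.0.0.5", "203.0.113.10", 512), (299, "10.0.0.5", "203.0.113.10", 518),
    (0, "10.0.0.5", "10.0.0.9", 512), (60, "10.0.0.5", "10.0.0.9", 512),
    (120, "10.0.0.5", "10.0.0.9", 512), (180, "10.0.0.5", "10.0.0.9", 512),
    (240, "10.0.0.5", "10.0.0.9", 512), (300, "10.0.0.5", "10.0.0.9", 512),
    (0, "10.0.0.7", "198.51.100.20", 1200), (5, "10.0.0.7", "198.51.100.20", 80),
    (90, "10.0.0.7", "198.51.100.20", 15000), (95, "10.0.0.7", "198.51.100.20", 300),
    (400, "10.0.0.7", "198.51.100.20", 4400), (402, "10.0.0.7", "198.51.100.20", 90),
    (10, "10.0.0.7", "203.0.113.50", 700), (70, "10.0.0.7", "203.0.113.50", 700),
]
# Local ranges excluded from analysis (RFC 1918 here; add your own internal CIDRs).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)

def _cv(values):
    """Coefficient of variation (stdev / mean): a low value means a very regular series."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")

def find_beacons(records, min_conns=5, max_interval_cv=0.2, max_bytes_cv=0.2):
    """Return {(src, dst): stats} for external destinations whose inter-connection
    timing and outbound byte counts are both regular enough to look like beaconing."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        if not is_local(dst):               # skip local-range destinations
            by_pair[(src, dst)].append((ts, nbytes))
    flagged = {}
    for pair, conns in by_pair.items():
        if len(conns) < min_conns:          # too few samples to judge periodicity
            continue
        conns.sort()
        intervals = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        sizes = [nbytes for _, nbytes in conns]
        interval_cv, bytes_cv = _cv(intervals), _cv(sizes)
        if interval_cv <= max_interval_cv and bytes_cv <= max_bytes_cv:
            flagged[pair] = {"count": len(conns), "mean_interval": statistics.mean(intervals),
                             "interval_cv": interval_cv, "bytes_cv": bytes_cv}
    return flagged
```

Real deployments tune the thresholds per environment and add allow-lists for legitimate periodic traffic such as update checks and monitoring agents, which otherwise look just as regular as a beacon.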
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
  • Process
ATT&CK Techniques
  • T1095
Created: 2024-02-09