
Summary
The 'Statistical Model Detected C2 Beaconing Activity' rule identifies command-and-control (C2) beaconing activity through statistical analysis of network traffic patterns. Beaconing lets attackers maintain covert, periodic communication with their C2 servers, through which they issue instructions, exfiltrate data, and keep persistence within a compromised network. The detection mechanism uses real-time data from the 'ml_beaconing.all' indices and is configured to scrutinize traffic patterns for suspicious regularity while excluding known benign applications that generate similar scheduled network activity. By doing so, it aims to minimize false positives while highlighting potential threats. Investigations guided by this rule involve analyzing the flagged network logs, cross-referencing threat intelligence on the destination IP addresses, assessing the frequency and regularity of the communication, and reviewing running processes on the suspected systems. Appropriate responses include isolating affected systems, terminating suspicious processes, scanning for malware, and engaging the SOC for further analysis.
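The following is an added illustration of the statistical approach the summary describes, not the rule's own logic or Elastic's implementation: it groups connection events by source, destination and process, measures how regular the inter-arrival intervals are (coefficient of variation of the gaps), and skips processes on an allowlist of known schedulers. The event lines, the thresholds, the process names and the allowlist are all constructed for this example.

```python
"""Toy beacon detector in the spirit of the rule summary above (added example).

Flags (src, dst, process) flows whose connection inter-arrival times are
suspiciously regular. The sample events, thresholds and benign-process
allowlist below are constructed for illustration, not taken from the rule.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed allowlist of processes known to poll on a fixed schedule;
# a real deployment would populate this from observed benign behaviour.
BENIGN_PROCESSES = {"ntpd", "updater.exe"}

MIN_EVENTS = 6          # need enough samples before judging regularity
MAX_CV = 0.15           # std/mean of the gaps at or below this => periodic
MAX_INTERVAL = 3600.0   # ignore flows slower than hourly

# Constructed sample log: "epoch_seconds,src_ip,dst_ip,process"
SAMPLE_EVENTS = [
    # suspected beacon: ~60 s period with a few seconds of jitter
    "1000,10.0.0.5,203.0.113.7,updsvc.exe",
    "1061,10.0.0.5,203.0.113.7,updsvc.exe",
    "1119,10.0.0.5,203.0.113.7,updsvc.exe",
    "1180,10.0.0.5,203.0.113.7,updsvc.exe",
    "1240,10.0.0.5,203.0.113.7,updsvc.exe",
    "1301,10.0.0.5,203.0.113.7,updsvc.exe",
    "1359,10.0.0.5,203.0.113.7,updsvc.exe",
    "1420,10.0.0.5,203.0.113.7,updsvc.exe",
    # benign scheduler: perfectly periodic but allowlisted
    "1000,10.0.0.5,192.0.2.1,ntpd", "1064,10.0.0.5,192.0.2.1,ntpd",
    "1128,10.0.0.5,192.0.2.1,ntpd", "1192,10.0.0.5,192.0.2.1,ntpd",
    "1256,10.0.0.5,192.0.2.1,ntpd", "1320,10.0.0.5,192.0.2.1,ntpd",
    # interactive browsing: bursty, irregular gaps
    "1000,10.0.0.5,198.51.100.9,browser.exe", "1005,10.0.0.5,198.51.100.9,browser.exe",
    "1130,10.0.0.5,198.51.100.9,browser.exe", "1135,10.0.0.5,198.51.100.9,browser.exe",
    "1400,10.0.0.5,198.51.100.9,browser.exe", "1402,10.0.0.5,198.51.100.9,browser.exe",
    "1900,10.0.0.5,198.51.100.9,browser.exe", "1903,10.0.0.5,198.51.100.9,browser.exe",
    "this line is malformed and must be skipped",
]


def parse_event(line):
    """Parse 'epoch,src,dst,process' into a tuple; return None on bad input."""
    parts = line.strip().split(",")
    if len(parts) != 4:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]


def interval_stats(timestamps):
    """Return (mean_gap, coefficient_of_variation, jitter) for sorted timestamps."""
    deltas = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mu = mean(deltas)
    cv = pstdev(deltas) / mu if mu > 0 else float("inf")
    return mu, cv, max(deltas) - min(deltas)


def find_beacons(lines, allowlist=BENIGN_PROCESSES):
    """Group events by (src, dst, process) and return the flows that look periodic."""
    flows = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue                      # drop unparseable records
        ts, src, dst, proc = ev
        flows[(src, dst, proc)].append(ts)

    hits = []
    for (src, dst, proc), stamps in flows.items():
        if proc in allowlist or len(stamps) < MIN_EVENTS:
            continue                      # allowlisted or too few samples
        stamps.sort()
        mu, cv, jitter = interval_stats(stamps)
        if mu <= MAX_INTERVAL and cv <= MAX_CV:
            hits.append({"src": src, "dst": dst, "process": proc,
                         "count": len(stamps), "mean_interval": round(mu, 1),
                         "cv": round(cv, 3), "jitter": round(jitter, 1)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_EVENTS):
        print(hit)
```

Only the `updsvc.exe` flow is reported: `ntpd` is just as regular but is excluded by the allowlist (passing `allowlist=set()` surfaces it too, which is the false-positive class the rule's exclusions exist for), and the browsing flow fails the regularity threshold. The coefficient of variation is a deliberately simple regularity measure; a production model would also account for payload sizes, long-tail intervals and adversarial jitter.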
Categories
- Network
- Cloud
- On-Premise
Data Sources
- Network Traffic
- Application Log
- Cloud Service
ATT&CK Techniques
- T1102
- T1102.002
Created: 2023-09-22