ReddRadar
Agent skill
hunting-for-command-and-control-beaconing
Detect C2 beaconing patterns in network traffic using frequency analysis, jitter detection, and domain reputation to identify compromised endpoints communicating with adversary infrastructure.
Install this agent skill to your Project
npx add-skill https://github.com/autohandai/community-skills/tree/main/hunting-for-command-and-control-beaconing
SKILL.md
Hunting for Command and Control Beaconing
When to Use
- When proactively hunting for compromised systems in the network
- After threat intel indicates C2 frameworks targeting your industry
- When investigating periodic outbound connections to suspicious domains
- During incident response to identify active C2 channels
- When DNS query logs show unusual patterns to specific domains
Prerequisites
- Network proxy/firewall logs with full URL and timing data
- DNS query logs (passive DNS, DNS server logs, or Sysmon Event ID 22)
- Zeek/Bro network connection logs or NetFlow data
- SIEM with statistical analysis capabilities (Splunk, Elastic)
- Threat intelligence feeds for domain/IP reputation
Workflow
- Identify Beaconing Characteristics: Define what constitutes beaconing (regular intervals, small payload sizes, consistent destinations, jitter patterns).
- Collect Network Telemetry: Aggregate proxy logs, DNS queries, and connection metadata for analysis.
- Apply Frequency Analysis: Identify connections with regular intervals using statistical methods (standard deviation, coefficient of variation).
- Filter Known-Good Traffic: Exclude legitimate periodic traffic (Windows Update, AV updates, heartbeat services, NTP).
- Analyze Domain/IP Reputation: Check identified beaconing destinations against threat intel, WHOIS data, and certificate transparency logs.
- Investigate Endpoint Context: Correlate beaconing activity with process creation, user context, and file system changes on source endpoints.
- Confirm and Respond: Validate C2 activity, block communication, and initiate incident response.
Key Concepts
| Concept | Description |
|---|---|
| T1071 | Application Layer Protocol (HTTP/HTTPS/DNS C2) |
| T1071.001 | Web Protocols (HTTP/S beaconing) |
| T1071.004 | DNS (DNS tunneling C2) |
| T1573 | Encrypted Channel |
| T1572 | Protocol Tunneling |
| T1568 | Dynamic Resolution (DGA, fast-flux) |
| T1132 | Data Encoding in C2 |
| T1095 | Non-Application Layer Protocol |
| Beacon Interval | Time between C2 check-ins |
| Jitter | Random variation in beacon interval |
| DGA | Domain Generation Algorithm |
| Fast-Flux | Rapidly changing DNS resolution |
Tools & Systems
| Tool | Purpose |
|---|---|
| RITA (Real Intelligence Threat Analytics) | Automated beacon detection in Zeek logs |
| Splunk | Statistical beacon analysis with SPL |
| Elastic Security | ML-based anomaly detection for beaconing |
| Zeek/Bro | Network connection metadata collection |
| Suricata | Network IDS with JA3/JA4 fingerprinting |
| VirusTotal | Domain and IP reputation checking |
| PassiveDNS | Historical DNS resolution data |
| Flare | C2 profile detection |
Common Scenarios
- Cobalt Strike Beacon: HTTP/HTTPS beaconing with configurable sleep time and jitter to malleable C2 profiles.
- DNS Tunneling C2: Data exfiltration and command receipt via encoded DNS TXT/CNAME queries to attacker-controlled domains.
- Sliver C2 over HTTPS: Modern C2 framework using HTTPS with configurable beacon intervals and domain fronting.
- DGA-based C2: Malware generating random domains daily, with adversary registering upcoming domains for C2.
- Legitimate Service Abuse: C2 over legitimate cloud services (Azure, AWS, Slack, Discord, Telegram).
Output Format
Hunt ID: TH-C2-[DATE]-[SEQ]
Source IP: [Internal IP]
Source Host: [Hostname]
Destination: [Domain/IP]
Protocol: [HTTP/HTTPS/DNS/Custom]
Beacon Interval: [Average seconds]
Jitter: [Percentage]
Connection Count: [Total connections]
Data Volume: [Bytes sent/received]
First Seen: [Timestamp]
Last Seen: [Timestamp]
Domain Age: [Days]
TI Match: [Yes/No - source]
Risk Level: [Critical/High/Medium/Low]
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
autohandai/community-skills
mapping-mitre-attack-techniques
Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.
autohandai/community-skills
hunting-for-spearphishing-indicators
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
autohandai/community-skills
analyzing-malicious-url-with-urlscan
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
autohandai/community-skills
implementing-zero-standing-privilege-with-cyberark
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
autohandai/community-skills
implementing-pam-for-database-access
Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia
autohandai/community-skills
detecting-t1003-credential-dumping-with-edr
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
Didn't find tool you were looking for?