Asi hunting-for-command-and-control-beaconing
Detect C2 beaconing patterns in network traffic using frequency analysis, jitter detection, and domain reputation to identify compromised endpoints communicating with adversary infrastructure.
install
source · Clone the upstream repo
git clone https://github.com/plurigrid/asi
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/asi/skills/hunting-for-command-and-control-beaconing" ~/.claude/skills/plurigrid-asi-hunting-for-command-and-control-beaconing && rm -rf "$T"
manifest:
plugins/asi/skills/hunting-for-command-and-control-beaconing/SKILL.mdsource content
Hunting for Command and Control Beaconing
When to Use
- When proactively hunting for compromised systems in the network
- After threat intel indicates C2 frameworks targeting your industry
- When investigating periodic outbound connections to suspicious domains
- During incident response to identify active C2 channels
- When DNS query logs show unusual patterns to specific domains
Prerequisites
- Network proxy/firewall logs with full URL and timing data
- DNS query logs (passive DNS, DNS server logs, or Sysmon Event ID 22)
- Zeek/Bro network connection logs or NetFlow data
- SIEM with statistical analysis capabilities (Splunk, Elastic)
- Threat intelligence feeds for domain/IP reputation
Workflow
- Identify Beaconing Characteristics: Define what constitutes beaconing (regular intervals, small payload sizes, consistent destinations, jitter patterns).
- Collect Network Telemetry: Aggregate proxy logs, DNS queries, and connection metadata for analysis.
- Apply Frequency Analysis: Identify connections with regular intervals using statistical methods (standard deviation, coefficient of variation).
- Filter Known-Good Traffic: Exclude legitimate periodic traffic (Windows Update, AV updates, heartbeat services, NTP).
- Analyze Domain/IP Reputation: Check identified beaconing destinations against threat intel, WHOIS data, and certificate transparency logs.
- Investigate Endpoint Context: Correlate beaconing activity with process creation, user context, and file system changes on source endpoints.
- Confirm and Respond: Validate C2 activity, block communication, and initiate incident response.
Key Concepts
| Concept | Description |
|---|---|
| T1071 | Application Layer Protocol (HTTP/HTTPS/DNS C2) |
| T1071.001 | Web Protocols (HTTP/S beaconing) |
| T1071.004 | DNS (DNS tunneling C2) |
| T1573 | Encrypted Channel |
| T1572 | Protocol Tunneling |
| T1568 | Dynamic Resolution (DGA, fast-flux) |
| T1132 | Data Encoding in C2 |
| T1095 | Non-Application Layer Protocol |
| Beacon Interval | Time between C2 check-ins |
| Jitter | Random variation in beacon interval |
| DGA | Domain Generation Algorithm |
| Fast-Flux | Rapidly changing DNS resolution |
Tools & Systems
| Tool | Purpose |
|---|---|
| RITA (Real Intelligence Threat Analytics) | Automated beacon detection in Zeek logs |
| Splunk | Statistical beacon analysis with SPL |
| Elastic Security | ML-based anomaly detection for beaconing |
| Zeek/Bro | Network connection metadata collection |
| Suricata | Network IDS with JA3/JA4 fingerprinting |
| VirusTotal | Domain and IP reputation checking |
| PassiveDNS | Historical DNS resolution data |
| Flare | C2 profile detection |
Common Scenarios
- Cobalt Strike Beacon: HTTP/HTTPS beaconing with configurable sleep time and jitter to malleable C2 profiles.
- DNS Tunneling C2: Data exfiltration and command receipt via encoded DNS TXT/CNAME queries to attacker-controlled domains.
- Sliver C2 over HTTPS: Modern C2 framework using HTTPS with configurable beacon intervals and domain fronting.
- DGA-based C2: Malware generating random domains daily, with adversary registering upcoming domains for C2.
- Legitimate Service Abuse: C2 over legitimate cloud services (Azure, AWS, Slack, Discord, Telegram).
Output Format
Hunt ID: TH-C2-[DATE]-[SEQ] Source IP: [Internal IP] Source Host: [Hostname] Destination: [Domain/IP] Protocol: [HTTP/HTTPS/DNS/Custom] Beacon Interval: [Average seconds] Jitter: [Percentage] Connection Count: [Total connections] Data Volume: [Bytes sent/received] First Seen: [Timestamp] Last Seen: [Timestamp] Domain Age: [Days] TI Match: [Yes/No - source] Risk Level: [Critical/High/Medium/Low]