Statistical Model Detected C2 Beaconing Activity | Elastic Security Solution [8.13]

› › ›

« Startup/Logon Script added to Group Policy Object Statistical Model Detected C2 Beaconing Activity with High Confidence »

Statistical Model Detected C2 Beaconing Activityedit

A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.

Rule type: query

Rule indices:

ml_beaconing.all

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-1h (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Network
Use Case: C2 Beaconing Detection
Tactic: Command and Control

Version: 4

Rule authors:

Elastic

Rule license: Elastic License v2

Setupedit

Setup

The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.

Network Beaconing Identification Setup

The Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.

Prerequisite Requirements:

Fleet is required for Network Beaconing Identification.
To configure Fleet Server refer to the documentation.
Network events collected by the Elastic Defend or Network Packet Capture integration.
To install Elastic Defend, refer to the documentation.
To add the Network Packet Capture integration to an Elastic Agent policy, refer to this guide.

The following steps should be executed to install assets associated with the Network Beaconing Identification integration:

Go to the Kibana homepage. Under Management, click Integrations.
In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
Under Settings, click "Install Network Beaconing Identification assets" and follow the prompts to install the assets.

Rule queryedit

beacon_stats.is_beaconing: true and
not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or "WindowsAzureGuestAgent.exe" or "HealthService.exe" or "Widgets.exe" or "lsass.exe" or "msedgewebview2.exe" or "MsMpEng.exe" or "OUTLOOK.EXE" or "msteams.exe" or "FileSyncHelper.exe" or "SearchProtocolHost.exe" or "Creative Cloud.exe" or "ms-teams.exe" or "ms-teamsupdate.exe" or "curl.exe" or "rundll32.exe" or "MsSense.exe" or "wermgr.exe" or "java" or "olk.exe" or "iexplore.exe" or "NetworkManager" or "packetbeat" or "Ssms.exe" or "NisSrv.exe" or "gamingservices.exe" or "appidcertstorecheck.exe" or "POWERPNT.EXE" or "miiserver.exe" or "Grammarly.Desktop.exe" or "SnagitEditor.exe" or "CRWindowsClientService.exe")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Web Service
- ID: T1102
- Reference URL: https://attack.mitre.org/techniques/T1102/
Sub-technique:
- Name: Bidirectional Communication
- ID: T1102.002
- Reference URL: https://attack.mitre.org/techniques/T1102/002/

« Startup/Logon Script added to Group Policy Object Statistical Model Detected C2 Beaconing Activity with High Confidence »