IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Statistical Model Detected C2 Beaconing Activity
A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data, and maintain persistence in a network.
Rule type: query
Rule indices:
- ml_beaconing.all
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-1h (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Network
- Use Case: C2 Beaconing Detection
- Tactic: Command and Control
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
beacon_stats.is_beaconing: true
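As an added illustration (not Elastic's own detection-engine code), the Python below models how this rule's schedule and query select documents from ml_beaconing.all: a 5-minute interval with a 1-hour look-back means each matching document falls inside about twelve consecutive windows, so per-document alert de-duplication (modelled here as an assumption about the engine) is what keeps one beaconing event from raising a dozen alerts, while the 100-alert cap can silently truncate matches in a busy window. The document shape, IDs, and timestamps are constructed.

```python
"""Model of this rule's execution: runs every 5m, searches now-1h,
maximum 100 alerts per execution, query `beacon_stats.is_beaconing: true`.
Added illustration, not Elastic code; de-duplication is an assumption."""
from datetime import datetime, timedelta, timezone

RULE_INTERVAL = timedelta(minutes=5)   # "Runs every: 5m"
LOOKBACK = timedelta(hours=1)          # "Searches indices from: now-1h"
MAX_ALERTS = 100                       # "Maximum alerts per execution: 100"

# Constructed reference time for the first execution.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed documents in the shape the rule query expects (ids are made up).
SAMPLE_DOCS = [
    {"_id": "d1", "@timestamp": T0 - timedelta(minutes=50),
     "beacon_stats": {"is_beaconing": True}},
    {"_id": "d2", "@timestamp": T0 - timedelta(minutes=20),
     "beacon_stats": {"is_beaconing": False}},   # filtered out by the query
    {"_id": "d3", "@timestamp": T0 - timedelta(minutes=3),
     "beacon_stats": {"is_beaconing": True}},
    {"_id": "d4", "@timestamp": T0 - timedelta(minutes=90),
     "beacon_stats": {"is_beaconing": True}},    # older than the look-back
]


def matches_rule_query(doc):
    """Evaluate the KQL `beacon_stats.is_beaconing: true` on one document."""
    return doc.get("beacon_stats", {}).get("is_beaconing") is True


def run_once(docs, now):
    """One execution: window now-1h..now, apply the query, cap the alerts.
    Oldest-first ordering before the cap is an assumption of this model."""
    hits = [d for d in docs
            if now - LOOKBACK <= d["@timestamp"] <= now and matches_rule_query(d)]
    hits.sort(key=lambda d: d["@timestamp"])
    return [d["_id"] for d in hits[:MAX_ALERTS]]


def simulate(docs, start, runs):
    """Consecutive executions 5 minutes apart. Returns the raw hits per run
    (showing the window overlap) and the de-duplicated set of documents
    that would surface as alerts."""
    per_run, seen = [], set()
    for i in range(runs):
        ids = run_once(docs, start + i * RULE_INTERVAL)
        per_run.append(ids)
        seen.update(ids)
    return per_run, seen
```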
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/
- Technique:
  - Name: Web Service
  - ID: T1102
  - Reference URL: https://attack.mitre.org/techniques/T1102/
- Sub-technique:
  - Name: Bidirectional Communication
  - ID: T1102.002
  - Reference URL: https://attack.mitre.org/techniques/T1102/002/