IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Statistical Model Detected C2 Beaconing Activity with High Confidence
A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing lets an attacker maintain stealthy, periodic communication with a C2 server, receive instructions and payloads, exfiltrate data and keep persistence in a network. This rule does not compute the beaconing statistics itself: it alerts on documents already written to the ml_beaconing.all index whose beaconing score is 3, the value the model assigns to high-confidence detections.
Rule type: query
Rule indices:
- ml_beaconing.all
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-1h (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Network
- Use Case: C2 Beaconing Detection
- Tactic: Command and Control
Version: 3
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
beacon_stats.beaconing_score: 3
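The query above is a single exact match, so the practical questions are what it does and does not select and how the schedule behaves: a one-hour window polled every five minutes sees the same document up to twelve times, and each execution is capped at 100 alerts. The following is an added example (not Elastic's rule engine or the ml_beaconing transform) that emulates the query, the lookback window, the cap and the alert suppression that keeps a beacon from alerting a dozen times. Only beacon_stats.beaconing_score is a field named on the page; @timestamp, source.ip, destination.ip and _id are assumed field names used to make the constructed sample documents concrete.

```python
from datetime import datetime, timedelta, timezone

# Added example: emulates how this rule's query and schedule select documents.
# Field names other than beacon_stats.beaconing_score (@timestamp, source.ip,
# destination.ip, _id) are assumptions for the sample data, not from the page.

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LOOKBACK = timedelta(hours=1)       # "Searches indices from: now-1h"
INTERVAL = timedelta(minutes=5)     # "Runs every: 5m"
MAX_ALERTS = 100                    # "Maximum alerts per execution: 100"


def make_doc(doc_id, age, score, src="10.0.0.5", dst="203.0.113.10"):
    """Build a constructed ml_beaconing.all-style document dated `age` before NOW."""
    doc = {"_id": doc_id, "@timestamp": NOW - age, "source.ip": src, "destination.ip": dst}
    if score is not None:
        doc["beacon_stats"] = {"beaconing_score": score}
    return doc


# Constructed sample hits: two high-confidence beacons inside the window,
# one lower-confidence hit, one high-confidence hit older than the lookback,
# and one document with no beacon_stats at all.
SAMPLE_DOCS = [
    make_doc("a1", timedelta(minutes=3), 3),
    make_doc("a2", timedelta(minutes=20), 2, src="10.0.0.7", dst="198.51.100.8"),
    make_doc("a3", timedelta(minutes=50), 3, src="10.0.0.9", dst="192.0.2.44"),
    make_doc("a4", timedelta(minutes=90), 3, src="10.0.0.11"),
    make_doc("a5", timedelta(minutes=10), None),
]


def matches_rule_query(doc):
    """KQL `beacon_stats.beaconing_score: 3` is an exact match on the field;
    documents missing the field or holding any other score do not match."""
    return doc.get("beacon_stats", {}).get("beaconing_score") == 3


def in_lookback(doc, now):
    """The now-1h window: timestamps older than one hour are never searched."""
    return now - LOOKBACK <= doc["@timestamp"] <= now


def execute_rule(docs, now, seen_ids):
    """One rule execution at `now`. `seen_ids` carries the document ids already
    alerted on: a 1h window polled every 5m returns each hit on up to 12
    consecutive executions, so without suppression one beacon yields 12 alerts."""
    alerts = []
    for doc in sorted(docs, key=lambda d: d["@timestamp"]):
        if not in_lookback(doc, now) or not matches_rule_query(doc):
            continue
        if doc["_id"] in seen_ids:
            continue
        seen_ids.add(doc["_id"])
        alerts.append({"id": doc["_id"], "source.ip": doc["source.ip"],
                       "destination.ip": doc["destination.ip"],
                       "risk_score": 21, "severity": "low"})
        if len(alerts) >= MAX_ALERTS:
            break   # remaining matches are left for the next execution
    return alerts


def simulate(docs, start, executions):
    """Run the rule `executions` times, INTERVAL apart, returning alerts per run."""
    seen = set()
    return [execute_rule(docs, start + i * INTERVAL, seen) for i in range(executions)]


if __name__ == "__main__":
    for i, run in enumerate(simulate(SAMPLE_DOCS, NOW, 3)):
        print(f"execution {i}: {[a['id'] for a in run]}")
```

Running the simulation alerts on a3 and a1 in the first execution and on nothing in the next two, even though both documents are still inside the search window; a2 (score 2), a5 (no beacon_stats field) and a4 (older than one hour) never match. The cap matters when a beaconing transform writes many results at once: more than 100 high-confidence hits in one window means the surplus is only seen if it is still inside the window on a later execution.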
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/
- Technique:
  - Name: Web Service
  - ID: T1102
  - Reference URL: https://attack.mitre.org/techniques/T1102/
- Sub-technique:
  - Name: Bidirectional Communication
  - ID: T1102.002
  - Reference URL: https://attack.mitre.org/techniques/T1102/002/