detecting-beaconing-patterns-with-zeek

Solid

Performs statistical analysis of Zeek conn.log connection intervals to detect C2 beaconing patterns. Uses the ZAT library to load Zeek logs into Pandas DataFrames, calculates inter-arrival time standard deviation, and flags periodic connections with low jitter. Use when hunting for command-and-control callbacks in network data.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Quality Score: 97/100

- Stars (20%): 100
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 95
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Detecting Beaconing Patterns with Zeek

## When to Use

- When investigating security incidents that require detecting beaconing patterns with Zeek
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

Load Zeek conn.log data using ZAT (Zeek Analysis Tools), group connections by source/destination pairs, and compute timing statistics to identify beaconing.

```python
from zat.log_to_dataframe import LogToDataFrame
import numpy as np

# ts_index=False keeps 'ts' as a datetime column instead of moving it to the
# DataFrame index, so it can be selected per group below
log_to_df = LogToDataFrame()
conn_df = log_to_df.create_dataframe('/path/to/conn.log', ts_index=False)

# Group by src/dst pair and calculate inter-arrival time
for (src, dst), group in conn_df.groupby(['id.orig_h', 'id.resp_h']):
    times = group['ts'].sort_values()
    intervals = times.diff().dt.total_seconds().dropna()
    if len(intervals) > 10:
        std_dev = np.std(intervals)
        mean_interval = np.mean(intervals)
        # Low std_dev relative to mean = likely beaconing
        # (0.2 is an illustrative coefficient-of-variation threshold; tune per network)
        if mean_interval > 0 and std_dev / mean_interval < 0.2:
            print(f"{src} -> {dst}: {len(intervals)} intervals, "
                  f"mean {mean_interval:.1f}s, std {std_dev:.1f}s")
```

Key analysis steps:

1. Parse Zeek conn.log into DataFrame with ZAT LogToDataFrame
2. Group connections by source IP and destination IP pairs
3. Calculate ...
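The scoring logic the instructions describe, carried through on constructed data as an added example (this is not code from the skill or its repository). It uses only the Python standard library instead of ZAT and pandas so it runs offline, and the input records are constructed tuples in conn.log field order (ts, id.orig_h, id.resp_h) rather than a parsed log. Two checks are computed per source/destination pair: the coefficient of variation (std / mean) of inter-arrival times, and the share of intervals that fall within 10% of the median, which resists a single long outlier gap that would inflate the standard deviation. The `min_connections`, `max_cv` and 10% window values are assumptions chosen for illustration, not thresholds from the skill.

```python
"""Beacon-candidate scoring over conn.log-style records (added example, standard library only)."""
from collections import defaultdict
from statistics import mean, median, pstdev


def build_sample():
    """Constructed records: (ts, id.orig_h, id.resp_h), not real traffic."""
    records = []
    # Pair A: roughly every 60 s with +/-2 s jitter (beacon-like)
    jitter = [0, 2, -1, 1, -2, 0, 1, -1, 2, 0, -1, 1, 0, -2, 1]
    t = 1_700_000_000.0
    for j in jitter:
        t += 60 + j
        records.append((t, "10.0.0.5", "203.0.113.10"))
    # Pair B: irregular gaps typical of interactive browsing
    gaps = [3, 45, 1, 2, 300, 7, 120, 1, 1, 900, 15, 2, 60, 4, 250]
    t = 1_700_000_000.0
    for g in gaps:
        t += g
        records.append((t, "10.0.0.7", "198.51.100.20"))
    return records


def beacon_stats(records, min_connections=10):
    """Group by (orig_h, resp_h) and compute inter-arrival statistics per pair.

    Pairs with fewer than min_connections intervals are skipped: too few
    samples make the standard deviation meaningless.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)

    results = {}
    for pair, times in by_pair.items():
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        if len(intervals) < min_connections:
            continue
        m = mean(intervals)
        sd = pstdev(intervals)
        med = median(intervals)
        # Fraction of intervals within 10% of the median (assumed window)
        near_median = sum(1 for i in intervals if abs(i - med) <= 0.1 * med)
        results[pair] = {
            "count": len(times),
            "mean": m,
            "std": sd,
            "cv": sd / m if m > 0 else float("inf"),
            "median_share": near_median / len(intervals),
        }
    return results


def flag_beacons(stats, max_cv=0.2, min_median_share=0.8):
    """Return pairs whose timing is regular enough to warrant analyst review."""
    return sorted(
        pair for pair, s in stats.items()
        if s["cv"] <= max_cv and s["median_share"] >= min_median_share
    )


if __name__ == "__main__":
    stats = beacon_stats(build_sample())
    for pair, s in stats.items():
        print(f"{pair[0]} -> {pair[1]}: n={s['count']} mean={s['mean']:.1f}s "
              f"std={s['std']:.1f}s cv={s['cv']:.3f} median_share={s['median_share']:.2f}")
    print("candidates:", flag_beacons(stats))
```

Both metrics are reported rather than collapsed into one score so an analyst can see why a pair was flagged; a low CV with a low median share usually means the sample is too short or the "beacon" is an expected scheduled job, which is where an allow-list of known pollers (NTP, update checks, monitoring agents) belongs before alerting.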

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

hunting-for-beaconing-with-frequency-analysis

Identify command-and-control beaconing patterns in network traffic by applying statistical frequency analysis, jitter calculation, and coefficient of variation scoring to detect periodic callbacks from compromised endpoints.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-command-and-control-beaconing

Detect C2 beaconing patterns in network traffic using frequency analysis, jitter detection, and domain reputation to identify compromised endpoints communicating with adversary infrastructure.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-network-anomalies-with-zeek

Deploys and configures Zeek (formerly Bro) network security monitor to passively analyze network traffic, generate structured logs, detect anomalous behavior, and create custom detection scripts for threat hunting and incident response.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-lateral-movement-with-zeek

Detect lateral movement in network traffic using Zeek (formerly Bro) log analysis. Parses conn.log, smb_mapping.log, smb_files.log, dce_rpc.log, kerberos.log, and ntlm.log to identify SMB file transfers, NTLM account spray activity, remote service execution, and anomalous internal connections.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-cobalt-strike-beacons

Detect Cobalt Strike beacon network activity using default TLS certificate signatures (serial 8BB00EE), JA3/JA3S/JARM fingerprints, HTTP C2 profile pattern matching, beacon jitter analysis, and named pipe detection via Zeek, Suricata, and Python PCAP analysis.

12,642 Updated today
mukul975