hunting-for-beaconing-with-frequency-analysis

# Hunting for Beaconing with Frequency Analysis ## When to Use - When proactively searching for compromised endpoints calling back to C2 infrastructure - After threat intelligence reports indicate active C2 frameworks targeting your sector - When network logs show periodic outbound connections to unfamiliar destinations - During purple team exercises validating C2 detection capabilities - When investigating a potential breach and need to identify active C2 channels ## Prerequisites - Network proxy/firewall logs with timestamps and destination data (minimum 24 hours) - Zeek conn.log, dns.log, and ssl.log or equivalent NetFlow/IPFIX data - SIEM platform with statistical analysis capability (Splunk, Elastic, Microsoft Sentinel) - RITA (Real Intelligence Threat Analytics) or AC-Hunter for automated beacon analysis - Threat intelligence feeds for domain/IP reputation enrichment ## Workflow 1. **Define Beacon Parameters**: Establish detection thresholds -- coefficient of variation (CV) below 0.20 indicates strong periodicity, minimum 50 connections over 24 hours, average interval between 30 seconds and 24 hours. 2. **Collect Network Telemetry**: Aggregate proxy logs, DNS queries, firewall connection logs, and Zeek metadata into the analysis platform. 3. **Calculate Connection Intervals**: For each source-destination pair, compute the time delta between consecutive connections and derive mean interval, standard deviation, and CV. 4. **Apply Jitter Analysis**: Sophisticated C2 ...