[metadata] creation_date = "2023/09/22" integration = ["beaconing", "endpoint", "network_traffic"] maturity = "production" min_stack_comments = "Beaconing package updates and support" min_stack_version = "8.10.1" updated_date = "2024/06/10" [rule] author = ["Elastic"] description = """ A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network. """ from = "now-1h" index = ["ml_beaconing.all"] language = "kuery" license = "Elastic License v2" name = "Statistical Model Detected C2 Beaconing Activity" setup = """## Setup The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations. ### Network Beaconing Identification Setup The Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs. #### Prerequisite Requirements: - Fleet is required for Network Beaconing Identification. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). - Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration. - To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. #### The following steps should be executed to install assets associated with the Network Beaconing Identification integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Network Beaconing Identification and select the integration to see more details about it. - Follow the instructions under the **Installation** section. """ references = [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/beaconing", "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic", ] risk_score = 21 rule_id = "5397080f-34e5-449b-8e9c-4c8083d7ccc6" severity = "low" tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"] type = "query" timestamp_override = "event.ingested" query = ''' beacon_stats.is_beaconing: true and not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or "WindowsAzureGuestAgent.exe" or "HealthService.exe" or "Widgets.exe" or "lsass.exe" or "msedgewebview2.exe" or "MsMpEng.exe" or "OUTLOOK.EXE" or "msteams.exe" or "FileSyncHelper.exe" or "SearchProtocolHost.exe" or "Creative Cloud.exe" or "ms-teams.exe" or "ms-teamsupdate.exe" or "curl.exe" or "rundll32.exe" or "MsSense.exe" or "wermgr.exe" or "java" or "olk.exe" or "iexplore.exe" or "NetworkManager" or "packetbeat" or "Ssms.exe" or "NisSrv.exe" or "gamingservices.exe" or "appidcertstorecheck.exe" or "POWERPNT.EXE" or "miiserver.exe" or "Grammarly.Desktop.exe" or "SnagitEditor.exe" or "CRWindowsClientService.exe" or "agentbeat" or "dnf" or "yum" or "apt" ) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" [[rule.threat.technique.subtechnique]] id = "T1102.002" name = "Bidirectional Communication" reference = "https://attack.mitre.org/techniques/T1102/002/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/"