[metadata] creation_date = "2023/09/22" integration = ["beaconing", "endpoint", "network_traffic"] maturity = "production" min_stack_comments = "Beaconing package updates and support" min_stack_version = "8.10.1" updated_date = "2023/12/12" [rule] author = ["Elastic"] description = """ A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network. """ from = "now-1h" index = ["ml_beaconing.all"] language = "kuery" license = "Elastic License v2" name = "Statistical Model Detected C2 Beaconing Activity" setup = """ The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations. ### Network Beaconing Identification Setup The Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs. #### Prerequisite Requirements: - Fleet is required for Network Beaconing Identification. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). - Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration. - To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. #### The following steps should be executed to install assets associated with the Network Beaconing Identification integration: - Go to the Kibana homepage. Under Management, click Integrations. - In the query bar, search for Network Beaconing Identification and select the integration to see more details about it. - Under Settings, click "Install Network Beaconing Identification assets" and follow the prompts to install the assets. """ references = [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/beaconing", "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic", ] risk_score = 21 rule_id = "5397080f-34e5-449b-8e9c-4c8083d7ccc6" severity = "low" tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"] type = "query" query = ''' beacon_stats.is_beaconing: true ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" [[rule.threat.technique.subtechnique]] id = "T1102.002" name = "Bidirectional Communication" reference = "https://attack.mitre.org/techniques/T1102/002/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/"