sigma-rules/rules/integrations/beaconing/command_and_control_beaconing.toml

[metadata]
creation_date = "2023/09/22"
integration = ["beaconing", "endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "Beaconing package updates and support"
min_stack_version = "8.10.1"
updated_date = "2024/06/10"

[rule]
author = ["Elastic"]
description = """
A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain
stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain
persistence in a network.
"""
from = "now-1h"
index = ["ml_beaconing.all"]
language = "kuery"
license = "Elastic License v2"
name = "Statistical Model Detected C2 Beaconing Activity"
setup = """## Setup

The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.

### Network Beaconing Identification Setup
The Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.

#### Prerequisite Requirements:
- Fleet is required for Network Beaconing Identification.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.

#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
"""
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/beaconing",
    "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic",
]
risk_score = 21
rule_id = "5397080f-34e5-449b-8e9c-4c8083d7ccc6"
severity = "low"
tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"]
type = "query"
timestamp_override = "event.ingested"

query = '''
beacon_stats.is_beaconing: true and
not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or "WindowsAzureGuestAgent.exe" or "HealthService.exe" or "Widgets.exe" or "lsass.exe" or "msedgewebview2.exe" or 
                   "MsMpEng.exe" or "OUTLOOK.EXE" or "msteams.exe" or "FileSyncHelper.exe" or "SearchProtocolHost.exe" or "Creative Cloud.exe" or "ms-teams.exe" or "ms-teamsupdate.exe" or 
                   "curl.exe" or "rundll32.exe" or "MsSense.exe" or "wermgr.exe" or "java" or "olk.exe" or "iexplore.exe" or "NetworkManager" or "packetbeat" or "Ssms.exe" or "NisSrv.exe" or 
                   "gamingservices.exe" or "appidcertstorecheck.exe" or "POWERPNT.EXE" or "miiserver.exe" or "Grammarly.Desktop.exe" or "SnagitEditor.exe" or "CRWindowsClientService.exe" or
                   "agentbeat" or "dnf" or "yum" or "apt"
                  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1102"
name = "Web Service"
reference = "https://attack.mitre.org/techniques/T1102/"
[[rule.threat.technique.subtechnique]]
id = "T1102.002"
name = "Bidirectional Communication"
reference = "https://attack.mitre.org/techniques/T1102/002/"



[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"