ES|QL

C2 beaconing: regular connections at constant volume

An implant beaconing to its command server produces many connections to the same destination with near-identical payload sizes, so the STD_DEV of network.bytes stays close to zero over a long period. The query below keys on exactly that per (source.ip, destination.ip, destination.port) triple: a high connection count, a small standard deviation of bytes, and a span of at least 12 hours. Note what it does and does not measure: it tests volume constancy, not timing regularity, so a beacon with randomised sleep jitter still matches as long as its requests are uniform in size, while one that pads each request to a random length slips through. Benign periodic traffic matches too (NTP, monitoring agents, update checkers, DNS to a resolver), so baseline known destinations and tune the three thresholds before turning this into an alert.

Prerequisites

Elasticsearch 8.14+, flow logs (NetFlow/firewall) indexed with the ECS fields used below: network.direction, network.bytes, source.ip, destination.ip, destination.port

Query (ES|QL)
FROM "logs-network-*"
| WHERE @timestamp >= NOW() - 24 hours
  AND network.direction == "outbound"
// one row per (source, destination, port) triple
| STATS
    connexions = COUNT(*),
    octets_moy = ROUND(AVG(network.bytes)),
    ecart_type = ROUND(STD_DEV(network.bytes), 1),
    premiere = MIN(@timestamp),
    derniere = MAX(@timestamp)
  BY source.ip, destination.ip, destination.port
// span of the conversation in whole hours
| EVAL duree_h = DATE_DIFF("hour", premiere, derniere)
// many connections, near-constant size, sustained for at least 12 h
| WHERE connexions > 200 AND ecart_type < 50 AND duree_h >= 12
| KEEP source.ip, destination.ip, destination.port,
       connexions, octets_moy, ecart_type, duree_h
| SORT connexions DESC
| LIMIT 25

Result

source.ip  | destination.ip | destination.port | connexions | octets_moy | ecart_type | duree_h
-----------+----------------+------------------+------------+------------+------------+--------
10.2.14.88 | 198.51.100.23  |              443 |       2871 |       1124 |        3.2 |      23
10.2.31.17 | 203.0.113.99   |             8443 |       1439 |        890 |       12.7 |      23
10.2.7.204 | 192.0.2.55     |               53 |        941 |        312 |        0.0 |      19
10.2.18.40 | 198.51.100.81  |              443 |        288 |       2048 |       41.9 |      14
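To tune the thresholds offline before running this against production data, here is an added Python replica of the query's STATS/EVAL/WHERE logic over constructed flow records. It is an example written for this page, not code from the original snippet or from Elastic. It assumes ECS-style records as dicts, that ES|QL STD_DEV is a population standard deviation, and that DATE_DIFF truncates to whole hours. It also goes one step beyond the query by computing the standard deviation of inter-arrival seconds per triple, a timing-regularity measure the ES|QL query does not have. All addresses, sizes and timestamps are constructed; the first group is built to resemble the first row of the result table.

```python
"""Offline replica of the ES|QL beaconing query over constructed flow records.
Added example for this page, not the snippet's own code. Thresholds mirror the
query's WHERE clause; column names mirror the query's STATS/EVAL names."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

MIN_CONNECTIONS = 200     # WHERE connexions > 200
MAX_BYTES_STDDEV = 50.0   # AND ecart_type < 50
MIN_DURATION_H = 12       # AND duree_h >= 12


def make_flows(src, dst, port, start, count, interval_s, size,
               size_jitter=0, time_jitter_s=0):
    """Build constructed outbound flow records (ECS-like dicts).
    Jitter is deterministic (a fixed permutation of offsets) so the
    example is reproducible without random numbers."""
    flows = []
    for i in range(count):
        size_off = (i * 7) % (2 * size_jitter + 1) - size_jitter
        time_off = (i * 5) % (2 * time_jitter_s + 1) - time_jitter_s
        flows.append({
            "@timestamp": start + timedelta(seconds=i * interval_s + time_off),
            "network.direction": "outbound",
            "source.ip": src, "destination.ip": dst, "destination.port": port,
            "network.bytes": size + size_off,
        })
    return flows


def aggregate(flows):
    """STATS ... BY source.ip, destination.ip, destination.port, plus EVAL duree_h.
    Also computes intervalle_ecart_type (std dev of inter-arrival seconds),
    which the ES|QL query does not."""
    groups = defaultdict(list)
    for f in flows:
        if f["network.direction"] != "outbound":
            continue
        groups[(f["source.ip"], f["destination.ip"], f["destination.port"])].append(f)
    stats = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["@timestamp"])
        sizes = [r["network.bytes"] for r in recs]
        ts = [r["@timestamp"] for r in recs]
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        stats[key] = {
            "connexions": len(recs),
            "octets_moy": round(mean(sizes)),
            # assumption: ES|QL STD_DEV is a population standard deviation
            "ecart_type": round(pstdev(sizes), 1),
            # assumption: DATE_DIFF("hour", ...) truncates to whole hours
            "duree_h": int((ts[-1] - ts[0]).total_seconds() // 3600),
            "intervalle_ecart_type": round(pstdev(gaps), 1) if len(gaps) > 1 else 0.0,
        }
    return stats


def detect_beacons(flows):
    """Apply the query's WHERE clause and SORT; returns (flagged keys, all stats)."""
    stats = aggregate(flows)
    hits = [k for k, s in stats.items()
            if s["connexions"] > MIN_CONNECTIONS
            and s["ecart_type"] < MAX_BYTES_STDDEV
            and s["duree_h"] >= MIN_DURATION_H]
    hits.sort(key=lambda k: stats[k]["connexions"], reverse=True)
    return hits, stats


# Constructed sample: three conversations, only the first is a beacon.
T0 = datetime(2024, 5, 1, 0, 0, tzinfo=timezone.utc)
SAMPLE_FLOWS = (
    # steady beacon: every 30 s for 23 h, 1124 bytes with +/-5 bytes of padding, +/-3 s jitter
    make_flows("10.2.14.88", "198.51.100.23", 443, T0, 2761, 30, 1124,
               size_jitter=5, time_jitter_s=3)
    # chatty but variable-size traffic: sustained, yet sizes swing +/-300 bytes
    + make_flows("10.2.31.17", "203.0.113.99", 8443, T0, 1380, 60, 890, size_jitter=300)
    # short burst: identical sizes, but only 50 minutes long
    + make_flows("10.2.18.40", "198.51.100.81", 443, T0, 300, 10, 2048)
)

if __name__ == "__main__":
    hits, stats = detect_beacons(SAMPLE_FLOWS)
    for k in hits:
        print(k, stats[k])
```

Only the first triple is flagged: the second fails the ecart_type test and the third fails duree_h. The beacon's intervalle_ecart_type stays small despite the timing jitter, which is the extra signal worth adding to the ES|QL query if your flow source keeps per-connection timestamps.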
Tags: SOC, Beaconing, C2, STD_DEV, Network
