mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
efca3ec611
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions) based on subdomain and content analysis. Restores 11 skills corrupted during prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields. All 754 skills now carry structured mappings for all 5 security frameworks: - MITRE ATT&CK (in tags) - MITRE ATLAS v5.5 (atlas_techniques) - MITRE D3FEND v1.3 (d3fend_techniques) - NIST AI RMF 1.0 (nist_ai_rmf) - NIST CSF 2.0 (nist_csf)
79 lines
2.5 KiB
Markdown
79 lines
2.5 KiB
Markdown
---
|
|
name: detecting-beaconing-patterns-with-zeek
|
|
description: 'Performs statistical analysis of Zeek conn.log connection intervals to detect C2 beaconing patterns. Uses the
|
|
ZAT library to load Zeek logs into Pandas DataFrames, calculates inter-arrival time standard deviation, and flags periodic
|
|
connections with low jitter. Use when hunting for command-and-control callbacks in network data.
|
|
|
|
'
|
|
domain: cybersecurity
|
|
subdomain: security-operations
|
|
tags:
|
|
- detecting
|
|
- beaconing
|
|
- patterns
|
|
- with
|
|
version: '1.0'
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
nist_csf:
|
|
- DE.CM-01
|
|
- RS.MA-01
|
|
- GV.OV-01
|
|
- DE.AE-02
|
|
---
|
|
|
|
# Detecting Beaconing Patterns with Zeek
|
|
|
|
|
|
## When to Use
|
|
|
|
- When investigating security incidents that require detecting beaconing patterns with zeek
|
|
- When building detection rules or threat hunting queries for this domain
|
|
- When SOC analysts need structured procedures for this analysis type
|
|
- When validating security monitoring coverage for related attack techniques
|
|
|
|
## Prerequisites
|
|
|
|
- Familiarity with security operations concepts and tools
|
|
- Access to a test or lab environment for safe execution
|
|
- Python 3.8+ with required dependencies installed
|
|
- Appropriate authorization for any testing activities
|
|
|
|
## Instructions
|
|
|
|
Load Zeek conn.log data using ZAT (Zeek Analysis Tools), group connections by
|
|
source/destination pairs, and compute timing statistics to identify beaconing.
|
|
|
|
```python
|
|
from zat.log_to_dataframe import LogToDataFrame
|
|
import numpy as np
|
|
|
|
log_to_df = LogToDataFrame()
|
|
conn_df = log_to_df.create_dataframe('/path/to/conn.log')
|
|
|
|
# Group by src/dst pair and calculate inter-arrival time
|
|
for (src, dst), group in conn_df.groupby(['id.orig_h', 'id.resp_h']):
|
|
times = group['ts'].sort_values()
|
|
intervals = times.diff().dt.total_seconds().dropna()
|
|
if len(intervals) > 10:
|
|
std_dev = np.std(intervals)
|
|
mean_interval = np.mean(intervals)
|
|
# Low std_dev relative to mean = likely beaconing
|
|
```
|
|
|
|
Key analysis steps:
|
|
1. Parse Zeek conn.log into DataFrame with ZAT LogToDataFrame
|
|
2. Group connections by source IP and destination IP pairs
|
|
3. Calculate inter-arrival time intervals between consecutive connections
|
|
4. Compute standard deviation and coefficient of variation
|
|
5. Flag pairs with low coefficient of variation as potential beacons
|
|
|
|
## Examples
|
|
|
|
```python
|
|
from zat.log_to_dataframe import LogToDataFrame
|
|
log_to_df = LogToDataFrame()
|
|
df = log_to_df.create_dataframe('conn.log')
|
|
print(df[['id.orig_h', 'id.resp_h', 'ts', 'duration']].head())
|
|
```
|