creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-26 11:44:37 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/hunting-for-command-and-control-beaconing/SKILL.md
T
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills 
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00

4.4 KiB
Raw Blame History

name, description, domain, subdomain, tags, version, author, license, d3fend_techniques, nist_csf
name description domain subdomain tags version author license d3fend_techniques nist_csf
hunting-for-command-and-control-beaconing Detect C2 beaconing patterns in network traffic using frequency analysis, jitter detection, and domain reputation to identify compromised endpoints communicating with adversary infrastructure. cybersecurity threat-hunting
threat-hunting
mitre-attack
c2
beaconing
network-analysis
proactive-detection
1.0 mahipal Apache-2.0
File Metadata Consistency Validation
Certificate Analysis
Application Protocol Command Analysis
Content Format Conversion
File Content Analysis
DE.CM-01
DE.AE-02
DE.AE-07
ID.RA-05

Hunting for Command and Control Beaconing

When to Use

  • When proactively hunting for compromised systems in the network
  • After threat intel indicates C2 frameworks targeting your industry
  • When investigating periodic outbound connections to suspicious domains
  • During incident response to identify active C2 channels
  • When DNS query logs show unusual patterns to specific domains

Prerequisites

  • Network proxy/firewall logs with full URL and timing data
  • DNS query logs (passive DNS, DNS server logs, or Sysmon Event ID 22)
  • Zeek/Bro network connection logs or NetFlow data
  • SIEM with statistical analysis capabilities (Splunk, Elastic)
  • Threat intelligence feeds for domain/IP reputation

Workflow

  1. Identify Beaconing Characteristics: Define what constitutes beaconing (regular intervals, small payload sizes, consistent destinations, jitter patterns).
  2. Collect Network Telemetry: Aggregate proxy logs, DNS queries, and connection metadata for analysis.
  3. Apply Frequency Analysis: Identify connections with regular intervals using statistical methods (standard deviation, coefficient of variation).
  4. Filter Known-Good Traffic: Exclude legitimate periodic traffic (Windows Update, AV updates, heartbeat services, NTP).
  5. Analyze Domain/IP Reputation: Check identified beaconing destinations against threat intel, WHOIS data, and certificate transparency logs.
  6. Investigate Endpoint Context: Correlate beaconing activity with process creation, user context, and file system changes on source endpoints.
  7. Confirm and Respond: Validate C2 activity, block communication, and initiate incident response.

Key Concepts

Concept Description
T1071 Application Layer Protocol (HTTP/HTTPS/DNS C2)
T1071.001 Web Protocols (HTTP/S beaconing)
T1071.004 DNS (DNS tunneling C2)
T1573 Encrypted Channel
T1572 Protocol Tunneling
T1568 Dynamic Resolution (DGA, fast-flux)
T1132 Data Encoding in C2
T1095 Non-Application Layer Protocol
Beacon Interval Time between C2 check-ins
Jitter Random variation in beacon interval
DGA Domain Generation Algorithm
Fast-Flux Rapidly changing DNS resolution

Tools & Systems

Tool Purpose
RITA (Real Intelligence Threat Analytics) Automated beacon detection in Zeek logs
Splunk Statistical beacon analysis with SPL
Elastic Security ML-based anomaly detection for beaconing
Zeek/Bro Network connection metadata collection
Suricata Network IDS with JA3/JA4 fingerprinting
VirusTotal Domain and IP reputation checking
PassiveDNS Historical DNS resolution data
Flare C2 profile detection

Common Scenarios

  1. Cobalt Strike Beacon: HTTP/HTTPS beaconing with configurable sleep time and jitter to malleable C2 profiles.
  2. DNS Tunneling C2: Data exfiltration and command receipt via encoded DNS TXT/CNAME queries to attacker-controlled domains.
  3. Sliver C2 over HTTPS: Modern C2 framework using HTTPS with configurable beacon intervals and domain fronting.
  4. DGA-based C2: Malware generating random domains daily, with adversary registering upcoming domains for C2.
  5. Legitimate Service Abuse: C2 over legitimate cloud services (Azure, AWS, Slack, Discord, Telegram).

Output Format

Hunt ID: TH-C2-[DATE]-[SEQ]
Source IP: [Internal IP]
Source Host: [Hostname]
Destination: [Domain/IP]
Protocol: [HTTP/HTTPS/DNS/Custom]
Beacon Interval: [Average seconds]
Jitter: [Percentage]
Connection Count: [Total connections]
Data Volume: [Bytes sent/received]
First Seen: [Timestamp]
Last Seen: [Timestamp]
Domain Age: [Days]
TI Match: [Yes/No - source]
Risk Level: [Critical/High/Medium/Low]
Reference in New Issue View Git Blame Copy Permalink