|
| 1 | +--- |
| 2 | +import Layout from '../../layouts/Layout.astro' |
| 3 | +
|
| 4 | +const post = { |
| 5 | + title: 'C2 Beacon Analysis — Recognising Command-and-Control Traffic in Packet Captures', |
| 6 | + date: '2026-06-29', |
| 7 | + category: 'DEEP DIVE', |
| 8 | + readTime: '7 min', |
| 9 | + author: 'Nikola Pavlović', |
| 10 | +} |
| 11 | +const description = 'After initial compromise, malware phones home on a schedule. This post explains beaconing patterns, how to measure jitter and interval consistency, and how to find a beacon hiding in normal HTTP traffic.' |
| 12 | +--- |
| 13 | +<Layout title={post.title} description={description}> |
| 14 | + <main class="shell post-page"> |
| 15 | + <div class="breadcrumb mono"><a href="/blog">blog</a> / {post.category.toLowerCase()}</div> |
| 16 | + |
| 17 | + <article> |
| 18 | + <header class="post-header"> |
| 19 | + <div class="post-meta mono"> |
| 20 | + <span class="post-cat">{post.category}</span> |
| 21 | + <span>{post.date}</span> |
| 22 | + <span>{post.readTime} read</span> |
| 23 | + <span>by {post.author}</span> |
| 24 | + </div> |
| 25 | + <h1>{post.title}</h1> |
| 26 | + </header> |
| 27 | + |
| 28 | + <div class="post-body"> |
| 29 | + <p class="lead-para">{description}</p> |
| 30 | + |
| 31 | + <h2>What is a beacon?</h2> |
| 32 | + <p>Once malware establishes a foothold on a host, it needs a way to receive instructions and return results to the attacker. Rather than maintaining a persistent connection — which would be immediately obvious — it sleeps for a fixed interval, then wakes, sends a short HTTP or HTTPS request to a command-and-control (C2) server, collects any queued commands, executes them, and sleeps again.</p> |
| 33 | + <p>This pattern is called <strong>beaconing</strong>. It is the communication heartbeat of nearly every modern piece of malware, from commodity RATs to nation-state implants. The beacon might fire every 60 seconds, every 5 minutes, or once a day depending on the operator's preference for speed versus stealth.</p> |
| 34 | + |
| 35 | + <h2>The anatomy of a beacon request</h2> |
| 36 | + <p>A basic beacon HTTP request has recognisable characteristics:</p> |
| 37 | + <ul> |
| 38 | + <li><strong>Fixed destination:</strong> always the same IP or domain.</li> |
| 39 | + <li><strong>Small, consistent payload:</strong> check-in data is small (host ID, task queue). Response is small unless a command is waiting.</li> |
| 40 | + <li><strong>Consistent User-Agent:</strong> the implant sends the same UA string every time, often a static default from the C2 framework (Cobalt Strike's default UA was <code>Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)</code> — IE 9, on a modern host).</li> |
| 41 | + <li><strong>Regular timing:</strong> the interval between requests is consistent, possibly with added jitter to avoid exact-second matching.</li> |
| 42 | + </ul> |
| 43 | + |
| 44 | + <h2>Jitter and why it matters for detection</h2> |
| 45 | + <p>Sophisticated implants add randomness (jitter) to their sleep intervals. Instead of sleeping exactly 300 seconds, they sleep between 240–360 seconds. This breaks naive detection rules that look for exact-interval repetition.</p> |
| 46 | + <p>However, jitter does not break statistical analysis. If you collect 50 intervals between requests, the <strong>standard deviation</strong> and <strong>coefficient of variation</strong> (CV = σ/μ) will still be much lower than legitimate browsing traffic, which is highly irregular. Legitimate user traffic has a CV close to 1.0 or higher. Beacons typically have a CV below 0.3 even with 20% jitter applied.</p> |
| 47 | + <pre class="code-block"><code># Python: compute interval statistics from timestamps |
| 48 | +import statistics |
| 49 | +intervals = [301, 298, 304, 299, 303, 297, 302, 300] # seconds |
| 50 | +mean = statistics.mean(intervals) |
| 51 | +stdev = statistics.stdev(intervals) |
| 52 | +cv = stdev / mean |
| 53 | +print(f'mean={mean:.1f}s stdev={stdev:.2f} CV={cv:.3f}') |
| 54 | +# → mean=300.5s stdev=2.39 CV=0.008 ← unmistakably a beacon</code></pre> |
| 55 | + |
| 56 | + <h2>Finding beacons in network logs</h2> |
| 57 | + <p>In a pcap, the workflow is:</p> |
| 58 | + <ul> |
| 59 | + <li><strong>Group by destination:</strong> collect all connections to each external IP. Sort by connection count descending. High-frequency connections to unfamiliar IPs are candidates.</li> |
| 60 | + <li><strong>Extract timestamps:</strong> for each candidate, list the time of every request and compute inter-arrival intervals.</li> |
| 61 | + <li><strong>Apply statistics:</strong> low CV, consistent payload size, unusual hours (beacons don't take lunch breaks) are high-confidence signals.</li> |
| 62 | + <li><strong>Inspect headers:</strong> stale or inconsistent User-Agent, missing Accept-Language, Accept-Encoding in a specific order — these are signs of a programmatic HTTP client, not a browser.</li> |
| 63 | + </ul> |
| 64 | + |
| 65 | + <h2>Common C2 frameworks and their tells</h2> |
| 66 | + <ul> |
| 67 | + <li><strong>Cobalt Strike:</strong> default URI patterns (<code>/jquery-3.3.1.min.js</code>, <code>/pixel.gif</code>), Malleable C2 profiles change this — but many operators use defaults.</li> |
| 68 | + <li><strong>Metasploit Meterpreter:</strong> default port 4444, binary over TCP — easy to spot if not tunnelled.</li> |
| 69 | + <li><strong>Sliver:</strong> HTTPS with default self-signed certificates. JA3 fingerprint is distinctive.</li> |
| 70 | + <li><strong>PoshC2:</strong> often PowerShell User-Agent strings in the request headers.</li> |
| 71 | + </ul> |
| 72 | + |
| 73 | + <h2>Practice it</h2> |
| 74 | + <p>The <a href="/lab/challenges/beacon">Phantom Heartbeat</a> challenge in FoilLab puts you in front of a packet capture where a beacon is hiding among normal web traffic. You need to identify the host, measure the interval, decode the callback, and extract the flag.</p> |
| 75 | + |
| 76 | + <div class="post-footer"> |
| 77 | + <a href="/blog">← all posts</a> |
| 78 | + <a href="/lab/challenges/beacon" class="cta-link">Try the challenge →</a> |
| 79 | + </div> |
| 80 | + </div> |
| 81 | + </article> |
| 82 | + </main> |
| 83 | +</Layout> |
0 commit comments