raghava8/Network-Beconing-C2-Hunt
# 🛡️ Network Beaconing & C2 Detection — Threat Hunt
A hands-on threat hunting project focused on detecting **network beaconing behaviour** and **Command & Control (C2) communication** in enterprise network traffic logs.
## 📌 What This Project Covers
| Hunt Technique | Description |
|---|---|
| **Jitter Analysis** | Detect regular interval callbacks with low timing variance |
| **Beacon Periodicity** | Identify hosts calling home every N seconds/minutes |
| **Long Connection Detection** | Flag persistent low-bandwidth sessions typical of C2 |
| **Domain Generation Algorithm (DGA)** | Score domains by entropy and n-gram frequency |
| **DNS Tunnelling** | Detect unusually long/frequent DNS queries |
| **Rare Domain Analysis** | Identify newly-seen or low-prevalence external domains |
| **User-Agent Anomalies** | Hunt for suspicious or fake browser user-agents |
| **JA3/JA3S Fingerprinting** | Match TLS client fingerprints to known C2 frameworks |
## 🗂️ Project Structure
```text
network-beaconing-c2-hunt/
│
├── README.md
├── requirements.txt
│
├── data/
│   └── sample_logs/
│       ├── zeek_conn.log          # Sample Zeek/Bro connection logs
│       ├── zeek_dns.log           # Sample DNS logs
│       ├── zeek_http.log          # Sample HTTP logs
│       └── zeek_ssl.log           # Sample TLS/SSL logs
│
├── detectors/
│   ├── beacon_detector.py         # Core beaconing algorithm (MAD / std-dev scoring)
│   ├── dga_detector.py            # DGA detection via entropy + bigram scoring
│   ├── dns_tunnel_detector.py     # DNS tunnelling heuristics
│   ├── long_conn_detector.py      # Long-duration connection detector
│   └── useragent_analyzer.py      # HTTP user-agent anomaly detection
│
├── hunters/
│   ├── hunt_runner.py             # Orchestrates all detectors in a single run
│   └── ioc_enrichment.py          # Enrich findings with IOC feed lookups
│
├── ioc_feeds/
│   ├── known_c2_domains.txt       # Sample known-bad C2 domains
│   ├── known_ja3_hashes.txt       # Known malicious JA3 fingerprints
│   └── feed_updater.py            # Script to pull fresh IOC feeds
│
├── reports/
│   ├── report_generator.py        # Auto-generate HTML hunt report
│   └── sample_report.html         # Example output report
│
├── dashboards/
│   └── beacon_dashboard.py        # Interactive terminal dashboard (rich)
│
├── notebooks/
│   └── beaconing_analysis.ipynb   # Jupyter walkthrough with visualisations
│
├── docs/
│   ├── hunt_methodology.md        # Step-by-step hunt methodology
│   ├── MITRE_mapping.md           # MITRE ATT&CK technique mapping
│   └── setup_zeek.md              # How to set up Zeek for log collection
│
└── tests/
    ├── test_beacon_detector.py
    └── test_dga_detector.py
```
## 🚀 Quick Start
### 1. Clone the repo

```bash
git clone https://github.com/raghava8/network-beaconing-c2-hunt.git
cd network-beaconing-c2-hunt
```

### 2. Install dependencies

```bash
pip install -r requirements.txt
```

### 3. Run the full hunt against sample logs

```bash
python hunters/hunt_runner.py --log-dir data/sample_logs/ --output reports/
```

### 4. Run a single detector

```bash
# Beacon detection only
python detectors/beacon_detector.py --input data/sample_logs/zeek_conn.log

# DGA detection only
python detectors/dga_detector.py --input data/sample_logs/zeek_dns.log
```

### 5. Launch the dashboard

```bash
python dashboards/beacon_dashboard.py --results reports/hunt_results.json
```
## 🔬 Detection Methodology
### Beaconing Detection Algorithm
The core beacon detector scores the **inter-connection intervals** of each source/destination pair with the **Median Absolute Deviation (MAD)**, a robust spread measure that a single missed or doubled check-in does not distort the way a standard deviation would:

```text
For each src_ip → dst_ip pair:
  1. Extract all connection timestamps (sorted)
  2. Calculate delta_t between consecutive connections
  3. Compute median(delta_t) and MAD(delta_t) = median(|delta_t - median(delta_t)|)
  4. Beacon Score = 1 - (MAD / median)      [0 = random, 1 = perfect beacon]
  5. Flag if score > 0.7 AND connection_count > 10
```

A legitimate user browsing the web creates **highly variable** intervals. A beacon checking in every 60 seconds creates **very low variance**, and that is what we're hunting. Because the score is normalised by the median, it works the same for a 60-second and a 6-hour sleep. Implants that add jitter widen the spread, but rarely enough to hide: a 60-second sleep with 20% jitter (intervals spread between roughly 48 and 60 seconds) gives a MAD of about 3 seconds and a score near 0.94. The `connection_count > 10` guard exists because a handful of coincidental gaps can look perfectly regular.
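The algorithm above, run over a few constructed Zeek `conn.log` lines, as an added example that is not the project's own `beacon_detector.py`. It assumes only the standard Zeek column names (`ts`, `id.orig_h`, `id.resp_h`, `id.resp_p`) and the README's thresholds (score > 0.7, more than 10 connections); the three behaviours in the sample log (a jittered 300-second beacon, irregular browsing, and a short but perfectly periodic series that the count guard must reject) are made up for the demonstration.

```python
"""MAD-based beacon scoring over Zeek conn.log records.

Added example, not the project's beacon_detector.py. The log lines below are
constructed; the column names follow Zeek's conn.log (#fields header).
"""
import statistics
from collections import defaultdict

BASE_TS = 1700000000  # constructed epoch start for the sample records


def make_sample_conn_log() -> str:
    """Build a minimal Zeek-style conn.log (TSV with a #fields header).

    Three constructed behaviours:
      * 192.168.1.45 -> 185.220.101.12:443 every 300 s with up to 30 s of
        jitter (the pattern a jittered C2 beacon produces),
      * 192.168.1.12 -> 104.26.10.234:443 with human-like irregular gaps,
      * 192.168.1.77 -> 10.0.0.5:53 perfectly periodic but only 5 times,
        which must NOT be flagged because the sample is too small.
    """
    lines = ["#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"]
    jitter = [3, 17, 9, 25, 0, 12, 28, 6, 19, 2, 14, 22, 8, 11, 27, 4, 16, 20, 1, 13]
    for i, j in enumerate(jitter):
        ts = BASE_TS + i * 300 + j
        lines.append(f"{ts}.000000\t192.168.1.45\t51000\t185.220.101.12\t443\ttcp")
    gaps = [3, 40, 7, 900, 12, 2, 300, 55, 1, 2400, 8, 15]
    ts = BASE_TS
    for g in gaps:
        ts += g
        lines.append(f"{ts}.000000\t192.168.1.12\t52000\t104.26.10.234\t443\ttcp")
    for i in range(5):
        ts = BASE_TS + i * 60
        lines.append(f"{ts}.000000\t192.168.1.77\t53000\t10.0.0.5\t53\tudp")
    return "\n".join(lines) + "\n"


def parse_conn_log(text: str) -> list[dict]:
    """Parse Zeek TSV by its #fields header; other '#' lines are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def beacon_score(timestamps):
    """Score = 1 - MAD/median of inter-connection gaps (1.0 = perfect beacon).

    Returns (score, median_gap, connection_count), or None when there are
    fewer than two gaps to compare.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    med = statistics.median(gaps)
    if med <= 0:  # duplicate timestamps only; nothing periodic to measure
        return None
    mad = statistics.median(abs(g - med) for g in gaps)
    return max(0.0, 1.0 - mad / med), med, len(ts)


def hunt_beacons(rows, min_score=0.7, min_count=10):
    """Group by (src, dst, dst_port), score each pair, return flagged pairs."""
    pairs = defaultdict(list)
    for r in rows:
        pairs[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    findings = []
    for (src, dst, port), tss in pairs.items():
        result = beacon_score(tss)
        if result is None:
            continue
        score, med, n = result
        if score > min_score and n > min_count:
            findings.append({"src": src, "dst": dst, "port": port,
                             "score": round(score, 2), "interval": med, "count": n})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in hunt_beacons(parse_conn_log(make_sample_conn_log())):
        print(f"[!] {f['src']} -> {f['dst']}:{f['port']} score={f['score']} "
              f"count={f['count']} interval={f['interval']:.0f}s")
```

Only the jittered 300-second series is reported (score 0.97, median interval 308 s); the browsing host scores about 0.07 despite having enough connections, and the periodic 60-second series scores 1.0 but is dropped by the count guard. Lowering `min_count` shows why the guard matters: with `min_count=3` the five-connection series becomes the top finding.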
### DGA Scoring
Domain names are scored using:
- **Shannon entropy** — legitimate domains have lower entropy than algorithmically generated ones (a label with *n* distinct characters can reach at most log2 *n* bits, so short labels are capped regardless of how random they look)
- **Bigram frequency** — DGA domains deviate from expected English letter-pair distributions
- **Length** — DGA domains tend to be longer than average

None of the three is reliable on its own: CDN, cloud and tracking hostnames with hashed labels also score high on entropy and length, so treat a DGA hit as a lead to correlate with the rare-domain and beaconing findings rather than as a verdict.
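The three signals combined, as an added example that is not the project's own `dga_detector.py`. The bigram model is trained on a tiny constructed word list that stands in for a benign-domain corpus (a real detector trains on a large benign list and re-tunes the thresholds), the query names are constructed (two of them mirror the README's sample output), and the thresholds (entropy 3.3 bits, mean bigram log-probability -9.5, length 10) are assumptions chosen for that toy corpus. Rare bigrams are required for a hit because a long benign label such as `windowsupdate` clears the entropy threshold on its own.

```python
"""Entropy + bigram scoring for DGA-like query names.

Added example, not the project's dga_detector.py. REFERENCE_WORDS is a tiny
constructed stand-in for a benign-domain corpus; a real detector trains the
bigram model on a large benign list, and the thresholds must be re-tuned.
"""
import math
from collections import Counter

REFERENCE_WORDS = (
    "google microsoft update windows mail login account secure cloud office "
    "service content static media image images cdn api news weather "
    "shop store market online bank support help docs portal search video music"
).split()

ALPHABET_SIZE = 36          # a-z plus 0-9; hyphens are dropped before scoring
BIGRAM_VOCAB = ALPHABET_SIZE ** 2


def registrable_label(qname: str) -> str:
    """Label left of the TLD. Assumption: single-label public suffixes only
    (no .co.uk handling); use a public-suffix list in production."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; log2(len(s)) is the maximum for a given length."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def train_bigrams(words):
    """Count adjacent character pairs; returns (counts, total)."""
    counts = Counter()
    for w in words:
        counts.update(a + b for a, b in zip(w, w[1:]))
    return counts, sum(counts.values())


MODEL = train_bigrams(REFERENCE_WORDS)


def bigram_score(label: str, model=MODEL, alpha: float = 0.5) -> float:
    """Mean log2 probability per bigram under add-alpha smoothing.
    Closer to 0 = more like the reference corpus; very negative = rare pairs."""
    counts, total = model
    chars = [c for c in label if c.isalnum()]
    bigrams = [a + b for a, b in zip(chars, chars[1:])]
    if not bigrams:
        return 0.0
    denom = total + alpha * BIGRAM_VOCAB
    return sum(math.log2((counts[b] + alpha) / denom) for b in bigrams) / len(bigrams)


def classify(qname, model=MODEL, entropy_thresh=3.3, bigram_thresh=-9.5, min_len=10):
    """Rare bigrams are required; entropy or length alone is too weak
    (a long benign label like 'windowsupdate' has high entropy too)."""
    label = registrable_label(qname)
    ent, bg = shannon_entropy(label), bigram_score(label, model)
    dga = bg <= bigram_thresh and (ent >= entropy_thresh or len(label) >= min_len)
    return {"qname": qname, "label": label, "entropy": round(ent, 2),
            "bigram": round(bg, 2), "dga": dga}


def hunt_dga(qnames, model=MODEL):
    """Return the classification records for query names that look DGA-generated."""
    return [r for r in (classify(q, model) for q in qnames) if r["dga"]]


SAMPLE_QUERIES = [  # constructed; the first two mirror the README's sample output
    "xvq7mrkp2a.com", "b3kzwqr91lpx.net", "www.microsoft.com",
    "cdn.cloudflare.com", "update.windowsupdate.com",
]

if __name__ == "__main__":
    for r in (classify(q) for q in SAMPLE_QUERIES):
        print(f"{'[!]' if r['dga'] else '[ ]'} {r['qname']:28} "
              f"entropy={r['entropy']:.2f} bigram={r['bigram']:.2f}")
```

Against this toy corpus the two random-looking labels fall to a mean bigram log-probability near the unseen-pair floor (about -10.6) and are flagged; `microsoft`, `cloudflare` and `windowsupdate` stay above -9.5 and are not, even though `windowsupdate` has higher entropy than `xvq7mrkp2a`.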
## 🎯 MITRE ATT&CK Coverage
| Technique ID | Technique Name | Detector |
|---|---|---|
| T1071.001 | Application Layer Protocol: Web Protocols | `beacon_detector.py`, `useragent_analyzer.py` |
| T1071.004 | Application Layer Protocol: DNS | `dns_tunnel_detector.py` |
| T1090 | Proxy | `long_conn_detector.py` |
| T1568.002 | Dynamic Resolution: Domain Generation Algorithms | `dga_detector.py` |
| T1571 | Non-Standard Port | `beacon_detector.py` |
| T1105 | Ingress Tool Transfer | `long_conn_detector.py` |
## 📊 Sample Hunt Output
```text
[*] Hunt Run: 2024-01-15 14:32:01
[*] Log Directory: data/sample_logs/
[*] Total connections analysed: 48,291

=== BEACONING DETECTIONS ===
[!] HIGH    192.168.1.45 → 185.220.101.12:443   Score: 0.97  Count: 288  Interval: 300s
[!] HIGH    192.168.1.72 → 45.33.32.156:8080    Score: 0.91  Count: 144  Interval: 600s
[!] MEDIUM  192.168.1.12 → 104.26.10.234:443    Score: 0.74  Count: 67   Interval: 900s

=== DGA DETECTIONS ===
[!] HIGH    192.168.1.45 queried: xvq7mrkp2a.com    Entropy: 4.21
[!] HIGH    192.168.1.45 queried: b3kzwqr91lpx.net  Entropy: 4.18

=== DNS TUNNELLING ===
[!] HIGH    192.168.1.99 → dns.suspiciousdomain.com  Avg query len: 68 chars

=== LONG CONNECTIONS ===
[!] HIGH    192.168.1.45 → 185.220.101.12:443   Duration: 14400s  Bytes: 12,480

Total Findings: 3 HIGH, 1 MEDIUM
Report saved: reports/hunt_2024-01-15.html
```
## 🛠️ Requirements
- Python 3.9+
- Zeek/Bro network logs (or use included sample logs)
- See `requirements.txt` for Python dependencies
## 📚 Learning Resources
- [MITRE ATT&CK — Command and Control](https://attack.mitre.org/tactics/TA0011/)
- [Zeek Network Security Monitor](https://zeek.org/)
- [Hunting for Beacons — ThreatHunter Playbook](https://threathunterplaybook.com/)
- `docs/hunt_methodology.md` — full methodology walkthrough in this repo
## 📄 License
MIT — see [LICENSE](LICENSE)