Can this skill identify C2 traffic that uses randomization (jitter)?

Yes, the skill includes logic for jitter analysis, which calculates the deviation from expected intervals to catch sophisticated C2 frameworks like Cobalt Strike.

How does frequency analysis detect hidden malware?

Most malware is programmed to call home at specific intervals. Frequency analysis calculates the variance between these connections to identify unnaturally consistent patterns.

Which log types are best for beaconing analysis?

The most effective logs are Zeek conn.log/dns.log, network proxy logs, and firewall connection logs that include high-resolution timestamps and destination data.

Does this skill work with Splunk and Microsoft Sentinel?

Yes, it provides specific, copy-pasteable detection queries for both Splunk (SPL) and Microsoft Sentinel (KQL) to find beacons in your environment.

What is C2 beaconing and why should I hunt for it?

C2 beaconing is when compromised systems periodically check in with an attacker's server. Hunting for it is crucial because it is often the only sign of a persistent compromise.

C2 Beaconing Frequency Analysis

Name: C2 Beaconing Frequency Analysis
Author: micsapp

bymicsapp

0•

Security & Testing

Identifies command-and-control beaconing patterns in network traffic using statistical frequency analysis and jitter calculation.

This skill enables security analysts and threat hunters to detect stealthy command-and-control (C2) communication by analyzing the periodicity of outbound network connections. By applying mathematical models such as Coefficient of Variation (CV) scoring and jitter analysis, the skill helps distinguish automated malware callbacks from legitimate network noise. It provides structured workflows for investigating compromised endpoints, identifies patterns used by frameworks like Cobalt Strike and Sunburst, and includes pre-built detection queries for Splunk and Microsoft Sentinel to accelerate incident response and proactive hunting.

Key Features

01Integration with Zeek metadata and RITA scoring methods

02Pre-built Splunk and Microsoft Sentinel (KQL) detection queries

03Jitter and Coefficient of Variation (CV) scoring for C2 frameworks

04Statistical frequency analysis for periodic connection detection

05MITRE ATT&CK mapping for T1071, T1573, and T1568 techniques

060 GitHub stars

Use Cases

01Proactively hunting for stealthy compromised endpoints in large network logs

02Validating C2 detection rules during purple team or breach simulation exercises

03Investigating suspicious outbound traffic flagged by automated alerts

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills hunting-for-beaconing-with-frequency-analysis

For use in Claude.ai and ChatGPT

Key Features

01Integration with Zeek metadata and RITA scoring methods

02Pre-built Splunk and Microsoft Sentinel (KQL) detection queries

03Jitter and Coefficient of Variation (CV) scoring for C2 frameworks

04Statistical frequency analysis for periodic connection detection

05MITRE ATT&CK mapping for T1071, T1573, and T1568 techniques

060 GitHub stars

Use Cases

01Proactively hunting for stealthy compromised endpoints in large network logs

02Validating C2 detection rules during purple team or breach simulation exercises

03Investigating suspicious outbound traffic flagged by automated alerts

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills hunting-for-beaconing-with-frequency-analysis

For use in Claude.ai and ChatGPT