Kernel of Truth

🛰️ Beaconing Detection with Splunk

Category: Threat Detection
Tags: beaconing, Splunk, command and control, network security, SIEM, data exfiltration, MITRE T1071


🧭 What is Beaconing?

Beaconing is the repeated, often periodic communication from an infected machine to a Command and Control (C2) server. This activity is used by malware to check in, receive commands, or exfiltrate data.

While the traffic may look harmless (e.g. HTTP, DNS, or SSL), its timing patterns or destination behaviour can give it away.


🔍 Why Detect Beaconing?

Detecting beaconing is critical because:

  • It’s an early indicator of compromise
  • It often precedes data exfiltration or ransomware deployment
  • It’s a common tactic used by APTs and commodity malware

Splunk, when paired with good data sources (DNS, firewall, proxy, NetFlow), becomes a powerful tool to detect beaconing patterns.


🛠️ Required Data Sources

Source | Use
Firewall Logs | Show outbound traffic patterns and destinations.
DNS Logs | Crucial for detecting DNS-based C2 tunnelling or frequent lookups.
Web Proxy Logs | Reveal frequent HTTP/S connections to external IPs/domains.
NetFlow/sFlow | Good for timing-based anomaly detection (e.g. beacon intervals).
EDR/XDR Logs | Provide endpoint context to match suspicious network activity.

📈 Example Splunk Query – DNS Beaconing

index=dns_logs sourcetype="dns"
| stats count min(_time) as first max(_time) as last by src_ip, query
| eval duration=last - first
| where count > 10 AND duration > 300
| sort - count

This basic query looks for repeated DNS queries over a period: a source that sends the same query more than 10 times, with the first and last lookup more than 300 seconds (5 minutes) apart. Thresholds depend on your environment and need tuning.
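The same pipeline expressed in Python, as an added example that is not part of the original post: it groups constructed DNS records by (src_ip, query), applies the count and duration thresholds from the query above, and goes one step further than the page by scoring how regular the gaps between lookups are (coefficient of variation of the inter-request intervals), which is the timing signal that separates a fixed-interval check-in from a merely chatty host. The `max_cv` threshold and the sample log lines are assumptions for illustration.

```python
"""Beacon-candidate detection over DNS log lines.

Added example: re-implements the stats/eval/where pipeline of the Splunk
query above in Python and adds an interval-regularity score (coefficient
of variation of the gaps between requests). The log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample log, one record per line: "<ISO-8601 UTC time> <src_ip> <query>".
# 10.0.0.5 resolves the same host every 60 s for 20 minutes (21 lookups, beacon-like).
# 10.0.0.9 resolves one host 12 times at irregular gaps (a chatty app, not a beacon).
# 10.0.0.7 makes three lookups and should not pass the count threshold at all.
_BEACON = [f"2024-01-01T10:{m:02d}:00Z 10.0.0.5 update.example-c2.test" for m in range(21)]
_IRREGULAR = [f"2024-01-01T10:{m:02d}:00Z 10.0.0.9 api.example-saas.test"
              for m in (0, 1, 5, 6, 14, 15, 16, 25, 27, 40, 41, 55)]
_SPARSE = ["2024-01-01T10:00:12Z 10.0.0.7 cdn.example.test",
           "2024-01-01T10:03:47Z 10.0.0.7 cdn.example.test",
           "2024-01-01T10:11:05Z 10.0.0.7 cdn.example.test"]
SAMPLE_LOG = "\n".join(_BEACON + _IRREGULAR + _SPARSE)


def parse_line(line):
    """Split one constructed record into (epoch seconds, src_ip, query)."""
    ts, src_ip, query = line.split()
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.timestamp(), src_ip, query


def find_beacon_candidates(log_text, min_count=10, min_duration=300, max_cv=0.2):
    """Group by (src_ip, query) like `stats ... by src_ip, query`, keep groups
    with count > min_count and duration > min_duration (the query's `where`),
    and sort by count descending (`sort - count`).

    max_cv is an assumed threshold, not from the page: the coefficient of
    variation (stdev / mean) of the inter-request gaps. A fixed-interval
    beacon gives ~0, a jittered beacon a small value, and human or bursty
    traffic values near or above 1.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            t, src_ip, query = parse_line(line)
            groups[(src_ip, query)].append(t)

    results = []
    for (src_ip, query), times in groups.items():
        times.sort()
        count = len(times)
        duration = times[-1] - times[0]          # eval duration=last - first
        if not (count > min_count and duration > min_duration):
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        results.append({
            "src_ip": src_ip,
            "query": query,
            "count": count,
            "duration": duration,
            "mean_interval": avg,
            "interval_cv": cv,
            "regular": cv <= max_cv,
        })
    results.sort(key=lambda r: r["count"], reverse=True)
    return results


if __name__ == "__main__":
    for row in find_beacon_candidates(SAMPLE_LOG):
        print(f"{row['src_ip']:10} {row['query']:28} n={row['count']:3d} "
              f"span={row['duration']:6.0f}s mean={row['mean_interval']:5.0f}s "
              f"cv={row['interval_cv']:.2f} regular={row['regular']}")
```

Running it lists two candidates: the 60-second beacon with `cv=0.00`, and the irregular host, which passes the count and duration gates but has a coefficient of variation near 1.0. In Splunk the same extra step is a `streamstats` over the sorted timestamps to compute per-event gaps, followed by `stats avg` and `stdev` of the gap per (src_ip, query).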


🧠 Tips for Tuning Beacon Detection

  • Use timechart to visualise regular intervals: index=proxy_logs url="*" | timechart span=5m count by dest_ip
  • Look for high entropy or unusual length in domain names. Note that eval entropy=len(domain) only measures length; it is a cheap proxy, whereas true Shannon entropy needs a custom calculation (or an add-on such as the URL Toolbox app).
  • Filter known-good traffic (e.g. Windows Update, antivirus servers)
  • Leverage threat intelligence to enrich destination IP/domain
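To make the length-versus-entropy distinction from the tips concrete, here is an added example (not code from the original post) that computes Shannon entropy of the left-most DNS label alongside plain name length, and flags a name only when the label is both long and high-entropy. The thresholds and sample names are assumptions for illustration.

```python
"""Domain-name entropy as a beacon/DGA heuristic.

Added example (not from the page): len(domain) measures length, not entropy.
This computes Shannon entropy of the left-most label next to plain length so
the two signals can be compared. Thresholds are assumed values.
"""
import math
from collections import Counter


def shannon_entropy(text):
    """Bits per character: 0 for one repeated symbol, log2(n) when all n chars differ."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def domain_features(fqdn):
    """Length of the whole name (what `len(domain)` gives) plus entropy and
    length of the left-most label, where DGA/tunnelling names carry their noise."""
    labels = fqdn.rstrip(".").lower().split(".")
    label = labels[0]
    return {
        "domain": fqdn,
        "length": len(fqdn),
        "label_len": len(label),
        "label_entropy": shannon_entropy(label),
    }


def is_suspicious(fqdn, min_entropy=3.5, min_label_len=12):
    """Assumed rule: flag when the left-most label is both long and high-entropy.
    Either test alone misfires: long readable words have moderate entropy,
    and short random strings cannot reach the entropy bar."""
    f = domain_features(fqdn)
    return f["label_entropy"] >= min_entropy and f["label_len"] >= min_label_len


# Constructed sample names (none are real hosts).
SAMPLE_DOMAINS = [
    "www.example.test",                # short, low entropy
    "windowsupdate.example.test",      # long but readable
    "k7q2x9mz4p1dw8vn.example.test",   # long and random-looking
    "aaaaaaaaaaaaaaaa.example.test",   # long, zero entropy (repeated char)
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        f = domain_features(d)
        print(f"{d:32} len={f['length']:2d} label_len={f['label_len']:2d} "
              f"entropy={f['label_entropy']:.2f} suspicious={is_suspicious(d)}")
```

The fourth sample shows why length alone is a weak filter: a 16-character label of one repeated character has the same length as the random-looking one but zero entropy. In practice, keep the entropy score as one enrichment field and combine it with the timing and count signals rather than alerting on it by itself.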

🧰 Detection Enhancements

Technique | Description
Machine Learning Toolkit (MLTK) | Use clustering or frequency analysis to catch beacon-like behaviour.
Threat Intelligence Enrichment | Cross-reference with STIX, TAXII, or MISP feeds.
Anomalous Port Use | Look for uncommon outbound connections (e.g. port 443 to dynamic IPs).
MITRE ATT&CK Mapping | Tag detections to techniques like T1071, T1008, T1071.004.

🧬 MITRE ATT&CK Reference
