detecting-beaconing-patterns-with-zeek
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/detecting-beaconing-patterns-with-zeekAnalyze Zeek logs to detect C2 beaconing patterns via timing statistics.
- Identifies command-and-control callbacks by measuring connection interval jitter.
- Integrates with ZAT library and Pandas for Zeek log data processing.
- Flags suspicious activity when inter-arrival time standard deviation is low.
- Outputs structured analysis results for security operations teams.
SKILL.md
.github/skills/detecting-beaconing-patterns-with-zeekView on GitHub ↗
---
name: detecting-beaconing-patterns-with-zeek
description: >
Performs statistical analysis of Zeek conn.log connection intervals to detect C2
beaconing patterns. Uses the ZAT library to load Zeek logs into Pandas DataFrames,
calculates inter-arrival time standard deviation, and flags periodic connections
with low jitter. Use when hunting for command-and-control callbacks in network data.
domain: cybersecurity
subdomain: security-operations
tags: [detecting, beaconing, patterns, with]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Detecting Beaconing Patterns with Zeek
## When to Use
- When investigating security incidents that require detecting beaconing patterns with zeek
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Load Zeek conn.log data using ZAT (Zeek Analysis Tools), group connections by
source/destination pairs, and compute timing statistics to identify beaconing.
```python
from zat.log_to_dataframe import LogToDataFrame
import numpy as np
log_to_df = LogToDataFrame()
conn_df = log_to_df.create_dataframe('/path/to/conn.log')
# Group by src/dst pair and calculate inter-arrival time
for (src, dst), group in conn_df.groupby(['id.orig_h', 'id.resp_h']):
times = group['ts'].sort_values()
intervals = times.diff().dt.total_seconds().dropna()
if len(intervals) > 10:
std_dev = np.std(intervals)
mean_interval = np.mean(intervals)
# Low std_dev relative to mean = likely beaconing
```
Key analysis steps:
1. Parse Zeek conn.log into DataFrame with ZAT LogToDataFrame
2. Group connections by source IP and destination IP pairs
3. Calculate inter-arrival time intervals between consecutive connections
4. Compute standard deviation and coefficient of variation
5. Flag pairs with low coefficient of variation as potential beacons
## Examples
```python
from zat.log_to_dataframe import LogToDataFrame
log_to_df = LogToDataFrame()
df = log_to_df.create_dataframe('conn.log')
print(df[['id.orig_h', 'id.resp_h', 'ts', 'duration']].head())
```