Using statistical analysis to find beacon communication activity

I’ll cover the types of beacons out there in the wild, a little about some of the C2 frameworks and how beacons are configured and deployed. I’ll then talk about the characteristics of beacon traffic, and which of those elements we can use for hunting. Then I’ll talk about a toolset that exists for using machine learning and statistical analysis methods to identify likely beacon traffic. I’ll run through a not horrifying explanation of the statistical methods and generally how they work. I’ll finish with a description of how I have implemented similar logic into hunt queries in Sentinel and Splunk for netflow data sources.
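As an added illustration of the kind of statistical scoring this talk is about (example code, not the speaker's tooling or the Sentinel/Splunk queries described): the block below groups constructed netflow-style records by source, destination and port and scores each pair on two commonly used beacon traits, regularity of the inter-connection interval and consistency of the payload size, using the median and median absolute deviation. The scoring formula, the threshold and all hosts and timings are assumptions for the demonstration.

```python
from collections import defaultdict
from statistics import median

# Constructed netflow-style records (not real data): (epoch_seconds, src, dst, dst_port, bytes_out)
_BASE = 1_700_000_000
_BEACON_GAPS = [60, 58, 62, 60, 59, 61, 60, 60, 62, 58]          # ~60 s sleep with small jitter
_BEACON_BYTES = [512, 512, 520, 512, 508, 512, 512, 516, 512, 512, 512]
_NOISE_GAPS = [5, 300, 12, 900, 40, 7, 2000]                     # bursty, human-driven timing
_NOISE_BYTES = [1200, 35000, 800, 99000, 4000, 600, 22000, 15000]

def _series(src, dst, port, gaps, sizes):
    """Expand a list of gaps and sizes into timestamped flow records for one pair."""
    t, rows = _BASE, []
    for i, size in enumerate(sizes):
        rows.append((t, src, dst, port, size))
        if i < len(gaps):
            t += gaps[i]
    return rows

FLOWS = (_series("10.0.0.5", "203.0.113.7", 443, _BEACON_GAPS, _BEACON_BYTES)   # regular: beacon-like
         + _series("10.0.0.9", "198.51.100.3", 443, _NOISE_GAPS, _NOISE_BYTES)  # bursty: user browsing
         + _series("10.0.0.9", "192.0.2.10", 80, [30, 30], [700, 700, 700]))     # too few flows to judge

def _regularity(values):
    """1.0 when every value equals the median, falling toward 0.0 as MAD approaches the median."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return 1.0 if med == 0 else max(0.0, 1.0 - mad / med)

def beacon_scores(flows, min_connections=6):
    """Per (src, dst, port) pair with enough flows: connection count, median gap in seconds,
    and a 0..1 score averaging interval regularity and payload-size consistency."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, size in flows:
        by_pair[(src, dst, port)].append((ts, size))
    results = {}
    for pair, rows in by_pair.items():
        if len(rows) < min_connections:          # too little history to call it periodic
            continue
        rows.sort()
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        sizes = [size for _, size in rows]
        interval_score, size_score = _regularity(gaps), _regularity(sizes)
        results[pair] = {"connections": len(rows), "interval_median": median(gaps),
                         "score": round((interval_score + size_score) / 2, 4)}
    return results

def suspected_beacons(flows, threshold=0.8):
    """Pairs whose score meets the threshold, sorted for stable output; candidates for analyst review."""
    return sorted(p for p, r in beacon_scores(flows).items() if r["score"] >= threshold)
```

Legitimate software that polls on a timer (update checks, monitoring agents) scores just as high, so the output is a triage list to enrich with destination reputation and process context, not a verdict.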