Identify command-and-control beaconing patterns in network traffic by applying statistical frequency analysis, jitter calculation, and coefficient of variation scoring to detect periodic callbacks from compromised endpoints.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionhunting-for-beaconing-with-frequency-analysisExecute the skills CLI command in your project's root directory to begin installation:
Fetches hunting-for-beaconing-with-frequency-analysis from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate hunting-for-beaconing-with-frequency-analysis. Access via /hunting-for-beaconing-with-frequency-analysis in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Quickly understand datasets, identify patterns, and generate insights
Example
Analyze CSV with 100K rows, identify outliers, visualize correlations, suggest hypotheses
Reduce EDA time from hours to minutes, uncover insights faster
Write scripts to clean messy data, handle missing values, normalize formats
Example
Generate Python/SQL to fix date formats, impute missing values, remove duplicates
Automate 80% of data preprocessing work
Perform hypothesis testing, regression, and statistical modeling
Example
Run A/B test analysis, calculate confidence intervals, interpret p-values
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | hunting-for-beaconing-with-frequency-analysis |
| description | Identify command-and-control beaconing patterns in network traffic by applying statistical frequency analysis, jitter calculation, and coefficient of variation scoring to detect periodic callbacks from compromised endpoints. |
| domain | cybersecurity |
| subdomain | threat-hunting |
| tags | - threat-hunting - beaconing - c2-detection - frequency-analysis - network-traffic - RITA - jitter-detection - mitre-t1071 |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| d3fend_techniques | - File Metadata Consistency Validation - Certificate Analysis - Application Protocol Command Analysis - Content Format Conversion - File Content Analysis |
| nist_csf | - DE.CM-01 - DE.AE-02 - DE.AE-07 - ID.RA-05 |
| Concept | Description |
|---|---|
| T1071.001 | Application Layer Protocol: Web Protocols -- HTTP/HTTPS beaconing |
| T1071.004 | Application Layer Protocol: DNS -- DNS-based C2 tunneling |
| T1573 | Encrypted Channel -- TLS/SSL encrypted C2 communication |
| T1568.002 | Dynamic Resolution: Domain Generation Algorithms |
| Coefficient of Variation | Standard deviation divided by mean; values below 0.20 indicate periodicity |
| Jitter | Random variation added to beacon interval to evade detection |
| RITA Beacon Score | Composite score from connection regularity, data size consistency, and connection count |
| JA3/JA4 Fingerprinting | TLS client fingerprinting to identify C2 framework signatures |
| Fast-Flux DNS | Rapidly changing DNS resolution used to protect C2 infrastructure |
| Tool | Purpose |
|---|---|
| RITA (Real Intelligence Threat Analytics) | Automated beacon scoring from Zeek logs |
| AC-Hunter | Commercial threat hunting platform with beacon detection |
| Splunk | SPL-based statistical beacon analysis with streamstats |
| Elastic Security | ML anomaly detection for periodic network behavior |
| Zeek | Network metadata collection (conn.log, dns.log, ssl.log) |
| Suricata | Network IDS with JA3/JA4 TLS fingerprint extraction |
| FLARE | C2 profile and beacon pattern detection |
| VirusTotal | Domain and IP reputation enrichment |
index=proxy OR index=firewall
| where NOT match(dest, "(?i)(microsoft|google|amazonaws|cloudflare|akamai)")
| bin _time span=1s
| stats count by src_ip dest _time
| streamstats current=f last(_time) as prev_time by src_ip dest
| eval interval=_time-prev_time
| stats count avg(interval) as avg_interval stdev(interval) as stdev_interval
min(interval) as min_interval max(interval) as max_interval by src_ip dest
| where count > 50
| eval cv=stdev_interval/avg_interval
| where cv < 0.20 AND avg_interval > 30 AND avg_interval < 86400
| sort cv
| table src_ip dest count avg_interval stdev_interval cv
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Public"
| summarize ConnectionTimes=make_list(Timestamp), Count=count() by DeviceName, RemoteIP, RemoteUrl
| where Count > 50
| extend Intervals = array_sort_asc(ConnectionTimes)
| mv-apply Intervals on (
extend NextTime = next(Intervals)
| where isnotempty(NextTime)
| extend IntervalSec = datetime_diff('second', NextTime, Intervals)
| summarize AvgInterval=avg(IntervalSec), StdDev=stdev(IntervalSec)
)
| extend CV = StdDev / AvgInterval
| where CV < 0.2 and AvgInterval > 30
| sort by CV asc
title: Potential C2 Beaconing Pattern Detected
status: experimental
logsource:
category: proxy
detection:
selection:
dst_ip|cidr: '!10.0.0.0/8'
timeframe: 24h
condition: selection | count(dst) by src_ip > 50
level: medium
tags:
- attack.command_and_control
- attack.t1071.001
Hunt ID: TH-BEACON-[DATE]-[SEQ]
Source IP: [Internal IP]
Source Host: [Hostname from DHCP/DNS]
Destination: [Domain/IP]
Protocol: [HTTP/HTTPS/DNS]
Beacon Interval: [Average seconds]
Jitter Estimate: [Percentage]
Coefficient of Variation: [CV value]
Connection Count: [Total connections in window]
Data Size CV: [Payload consistency metric]
Domain Age: [Days since registration]
TI Match: [Yes/No -- source]
Risk Score: [0-100]
Risk Level: [Critical/High/Medium/Low]
Indicators: [List of triggered risk factors]
Get statistically sound analysis without PhD in statistics
Create charts, dashboards, and visual reports
Example
Generate matplotlib/seaborn code for time series plots, distribution charts, heatmaps
Build presentation-ready visualizations 3x faster
Prerequisites
Time Estimate
20-40 minutes to set up and run first analysis
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use for exploratory data analysis, data cleaning, statistical testing, visualization prototyping, and learning new analysis techniques. Best for initial exploration and rapid insights.
✗ Avoid when
Avoid for mission-critical financial analysis, medical research requiring regulatory compliance, production ML models, or when deep statistical expertise is required for nuanced interpretation.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
I recommend hunting-for-beaconing-with-frequency-analysis for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Solid pick for teams standardizing on skills: hunting-for-beaconing-with-frequency-analysis is focused, and the summary matches what you get after install.
hunting-for-beaconing-with-frequency-analysis is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
hunting-for-beaconing-with-frequency-analysis fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Keeps context tight: hunting-for-beaconing-with-frequency-analysis is the kind of skill you can hand to a new teammate without a long onboarding doc.
Registry listing for hunting-for-beaconing-with-frequency-analysis matched our evaluation — installs cleanly and behaves as described in the markdown.
Useful defaults in hunting-for-beaconing-with-frequency-analysis — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
hunting-for-beaconing-with-frequency-analysis is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Solid pick for teams standardizing on skills: hunting-for-beaconing-with-frequency-analysis is focused, and the summary matches what you get after install.
We added hunting-for-beaconing-with-frequency-analysis from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
showing 1-10 of 63