Best Practices for Detecting C2 Beaconing in Your Network

Cybercriminals are becoming more sophisticated, and one of their key tools is command-and-control (C2) beaconing, a stealthy method of maintaining access to compromised systems.

Reports show a troubling rise in activity: back in 2022, Recorded Future's The Record indicated that the number of unique C2 servers jumped by 30% compared to the previous year, and analysts of Sekoia observed over 85,000 C2-related IP addresses in 2023. This surge underscores the growing threat posed by C2 infrastructure.

Understanding how C2 beaconing works is essential to defending against it, so in this article, we will break it down and share practical steps that you can take to better defend against these persistent threats.

What is C2 Beaconing?

C2 beaconing involves malware sending short, regular messages from an infected host to a command-and-control (C2) server. Extrahop states that "the infected host will periodically check in with the C&C server on a regular schedule, hence the term beaconing."

This is the lifeblood of malware, as it allows the attacker to send further instructions to the compromised host, to let it know it's active and ready for more commands by talking to an external host. Essentially, a beacon is a signal to the C2 server to keep the connection open to control the infected system.

Beaconing can manifest in different forms, including DNS, SSH, or HTTP, and often uses techniques to blend in with legitimate traffic to avoid detection. Knowing beaconing behavior allows you to detect and mitigate threats before damage is done.

Now that we understand what C2 beaconing is and why it matters, let's take a closer look at how this communication takes place between infected systems and C2 servers.

How C2 Beaconing Works

At the heart of a beaconing attack are the data packets called beacons. These packets are sent from the infected host to the C2 server at regular intervals, known as the beacon interval, which can be down to the second to avoid suspicion. For example, a Cobalt Strike beacon might have an average sleep of 787.5 seconds with jitter added to disrupt the pattern.

Jitter (random variations in timing) makes it harder to detect as it makes the beaconing activity less predictable. Knowing the sleep duration and associated jitter is key to detecting beacons in network traffic analysis. By calculating the average beacon sleep and its standard deviation, it's possible to better identify these patterns.

C2 beaconing uses protocols like HTTP/S, DNS, SSH, and SMTP to communicate between compromised hosts and the C2 server.

With a clearer view of how beaconing operates, we can now break down the specific characteristics that make this behavior detectable, if you know what to look for.

C2 Beaconing Characteristics

C2 beaconing has several characteristics that can be used to detect and identify it. These characteristics include:

• Regular communication intervals

• Consistent packet sizes

• Specific destination IP addresses

• Encryption

• Obfuscation

• Jitter

• Use of legitimate services and protocols like HTTP and HTTPS

By analyzing these characteristics, threat hunters can detect and block C2 beaconing. Knowing these patterns and behaviors is key to developing detection strategies and network security.

C2 beaconing often shows anomalous network activity, unusual timing, or sporadic patterns, which can indicate threats. For example, Emotet beaconing is irregular, with a lot of variability in timing, making it hard to detect.

Attackers evade detection by generating traffic that looks like legitimate web traffic, using common ports and protocols like HTTP and HTTPS to blend in. Knowing these characteristics, including timing and packet size, is key to telling the difference between regular traffic and beaconing activity.

Additionally, the standard deviation plays a crucial role in detecting variations in beaconing traffic. Analyzing the dispersion of data points around the mean helps identify anomalies that may indicate malicious activities.

Even with well-known characteristics, detecting C2 beaconing in real-world environments isn't easy. Attackers are constantly evolving their tactics to evade detection, which introduces several challenges.

Challenges in Detecting C2 Beaconing

Detecting C2 beaconing is challenging because of the high degree of sophisticated evasion techniques used by attackers. Malware can easily adjust its communication patterns to mimic legitimate web traffic, change timing, frequency, and volume to avoid detection. Jitter makes it even harder to detect.

Current detection approaches are static and can be easily evaded by dynamic, configurable C2 frameworks. This results in high false positive rates that can overwhelm security teams and make detection efforts ineffective.

Evasion Techniques

Attackers use multiple ways to evade detection, often using ephemeral services within legitimate platforms. For example, Emotet mimics legitimate traffic patterns to avoid network defenses. Configuring beacons to look like normal application traffic allows malware to hide communications and make it hard for security systems to detect malicious activity.

Another common technique is to randomize the timing of beacon communications, using jitter to introduce variability and evade detection mechanisms that rely on regular patterns. Trickbot and NOBELIUM have adaptive beaconing behaviour, they can remain undetected while executing commands and performing malicious activities.

False Positives and Negatives

One of the biggest challenges in C2 beaconing detection is to distinguish between benign application behavior and actual beaconing activity. The dynamic nature of C2 communications can result in high false negatives, where malicious traffic goes undetected. This is bad because malware can stay in the network longer and cause more damage.

On the other hand, static detection methods can result in high false positives, overwhelming security teams with alerts for benign traffic. More dynamic and adaptive detection methods to differentiate between normal and malicious traffic are required to reduce false detections and improve overall security.

The effectiveness of detection frameworks is measured by quantifying various metrics, such as the number of network event log messages, processes, and hosts that analysts need to analyze before and after implementing their solution. Comprehensive testing is key to validating these results.

So, how can security teams overcome these challenges? The key lies in adopting smarter, more dynamic detection strategies that go beyond traditional methods.

Effective Detection Strategies

Detecting beaconing requires security teams to use multiple approaches beyond static detection methods. Heuristic analysis of network traffic, focusing on irregularities in communication patterns, can enhance beaconing detection. These dynamic approaches are key to adapting to the evolving tactics of C2 communications.

Effective detection strategies should determine the effectiveness of machine learning models and advanced security tools by analyzing network traffic. These combined can provide a robust defense mechanism to identify and mitigate C2 beaconing threats.

Additionally, it is key to develop effective strategies for responding to detected threats to prevent security breaches and improve the overall robustness of threat detection methodologies.

Analyzing Network Traffic

Ongoing analysis of network traffic patterns is key to detecting anomalous behavior associated with beaconing. By monitoring communication patterns, such as GET and POST requests, security tools can detect beaconing activity based on timing and frequency. Consistent intervals for beacons and regular outbound communication patterns are classic indicators of C2 traffic.

Security tools and techniques, firewalls, and intrusion detection systems play a big role in identifying and blocking unauthorized outbound traffic. Blocking suspicious traffic at the network perimeter can significantly mitigate C2 activity. Monitoring traffic patterns over time, volume, and network layers is a must for beaconing detection.

Machine Learning Models

Machine learning models can enhance C2 beaconing detection by identifying patterns even when randomized. These models analyze timing, volume, TCP/IP communications, SSL/TLS fingerprinting, and application protocol payloads to create a robust mechanism for detection.

It is key to measure the effectiveness of these machine learning models by evaluating various metrics such as variance, periodicity, and detection accuracy. Machine learning powered anomaly detection is robust as threat tactics evolve, so detection results are high confidence. Using machine learning models helps security teams detect C2 beaconing in production environments.

Leveraging Security Tools

Security tools are key to dealing with C2 beaconing, providing frameworks and resources for detection. For instance, Zeek is a network analysis framework that can be customized to detect beaconing behavior by analyzing network flows and timing patterns.

These tools are used to identify sophisticated configurations of C2 beacons, which often incorporate jitter to obscure malicious traffic. The beaconing identification framework helps analysts to monitor network traffic for suspicious activity and provides indicators of compromise (IOCs).

Using Hunt.io's C2 Feeds for Proactive Detection

Hunt.io doesn't monitor live network traffic or detect timing-based beaconing on the endpoint, but it plays a key role in uncovering the infrastructure behind those beacons. Our C2 infrastructure feeds offer real-time visibility into IPs, domains, JA4+ hashes, and TLS fingerprints tied to active threat actor campaigns.

Security teams use Hunt.io to enrich indicators, validate outbound connections, and pivot into clusters of related infrastructure. This helps confirm if a suspected beacon is part of a broader command-and-control operation.

By integrating Hunt.io, you can:

• Uncover reused infrastructure across campaigns

• Attribute domains and IPs to known C2 behaviours

• Reduce false positives by linking traffic to verified attacker infrastructure

Our platform has been instrumental in recent investigations involving Cobalt Strike beacons and creative C2 setups:

• South Korean Organizations Targeted by Cobalt Strike 'Cat' Delivered by a Rust Beacon: where beacon logs, open directory tooling, and Rust loaders were tied to government-targeted attacks.

• Golang Beacons and VS Code Tunnels: revealing the abuse of Visual Studio Code dev tunnels as C2 channels, evading traditional detection systems.

While Hunt.io doesn't inspect beacon intervals or jitter behavior directly, it gives you the infrastructure-level evidence to confirm and expand on signs of beaconing before it escalates.

With a solid strategy in place, it's also important to understand what C2 beaconing looks like in the wild. Here are some common ones that defenders frequently encounter.

Common C2 Beacons

Common C2 frameworks used by threat actors like Cobalt Strike, Metasploit, Mythic, and Brute Ratel modify C2 traffic to look like regular web traffic. Intrusion Prevention System (IPS) signatures can block many known network exploits, but have limitations in detecting all types of threats.

To better understand C2 beaconing in action, let's examine some well-known cyber threats. Trickbot, Emotet, and NOBELIUM each leverage this communication method for malicious purposes, showcasing its prevalence in modern attacks.

Trickbot

Trickbot was first reported in 2016 and has become a major threat in the cyber landscape. This malware communicates regularly with its C2 servers to receive updates and commands for further malicious activities, often involving one host within the compromised network.

Trickbot's ability to send information about the infected host at regular intervals makes it a classic example of C2 beaconing. By understanding Trickbot's attack chain, security teams can better detect and mitigate its impact on compromised hosts.

Emotet

Emotet started as a banking Trojan and can perform data exfiltration and lateral movement within networks. Its beaconing involves low frequency and high jitter, making it less detectable and harder to identify as malicious traffic.

Using common C2 tools repurposed into adversarial frameworks allows Emotet to blend its malicious traffic with legitimate traffic, making detection more complicated. Understanding how to execute commands related to Emotet's beaconing is key to developing countermeasures.

NOBELIUM

NOBELIUM is a threat actor that has a complex C2 infrastructure that enhances its operational security and ability to stay undetected. This sophisticated beaconing allows NOBELIUM to have high control over compromised hosts and often coordinates a large volume of malicious activities.

Analyzing the total number of beaconing events is crucial for identifying non-human efforts and understanding the complexity of the communication patterns being monitored. By understanding NOBELIUM's methods, you can prepare to detect and counter similar threats.

While knowing what to look for is critical, many teams fall into common traps when trying to detect C2 traffic. Let's explore these pitfalls to help you avoid them.

Common Mistakes

Organizations make several mistakes when trying to detect C2 beaconing. One of the most common mistakes is relying only on signature-based detection, which can be evaded by threat actors using custom malware and encryption.

Another mistake is not monitoring network traffic in real-time, which can allow C2 beaconing to go undetected. Organizations also fail to consider the broader threat landscape and the Tactics, Techniques, and Procedures (TTPs) used by threat actors, which makes it hard to identify and block C2 beaconing.

To avoid these mistakes, organizations must have a comprehensive detection strategy that includes multiple approaches such as behavioral analysis, machine learning, and network traffic analysis. By having a multi-faceted approach, organizations can improve their ability to detect and respond to C2 beaconing threats.

Avoiding these mistakes is a solid start, but advanced attackers require advanced mitigation strategies. Once beaconing activity is identified, effective mitigation strategies are essential to contain the threat and prevent further damage.

Mitigating C2 Beaconing

Mitigating C2 beaconing requires a multi-faceted approach including strong network defenses, continuous monitoring, and a well-defined incident response plan.

Considering more detection metrics is key in these mitigation strategies, as it helps in understanding the variability and dispersion of potential threats.

Network Perimeter Defense

Blocking inbound and outbound suspicious traffic at the network perimeter is the key to preventing C2 beaconing. Using network segmentation and the principle of least privilege can limit the impact of a compromised device, so even if one segment is breached, the threat can't spread easily.

Effective network perimeter defense also involves monitoring destination IPs and external hosts as attackers try to gain unauthorized access through various means. Any suspicious communication should be blocked immediately to prevent further malicious activities.

Regular Monitoring and Analysis

Continuous monitoring of network traffic is required to identify anomalies in timing and packet sizes indicative of C2 beaconing. Using machine learning models can enhance detection by analyzing a wide range of signals in network traffic and can detect patterns over a defined time window to get a clearer picture of beaconing intervals and other suspicious activities.

Using security tools and threat hunting techniques can improve the detection of C2 beaconing, using standard statistical measures to address false positives and negatives. Stay tuned to the latest threat intelligence feeds and detection mechanisms to maintain a robust defense against emerging threats.

Incident Response Planning

Having a well-defined incident response plan enables organizations to respond and manage detected beaconing activities. This includes having predefined steps to block identified IPs, investigate related communications, and mitigate the threat.

Having a structured incident response plan is key to addressing the impact of detected beaconing activities and to recover quickly from an attack. After detecting suspicious C2 activity, block the identified IPs and investigate all related communications immediately. This proactive approach will contain the threat and prevent further damage, and keep the organization secure.

While every attack is different, real-world cases offer valuable insight into how C2 beaconing can manifest in actual environments.

The following examples shed light on how these threats have played out and what defenders can learn from them.

Real-World C2 Beaconing Cases Uncovered Through Infrastructure Analysis

The following case studies reveal attacker tactics, infrastructure, and beaconing patterns, offering practical insights into detection, evasion, and defensive response.

Golang Beacons and Visual Studio Code Tunnels: In November 2024, our researchers identified a Cobalt Strike server using a known watermark and a unique TLS certificate, both shared across dozens of other IP addresses. A few days later, a Golang-compiled beacon tied to this server surfaced on multiple malware sandboxes. The beacon's C2 communications stood out: it leveraged Visual Studio Code dev tunnels, an uncommon yet increasingly observed tactic.

These tunnels, typically used by developers, allow attackers to hide within trusted Azure infrastructure and bypass perimeter defenses. Additional indicators, such as host profiling behavior, a reference to Cobalt Strike 4.5, and links to a suspicious self-signed certificate, further connected the activity. While the final objective remains unclear, the infrastructure paints a picture of stealth and adaptation.

Uncovering SuperShell & Cobalt Strike from an Open Directory: Our research team uncovered an exposed server hosting multiple C2 payloads, including two SuperShell backdoors (also known as GOREVERSE) and a Cobalt Strike beacon. The SuperShell executables ('ps1' and 'ps2') were configured to beacon to IP 124.70.143[.]234 over port 3232, while the Cobalt Strike sample ('test') communicated with 8.219.177[.]40 on port 443 using a spoofed SSL certificate.

SuperShell is a lesser-known but powerful C2 framework with a web-based admin panel accessible via port 8888. Our platform detected related infrastructure, including open directories, login panels, and tools like ARL. This case highlights active C2 beaconing and shows how threat actors use open-source frameworks and exposed servers to maintain remote access and persistence. The evidence suggests the malicious infrastructure was still in use at the time.

South Korean Organizations Targeted by Cobalt Strike: Hunt researchers uncovered an exposed web server hosting tools linked to an intrusion campaign targeting South Korean entities. The attacker used open-source utilities like SQLMap and dirsearch to identify and exploit vulnerable systems, later deploying a modified Cobalt Strike variant dubbed "Cobalt Strike Cat."

Evidence pointed to successful breaches, with attacker logs confirming active beaconing from compromised hosts. The malware used jQuery malleable profiles and redirected traffic to the CIA website as an evasion tactic. Rust-based loaders decoded and ran shellcode in memory, indicating a sophisticated, multi-stage infection strategy. Beacon activity showed persistence, with operators reconnecting via different IPs.

Wrapping up

Detecting C2 beaconing in your network is challenging, but it's a critical part of maintaining strong cybersecurity. By understanding how beaconing works, recognizing its patterns, and applying modern detection techniques, organizations can stay one step ahead of evolving threats.

At Hunt.io, we make this process easier with high-confidence C2 feeds and advanced threat intelligence solutions designed to support your security operations. Want to see how it works? Book a demo today and start detecting threats before they do damage.