LoFP / This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected.

Techniques

Sample rules

Halfbaked Command and Control Beacon

Description

Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.

Detection logic

(event.dataset: (network_traffic.tls OR network_traffic.http) OR
  (event.category: (network OR network_traffic) AND network.protocol: http)) AND
  network.transport:tcp AND url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/ AND
  destination.port:(53 OR 80 OR 8080 OR 443)
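
As an added example that is not part of the rule or of this page, the Python below re-implements the Lucene query above over constructed ECS-style events and layers the tuning from the LoFP note on top: an allowlist of source and destination systems in which the behaviour is expected. The function names (matches_beacon, hunt), the sample addresses and the sample events are this example's own assumptions. Two properties of the query are kept as written: Lucene regular expressions match the whole field value, so fullmatch() is used, and the dots between the octets are unescaped in the rule, so each matches any single character.

```python
import re

# Mirror of url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/
# Lucene regexes are implicitly anchored, hence fullmatch() below. The dots
# between octets are unescaped in the rule as written, so they match any
# character; the pattern is reproduced verbatim rather than "fixed".
BEACON_URL = re.compile(r"http://[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/cd")

# destination.port:(53 OR 80 OR 8080 OR 443); ECS destination.port is numeric.
BEACON_PORTS = {53, 80, 8080, 443}

HTTP_DATASETS = {"network_traffic.tls", "network_traffic.http"}
NETWORK_CATEGORIES = {"network", "network_traffic"}


def matches_beacon(event: dict) -> bool:
    """Return True when a flat ECS-style event satisfies the rule's query."""
    # event.dataset: (network_traffic.tls OR network_traffic.http) OR
    #   (event.category: (network OR network_traffic) AND network.protocol: http)
    http_source = event.get("event.dataset") in HTTP_DATASETS or (
        event.get("event.category") in NETWORK_CATEGORIES
        and event.get("network.protocol") == "http"
    )
    if not http_source:
        return False
    # network.transport:tcp
    if event.get("network.transport") != "tcp":
        return False
    # url.full:/.../  (whole-value match, as in Lucene)
    url = event.get("url.full")
    if not isinstance(url, str) or BEACON_URL.fullmatch(url) is None:
        return False
    # destination.port:(53 OR 80 OR 8080 OR 443)
    return event.get("destination.port") in BEACON_PORTS


def hunt(events, expected_sources=frozenset(), expected_destinations=frozenset()):
    """Apply the rule, then drop hits involving systems where this traffic is expected.

    expected_sources / expected_destinations are hypothetical allowlists of IPs,
    the tuning the LoFP note asks for; they are this example's assumption.
    """
    alerts = []
    for ev in events:
        if not matches_beacon(ev):
            continue
        if ev.get("source.ip") in expected_sources:
            continue
        if ev.get("destination.ip") in expected_destinations:
            continue
        alerts.append(ev)
    return alerts


# Constructed sample events (documentation-range addresses, not real traffic).
SAMPLE_EVENTS = [
    # 0: beacon-shaped request via the dataset branch -> alert
    {"event.dataset": "network_traffic.http", "network.transport": "tcp",
     "source.ip": "10.0.0.5", "destination.ip": "203.0.113.10",
     "destination.port": 80, "url.full": "http://203.0.113.10/cd"},
    # 1: same request seen via the event.category/network.protocol branch -> alert
    {"event.category": "network", "network.protocol": "http",
     "network.transport": "tcp", "source.ip": "10.0.0.7",
     "destination.ip": "203.0.113.10", "destination.port": 8080,
     "url.full": "http://203.0.113.10/cd"},
    # 2: port outside the rule's list -> no alert
    {"event.dataset": "network_traffic.http", "network.transport": "tcp",
     "source.ip": "10.0.0.9", "destination.ip": "198.51.100.4",
     "destination.port": 8443, "url.full": "http://198.51.100.4/cd"},
    # 3: extra path after /cd fails the anchored regex -> no alert
    {"event.dataset": "network_traffic.http", "network.transport": "tcp",
     "source.ip": "10.0.0.9", "destination.ip": "198.51.100.4",
     "destination.port": 80, "url.full": "http://198.51.100.4/cd/index.html"},
    # 4: not TCP -> no alert
    {"event.dataset": "network_traffic.http", "network.transport": "udp",
     "source.ip": "10.0.0.9", "destination.ip": "198.51.100.4",
     "destination.port": 53, "url.full": "http://198.51.100.4/cd"},
    # 5: internal scanner that legitimately probes /cd -> alert unless allowlisted
    {"event.dataset": "network_traffic.http", "network.transport": "tcp",
     "source.ip": "10.0.0.20", "destination.ip": "192.0.2.50",
     "destination.port": 80, "url.full": "http://192.0.2.50/cd"},
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, expected_sources={"10.0.0.20"}):
        print(hit["source.ip"], "->", hit["destination.ip"], hit["url.full"])
```

Running the block as a script prints the two remaining hits once the scanner at 10.0.0.20 is excluded as an expected source; excluding 203.0.113.10 as an expected destination instead leaves only the scanner's request.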