Once an attacker has a foothold, they need to communicate with the compromised system to issue commands and receive results. C2 beacons are the heartbeat of a persistent compromise -- periodic check-ins designed to look like normal traffic.
A C2 beacon is code running on a compromised host that regularly phones home to an attacker-controlled server. The beacon might check in every 60 seconds, receive instructions (run a command, move a file, scan the network), execute them, and send back results.
The defining characteristic is the periodic timing: regular intervals create a timing signature that can be detected in network logs. Attackers use jitter -- random variation in the interval -- to make the pattern look less mechanical.
Most modern C2 frameworks (Cobalt Strike, Sliver, Havoc) have configurable sleep times and jitter percentages. The IRON CHIMNEY compromise used a beacon configured to simulate normal web browsing by varying request patterns and using HTTPS to a domain-fronted or lookalike domain.
The domain d3adbeef123456789.microsoft-cdn-verify.net served as the C2 server for the IRON CHIMNEY compromise of RESEARCH-STATION-01 (192.168.3.45). Several detection signals make it suspicious on inspection:
Subdomain pattern: The subdomain d3adbeef123456789 is a long hex-like string -- no legitimate CDN uses this naming convention. Defenders can hunt for long or high-entropy subdomains in DNS logs.
Domain mimicry: microsoft-cdn-verify.net mimics Microsoft infrastructure but is not a Microsoft-owned domain. Anything claiming to be a Microsoft CDN that is not under microsoft.com or akadns.net warrants inspection.
Domain age: Attacker domains are typically freshly registered. A TIP or NGFW check on this domain would show low reputation and a registration date within days of the initial compromise.
Beacon interval detection: Write a query over NetFlow or proxy logs that calculates the standard deviation of connection intervals per destination. A host connecting to the same external IP with very low time variance is likely beaconing. Most SIEM platforms can run this as a scheduled search.
DNS anomalies: Flag DNS queries with subdomains longer than 50 characters, entropy above a threshold, or query rates to newly-registered domains (domain age less than 30 days). DNS tunneling also tends to produce unusually high query counts to a single second-level domain.
TLS certificate inspection: HTTPS C2 uses TLS but the certificate metadata can be unusual -- self-signed certs, short validity windows (under 30 days), or certificates issued by uncommon CAs. A next-gen firewall can log JA3 hashes for TLS fingerprinting to identify known C2 tools by their TLS client behavior.
Size and timing patterns: C2 beacons often produce very consistent packet sizes in check-in requests even with jitter on the interval. A destination where every GET request is exactly 342 bytes is suspicious.
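The interval-variance hunt from the beacon interval paragraph, together with the request-size and subdomain-entropy checks above, as an added example that is not part of the original page. It runs over a constructed proxy-log sample; the 203.0.113.10 and 198.51.100.7 server addresses, the timestamps, and the 0.25 coefficient-of-variation and 3.5-bit entropy thresholds are assumptions, not values from the page.

```python
import math
import statistics
from collections import defaultdict
# Constructed sample (not real traffic), "epoch src dst bytes host": 192.168.3.45 checks in
# about every 60 s with ~10% jitter and a constant 342-byte request, plus bursty browsing.
SAMPLE_LOG = """\
1700000000 192.168.3.45 203.0.113.10 342 d3adbeef123456789.microsoft-cdn-verify.net
1700000058 192.168.3.45 203.0.113.10 342 d3adbeef123456789.microsoft-cdn-verify.net
1700000121 192.168.3.45 203.0.113.10 342 d3adbeef123456789.microsoft-cdn-verify.net
1700000178 192.168.3.45 203.0.113.10 342 d3adbeef123456789.microsoft-cdn-verify.net
1700000243 192.168.3.45 203.0.113.10 342 d3adbeef123456789.microsoft-cdn-verify.net
1700000299 192.168.3.45 203.0.113.10 342 d3adbeef123456789.microsoft-cdn-verify.net
1700000005 192.168.3.45 198.51.100.7 1810 www.example.com
1700000009 192.168.3.45 198.51.100.7 620 www.example.com
1700000130 192.168.3.45 198.51.100.7 2230 www.example.com
1700000131 192.168.3.45 198.51.100.7 410 www.example.com
1700000330 192.168.3.45 198.51.100.7 960 www.example.com
1700000340 192.168.3.45 198.51.100.7 512 www.example.com
"""

def flow_stats(log_text):
    """Per (src, dst, host): count, mean gap, gap stddev/mean (sleep-time independent), size stddev."""
    flows = defaultdict(lambda: ([], []))
    for line in log_text.splitlines():
        ts, src, dst, size, host = line.split()
        flows[(src, dst, host)][0].append(int(ts))
        flows[(src, dst, host)][1].append(int(size))
    stats = {}
    for key, (times, sizes) in flows.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps) if gaps else 0.0
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        stats[key] = {"count": len(times), "mean_gap": mean, "gap_cv": cv,
                      "size_sd": statistics.pstdev(sizes)}
    return stats

def find_beacons(log_text, min_conns=5, max_cv=0.25):
    """Flag flows with enough check-ins and low relative gap variance; 10-20% jitter stays under 0.25."""
    return [(k, s) for k, s in flow_stats(log_text).items()
            if s["count"] >= min_conns and s["gap_cv"] <= max_cv]

def shannon_entropy(label):
    """Bits per character of a DNS label; hex-like or random labels score high."""
    return -sum(label.count(c) / len(label) * math.log2(label.count(c) / len(label))
                for c in set(label))

def suspicious_subdomain(host, max_len=50, min_entropy=3.5):
    """DNS hunt from the text: very long or high-entropy leftmost label (thresholds assumed)."""
    label = host.split(".")[0]
    return len(label) > max_len or shannon_entropy(label) >= min_entropy
```

Because the score is stddev divided by mean, the same threshold works for a 60-second and a 10-minute sleep; the size stddev of 0 for the flagged flow is the constant-342-byte pattern the text describes.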
| Tool | What to hunt |
|---|---|
| SIEM | Beacon interval query: stddev of connection times per host per destination over 24h |
| NGFW | DNS queries with subdomains >40 chars; TLS to domains registered <30 days ago; JA3 matching known C2 |
| EDR | Process making periodic outbound connections; svchost.exe or other system processes with unexpected network activity |
| TIP | Lookup C2 domain age, WHOIS, passive DNS -- flag if domain is < 30 days old or has no historical resolution |