{
	"id": "cc13367a-315e-4d21-9ebf-184092d35371",
	"created_at": "2026-04-06T00:22:27.563372Z",
	"updated_at": "2026-04-10T13:11:24.97658Z",
	"deleted_at": null,
	"sha1_hash": "82f72b618974fd0bc5e9cb24a19d6f4b47f6c2ab",
	"title": "Enterprise Scale Threat Hunting: C2 Beacon Detection with Unsupervised ML and KQL — Part 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 406211,
	"plain_text": "Enterprise Scale Threat Hunting: C2 Beacon Detection with\r\nUnsupervised ML and KQL — Part 1\r\nBy Mehmet Ergene\r\nPublished: 2021-05-23 · Archived: 2026-04-05 17:04:07 UTC\r\nThis blog is part one of a two-part series focused on C2 beacon detection.\r\nPress enter or click to view image in full size\r\nBeacons or beaconing is the practice of sending short and regular communications from one host to\r\nanother. As used in malware, this is mostly used to communicate to an external host that a compromised\r\ninternal host is active, functioning and ready for further instructions. Not all beacons are malicious in\r\nnature. There are many benign use cases of beaconing behaviour, such as system time services,\r\nsoftware update services, etc.[1]\r\nIn the world of malware, a beacon doesn’t have to use regular intervals. As seen in many C2 frameworks, it is\r\npossible to use jitter for communication. Using jitter makes it difficult to detect beacons, and hence the C2 traffic.\r\nJitter Usage in C2 Beacons\r\nFor example, 60 seconds of sleep with 10% jitter results in a uniformly random sleep between 54 and 66 seconds\r\nfor PoshC2 and Empire, or a uniformly random sleep between 54 and 60 seconds for Cobalt Strike.[2]\r\nhttps://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f\r\nPage 1 of 3\n\nI’ve come across few good methods for detecting network beacons(including the ones having jitter) by using\r\nstatistical analysis with KQL. Unfortunately, none of them worked for me because my data was a little bit huge.\r\nAlso, I wasn’t able to detect some beacons explained below. So, I decided to develop a high-performing query that\r\ncan analyze a large amount of data within timeout thresholds and detect almost all kinds of beacons with high\r\nprecision.\r\nIn this blog series, I’ll explore the approaches and problems in beacon detection, how we can solve them, and\r\ndevelop a beacon detection mechanism with KQL in Azure Sentinel and Microsoft 365 Defender by using\r\nSysmon, Process network and Firewall/Proxy events.\r\nStatistics 101: Standard Deviation\r\nIn statistics, the standard deviation is a measure of the amount of variation or dispersion of a set of\r\nvalues. A low standard deviation indicates that the values tend to be close to the mean (also called the\r\nexpected value) of the set, while a high standard deviation indicates that the values are spread out over a\r\nwider range.\r\nA useful property of the standard deviation is that unlike the variance, it is expressed in the same unit\r\nas the data.\r\nRelation Between Beacon Jitter and Standard Deviation\r\nLet’s say we have a Cobalt Strike beacon with a 15 minutes sleep and 25% jitter. It will have a random sleep\r\nbetween 675s and 900s. This means:\r\nAverage beacon sleep = 787.5s\r\nMax standard deviation = 112.5s (not percentage)\r\nGet Mehmet Ergene’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nBy analyzing the time deltas between each consecutive connection of a source-destination pair, we can detect\r\nbeacons with the help of standard deviation. Depending on the data source we have, we can also use sent bytes\r\ninformation to perform the same calculation. However, the standard deviation is not enough for proper detection.\r\nFor example, if you set a threshold for standard deviation like 100, you will miss the beacon that has 15 minutes\r\nof sleep with 25% jitter if the standard deviation of the time deltas exceeds 100 seconds(Since the sleep duration\r\ncalculated randomly, the standard deviation of the time deltas can be anything between 0–112.5s). The same\r\napplies to the sent bytes.\r\nOutliers and False Negatives\r\nBeacon detection assumes that the computer or the beacon is up and running for the duration of the data you\r\nanalyze. Let's have a look at an example:\r\nhttps://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f\r\nPage 2 of 3\n\nYou analyze 24h of data to detect beacons. If a computer is turned off for 3 hours during this 24h period, you will\r\nhave a spike in your time delta calculation which may result in false negatives. When using the sent bytes for the\r\nanalysis, the beacon can send a fairly large amount of data occasionally and this may result in false negatives as\r\nwell.\r\nIn order to detect beacons properly, we need to use other statistical values or calculations. We also need to\r\neliminate situations that can cause false negatives.\r\nIn part two, I’ll explain how we can solve these problems and apply an optimal method in Azure Sentinel and\r\nMicrosoft 365 Defender by leveraging the KQL functions. I hope the result will be quite close(or maybe better) to\r\nthe open-source project RITA. Stay tuned and follow me on Twitter | LinkedIn to get more updates! Finally, If you\r\nsee something wrong, please let me know (I’m not expert at statistics).\r\nReferences\r\n1. https://www.activecountermeasures.com/threat-hunting-simplifying-the-beacon-analysis-process/\r\n2. https://blog.fox-it.com/2020/01/15/hunting-for-beacons/\r\n3. https://en.wikipedia.org/wiki/Standard_deviation\r\nSource: https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c\r\n4c30304f\r\nhttps://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f"
	],
	"report_names": [
		"enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f"
	],
	"threat_actors": [],
	"ts_created_at": 1775434947,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/82f72b618974fd0bc5e9cb24a19d6f4b47f6c2ab.pdf",
		"text": "https://archive.orkl.eu/82f72b618974fd0bc5e9cb24a19d6f4b47f6c2ab.txt",
		"img": "https://archive.orkl.eu/82f72b618974fd0bc5e9cb24a19d6f4b47f6c2ab.jpg"
	}
}