Halfbaked Command and Control Beacon

Last updated 7 months ago on 2025-01-15

Created 5 years ago on 2020-07-06

About

Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.

Tags

Use Case: Threat DetectionTactic: Command and ControlDomain: EndpointLanguage: lucene

Severity

high

Risk Score

MITRE ATT&CK™

Command and Control (TA0011)(opens in a new tab or window)

↳ Application Layer Protocol (T1071)(opens in a new tab or window)

↳ Dynamic Resolution (T1568)(opens in a new tab or window)

False Positive Examples

This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: packetbeat-*auditbeat-*filebeat-*logs-network_traffic.*
Related Integrations: network_traffic(opens in a new tab or window)
Query

(event.dataset: (network_traffic.tls OR network_traffic.http) OR
  (event.category: (network OR network_traffic) AND network.protocol: http)) AND
  network.transport:tcp AND url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/ AND
  destination.port:(53 OR 80 OR 8080 OR 443)

Install detection rules in Elastic Security

Detect Halfbaked Command and Control Beacon in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).