
Evading rule-based detection - Part 1: C2 beaconing


Command and control beaconing is one of the most critical detection opportunities in the attack lifecycle. Once attackers establish initial access, they need persistent communication with compromised systems. This creates patterns defenders historically used for detection: regular intervals, connection volumes, external destinations.

Modern C2 frameworks changed this. Tools like Cobalt Strike, Brute Ratel, and Sliver provide turnkey evasion capabilities through simple configuration files. We tested these widely available techniques to evaluate traditional detection performance against sophisticated adversary tradecraft.

The accessibility of modern C2 frameworks

Cobalt Strike remains the dominant C2 framework. Over 30 APT groups documented by MITRE ATT&CK actively use it, including APT29, Lazarus, FIN7, and FIN12. The healthcare sector suffered 68+ ransomware attacks in 2024 where Cobalt Strike facilitated initial access. Operation Morpheus disrupted 593 malicious Cobalt Strike servers in 2024, yet 20% remain active on darknet markets, selling for $100-500.

As defenders improved at detecting Cobalt Strike, threat actors pivoted to alternatives. Sliver, an open-source framework, has been adopted by APT29, FIN12, and ransomware operators associated with Ryuk, Conti, and Hive. Brute Ratel C4, designed specifically to evade EDR, appeared in BlackCat (ALPHV) ransomware engagements.

Malleable C2 profiles: Evasion as configuration

Cobalt Strike introduced malleable C2 profiles, text-based configuration files that customize every aspect of beacon behavior. Attackers copy profiles from public repositories like this collection and adjust parameters:

set sleeptime "7200";        # 2 hour base interval
set jitter    "45";          # ±45% randomization
set useragent "Mozilla/5.0"; # Legitimate browser string

These three lines configure beaconing at random intervals between 79 minutes and 174 minutes, mimicking legitimate application polling. Traditional statistical beaconing detection looks for regular patterns. Jitter destroys these patterns completely.

The profiles go further: mimicking Windows Update, certificate validation (OCSP), and cloud service APIs through modified User-Agent strings, URIs, and data encoding. This is not custom malware development. This is copying a file from GitHub and changing parameters.

Our test configuration

We configured a test attack using techniques documented in real-world campaigns:

  • Infrastructure: AWS Frankfurt (52.59.177.21)
  • Timing: 2-6 hour sleep intervals with ±45 minute jitter
  • Protocol: HTTPS on port 443
  • Payload size: 200-2500 bytes per beacon
  • Total traffic: ~100KB over 10 days (<0.01% of typical cloud traffic)

This mirrors documented incidents. LockBit ransomware deployed Cobalt Strike in a January 2024 intrusion, maintaining access for 11 days with custom jitter. APT29 uses both Cobalt Strike and Sliver targeting government agencies and critical infrastructure.

Traditional detection results

Three common detection rules were evaluated:

Rule 1: Threat intelligence / blocklist matching
Result: Zero detections. AWS IP addresses are not in threat intelligence feeds. Cloud provider IPs cannot be blocklisted without breaking SaaS applications, collaboration tools, and business operations. Iranian threat group Lemon Sandstorm and the 2023 Truist Bank breach both used cloud-hosted C2 infrastructure for this reason.

Rule 2: Fixed interval beaconing detection
Result: Zero detections. Jitter eliminated statistical patterns. The 2-6 hour intervals with ±45 minute variation created no consistent signature.

Rule 3: External data volume monitoring
Result: Zero detections. C2 traffic (200-2500 bytes per beacon, ~100KB total) was invisible in normal cloud/SaaS usage of multiple GB per day.
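The three rules above can be replayed in code against constructed beacon traffic. The block below is an added example written for this page, not DeepTempo's code and not a real detection product: it generates jittered sleep intervals following the post's symmetric "±jitter" reading (real frameworks may only shorten the sleep, which changes nothing about the argument), builds flow records of 200-2500 bytes to the post's AWS destination, and runs a blocklist check, a fixed-interval check and a daily volume check. The blocklist entries (TEST-NET addresses), the coefficient-of-variation threshold of 0.10 and the 10 MB/day budget are assumptions chosen to look like typical rule settings.

```python
import random
from statistics import mean, pstdev

# Constructed stand-in for a threat-intel feed (TEST-NET addresses only).
BLOCKLIST = {"192.0.2.10", "198.51.100.23", "203.0.113.77"}
# Beacon destination as given in the post's test configuration.
C2_DST = "52.59.177.21"

def jittered_intervals(base_seconds, jitter_pct, count, seed=0):
    """Sleep intervals with symmetric +/- jitter, following the post's reading
    of the profile (assumption: some frameworks only ever shorten the sleep;
    the effect on a fixed-interval rule is the same either way)."""
    rng = random.Random(seed)
    j = jitter_pct / 100.0
    return [base_seconds * (1.0 + rng.uniform(-j, j)) for _ in range(count)]

def build_beacon_flows(base_seconds, jitter_pct, count, seed=0):
    """Constructed flow records: one HTTPS beacon per interval, 200-2500 bytes."""
    rng = random.Random(seed + 1)
    t, flows = 0.0, []
    for gap in jittered_intervals(base_seconds, jitter_pct, count, seed):
        t += gap
        flows.append({"ts": t, "dst": C2_DST, "dport": 443,
                      "bytes": rng.randint(200, 2500)})
    return flows

def rule_blocklist(flows):
    """Rule 1: any destination appears on the blocklist."""
    return any(f["dst"] in BLOCKLIST for f in flows)

def rule_fixed_interval(flows, max_cv=0.10):
    """Rule 2: inter-arrival times are 'too regular'. Assumed threshold:
    coefficient of variation (stdev / mean of the gaps) below 0.10."""
    ts = sorted(f["ts"] for f in flows)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return False
    return pstdev(gaps) / mean(gaps) < max_cv

def rule_volume(flows, max_bytes_per_day=10_000_000):
    """Rule 3: bytes to one destination exceed an assumed 10 MB/day budget."""
    per_day = {}
    for f in flows:
        day = int(f["ts"] // 86400)
        per_day[day] = per_day.get(day, 0) + f["bytes"]
    return any(v > max_bytes_per_day for v in per_day.values())

def evaluate(flows):
    """Run all three rules; True means the rule would have fired."""
    return {"blocklist": rule_blocklist(flows),
            "fixed_interval": rule_fixed_interval(flows),
            "volume": rule_volume(flows)}

if __name__ == "__main__":
    # 4-hour base sleep, 45% jitter, 61 beacons (roughly ten days of traffic).
    jittered = build_beacon_flows(4 * 3600, 45, 61)
    fixed = build_beacon_flows(4 * 3600, 0, 61)
    print("with jitter:", evaluate(jittered))
    print("no jitter:  ", evaluate(fixed))
    print("total bytes:", sum(f["bytes"] for f in jittered))
```

With 45% jitter the gap coefficient of variation lands near 0.26 (the standard deviation of a uniform ±45% spread is 0.45/√3), far above the 0.10 a fixed-interval rule expects, so only the zero-jitter run fires; the same ~150 KB of beacon bytes never approaches a daily volume budget. Lowering the thresholds is the obvious counter, and it is exactly what produces the false positives the post warns about.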

Why behavioral timeline structure succeeds

DeepTempo's LogLM detected 100% of the C2 beaconing flows (61 out of 61). This is not because LogLM looks for fixed intervals or analyzes timing patterns. The foundation model learns structural signatures of command and control behavioral timelines.

Consider what C2 beaconing looks like at this level. Individual beacons appear normal: HTTPS traffic on port 443, small payloads, random timing. But the behavioral timeline structure reveals intent. The pattern of repeated connections to the same external endpoint over days, the consistency of small bidirectional flows, the temporal distribution across extended timeframes all form a structural signature that indicates command and control.

Attackers can configure jitter to eliminate timing patterns. They can use cloud hosting to evade blocklists. They can keep payloads tiny. But they cannot make the timeline structure normal while maintaining functional C2 communication.

The foundation model creates embeddings of flow sequences between endpoints. These embeddings capture structural patterns that distinguish legitimate operational behavior from attacker behavior. A legitimate application that polls for updates has a different behavioral timeline structure than a C2 beacon. The polling behavioral timeline shows update checks, data transfers, and version synchronization patterns. The C2 behavioral timeline shows small bidirectional flows maintaining connectivity with minimal data transfer until commands are issued.
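To make the "timeline structure" idea concrete, the block below is an added example, not LogLM and not any DeepTempo code: a hand-written feature extractor that aggregates flows per (source, destination) pair into the properties the paragraph names (contact across many days, flow size, byte symmetry between directions) and a deliberately simple heuristic over them. The thresholds (5 active days, 90% small flows, a 4000-byte "small" cut-off, an inbound/outbound ratio of at most 5) and the three constructed traffic patterns (a jittered beacon, a daily updater that pulls two real downloads, a one-off large download) are all assumptions made for illustration.

```python
import random
from collections import defaultdict
from statistics import median

DAY = 86400
SMALL_FLOW_BYTES = 4000   # assumed cut-off for a "small" flow

def timeline_features(flows):
    """Aggregate per (src, dst) pair: persistence across days, flow sizes,
    and byte symmetry between the two directions."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)
    feats = {}
    for pair, fl in by_pair.items():
        sizes = [f["out_bytes"] + f["in_bytes"] for f in fl]
        total_out = sum(f["out_bytes"] for f in fl)
        total_in = sum(f["in_bytes"] for f in fl)
        feats[pair] = {
            "flows": len(fl),
            "active_days": len({int(f["ts"] // DAY) for f in fl}),
            "median_bytes": median(sizes),
            "max_bytes": max(sizes),
            "small_frac": sum(s <= SMALL_FLOW_BYTES for s in sizes) / len(sizes),
            "in_out_ratio": total_in / max(total_out, 1),
        }
    return feats

def c2_like(feat, min_days=5, min_small_frac=0.9, max_ratio=5.0):
    """Assumed heuristic: sustained multi-day contact made almost entirely of
    small, roughly balanced flows. A one-off download fails min_days; an
    updater that pulls real payloads fails the size and ratio conditions."""
    return (feat["active_days"] >= min_days
            and feat["small_frac"] >= min_small_frac
            and feat["in_out_ratio"] <= max_ratio)

def constructed_flows(seed=0):
    """Constructed sample traffic from one host to three destinations."""
    rng = random.Random(seed)
    flows = []
    # (a) beacon: ~4h jittered sleeps for about ten days, tiny check-ins both ways
    t = 0.0
    for _ in range(61):
        t += 4 * 3600 * (1 + rng.uniform(-0.45, 0.45))
        flows.append({"ts": t, "src": "10.0.0.5", "dst": "198.51.100.20",
                      "out_bytes": rng.randint(200, 800),
                      "in_bytes": rng.randint(200, 1500)})
    # (b) updater: one small daily check plus two real downloads
    for day in range(10):
        flows.append({"ts": day * DAY + 9 * 3600, "src": "10.0.0.5",
                      "dst": "198.51.100.30", "out_bytes": 400, "in_bytes": 900})
    for day in (3, 8):
        flows.append({"ts": day * DAY + 9 * 3600 + 120, "src": "10.0.0.5",
                      "dst": "198.51.100.30", "out_bytes": 600, "in_bytes": 5_000_000})
    # (c) a single large download, never contacted again
    flows.append({"ts": 2 * DAY, "src": "10.0.0.5", "dst": "198.51.100.40",
                  "out_bytes": 2000, "in_bytes": 50_000_000})
    return flows

def classify(flows):
    """Map each destination to whether its timeline looks C2-like."""
    return {dst: c2_like(feat) for (_, dst), feat in timeline_features(flows).items()}

if __name__ == "__main__":
    for (src, dst), feat in timeline_features(constructed_flows()).items():
        print(dst, feat, "-> C2-like" if c2_like(feat) else "-> not C2-like")
```

Note what this hand-written version cannot do: a poller whose server answers every check with a tiny "no update" response produces the same aggregates as the beacon, so the heuristic would flag it. Closing that gap is where a model trained on the ordering and shape of whole flow sequences, rather than a handful of per-pair aggregates, has to earn its keep; the example only shows which properties of the timeline the rules in the previous section never look at.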

This explains why LogLM achieved 100% detection on C2 flows that evaded traditional rules. The foundation model evaluates timeline structure rather than matching predefined patterns.

What this means for defenders

Modern C2 frameworks have democratized evasion. Cracked Cobalt Strike costs $100-500. Sliver is open-source. Brute Ratel licenses can be obtained through fake companies.

Rule-based detection was designed for malware using fixed intervals and known malicious infrastructure. When attackers configure jitter, cloud hosting, and standard ports, these rules lose visibility. Detection engineers can lower thresholds or add correlation logic, but this generates false positives and requires more compute resources.

Foundation models that learn structural signatures of C2 behavioral timelines provide an alternative. Instead of writing rules for known evasion techniques, the model learns what C2 timeline structures look like. This works against techniques defenders have not anticipated because it evaluates behavioral timeline structure rather than matching predefined patterns.

I did a related demo that can be found here.

Get in touch to run a 30 day risk-free assessment in your environment. DeepTempo will analyze your existing data to identify threats that are active. Catch threats that your existing NDRs and SIEMs might be missing!
