NullSec BeaconHunt

C2 Beacon Detector

A command and control beacon detection tool written in Elixir, demonstrating functional programming and pattern matching for network traffic analysis.

🎯 Overview

NullSec BeaconHunt analyzes network connections to identify command and control (C2) beacon patterns. It detects regular communication intervals, DNS tunneling, and covert channels with confidence scoring.

✨ Features

• Beacon Pattern Detection - Identify regular callback intervals
• Jitter Analysis - Measure timing variations
• DNS Tunneling - Detect DNS-based C2
• Protocol Classification - HTTP, HTTPS, DNS, ICMP
• Confidence Scoring - Probabilistic detection
• MITRE ATT&CK - Technique mapping

🔍 Detection Capabilities

Beacon Type	Protocol	MITRE	Description
HTTP Beacon	TCP/80	T1071.001	Web-based C2
HTTPS Beacon	TCP/443	T1071.001	Encrypted web C2
DNS Beacon	UDP/53	T1071.004	DNS tunneling
ICMP Beacon	ICMP	T1095	Ping-based covert channel
Custom	Various	T1095	Non-standard protocols

📦 Installation

# Clone the repository
git clone https://github.com/bad-antics/nullsec-beaconhunt
cd nullsec-beaconhunt

# Run with Elixir
elixir beaconhunt.exs

# Or compile with Mix
mix escript.build
./beaconhunt

🚀 Usage

# Analyze PCAP file
elixir beaconhunt.exs capture.pcap

# Live capture
elixir beaconhunt.exs -i eth0

# Set confidence threshold
elixir beaconhunt.exs -t 0.7 traffic.pcap

# JSON output
elixir beaconhunt.exs -j capture.pcap

# Run demo
elixir beaconhunt.exs

💻 Example Output

╔══════════════════════════════════════════════════════════════════╗
║             NullSec BeaconHunt - C2 Beacon Detector              ║
╚══════════════════════════════════════════════════════════════════╝

[Demo Mode]

Analyzing sample network connections...

  [CRITICAL] BEACON_HTTPS_001
    Destination: 185.220.101.1
    Type:        https
    Connections: 16
    Avg Interval: 60.0s
    Jitter:      0.0s
    Confidence:  90.0%
    MITRE:       T1071.001
    Description: Possible C2 beacon detected to 185.220.101.1

  [HIGH] BEACON_DNS_001
    Destination: 23.129.64.100
    Type:        dns
    Connections: 21
    Avg Interval: 30.0s
    Jitter:      0.0s
    Confidence:  80.0%
    MITRE:       T1071.004
    Description: Possible C2 beacon detected to 23.129.64.100

═══════════════════════════════════════════

  Summary:
    Connections Analyzed: 42
    Beacons Detected:     2
    Critical/High: 2

🏗️ Architecture

┌─────────────────────────────────────────────────────────────┐
│                   Connection Parser                          │
│              PCAP | Live Capture | Zeek Logs                │
└─────────────────────────────────────────────────────────────┘
                           │
                           ▼
┌─────────────────────────────────────────────────────────────┐
│              Group by Destination IP                         │
│            Enum.group_by(& &1.dst_ip)                       │
└─────────────────────────────────────────────────────────────┘
                           │
                           ▼
┌─────────────────────────────────────────────────────────────┐
│               Interval Analysis                              │
│    calculate_intervals | calculate_jitter | confidence      │
└─────────────────────────────────────────────────────────────┘
                           │
                           ▼
┌─────────────────────────────────────────────────────────────┐
│                 Alert Generation                             │
│    BeaconPattern → Alert with severity and MITRE            │
└─────────────────────────────────────────────────────────────┘

💜 Elixir Features Demonstrated

• Pattern Matching - Function head matching for different cases
• Pipe Operator - |> for data transformation chains
• Comprehensions - for expressions for list generation
• Structs - %Connection{}, %BeaconPattern{}, %Alert{}
• Modules - Namespaced with defmodule
• Guards - when length(timestamps) < 2
• Enum Functions - group_by, map, filter, sort_by
• Anonymous Functions - & &1.dst_ip capture syntax

🔧 Data Structures

defmodule BeaconPattern do
  defstruct [
    :dst_ip,
    :intervals,
    :avg_interval,
    :jitter,
    :connection_count,
    :bytes_pattern,
    :beacon_type,
    :confidence
  ]
end

defmodule Alert do
  defstruct [
    :severity,
    :beacon_pattern,
    :rule_name,
    :description,
    :mitre,
    :iocs
  ]
end

📊 Confidence Scoring

Factor	Weight	Condition
Regular Intervals	+30%	>3 intervals, jitter < 5s
Many Connections	+20%	>10 connections
Known Malicious IP	+40%	In threat intel list
Low Relative Jitter	+20%	jitter/avg < 10%

🛡️ Security Use Cases

• Threat Hunting - Proactively search for C2
• Incident Response - Identify active beacons
• Network Forensics - Analyze historical traffic
• SOC Operations - Real-time beacon detection
• Malware Analysis - Understand C2 behavior

⚠️ Legal Disclaimer

This tool is intended for:

• ✅ Authorized network monitoring
• ✅ Security operations
• ✅ Incident response
• ✅ Research and education

Only analyze network traffic you're authorized to inspect.

🔗 Links

• Portal: bad-antics.github.io
• Discord: discord.gg/killers
• GitHub: github.com/bad-antics

📄 License

MIT License - See LICENSE file for details.

🏷️ Version History

• v1.0.0 - Initial release with beacon detection and jitter analysis

---

Part of the NullSec Security Toolkit