
Introduction:
Command-and-control (C2) beaconing has evolved beyond fixed or jittered intervals. Attackers now use additive recurrence scheduling (e.g., phi-compatible Fibonacci sequences) to generate non-periodic, structurally stealthy traffic that evades traditional regularity-based detectors like RITA and AC-Hunter. Beacon Hunter introduces a two-gate recurrence test to identify this growing family of C2 patterns, giving defenders a mathematical edge against next‑generation beaconing.
Learning Objectives:
– Understand how additive recurrence (Fibonacci‑like) beaconing evades standard detection algorithms.
– Learn to implement a two‑gate recurrence test for detecting non‑periodic C2 patterns using Python and network logs.
– Apply Linux/Windows commands to capture, analyze, and mitigate Fibonacci‑based beaconing in real time.
You Should Know:
1. The Mathematics Behind Additive Recurrence Beaconing
Additive recurrence scheduling defines each inter‑connection interval as approximately the sum of the previous two intervals (Iₙ ≈ Iₙ₋₁ + Iₙ₋₂). This produces a growth factor approaching the golden ratio φ ≈ 1.618 – hence “phi‑compatible”. Unlike constant or random jitter, this sequence is deterministic but non‑periodic, defeating detectors that look for fixed frequencies or variance thresholds.
Step‑by‑step guide to understand and verify the recurrence:
– Take three consecutive beacon intervals: t₁, t₂, t₃.
– Compute ratio t₃ / t₂ and t₂ / t₁ – both should approach φ over time.
– For a perfect Fibonacci sequence (1,1,2,3,5,8,…), each term is exactly the sum of the prior two.
– Attackers implement this as a sleep algorithm: next_sleep = prev_sleep + prev_prev_sleep.
– Use the two‑gate test: check if |(Iₙ – (Iₙ₋₁ + Iₙ₋₂))| < ε (epsilon) for multiple windows.
Example Python snippet to test intervals (note that `epsilon` is an absolute tolerance in the same unit as the intervals, so 0.1 seconds is only realistic for tightly timed lab traffic):

```python
def is_additive_recurrence(intervals, epsilon=0.1):
    # Every interval from the third onward must equal the sum of the previous two
    for i in range(2, len(intervals)):
        predicted = intervals[i - 1] + intervals[i - 2]
        if abs(intervals[i] - predicted) > epsilon:
            return False
    return True

# Example intervals from Fibonacci C2 (seconds)
print(is_additive_recurrence([120, 195, 315, 510, 825]))  # True
```
2. Why Traditional Detectors (RITA, AC-Hunter) Fail
RITA (Real Intelligence Threat Analytics) and AC‑Hunter rely on regularity metrics: standard deviation of intervals, periodicity scores, and entropy of timing patterns. Additive recurrence produces increasing intervals that never repeat, so variance remains high and no dominant frequency exists. These tools flag only periodic or near‑periodic beaconing, leaving Fibonacci‑scheduled C2 invisible.
Step‑by‑step breakdown of the detection gap:
– RITA’s `beacon` detection scores require stable mean and low jitter. Additive intervals grow unbounded → mean shifts continuously.
– AC‑Hunter’s auto‑correlation fails because there is no repeating lag.
– Even sliding‑window detectors tuned for gradual change miss the deterministic sum property.
– Beacon Hunter explicitly tests the recurrence relation across three successive intervals – a mathematical invariant that periodicity detectors ignore.
– To see this, generate a simulated C2 log with Fibonacci intervals and run RITA's beacon analysis (`rita show-beacons <db>` in RITA v4 and earlier): the additive flow does not surface as a high-scoring beacon.
Linux commands to test with RITA (Zeek writes its logs into the current directory, so run it inside a scratch folder):

```bash
mkdir zeek && cd zeek && zeek -r ../sample_traffic.pcap && cd ..
rita import zeek/ beacon_test
rita show-beacons beacon_test | grep -i score
```
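The contrast in sections 1 and 2, as an added example that is not code from the original post, from RITA or from AC-Hunter: build an additive schedule and a jittered periodic one, then compute simplified regularity metrics of the kind periodicity detectors rely on. The periodic beacon scores as tightly clustered timing, the additive one does not, while its consecutive-interval ratio converges to φ. The metric definitions, the seeds 120/195 and the jitter model are this example's own assumptions.

```python
import random
import statistics

PHI = (1 + 5 ** 0.5) / 2  # golden ratio, the limiting growth factor of the schedule


def additive_schedule(seed_a, seed_b, count, jitter=0.0, rng=None):
    """Return `count` inter-connection intervals with I[n] = I[n-1] + I[n-2],
    optionally perturbed by a multiplicative jitter in [-jitter, +jitter] the way
    sleep drift and network delay perturb a real implant's timing."""
    rng = rng or random.Random(0)  # fixed seed: the example is reproducible
    a, b = seed_a, seed_b
    out = [a, b]
    for _ in range(count - 2):
        a, b = b, a + b
        out.append(b)
    return [x * (1 + rng.uniform(-jitter, jitter)) for x in out]


def periodic_schedule(period, count, jitter=0.0, rng=None):
    """Classic beacon: a fixed period with symmetric jitter."""
    rng = rng or random.Random(0)
    return [period * (1 + rng.uniform(-jitter, jitter)) for _ in range(count)]


def regularity_metrics(intervals):
    """Constructed, simplified regularity metrics (not RITA's or AC-Hunter's code):
    - cv: coefficient of variation (std / mean); near 0 means steady timing
    - dispersion_score: 1 - MAD/median, clamped to [0, 1]; near 1 means the
      intervals cluster tightly around one value, which is what a periodic
      detector rewards
    - last_ratio: I[n] / I[n-1] for the final pair, to compare against PHI"""
    mean = statistics.fmean(intervals)
    cv = statistics.pstdev(intervals) / mean
    med = statistics.median(intervals)
    mad = statistics.median(abs(x - med) for x in intervals)
    dispersion_score = max(0.0, 1 - mad / med)
    return {
        "cv": cv,
        "dispersion_score": dispersion_score,
        "last_ratio": intervals[-1] / intervals[-2],
    }


if __name__ == "__main__":
    fib = additive_schedule(120, 195, 10, jitter=0.05)
    per = periodic_schedule(300, 10, jitter=0.10)
    for name, seq in (("additive", fib), ("periodic", per)):
        m = regularity_metrics(seq)
        print(f"{name:9s} cv={m['cv']:.2f} dispersion={m['dispersion_score']:.2f} "
              f"last_ratio={m['last_ratio']:.3f} (phi={PHI:.3f})")
```

The additive sequence gets a low dispersion score and a coefficient of variation above 1 even though it is fully deterministic; a detector thresholding on those numbers never sees it, which is the gap the recurrence test closes.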
3. Setting Up Beacon Hunter: Installation and Configuration
While Beacon Hunter is currently a research concept (credit: Andre Cordero), you can implement its two‑gate recurrence test using open‑source tools. The following steps build a working detector on Linux.
Step‑by‑step setup:
– Clone the reference repository (conceptual):
```bash
git clone https://github.com/example/beacon-hunter   # placeholder – use the LinkedIn links provided
cd beacon-hunter
```
– Install dependencies: `pandas`, `numpy`, `scapy`, `tshark`.
```bash
pip install pandas numpy scapy
sudo apt install tshark
```
– Extract connection timestamps from PCAP:
tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -Y "tcp.flags.syn==1" > syn_times.txt
– Preprocess into connection intervals per flow.
– Run the two‑gate test Python script:
python3 two_gate_detector.py --input conn_intervals.csv --epsilon 0.15
Configuration parameters:
– `epsilon`: absolute tolerance for the sum approximation (default 0.1–0.15 seconds). Real intervals drift with sleep granularity and network latency, so on minute-scale beacons a tolerance proportional to the predicted interval (a few percent) is more robust than a fixed number of seconds.
– `min_sequence`: minimum number of consecutive intervals to analyze (default 5).
– `window_gap`: maximum allowed gap between flows (default 300 seconds).
4. Two‑Gate Recurrence Test: Practical Code and Commands
The two‑gate test applies two successive recurrence checks to reduce false positives. Gate‑1 tests if Iₙ ≈ Iₙ₋₁ + Iₙ₋₂. Gate‑2 tests if Iₙ₊₁ ≈ Iₙ + Iₙ₋₁. Both must pass within epsilon for a positive detection.
Step‑by‑step guide to implement and use:
– Open a Python environment (Linux or Windows WSL).
– Use the following detector (intervals are grouped per source/destination pair so that each flow is tested on its own):

```python
import sys
import csv
from collections import defaultdict


def detect_additive_beacon(intervals, epsilon=0.12):
    """Two-gate test. Gate 1: I[i+2] ~ I[i] + I[i+1]. Gate 2: I[i+3] ~ I[i+1] + I[i+2].
    Both gates must pass within epsilon before an alert is raised."""
    alerts = []
    for i in range(len(intervals) - 3):
        # Gate 1
        if abs(intervals[i + 2] - (intervals[i] + intervals[i + 1])) > epsilon:
            continue
        # Gate 2: the next triplet must satisfy the same relation
        if abs(intervals[i + 3] - (intervals[i + 1] + intervals[i + 2])) <= epsilon:
            alerts.append((i, intervals[i:i + 4]))
    return alerts


# Load intervals from CSV (src_ip,dst_ip,interval_seconds), one list per flow
flows = defaultdict(list)
path = sys.argv[1] if len(sys.argv) > 1 else "intervals.csv"
with open(path, newline="") as f:
    for row in csv.reader(f):
        if len(row) < 3 or row[0] == "src_ip":  # skip header / malformed rows
            continue
        flows[(row[0], row[1])].append(float(row[2]))

for (src, dst), intervals in flows.items():
    for idx, window in detect_additive_beacon(intervals):
        print(f"Potential additive recurrence {src}->{dst} at index {idx}: {window}")
```
– On Windows (PowerShell as Administrator + Python), use the same script after exporting packets with `pktmon` (or `netsh trace`, see section 5):

```powershell
pktmon start --capture
# wait for the monitoring period, then stop
pktmon stop
pktmon pcapng PktMon.etl -o PktMon.pcapng
```

tshark reads the resulting .pcapng directly, so the timestamp export command from section 3 applies unchanged.
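The pipeline of sections 3 and 4 end to end (SYN timestamps as tshark prints them, per-flow intervals, two-gate test), as an added example that is not code from the original post or from Beacon Hunter itself. The input lines are constructed in the tab-separated layout produced by `tshark -T fields -e frame.time_relative -e ip.src -e ip.dst -Y "tcp.flags.syn==1"`; the relative tolerance `rel_tol`, the `min_gates` knob and all function names are this example's own choices, not the tool's parameters. It goes one step beyond the page's code by reporting each maximal run of passing triplets once instead of one overlapping alert per window.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample. The flow to 203.0.113.5 follows an additive schedule
# (about 120, 195, 315, 510, 825 s) with slight drift; the flow to 198.51.100.7
# is an ordinary ~60 s periodic beacon that must not be flagged.
SAMPLE_SYN_LINES = """\
0.000000\t192.168.1.100\t203.0.113.5
0.000000\t192.168.1.100\t198.51.100.7
59.800000\t192.168.1.100\t198.51.100.7
120.100000\t192.168.1.100\t203.0.113.5
121.300000\t192.168.1.100\t198.51.100.7
179.900000\t192.168.1.100\t198.51.100.7
241.200000\t192.168.1.100\t198.51.100.7
299.700000\t192.168.1.100\t198.51.100.7
315.400000\t192.168.1.100\t203.0.113.5
361.000000\t192.168.1.100\t198.51.100.7
629.900000\t192.168.1.100\t203.0.113.5
1140.600000\t192.168.1.100\t203.0.113.5
1966.100000\t192.168.1.100\t203.0.113.5
"""


def parse_syn_lines(text):
    """Group SYN timestamps by (src, dst) from tshark field output."""
    flows = defaultdict(list)
    for row in csv.reader(StringIO(text), delimiter="\t"):
        if len(row) != 3:
            continue  # blank or malformed line
        ts, src, dst = row
        flows[(src, dst)].append(float(ts))
    return flows


def to_intervals(timestamps):
    """Sorted timestamps -> inter-connection intervals."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def passes_gate(intervals, i, rel_tol):
    """Gate at triplet i: I[i+2] ~ I[i] + I[i+1], with a tolerance proportional to
    the predicted value (a fixed number of seconds breaks on minute-scale intervals)."""
    predicted = intervals[i] + intervals[i + 1]
    return abs(intervals[i + 2] - predicted) <= rel_tol * predicted


def two_gate_runs(intervals, rel_tol=0.05, min_gates=2):
    """Return (start_index, n_intervals) for every maximal run of consecutive
    passing triplets at least `min_gates` long. min_gates=2 is the two-gate test;
    raising it demands a longer additive chain and lowers false positives."""
    runs, i = [], 0
    n_triplets = len(intervals) - 2
    while i < n_triplets:
        if not passes_gate(intervals, i, rel_tol):
            i += 1
            continue
        j = i
        while j < n_triplets and passes_gate(intervals, j, rel_tol):
            j += 1
        if j - i >= min_gates:
            runs.append((i, j - i + 2))
        i = j
    return runs


def hunt(text, rel_tol=0.05):
    """Run the recurrence test over every flow in a tshark field dump."""
    findings = {}
    for flow, stamps in parse_syn_lines(text).items():
        runs = two_gate_runs(to_intervals(stamps), rel_tol)
        if runs:
            findings[flow] = runs
    return findings


if __name__ == "__main__":
    for (src, dst), runs in hunt(SAMPLE_SYN_LINES).items():
        for start, length in runs:
            print(f"additive recurrence {src}->{dst}: {length} intervals from index {start}")
```

Feed it a real dump with `hunt(open("syn_times.txt").read())`; because the tolerance scales with the predicted interval, the same setting works for second-scale and hour-scale schedules.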
5. Live Traffic Capture for Beacon Hunting (Linux/Windows)
To feed the two‑gate test, capture live network traffic focusing on outbound connections from a suspected host.
Linux commands:
– Capture all TCP SYN packets from a specific IP:
```bash
sudo tcpdump -i eth0 -n 'tcp[tcpflags] & tcp-syn != 0 and src host 192.168.1.100' -G 300 -W 12 -w beacon_%Y%m%d_%H%M%S.pcap
```
(`-G 300 -W 12` rotates every 5 minutes and exits after 12 files, i.e. one hour of capture.)
– Extract intervals directly:
```bash
sudo tcpdump -i eth0 -ln -tt 'tcp[tcpflags] & tcp-syn != 0' | awk '{print $1}' > timestamps.txt
```
(`-tt` prints epoch timestamps as the first field; plain `-t` would suppress timestamps entirely. This mixes all flows into one list, so keep the source and destination columns, as in the tshark command above, when more than one peer is involved.)
Windows commands (PowerShell as Admin):
– Use `netsh` for packet capture:
```powershell
netsh trace start capture=yes scenario=InternetClient maxsize=200 filemode=circular tracefile=C:\capture.etl
```
Run for the monitoring period, then stop:
```powershell
netsh trace stop
```
– Convert the ETL to pcapng with `etl2pcapng` (Microsoft's open-source converter, github.com/microsoft/etl2pcapng) and open it in Wireshark or tshark; the legacy Microsoft Message Analyzer can also read the ETL directly.
– Use `tshark` (available with Wireshark) on Windows to export timings:
"C:\Program Files\Wireshark\tshark.exe" -r capture.pcap -T fields -e frame.time_relative -Y "tcp.flags.syn==1" > intervals_raw.txt
6. Simulating Fibonacci C2 Traffic for Testing
To validate Beacon Hunter, generate benign and malicious test traffic with additive recurrence scheduling.
Step‑by‑step simulation using Python (attacker side):
```python
import socket
import sys
import time


def fibonacci_beacon(target_ip, target_port, start_intervals=(120, 195), count=20):
    # Build the additive schedule: each sleep is the sum of the previous two
    a, b = start_intervals
    intervals = [a, b]
    for _ in range(count - 2):
        a, b = b, a + b
        intervals.append(b)
    for delay in intervals:
        time.sleep(delay)
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(5)
            sock.connect((target_ip, target_port))
            sock.sendall(b"GET /beacon HTTP/1.1\r\nHost: victim\r\n\r\n")
            sock.close()
        except OSError:
            pass  # honeypot unreachable: keep the schedule going regardless


if __name__ == "__main__":
    fibonacci_beacon(sys.argv[1], int(sys.argv[2]))
```
– Run this script on a Linux attacker machine targeting a honeypot.
– On the defender side, capture traffic and apply two‑gate detector.
– Compare detection results against RITA: RITA will miss the pattern; Beacon Hunter will flag it.
Linux command to continuously capture and alert using tcpdump's post-rotate hook plus the Python detector (tcpdump runs in the foreground indefinitely, so chaining the detector with `&&` would never execute it; `-z` runs a command on each closed file instead):

```bash
sudo tcpdump -i eth0 -n 'tcp[tcpflags] & tcp-syn != 0' -G 600 -w capture_%Y%m%d_%H%M.pcap -z ./run_detector.sh
```
(Assuming `run_detector.sh` extracts SYN timestamps from the pcap it receives as `$1` and invokes `two_gate_detector.py` on them.)
7. Hardening Networks Against Additive Recurrence C2
Blue teams can implement mitigations beyond detection.
Step‑by‑step hardening guide:
– Deploy egress filtering: block unexpected outbound ports (only allow 80/443 to known proxies).
– Use machine learning on connection intervals: train a model on additive recurrence features (e.g., ratio of consecutive intervals) for IDS signatures.
– Implement dynamic alerting based on the two‑gate recurrence test in Zeek:
Zeek script snippet to log additive recurrence events (illustrative: `c$beacon$intervals` is not a built-in field and must be added to the `connection` record and maintained by custom per-host tracking logic):

```zeek
event connection_state_remove(c: connection)
    {
    # vector of the last inter-connection intervals for this host pair (custom tracking)
    local intervals = c$beacon$intervals;
    local n = |intervals|;
    # |x| is Zeek's absolute value for numeric x
    if ( n >= 3 && |intervals[n-1] - (intervals[n-2] + intervals[n-3])| < 0.1 )
        print fmt("Possible additive C2: %s", c$id);
    }
```
– Apply rate limiting on outbound SYNs from critical assets using iptables (Linux). This is coarse (the default burst is 5, after which the host gets one new connection per second) and will disrupt normal browsing, so scope it to servers and appliances that legitimately open few outbound connections:

```bash
sudo iptables -A OUTPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
sudo iptables -A OUTPUT -p tcp --syn -j DROP
```
– Conduct purple‑team exercises using Fibonacci beacon generators to tune detection thresholds.
– Integrate the two‑gate test into SIEM (Splunk, Sentinel) as a custom correlation rule.
What Undercode Say:
– Key Takeaway 1: Additive recurrence (Fibonacci-based) beaconing is mathematically simple yet bypasses regularity-based open-source C2 detectors such as RITA and AC-Hunter – a paradigm shift in stealth tradecraft.
– Key Takeaway 2: Implementing a two‑gate recurrence test requires less than 50 lines of Python and can be deployed on existing Zeek/PCAP infrastructure without retraining models.
Prediction:
– Blue teams will soon integrate recurrence-based detectors into mainstream EDR/XDR, forcing attackers to abandon deterministic sequences in favor of truly random or environment-derived timing.
– Red teams will adapt by using hybrid models that combine additive recurrence with external triggers (e.g., user keystrokes) to break the pure sum invariant.
– Beacon Hunter's methodology will inspire a new class of "mathematical invariant" detection for other covert channels, such as DNS tunneling with Fibonacci-spaced queries.
IT/Security Reporter URL:
Reported By: [0xfrost Beacon](https://www.linkedin.com/posts/0xfrost_beacon-hunter-detecting-non-periodic-structured-share-7466853661730598913-Ktsg/) – Hackers Feeds


