
Analysis Overview

AC-Hunter analyzes network traffic logs from Zeek sensors to identify potential security threats and command-and-control (C2) activity in your environment. The system performs multiple types of behavioral analysis and assigns threat scores to help prioritize investigations.

Threat Detection Types

AC-Hunter identifies five primary threat types:

Beacon Detection

Beacons are periodic connections between an internal host and an external destination that exhibit consistent timing patterns, a common indicator of C2 communication. The system analyzes connection timestamps, data sizes, durations, and connection frequency distributions to detect beaconing behavior.

Scoring: Beacon scores range from 0-100% and are calculated using a weighted combination of:

  • Timestamp consistency (25%): How regular the connection intervals are
  • Data size consistency (25%): How uniform the data transfer amounts are
  • Duration consistency (25%): How consistent connection durations remain over time
  • Histogram analysis (25%): Detection of multiple flat sections in connection patterns

A source/destination pair must have at least 4 unique connections to qualify for beacon analysis.
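To make the four weighted components concrete, here is an added example (not AC-Hunter's own code) that reconstructs a simplified beacon score over constructed Zeek conn.log records. The 25% weights and the 4-connection minimum are the ones stated above; the consistency statistic (median absolute deviation relative to the median), the bin count and the "flat run" tolerance used for the histogram component are assumptions for illustration.

```python
"""Simplified beacon scoring over constructed Zeek conn.log records.

Teaching reconstruction of the four 25%-weighted components listed on the
page. The statistics used for each component are assumed, not AC-Hunter's.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional

MIN_CONNECTIONS = 4   # page: a pair needs at least 4 unique connections
HIST_BINS = 8         # assumed number of histogram bins over the time span
FLAT_TOLERANCE = 1    # assumed: adjacent non-empty bins within +/-1 are "flat"


@dataclass
class Conn:
    ts: float          # epoch seconds (Zeek conn.log "ts")
    orig_bytes: int    # bytes sent by the internal host
    duration: float    # session length in seconds


def consistency(values: List[float]) -> float:
    """1.0 when every value equals the median; falls toward 0 as the median
    absolute deviation grows relative to the median (assumed metric)."""
    med = median(values)
    if med == 0:
        return 1.0 if all(v == 0 for v in values) else 0.0
    mad = median(abs(v - med) for v in values)
    return max(0.0, 1.0 - mad / med)


def histogram_flatness(timestamps: List[float]) -> float:
    """Bin connections by time and return the fraction of bins that belong to
    a flat run: adjacent non-empty bins whose counts differ by at most
    FLAT_TOLERANCE (assumed reconstruction of 'flat sections')."""
    lo, hi = min(timestamps), max(timestamps)
    span = (hi - lo) or 1.0
    counts = [0] * HIST_BINS
    for t in timestamps:
        counts[min(HIST_BINS - 1, int((t - lo) / span * HIST_BINS))] += 1
    in_flat = [False] * HIST_BINS
    for i in range(1, HIST_BINS):
        if counts[i] and counts[i - 1] and abs(counts[i] - counts[i - 1]) <= FLAT_TOLERANCE:
            in_flat[i] = in_flat[i - 1] = True
    return sum(in_flat) / HIST_BINS


def beacon_score(conns: List[Conn]) -> Optional[float]:
    """Weighted 0-100 score for one source/destination pair, or None when the
    pair has fewer than MIN_CONNECTIONS connections."""
    if len(conns) < MIN_CONNECTIONS:
        return None
    ts = sorted(c.ts for c in conns)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    components = [
        consistency(intervals),                      # timestamp consistency
        consistency([c.orig_bytes for c in conns]),  # data size consistency
        consistency([c.duration for c in conns]),    # duration consistency
        histogram_flatness(ts),                      # histogram analysis
    ]
    return round(100.0 * sum(0.25 * c for c in components), 1)


# Constructed sample: 48 check-ins roughly every 60 s with +/-1 s jitter,
# a fixed 512-byte payload and a fixed 0.2 s session, i.e. a textbook beacon.
BEACON = [Conn(1_700_000_000 + 60 * i + (i % 3) - 1, 512, 0.2) for i in range(48)]

# Constructed sample: bursty, human-looking browsing to one destination.
_OFFSETS = [0, 7, 300, 315, 1200, 1240, 1250, 4000, 7000, 7090]
_BYTES = [120, 5400, 300, 9800, 45, 2200, 760, 15000, 80, 3100]
_DURS = [0.1, 3.5, 0.4, 12.0, 0.05, 2.2, 0.9, 30.0, 0.2, 5.5]
BROWSING = [Conn(1_700_000_000 + o, b, d) for o, b, d in zip(_OFFSETS, _BYTES, _DURS)]

if __name__ == "__main__":
    print("beacon  :", beacon_score(BEACON))    # 100.0
    print("browsing:", beacon_score(BROWSING))  # well under 20
```

Because every component is a median-based ratio, a single outlier (one retried connection, one oversized response) barely moves the score, which is the property you want when jittered C2 is the thing being hunted. The empty-bin rule in the histogram component is deliberate: long gaps with no traffic must not read as "flat" or sparse browsing would score as well as a steady beacon.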

Strobe Detection

Strobes are connections that occur very frequently, essentially rapid-fire beacons. These are automatically classified as high-severity threats because they indicate aggressive C2 activity.

Long Connection Detection

Long connections are persistent network sessions that remain open for extended periods. These can indicate data exfiltration, persistent backdoors, or other suspicious activity.

Scoring: Based on connection duration thresholds:

  • Base: 1 hour
  • Low: 4 hours
  • Medium: 8 hours
  • High: 12+ hours

C2 Over DNS Detection

This detection identifies command-and-control communication hidden within DNS queries. The system analyzes DNS query patterns, particularly looking for:

  • Multiple unique subdomains queried for the same domain
  • DNS queries without corresponding direct connections to resolved IPs

Scoring: Based on the number of unique subdomains queried:

  • Base: 100 subdomains
  • Low: 500 subdomains
  • Medium: 800 subdomains
  • High: 1000+ subdomains
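The two signals above (unique-subdomain volume and absence of direct connections to the resolved IPs) can be checked together from Zeek-style records. The following is an added example, not AC-Hunter's code: it parses constructed dns.log lines carrying a subset of Zeek's columns (ts, id.orig_h, query, answers), groups queries by registered domain, applies the subdomain thresholds listed above, and flags domains whose answers never appear as a destination in conn.log. Treating the last two labels as the registered domain is a simplification; a real implementation would consult the public suffix list.

```python
"""C2-over-DNS heuristic over constructed Zeek-style dns.log / conn.log data.

Thresholds are the ones listed on the page. The registered-domain split and
the column subset are assumptions made for this example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# (minimum unique subdomains, level), checked from highest to lowest
DNS_THRESHOLDS = [(1000, "High"), (800, "Medium"), (500, "Low"), (100, "Base")]


def registered_domain(fqdn: str) -> str:
    """Assumed: last two labels form the registered domain (no PSL lookup)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_lines(lines: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """Parse constructed TSV lines: ts, id.orig_h, query, answers ('-' or a
    comma-separated list, as in Zeek's vector notation). Returns
    (source host, query, answer IPs) tuples and skips '#' header lines."""
    records = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        _ts, src, query, answers = line.rstrip("\n").split("\t")
        ips = [] if answers == "-" else answers.split(",")
        records.append((src, query, ips))
    return records


def analyze(dns_records, conn_dst_ips: Set[str]) -> Dict[str, dict]:
    """Per registered domain: unique subdomain count, threshold level, and
    whether none of its resolved IPs were ever contacted directly."""
    subdomains: Dict[str, set] = defaultdict(set)
    resolved: Dict[str, set] = defaultdict(set)
    for _src, query, ips in dns_records:
        dom = registered_domain(query)
        subdomains[dom].add(query.lower())
        resolved[dom].update(ips)
    report = {}
    for dom, subs in subdomains.items():
        n = len(subs)
        level = next((lvl for thr, lvl in DNS_THRESHOLDS if n >= thr), None)
        if level is None:
            continue  # below the Base threshold: not reported
        direct = bool(resolved[dom] & conn_dst_ips)
        report[dom] = {
            "unique_subdomains": n,
            "level": level,
            "no_direct_connections": not direct,
        }
    return report


def constructed_logs() -> Tuple[List[str], Set[str]]:
    """Constructed sample: 850 unique hex-encoded subdomains of
    evil-example.test whose answer IP is never connected to, plus three
    ordinary lookups of example.test whose answer IP is contacted."""
    lines = ["#fields\tts\tid.orig_h\tquery\tanswers"]
    for i in range(850):
        lines.append(f"{1700000000 + i}.0\t10.0.0.5\t{i:08x}.evil-example.test\t203.0.113.10")
    for host in ("www", "cdn", "mail"):
        lines.append(f"1700001000.0\t10.0.0.5\t{host}.example.test\t198.51.100.7")
    conn_dst_ips = {"198.51.100.7", "192.0.2.44"}  # id.resp_h values seen in conn.log
    return lines, conn_dst_ips


if __name__ == "__main__":
    lines, dst = constructed_logs()
    for dom, info in analyze(parse_dns_lines(lines), dst).items():
        print(dom, info)
```

With the constructed input, evil-example.test lands at "Medium" (850 unique subdomains, no direct connections) and example.test is not reported at all. Running the check per source host rather than per domain, as done here for brevity, would be the natural next refinement, since a single infected host querying many encoded names is the pattern that matters.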

Threat Intelligence

Connections to known malicious IPs, domains, or indicators from threat intelligence feeds are flagged and automatically assigned high-severity ratings.

Scoring System

Each connection receives a final score that combines multiple factors:

Base Score

The base score is the highest individual threat score (beacon, strobe, long connection, C2 over DNS, or threat intel).

Threat Modifiers

Additional factors that adjust the final score:

  • Prevalence: How common this connection pattern is across your network (rare patterns increase score)
  • First Seen: Whether this is a new connection or has been observed historically (newer connections increase score)
  • Missing Host Header: HTTP connections without proper host headers (increases score)
  • MIME/URI Mismatch: When file types don't match their URIs (increases score)
  • Rare Signature: Uncommon TLS/SSL signatures (increases score)
  • Threat Intel Data Size: Large data transfers to threat intel-matched destinations (increases score)
  • C2 Over DNS - No Direct Connections: DNS queries without corresponding direct connections (increases score)

Final Score Calculation

Final Score = Base Score + Threat Modifiers + Prevalence Score + First Seen Score + Missing Host Header Score + Threat Intel Data Size Score + C2 Over DNS Direct Connection Score

Severity Categories

Final scores are mapped to severity categories:

  • Critical: Highest threat scores
  • High: Significant threat indicators
  • Medium: Moderate concern
  • Low: Minor anomalies
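The composition rule above (base = the highest individual threat score, modifiers added on top, then a severity band) and the long connection duration thresholds from the earlier section are worked through in this added example, which is not AC-Hunter's code. The hour thresholds are the page's own; the numeric value given to each level, the points per modifier, the cap at 100 and the severity cut-offs are all assumed for illustration, since the page does not publish them.

```python
"""Final-score composition for one connection record.

Long-connection hour thresholds are the page's. LEVEL_SCORE, MODIFIER_POINTS,
the 100-point cap and the SEVERITY bands are assumed values for this example.
"""
from typing import Dict, List, Optional, Set

LONG_CONN_HOURS = [(12, "High"), (8, "Medium"), (4, "Low"), (1, "Base")]  # page
LEVEL_SCORE = {"Base": 25.0, "Low": 50.0, "Medium": 75.0, "High": 100.0}  # assumed
MODIFIER_POINTS = {                                                         # assumed
    "prevalence_rare": 10.0,
    "first_seen_new": 10.0,
    "missing_host_header": 5.0,
    "mime_uri_mismatch": 5.0,
    "rare_signature": 5.0,
    "threat_intel_data_size": 10.0,
    "c2_dns_no_direct_connections": 10.0,
}
SEVERITY = [(90.0, "Critical"), (70.0, "High"), (40.0, "Medium"), (0.0, "Low")]  # assumed


def long_connection_level(durations_seconds: List[float]) -> Optional[str]:
    """Level for the longest single session of the pair, or None below 1 hour."""
    hours = max(durations_seconds) / 3600.0
    return next((lvl for thr, lvl in LONG_CONN_HOURS if hours >= thr), None)


def final_score(threat_scores: Dict[str, float], modifiers: Set[str]) -> float:
    """Base = highest per-threat score; each present modifier adds its points."""
    unknown = modifiers - set(MODIFIER_POINTS)
    if unknown:
        raise ValueError(f"unknown modifiers: {sorted(unknown)}")
    base = max(threat_scores.values(), default=0.0)
    return min(100.0, base + sum(MODIFIER_POINTS[m] for m in modifiers))


def severity(score: float) -> str:
    return next(name for cutoff, name in SEVERITY if score >= cutoff)


def score_record(beacon_pct: Optional[float], durations: List[float],
                 threat_intel_hit: bool, modifiers: Set[str]) -> dict:
    """Collect the per-threat scores a record earned, then apply the rule."""
    scores: Dict[str, float] = {}
    if beacon_pct is not None:
        scores["beacon"] = beacon_pct
    level = long_connection_level(durations) if durations else None
    if level:
        scores["long_connection"] = LEVEL_SCORE[level]
    if threat_intel_hit:
        scores["threat_intel"] = 100.0  # page: threat intel matches are high severity
    total = final_score(scores, modifiers)
    return {"scores": scores, "final": total, "severity": severity(total)}


if __name__ == "__main__":
    # Constructed record: 72% beacon, one 9.2-hour session, no intel match,
    # rare across the network and never seen before.
    print(score_record(72.0, [600.0, 33000.0], False, {"prevalence_rare", "first_seen_new"}))
```

Note what the max rule implies for triage: a record that is both a moderate beacon and a medium-length long connection is not scored higher for having two threat types; the modifiers, not the second threat type, are what push it across a severity boundary. When tuning thresholds to your environment, adjust the modifier weights and bands together or the ordering of results will shift in ways that are hard to reason about.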

Analysis Workflow

  1. Data Import: Zeek logs are imported and processed in 24-hour increments
  2. Connection Analysis: The system analyzes connection patterns, timing, and metadata
  3. Threat Scoring: Each connection receives threat scores based on detected behaviors
  4. Filtering: Only connections meeting minimum threat thresholds are displayed
  5. Prioritization: Results are sorted by final score, with highest threats appearing first

Key Features

  • Behavioral Analysis: Focuses on network behavior patterns rather than signature-based detection
  • False Positive Reduction: Safelisting capabilities allow you to exclude known-good connections
  • Historical Context: Tracks connections over time to identify new vs. established patterns
  • Multi-Threat Detection: Connections can have multiple threat types simultaneously
  • Configurable Thresholds: Scoring thresholds can be adjusted to match your environment's risk tolerance

What Gets Analyzed

AC-Hunter analyzes:

  • Connection timing and frequency patterns
  • Data transfer sizes and consistency
  • Connection durations
  • DNS query patterns and subdomain usage
  • TLS/SSL handshake signatures
  • HTTP headers and protocol metadata
  • Threat intelligence matches
  • Network prevalence and historical patterns

The system is designed to surface suspicious activity that might otherwise be missed in high-volume network traffic, helping security teams focus their investigation efforts on the most significant threats.