Hunt C2 beaconing with Nexus NDR
Malware that calls home does it on a schedule. Nexus NDR turns that rhythm into a detection — plus port scans and connections to known-bad destinations.
Once an implant lands, it has to phone home — checking for commands, exfiltrating in small chunks, keeping the channel alive. It does this on a timer, and that regularity is its weakness. Network Detection & Response, new in Nexus 2.0, watches connection telemetry for exactly that rhythm.
Beaconing is a rhythm, not a payload
Nexus groups connections by destination and measures the gaps between them. When a host talks to the same external address at a steady interval with low jitter — the same idea behind tools like RITA and Zeek — it raises a high-severity network_threat. You don't need to decrypt the traffic; the timing gives it away.
host 10.0.0.9 -> 185.220.101.45:443
every ~60s, 14 times, jitter 4% => BEACONING (C2)
Three detections, one engine
- Beaconing — periodic, low-jitter connections to an external destination.
- Port scan — one host touching many destination ports in a short window.
- Known-bad destination — the connection target matches your Threat Intel IOC store.
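The beaconing check described above, worked through as an added example that is not Nexus's own code: connections are grouped per (source, destination, port), the gaps between them are measured, and a series is flagged when it is long enough and its jitter (standard deviation of the gaps divided by their mean) stays low. The telemetry, thresholds and function name are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: (timestamp_seconds, src_host, dst_ip, dst_port).
# The first series mirrors the page's example: 10.0.0.9 reaching
# 185.220.101.45:443 roughly every 60 s with a few seconds of drift.
SAMPLE_CONNECTIONS = [
    (t, "10.0.0.9", "185.220.101.45", 443)
    for t in [0, 61, 119, 182, 240, 299, 362, 418, 481, 540, 601, 659, 722, 780]
] + [
    # Ordinary browsing to a CDN: too few connections to be judged.
    (t, "10.0.0.9", "203.0.113.7", 443) for t in [5, 9, 140, 141, 300, 777, 790]
] + [
    # Enough connections, but the gaps are irregular: high jitter, no alert.
    (t, "10.0.0.12", "198.51.100.20", 443)
    for t in [0, 3, 50, 52, 200, 201, 260, 400, 405, 600, 610]
]


def beaconing_candidates(connections, min_connections=10, max_jitter=0.10):
    """Return {(src, dst, port): {"interval", "jitter", "count"}} for every
    series with at least min_connections connections whose inter-connection
    gaps are steady (jitter = pstdev(gaps) / mean(gaps) <= max_jitter).
    Thresholds are illustrative assumptions, not Nexus's tuning."""
    by_dest = defaultdict(list)
    for ts, src, dst, port in connections:
        by_dest[(src, dst, port)].append(ts)

    findings = {}
    for key, times in by_dest.items():
        if len(times) < min_connections:
            continue  # not enough samples to call a rhythm
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        interval = mean(gaps)
        if interval <= 0:
            continue  # duplicate timestamps, nothing periodic to measure
        jitter = pstdev(gaps) / interval
        if jitter <= max_jitter:
            findings[key] = {
                "interval": round(interval, 1),
                "jitter": round(jitter, 3),
                "count": len(times),
            }
    return findings


if __name__ == "__main__":
    for key, info in beaconing_candidates(SAMPLE_CONNECTIONS).items():
        print(key, info)
```

For the constructed series above this reports the 185.220.101.45:443 series with interval 60.0 s, jitter 0.039 and 14 connections, matching the page's sample alert, while the CDN and irregular series are not flagged.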
Triaging a beacon alert
- Pivot to the host: which process owns the connection? EDR's process tree shows its lineage.
- Check the destination against Threat Intel — a known C2 raises it to critical immediately.
- Contain with SOAR: block the destination IP and isolate the host (dry-run first, then active).
You can encrypt a payload. You can't easily hide a heartbeat.