Linux Agent Periodic External Beacon (Seed Rule)
Baseline seed rule to detect AI agent processes that open external connections at regular intervals, the characteristic pattern of a C2 beacon from a rogue agent maintaining contact with attacker infrastructure.
Updated Jan 10, 2025 · OCI AI Security Team
Problem Statement
A rogue agent that has established persistence will periodically beacon to attacker-controlled infrastructure to receive commands and exfiltrate data. Regular-interval external connections from an agent process are a strong indicator of C2 activity and suggest the agent has been fully compromised and is operating as a remote access tool.
Sample Logs
{"timestamp":"2025-01-10T10:00:00Z","computer_name":"oci-worker-40","user":"agent_svc","image":"/usr/bin/python3","destination_hostname":"c2.attacker.example.com","destination_ip":"198.51.100.100","destination_port":443,"initiated":true}
Required Fields
False Positives
- Agents that legitimately poll external APIs on regular intervals (metrics collection, health checks)
Tuning Guidance
Apply beaconing detection algorithms that measure connection interval regularity: a low standard deviation of the inter-connection interval indicates high-confidence beaconing. Exclude known polling intervals from approved monitoring agents.
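One way to implement the interval-regularity check described above, as an added example that is not the rule's own detection logic: it parses constructed log lines in the schema shown under Sample Logs, groups outbound connections per process and destination, and flags flows whose inter-connection intervals have a low coefficient of variation (standard deviation relative to the mean, so the threshold works for any interval length). The metrics-agent image and its 120 s polling interval are a hypothetical allowlist entry.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical allowlist: approved monitoring agent image -> its known polling interval (seconds).
APPROVED_POLLERS = {"/usr/bin/metrics-agent": 120.0}

def _event(minute, image, host, dst_ip, port):
    """Build one constructed log line in the rule's JSON schema (sample data, not real telemetry)."""
    return json.dumps({"timestamp": f"2025-01-10T10:{minute:02d}:00Z", "computer_name": "oci-worker-40",
                       "user": "agent_svc", "image": image, "destination_hostname": host,
                       "destination_ip": dst_ip, "destination_port": port, "initiated": True})

SAMPLE_LOGS = (
    [_event(m, "/usr/bin/python3", "c2.attacker.example.com", "198.51.100.100", 443) for m in range(10)]
    + [_event(m, "/usr/bin/metrics-agent", "metrics.example", "203.0.113.5", 9100) for m in range(0, 10, 2)]
    + [_event(m, "/usr/bin/curl", "api.example", "192.0.2.9", 443) for m in (0, 1, 5, 6, 9)]
)  # a 60 s beacon, an approved 120 s poller, and an irregular burst of API calls

def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_beacons(log_lines, min_connections=5, max_cv=0.1, approved=APPROVED_POLLERS):
    """Group outbound connections per (host, image, dst_ip, dst_port) and flag flows whose
    inter-connection intervals have a low coefficient of variation (stdev / mean)."""
    by_flow = defaultdict(list)
    for line in log_lines:
        ev = json.loads(line)
        if not ev.get("initiated"):
            continue  # only connections the agent process itself opened
        key = (ev["computer_name"], ev["image"], ev["destination_ip"], ev["destination_port"])
        by_flow[key].append(_parse_ts(ev["timestamp"]))
    hits = {}
    for key, times in by_flow.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv > max_cv:
            continue  # jittery or irregular: not beacon-like
        expected = approved.get(key[1])
        if expected is not None and abs(mean - expected) <= 0.1 * expected:
            continue  # approved monitoring agent polling at its known interval
        hits[key] = {"connections": len(times), "mean_interval_s": mean, "cv": cv}
    return hits
```

Raise `max_cv` to tolerate beacons that add jitter, and widen the allowlist tolerance if approved pollers drift from their nominal interval.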