Detecting Low-and-Slow Beaconing in Endpoint Telemetry

XENOPS Research, Dec 06, 2025

A repeatable method for surfacing beacon patterns that evade simple interval checks.

Why interval checks fail

A beacon that randomizes its jitter within narrow bounds produces event spacing that overlaps ordinary task scheduling, so a fixed interval threshold either fires on benign scheduled work or misses the beacon. We focus on sequence stability instead of strict timing.

Signal construction

For each process series on a host we build a rolling ratio: the spread of that series' event spacing inside a window, divided by the spread of all event spacing on the host (the host-level background noise). We then rank series by this ratio within each window and evaluate how stable each series' rank stays across windows. A narrowly jittered beacon keeps a low ratio and the same rank window after window; background activity drifts.

# Example: aggregate process launch intervals per host
# (assumes tools/intervals.py reads one "host<TAB>timestamp" line per event)
jq -r '[.host, .ts] | @tsv' telemetry.jsonl | python tools/intervals.py

Build per-host baselines before clustering. A baseline pooled across hosts hides automation that is local to one host, and that local automation is exactly what sets the noise floor the beacon has to be compared against.
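The scoring described above, as an added example written for this page (it is not XENOPS's tools/intervals.py, which the page does not show). It assumes one-hour windows, median absolute deviation as the spread measure, and a flag rule of "low mean ratio and stable rank"; all three are assumptions. The telemetry is constructed inline: one beacon with a 300 s period and +/-5 % jitter plus three background processes with exponentially spaced launches. The strict interval check at the top is the naive detector the page says fails; the rest is the ratio-and-rank method.

```python
import random
from collections import Counter, defaultdict
from statistics import median

WINDOW = 3600.0   # rolling window width in seconds (assumed; tune to the host's activity level)
MIN_EVENTS = 3    # a series needs at least two intervals in a window to be scored


def _mad(xs):
    """Median absolute deviation: a spread measure that a few outliers cannot drag around."""
    m = median(xs)
    return median(abs(x - m) for x in xs)


def _intervals(ts):
    ts = sorted(ts)
    return [b - a for a, b in zip(ts, ts[1:])]


def fixed_interval_check(ts, period, tolerance):
    """The naive detector: every spacing must lie within +/- tolerance of the period."""
    iv = _intervals(ts)
    return bool(iv) and all(abs(x - period) <= tolerance for x in iv)


def score_host(events):
    """Score every process series on ONE host.

    events: iterable of (process, ts_seconds).
    Returns {process: (mean_ratio, rank_stability)} where
      ratio          = MAD of the series' spacing inside a window / MAD of all spacing on the host
      rank_stability = fraction of windows in which the series held its most common rank
    """
    by_proc = defaultdict(list)
    for proc, ts in events:
        by_proc[proc].append(ts)

    # Host-level background noise: spread of every launch interval on this host, pooled over
    # processes. Computed per host on purpose; a cross-host pool would hide local automation.
    all_iv = [x for ts in by_proc.values() for x in _intervals(ts)]
    if not all_iv:
        return {}
    host_noise = _mad(all_iv) or 1e-9

    # Rolling ratio: window index -> process -> ratio
    ratios = defaultdict(dict)
    for proc, ts in by_proc.items():
        windows = defaultdict(list)
        for t in ts:
            windows[int(t // WINDOW)].append(t)
        for w, wts in windows.items():
            if len(wts) >= MIN_EVENTS:
                ratios[w][proc] = _mad(_intervals(wts)) / host_noise

    # Rank series inside each window (lowest ratio = most regular), then measure rank stability.
    ranks = defaultdict(list)
    for per_proc in ratios.values():
        for rank, proc in enumerate(sorted(per_proc, key=per_proc.get), start=1):
            ranks[proc].append(rank)

    scores = {}
    for proc, rs in ranks.items():
        mean_ratio = sum(ratios[w][proc] for w in ratios if proc in ratios[w]) / len(rs)
        stability = Counter(rs).most_common(1)[0][1] / len(rs)
        scores[proc] = (mean_ratio, stability)
    return scores


def flag_beacons(scores, max_ratio=0.35, min_stability=0.8):
    """Beacon-like: spacing tight relative to host noise AND the rank holds across windows."""
    return sorted(p for p, (r, s) in scores.items() if r <= max_ratio and s >= min_stability)


def synthetic_host(seed=7, hours=6):
    """Constructed telemetry (not real data): one beacon with +/-5 % jitter on a 300 s period
    plus three background processes whose launches are exponentially spaced."""
    rng = random.Random(seed)
    events = []
    t = 0.0
    while t < hours * 3600:
        events.append(("beacon.exe", t))
        t += rng.uniform(285, 315)
    for proc, mean_gap in (("updater.exe", 120), ("browser.exe", 150), ("indexer.exe", 180)):
        t = rng.uniform(0, mean_gap)
        while t < hours * 3600:
            events.append((proc, t))
            t += rng.expovariate(1 / mean_gap)
    return events


if __name__ == "__main__":
    ev = synthetic_host()
    beacon_ts = [t for p, t in ev if p == "beacon.exe"]
    print("strict 300 s +/- 5 s check on the beacon:", fixed_interval_check(beacon_ts, 300, 5))
    for proc, (r, s) in sorted(score_host(ev).items()):
        print(f"{proc:12s} mean_ratio={r:.2f} rank_stability={s:.2f}")
    print("flagged:", flag_beacons(score_host(ev)))
```

The strict check returns False for the jittered beacon because a +/-15 s jitter almost never stays inside a +/-5 s tolerance, while the beacon's ratio sits far below the background series and its rank never moves. Both cut-offs in flag_beacons are per-host tuning knobs, and the window width should be long enough that a series collects several intervals per window.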

Results

The approach flags scheduled callbacks whose jitter band would otherwise let them clear a fixed interval threshold.

Defensive follow-up

Pair the signal with outbound destination entropy for the same process lineage. This removes most benign updaters.
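The destination-entropy pairing, as an added example written for this page rather than XENOPS's own tooling. The page does not say which way the entropy cut goes; this example assumes that a beacon returns to the same one or two endpoints (low Shannon entropy over destinations) while a benign updater fans out across many CDN edges (high entropy), and drops a flagged lineage that made no outbound connections at all. The lineage strings, the list of lineages the spacing stage flagged, and the connection records are all constructed; the addresses are documentation ranges.

```python
import math
from collections import Counter, defaultdict


def destination_entropy(connections):
    """Shannon entropy (bits) of outbound destinations per process lineage.

    connections: iterable of (lineage, destination).
    0 bits = always the same endpoint; log2(n) bits = n endpoints used equally often.
    """
    per_lineage = defaultdict(Counter)
    for lineage, dst in connections:
        per_lineage[lineage][dst] += 1
    entropy = {}
    for lineage, counts in per_lineage.items():
        total = sum(counts.values())
        entropy[lineage] = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return entropy


def triage(flagged_lineages, entropy, max_entropy=1.0):
    """Keep a spacing-flagged lineage only when its destinations are concentrated.

    Assumption (this example's, not stated on the page): beacons have low destination entropy,
    updaters have high entropy. A flagged lineage with no outbound connections is dropped because
    it cannot be a network beacon. max_entropy=1.0 bits admits at most two equally used endpoints.
    """
    return sorted(l for l in flagged_lineages if entropy.get(l, math.inf) <= max_entropy)


# Constructed connection records (lineage, destination); not captured traffic.
CONNECTIONS = (
    [("explorer.exe>beacon.exe", "203.0.113.10:443")] * 10
    + [("services.exe>updater.exe", f"198.51.100.{i}:443") for i in (1, 1, 2, 2, 3, 4, 5, 6, 7, 8)]
    + [("svchost.exe>taskhostw.exe", "192.0.2.5:443")] * 5
    + [("svchost.exe>taskhostw.exe", "192.0.2.6:443")] * 5
)

# Lineages the spacing stage flagged (constructed); "ghost.exe" launched on schedule but never connected out.
FLAGGED = [
    "explorer.exe>beacon.exe",
    "services.exe>updater.exe",
    "svchost.exe>taskhostw.exe",
    "winlogon.exe>ghost.exe",
]


def run_example():
    """Returns (per-lineage entropy, lineages surviving the entropy triage)."""
    ent = destination_entropy(CONNECTIONS)
    return ent, triage(FLAGGED, ent)


if __name__ == "__main__":
    ent, kept = run_example()
    for lineage, h in sorted(ent.items()):
        print(f"{lineage:28s} {h:.2f} bits")
    print("kept after entropy triage:", kept)
```

The updater lineage spreads ten connections over eight addresses and scores about 2.92 bits, so it is removed; the beacon scores 0 bits and the two-endpoint scheduled task sits exactly at the 1.0-bit cut-off and is kept. Join on the full parent chain rather than the leaf process name, otherwise an updater spawned under a different parent and a beacon sharing that leaf name collapse into one score.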
