By the end of this lab, you will be able to:
- Identify characteristics of C2 traffic including beaconing, DNS tunneling, and data exfiltration
- Analyze network traffic patterns to detect C2 communication channels
- Use Wireshark, Zeek, and statistical analysis to identify C2 activity
- Differentiate between legitimate and malicious network traffic
- Extract IOCs from C2 communications
- Create detection rules for C2 traffic
- Generate comprehensive C2 analysis reports
Master advanced techniques for detecting Command and Control (C2) communications through network traffic analysis, pattern recognition, and behavioral analysis of compromised systems.
You are a Senior SOC Analyst at SecureBank Corporation. The Security Operations Center received an alert from the EDR system indicating potential malware execution on a workstation in the finance department. The incident response team has captured network traffic from the affected system over the past 24 hours. Your task is to analyze this traffic to determine if the system is communicating with a C2 server, identify the C2 infrastructure, extract IOCs, and assess the scope of the compromise.
- Wireshark installed and configured
- Basic understanding of network protocols (TCP/IP, DNS, HTTP/HTTPS)
- Familiarity with malware behavior and C2 concepts
- Python (optional, for statistical analysis)
- Zeek/Bro (optional, for advanced analysis)
Approximately 4-5 hours
Command and Control (C2) is the mechanism by which an attacker maintains communication with compromised systems to:
- Send commands to infected hosts
- Receive stolen data
- Update malware
- Coordinate multi-system attacks
- Maintain persistence
| Technique | Description | Detection Difficulty |
|---|---|---|
| HTTP/HTTPS Beaconing | Regular callbacks to C2 server | Medium |
| DNS Tunneling | Data exfiltration via DNS queries | High |
| ICMP Tunneling | Commands/data in ICMP packets | Medium |
| Domain Generation Algorithm (DGA) | Algorithmically generated domains | Medium |
| Fast Flux | Rapidly changing DNS/IP associations | High |
| Encrypted Channels | SSL/TLS encrypted C2 | High |
| Social Media C2 | Commands via Twitter, Telegram, etc. | Very High |
| Cloud Services | Legitimate services (Dropbox, Google Drive) | Very High |
Beaconing Indicators:
- Regular, periodic connections (e.g., every 60 seconds)
- Small, consistent packet sizes
- Connections to same destination repeatedly
- Long-duration connections with minimal data transfer
DNS Tunneling Indicators:
- Unusually long domain names (>50 characters)
- High entropy in subdomain names (random-looking)
- Excessive DNS queries to single domain
- Large TXT or NULL record responses
- Non-existent domain (NXDOMAIN) responses
Data Exfiltration Indicators:
- Large outbound data transfers
- Transfers to unusual destinations
- Encrypted uploads to unknown servers
- Transfers during off-hours
mkdir -p ~/soc-labs/week8-c2
cd ~/soc-labs/week8-c2Download sample C2 traffic:
Option 1: Use provided samples
cp /path/to/soc-training-program/Lab-Resources/Sample-Data/c2-traffic.pcap .Option 2: Download public samples
# Malware Traffic Analysis samples
wget https://www.malware-traffic-analysis.net/2024/01/20/2024-01-20-Emotet-infection-traffic.pcap.zip
# Or use these resources:
# - https://www.netresec.com/?page=PcapFiles
# - https://www.malware-traffic-analysis.net/Open PCAP in Wireshark:
wireshark c2-traffic.pcap &Filter for HTTP traffic:
http
Look for regular patterns:
- Statistics → Conversations → TCP
- Sort by Packets or Duration
- Look for:
- Same source/destination IP pairs
- Similar packet counts
- Long duration connections
Identify beaconing interval:
- Select a suspicious connection
- Right-click → Follow → TCP Stream
- Note the timestamps of requests
- Calculate intervals:
Request 1: 10:00:00 Request 2: 10:01:00 (60 seconds) Request 3: 10:02:00 (60 seconds) Request 4: 10:03:00 (60 seconds)
Wireshark filter for specific IP:
ip.addr == 203.0.113.50 && http
Examine HTTP requests:
http.request
Suspicious indicators:
1. Unusual User-Agents:
http.user_agent
Look for:
- Empty User-Agent
- Outdated browsers (IE 6.0)
- Programming languages (Python-urllib, curl)
- Generic strings ("Mozilla/4.0")
2. Suspicious URIs:
http.request.uri
Look for:
- Base64 encoded strings
- Random-looking paths
- Consistent patterns (e.g., /api/check, /update/status)
3. Small, consistent responses:
http.response
C2 beacons often receive small responses (e.g., "OK", "200", commands)
Example suspicious pattern:
GET /api/beacon?id=abc123 HTTP/1.1
Host: malicious-c2.com
User-Agent: Mozilla/4.0
HTTP/1.1 200 OK
Content-Length: 2
OK
Export HTTP conversations to CSV:
- Statistics → Conversations → TCP
- Copy → CSV
- Save as
tcp_conversations.csv
Create Python script for beacon detection:
#!/usr/bin/env python3
"""
Beacon Detection Script
Identifies periodic network connections (beaconing)
"""
import pandas as pd
import numpy as np
from datetime import datetime
def detect_beacons(pcap_file):
"""
Analyze PCAP for beaconing behavior
"""
# This is a simplified example
# In practice, use pyshark or scapy for PCAP parsing
print("Analyzing for beaconing patterns...")
# Example: Analyze time intervals
timestamps = [] # Extract from PCAP
if len(timestamps) < 3:
print("Insufficient data")
return
# Calculate intervals
intervals = []
for i in range(1, len(timestamps)):
interval = timestamps[i] - timestamps[i-1]
intervals.append(interval)
# Calculate statistics
mean_interval = np.mean(intervals)
std_interval = np.std(intervals)
# Beaconing detection criteria
# Low standard deviation indicates regular intervals
if std_interval < (mean_interval * 0.1): # 10% variance
print(f"BEACON DETECTED!")
print(f"Mean Interval: {mean_interval:.2f} seconds")
print(f"Std Deviation: {std_interval:.2f} seconds")
print(f"Regularity: {(1 - std_interval/mean_interval) * 100:.1f}%")
else:
print("No clear beaconing pattern detected")
if __name__ == "__main__":
detect_beacons("c2-traffic.pcap")Save as detect_beacons.py and run:
python3 detect_beacons.pyFilter for SSL/TLS traffic:
ssl || tls
Analyze SSL certificates:
- Expand packet details: Secure Sockets Layer → Handshake Protocol → Certificate
- Check:
- Issuer (self-signed?)
- Subject (matches domain?)
- Validity period (recently issued?)
- Subject Alternative Names
Suspicious SSL indicators:
- Self-signed certificates
- Certificates issued in last 7 days
- Common Name mismatch
- Unusual issuer (not trusted CA)
Extract SSL certificate info:
tls.handshake.certificate
Check JA3 fingerprints (advanced):
# Install ja3
pip3 install pyja3
# Generate JA3 hashes
ja3 c2-traffic.pcap > ja3_hashes.txt
# Check against known malware JA3 signatures
# https://github.com/salesforce/ja3Filter for DNS traffic:
dns
DNS tunneling characteristics:
- Long domain names
- High query frequency
- Unusual record types (TXT, NULL)
- High entropy (randomness) in subdomains
Find long DNS queries:
dns.qry.name && (frame.len > 100)
Example normal DNS:
www.google.com
mail.company.com
Example DNS tunneling:
4a3f2e1d9c8b7a6e5f4d3c2b1a0e9d8c7b6a5f4e3d2c1b0a.malicious-tunnel.com
ZGF0YV90b19leGZpbHRyYXRl.exfil-domain.com (Base64 encoded)
Count DNS queries per domain:
Using tshark (command-line Wireshark):
tshark -r c2-traffic.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort | uniq -c | sort -rn | head -20Expected output:
523 suspicious-domain.com
45 google.com
23 facebook.com
If one domain has significantly more queries than others, investigate further.
Extract all DNS queries:
tshark -r c2-traffic.pcap -Y "dns.flags.response == 0" -T fields -e frame.time -e dns.qry.name > dns_queries.txtCreate entropy calculation script:
#!/usr/bin/env python3
"""
DNS Entropy Calculator
High entropy indicates random/encoded data (potential tunneling)
"""
import math
from collections import Counter
def calculate_entropy(string):
"""
Calculate Shannon entropy of a string
"""
if not string:
return 0
# Count character frequency
counter = Counter(string)
length = len(string)
# Calculate entropy
entropy = 0
for count in counter.values():
probability = count / length
entropy -= probability * math.log2(probability)
return entropy
def analyze_dns_queries(filename):
"""
Analyze DNS queries for high entropy (potential tunneling)
"""
print("Analyzing DNS queries for tunneling indicators...\n")
# Read DNS queries from file
with open(filename, 'r') as f:
queries = [line.strip() for line in f if line.strip()]
suspicious = []
for query in queries:
# Extract subdomain (before first dot)
subdomain = query.split('.')[0]
# Calculate entropy
entropy = calculate_entropy(subdomain)
# High entropy threshold (>3.5 is suspicious)
if entropy > 3.5 and len(subdomain) > 20:
suspicious.append((query, entropy, len(subdomain)))
# Sort by entropy
suspicious.sort(key=lambda x: x[1], reverse=True)
print(f"Found {len(suspicious)} suspicious DNS queries:\n")
print(f"{'Domain':<50} {'Entropy':<10} {'Length'}")
print("-" * 70)
for domain, entropy, length in suspicious[:10]:
print(f"{domain:<50} {entropy:<10.2f} {length}")
if __name__ == "__main__":
# First extract DNS queries with tshark
import subprocess
subprocess.run([
"tshark", "-r", "c2-traffic.pcap",
"-Y", "dns.flags.response == 0",
"-T", "fields", "-e", "dns.qry.name"
], stdout=open("dns_queries_only.txt", "w"))
analyze_dns_queries("dns_queries_only.txt")Save as dns_entropy.py and run:
python3 dns_entropy.pyIf you have Zeek installed:
# Analyze PCAP with Zeek
zeek -r c2-traffic.pcap
# Check dns.log
cat dns.log | zeek-cut query | awk 'length > 50' | sort | uniqLook for:
- Queries longer than 50 characters
- Queries with high frequency
- Queries to uncommon TLDs
Find large outbound connections:
In Wireshark:
- Statistics → Conversations → TCP
- Sort by Bytes (descending)
- Look for:
- Large amounts of data sent FROM internal IPs
- Transfers to unusual external IPs
- Transfers on non-standard ports
Filter for large packets:
ip.len > 1400 && ip.src == 192.168.1.100
Analyze upload patterns:
http.request.method == "POST"
Follow TCP stream for POST requests:
- Right-click on POST request
- Follow → TCP Stream
- Check if sensitive data is being uploaded
Filter for ICMP traffic:
icmp
Normal ICMP:
- Ping requests/replies
- Small payload (usually 32-64 bytes)
- Standard ICMP types (8=echo request, 0=echo reply)
Suspicious ICMP:
- Large payloads (>100 bytes)
- Unusual data in payload
- High frequency
- ICMP to unusual destinations
Check ICMP payload:
icmp && data.len > 100
Examine payload:
- Expand: Internet Control Message Protocol → Data
- Look for:
- ASCII text
- Base64 encoded data
- Encrypted data (high entropy)
DGA characteristics:
- Random-looking domain names
- High entropy
- Multiple failed DNS lookups (NXDOMAIN)
- Domains not in Alexa/Majestic top lists
Filter for NXDOMAIN responses:
dns.flags.rcode == 3
Extract failed DNS queries:
tshark -r c2-traffic.pcap -Y "dns.flags.rcode == 3" -T fields -e dns.qry.name | sort | uniq > nxdomains.txtAnalyze for DGA patterns:
cat nxdomains.txt | head -20Example DGA domains:
xj4k2l9m3n.com
p8q2r5t1w3.net
a9b3c7d2e6.org
Create DGA detection script:
#!/usr/bin/env python3
"""
DGA Domain Detector
Identifies algorithmically generated domains
"""
import re
from collections import Counter
def is_dga(domain):
"""
Heuristic DGA detection
"""
# Remove TLD
name = domain.split('.')[0]
# Check length
if len(name) < 8:
return False
# Calculate vowel ratio
vowels = sum(1 for c in name.lower() if c in 'aeiou')
vowel_ratio = vowels / len(name)
# DGA domains often have low vowel ratio
if vowel_ratio < 0.2:
return True
# Check for digit ratio
digits = sum(1 for c in name if c.isdigit())
digit_ratio = digits / len(name)
if digit_ratio > 0.3:
return True
# Check for consecutive consonants
consonant_runs = re.findall(r'[^aeiou]{4,}', name.lower())
if consonant_runs:
return True
return False
def analyze_domains(filename):
"""
Analyze domains for DGA patterns
"""
with open(filename, 'r') as f:
domains = [line.strip() for line in f if line.strip()]
dga_domains = [d for d in domains if is_dga(d)]
print(f"Analyzed {len(domains)} domains")
print(f"Found {len(dga_domains)} potential DGA domains:\n")
for domain in dga_domains[:20]:
print(f" {domain}")
if __name__ == "__main__":
analyze_domains("nxdomains.txt")Create timeline of suspicious activity:
- First C2 connection
- Beaconing established
- Data exfiltration
- Additional malware downloads
Use Wireshark IO Graph:
- Statistics → I/O Graph
- Add filters for:
- HTTP traffic:
http - DNS traffic:
dns - Suspicious IP:
ip.addr == 203.0.113.50
- HTTP traffic:
- Analyze patterns over time
Create comprehensive IOC list:
IP Addresses:
tshark -r c2-traffic.pcap -Y "ip.dst != 192.168.0.0/16" -T fields -e ip.dst | sort -u > iocs_ips.txtDomains:
tshark -r c2-traffic.pcap -Y "dns" -T fields -e dns.qry.name | sort -u > iocs_domains.txtURLs:
tshark -r c2-traffic.pcap -Y "http.request" -T fields -e http.host -e http.request.uri | awk '{print $1$2}' | sort -u > iocs_urls.txtUser-Agents:
tshark -r c2-traffic.pcap -Y "http" -T fields -e http.user_agent | sort -u > iocs_user_agents.txtHTTP Beaconing Rule:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible C2 Beaconing Detected"; flow:established,to_server; content:"GET"; http_method; content:"/api/beacon"; http_uri; threshold:type both, track by_src, count 10, seconds 600; classtype:trojan-activity; sid:1000001; rev:1;)
DNS Tunneling Rule:
alert dns $HOME_NET any -> any 53 (msg:"Possible DNS Tunneling - Long Query"; dns_query; content:"."; pcre:"/^.{50,}/"; classtype:trojan-activity; sid:1000002; rev:1;)
Suspicious User-Agent Rule:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Suspicious User-Agent - Python"; flow:established,to_server; content:"Python"; http_user_agent; classtype:trojan-activity; sid:1000003; rev:1;)
If using Splunk:
Beaconing Detection:
index=network sourcetype=pcap
| stats count by src_ip, dst_ip, dst_port
| where count > 100
| table src_ip, dst_ip, dst_port, count
DNS Tunneling Detection:
index=network sourcetype=dns
| eval query_length=len(query)
| where query_length > 50
| table _time, src_ip, query, query_length
Submit the following:
- C2-Detection-Report.md - Comprehensive C2 analysis report
- Screenshots/ - Directory containing:
- Beaconing patterns in Wireshark
- DNS tunneling evidence
- Data exfiltration analysis
- Statistical analysis results
- IOCs/ - Directory containing:
iocs_ips.txt- Malicious IP addressesiocs_domains.txt- Malicious domainsiocs_urls.txt- Malicious URLsiocs_user_agents.txt- Suspicious User-Agents
- Scripts/ - Directory containing:
detect_beacons.py- Beacon detection scriptdns_entropy.py- DNS tunneling detectiondga_detector.py- DGA domain detection
- Rules/ - Directory containing:
- Suricata/Snort rules
- Splunk detection queries
# C2 Traffic Detection Report
**Analyst:** [Your Name]
**Date:** [Date]
**PCAP File:** c2-traffic.pcap
**Analysis Duration:** [Hours]
---
## Executive Summary
[2-3 sentence summary of C2 activity detected]
**Key Findings:**
- C2 Server Identified: [IP/Domain]
- C2 Technique: [Beaconing/DNS Tunneling/etc.]
- Compromised Host: [IP Address]
- Data Exfiltrated: [Amount/Type]
---
## 1. Compromised Host Identification
**Host IP:** 192.168.1.100
**MAC Address:** [MAC]
**First Suspicious Activity:** [Timestamp]
**Last Suspicious Activity:** [Timestamp]
---
## 2. C2 Infrastructure
### C2 Server
**IP Address:** 203.0.113.50
**Domain:** malicious-c2.com
**Geolocation:** [Country]
**ISP:** [ISP Name]
**Reputation:** Malicious (VirusTotal: 45/70)
### C2 Communication Method
- [X] HTTP/HTTPS Beaconing
- [ ] DNS Tunneling
- [ ] ICMP Tunneling
- [ ] Other: __________
---
## 3. Beaconing Analysis
### Pattern Detected
- **Beacon Interval:** 60 seconds
- **Regularity:** 95% (very consistent)
- **Protocol:** HTTP
- **URI Pattern:** /api/beacon?id=[random]
### Evidence
**Screenshot:**
**Wireshark Filter Used:**ip.addr == 192.168.1.100 && ip.addr == 203.0.113.50 && http
---
## 4. Data Exfiltration
### Exfiltration Detected
- **Method:** HTTP POST
- **Volume:** 2.5 MB
- **Destination:** 203.0.113.50:443
- **Timeframe:** [Start] to [End]
### Exfiltrated Data Type
[Documents / Credentials / Database / Unknown]
---
## 5. IOCs Identified
### IP Addresses
203.0.113.50 (C2 Server) 198.51.100.25 (Secondary C2)
### Domains
malicious-c2.com backup-c2.net
### URLs
http://malicious-c2.com/api/beacon https://malicious-c2.com/upload
### User-Agents
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Python-urllib/3.8
---
## 6. Attack Timeline
| Time | Event |
|------|-------|
| 08:15:23 | Initial malware execution |
| 08:16:00 | First C2 beacon |
| 08:20:00 | Beaconing established (60s interval) |
| 10:30:00 | Data exfiltration begins |
| 12:45:00 | Exfiltration complete |
---
## 7. Recommendations
### Immediate Actions
1. **Isolate compromised host** (192.168.1.100)
2. **Block C2 infrastructure:**
- IP: 203.0.113.50
- Domain: malicious-c2.com
3. **Scan all systems** for same malware
4. **Reset credentials** for affected user
### Detection Rules
[Include Suricata/Snort rules]
### Long-term Improvements
1. Deploy IDS/IPS with C2 detection rules
2. Implement DNS filtering/monitoring
3. Deploy EDR on all endpoints
4. Enhance network segmentation
---
## Appendix
### Tools Used
- Wireshark
- tshark
- Python (custom scripts)
- Zeek (optional)
### References
- [MITRE ATT&CK: C2](https://attack.mitre.org/tactics/TA0011/)
- [Malware Traffic Analysis](https://www.malware-traffic-analysis.net/)
- C2 Detection: Successfully identified C2 communication
- Analysis Depth: Thorough investigation of traffic patterns
- IOC Extraction: Comprehensive list of indicators
- Detection Rules: Effective rules for future detection
- Documentation: Professional, detailed report
- MITRE ATT&CK: Command and Control
- Palo Alto Networks: C2 Detection
- SANS: Detecting DNS Tunneling
- Malware Traffic Analysis
Lab Completion Time: [Record your time]
Difficulty Level: Advanced