Advent of Cyber Day 20: Command-and-Control (C2) Traffic Analysis with Wireshark
Recently, I worked on analyzing Command-and-Control (C2) traffic using Wireshark as part of an IBM project, where I analyzed PCAP files to identify malicious activity. This task was straightforward and required no additional instructions to find the flag, thanks to my prior experience. When a system is compromised, a C2 server deploys a payload to execute commands, exfiltrate data, and send periodic updates, such as notifications confirming its status and readiness for instructions.
TryHackMe’s definition of a C2 beacon
A typical C2 beacon sends status updates from the compromised machine to its C2 server at regular (often deliberately jittered) intervals, acting as a heartbeat. For example:
Payload: “I am still alive. Awaiting any instructions. Over.”
C2 Server: “Glad to hear that! Stand by for any further instructions. Over.”
Using Wireshark, a powerful tool for inspecting network traffic, filtering data, and analyzing protocols like HTTP and TCP, I analyzed traffic from the compromised machine. I identified the initial communication through a POST request, followed by reconnaissance via a GET request gathering system information, and finally, data exfiltration with a POST request transferring files to the C2 server.
I also used CyberChef to decrypt beacon messages sent by the compromised system, which highlighted the payload’s periodic updates to the C2 server. This reinforced my understanding of C2 communication and decryption techniques.
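The heartbeat pattern in the beacon definition above, and the first contact / recon / exfiltration sequence described here, are what an analyst looks for across many requests. As an added example (not part of the TryHackMe room or the original post), the script below takes constructed HTTP request records of the kind a Wireshark or tshark export would give, flags host pairs whose request timing is near-constant, and lists the request sequence for a flagged pair. All hosts, URIs and timestamps are made up.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records: (time_s, src, dst, method, uri).
# 10.0.0.5 -> 203.0.113.7 beacons every ~60 s with slight jitter, wrapped by a
# first-contact POST, a recon GET and a final upload; 10.0.0.8 is normal browsing.
REQUESTS = [
    (0.0,   "10.0.0.5", "203.0.113.7",  "POST", "/register"),   # first contact
    (3.1,   "10.0.0.5", "203.0.113.7",  "GET",  "/sysinfo"),    # recon
    (60.4,  "10.0.0.5", "203.0.113.7",  "POST", "/beacon"),
    (119.8, "10.0.0.5", "203.0.113.7",  "POST", "/beacon"),
    (181.1, "10.0.0.5", "203.0.113.7",  "POST", "/beacon"),
    (240.6, "10.0.0.5", "203.0.113.7",  "POST", "/beacon"),
    (301.0, "10.0.0.5", "203.0.113.7",  "POST", "/exfil"),      # file upload
    (5.0,   "10.0.0.8", "198.51.100.2", "GET",  "/index.html"),
    (5.4,   "10.0.0.8", "198.51.100.2", "GET",  "/style.css"),
    (47.0,  "10.0.0.8", "198.51.100.2", "GET",  "/news"),
    (200.9, "10.0.0.8", "198.51.100.2", "GET",  "/about"),
]

def beacon_score(times, tolerance=0.2):
    """Return (fraction of inter-arrival gaps within +/- tolerance of the median
    gap, median gap). A timer-driven heartbeat with light jitter scores near 1.0;
    using the median keeps one-off recon or exfil requests from hiding the period."""
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0, 0.0
    period = median(gaps)
    regular = sum(1 for g in gaps if abs(g - period) <= tolerance * period)
    return regular / len(gaps), period

def find_beacons(requests, min_requests=5, min_score=0.7):
    """Return {(src, dst): period_seconds} for host pairs whose timing looks like a beacon."""
    by_pair = defaultdict(list)
    for t, src, dst, _method, _uri in requests:
        by_pair[(src, dst)].append(t)
    found = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:   # too few requests to judge regularity
            continue
        score, period = beacon_score(times)
        if score >= min_score:
            found[pair] = round(period, 1)
    return found

def timeline(requests, pair):
    """Ordered (method, uri) list for one host pair: first contact, recon, heartbeats, exfil."""
    return [(m, u) for t, s, d, m, u in sorted(requests) if (s, d) == pair]
```

Thresholds are starting points; on real captures, tune `tolerance` and `min_requests` against the capture length and review flagged pairs in Wireshark's conversation view before acting on them.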
My prior project, where I identified a malicious PDF and suspicious IP activity using tools like VirusTotal and protocol analysis, significantly streamlined this task. It reinforced my ability to analyze network traffic and detect malicious activity, showcasing the value of practical skills in cybersecurity and building on prior experience.