C2 Detection – Command & Carol

admin 2025-12-25 02:41:42 | Cybersecurity articles | Source: ZONE.CI Global Network | 0 reads

Article summary: This article introduces RITA, an open source network traffic analysis tool that uses Zeek logs to detect C2 beacons, long connections and DNS tunnels. Through a hands-on walkthrough of parsing a PCAP file, it shows how to identify the hosts communicating with a malicious domain, high-risk beaconing activity and connections on specific ports. It explains in detail how the Threat Modifiers metrics are used to assess threat severity, giving a concrete guide to analysing covert network channels. Overall score: 85. Categories: security tools, threat intelligence, malware, network security.




Original

漫路修行

微痕鉴远

2025-12-24 14:23, Guangdong

Network traffic analysis:

https://github.com/activecm/rita

RITA is an open source framework for network traffic analysis.

The framework ingests Zeek Logs in TSV or JSON format, and currently supports the following major features:

  • Beaconing Detection: Search for signs of beaconing behavior in and out of your network

  • Long Connection Detection: Easily see connections that have communicated for long periods of time

  • DNS Tunneling Detection: Search for signs of DNS based covert channels

  • Threat Intel Feed Checking: Query threat intel feeds to search for suspicious domains and hosts

Use the rita tool to parse Zeek's logs and run the analysis:

zeek readpcap ~/pcaps/rita_challenge.pcap zeek_logs/rita_challenge
rita import --logs ~/zeek_logs/rita_challenge/ --database rita_challenge
rita view rita_challenge

How many hosts are communicating with malhare.net?

6

Which Threat Modifier tells us the number of hosts communicating to a certain destination?

Details pane: Apart from the Source and Destination, we have two information categories: Threat Modifiers and Connection info. Let’s have a closer look at these categories:

Threat Modifiers: These are criteria to determine the severity and likelihood of a potential threat. The following modifiers are available:

  • MIME type/URI mismatch: Flags connections where the MIME type reported in the HTTP header doesn’t match the URI. This can indicate an attacker is trying to trick the browser or a security tool.

  • Rare signature: Points to unusual patterns that attackers might overlook, such as a unique user agent string that is not seen in any other connections on the network.

  • Prevalence: Analyzes the number of internal hosts communicating with a specific external host. A low percentage of internal hosts communicating with an external one can be suspicious.

  • First Seen: Checks the date an external host was first observed on the network. A new host on the network is more likely to be a potential threat.

  • Missing host header: Identifies HTTP connections that are missing the host header, which is often an oversight by attackers or a sign of a misconfigured system.

  • Large amount of outgoing data: Flags connections that send a very large amount of data out from the network.

  • No direct connections: Flags connections that don’t have any direct connections, which can be a sign of a more complex or hidden command and control communication.

  • Connection count: Shows the number of connections initiated between the source and destination. A very high number can be an indicator of C2 beacon activity.

  • Total bytes sent: Displays the total amount of bytes sent from source to destination. If this is a very high number, it could be an indication of data exfiltration.

  • Port number – Protocol – Service: If the port number is non-standard, it warrants further investigation. The lack of SSL in the Service info could also be an indicator that warrants further investigation.

Prevalence: this is the indicator for the number of infected endpoints.

What is the highest number of connections to rabbithole.malhare.net?

40

Which search filter would you use to search for all entries that communicate to rabbithole.malhare.net with a beacon score greater than 70% and sorted by connection duration (descending)?

dst:rabbithole.malhare.net beacon:>=70 sort:duration-desc

Based on the fields of the Results panel:

  • Severity: A score calculated based on the results of threat modifiers (discussed below)

  • Source and destination IP/FQDN

  • Beacon likelihood

  • Duration of the connection: Long connections can be indicators of compromise. Most application layer protocols are stateless and close the connection quickly after exchanging data (exceptions are SSH, RDP, and VNC).

  • Subdomains: Connections to subdomains with the same domain name. If there are many subdomains, it could indicate the use of a C2 beacon or other techniques for data exfiltration.

  • Threat intel: lists any matches on threat intel feeds

Beacon is the tool's likelihood score for beaconing behaviour.
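To make the Threat Modifiers (prevalence, connection count, total bytes sent, port) and the Results panel fields (beacon likelihood, duration) concrete, here is an added example that is not part of the original article and not RITA's own code. It reads a constructed Zeek conn.log in TSV form, groups connections by internal source and external destination, and computes the same kinds of per-pair indicators. The beacon score is a deliberately simple regularity measure (1 minus the coefficient of variation of the inter-connection intervals), not RITA's algorithm; the RFC1918 internal subnets, the one-hour long-connection threshold and the minimum of three connections are assumptions chosen for the demonstration.

```python
"""Score outbound connections from a Zeek conn.log with RITA-style indicators.

Added example; the thresholds and the beacon heuristic are assumptions for
illustration, not RITA's implementation.
"""
import ipaddress
import statistics
from collections import defaultdict

# Assumed parameters (not RITA's): which subnets count as internal, what
# counts as a long connection, and how many connections a regularity
# judgement needs.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LONG_CONNECTION_SECONDS = 3600.0
MIN_CONNECTIONS_FOR_BEACON = 3

# Constructed sample conn.log (a real one carries more columns; the parser
# reads column names from the #fields header, so extra columns are harmless).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\n"
    # 10.0.0.13 reaches 203.0.113.5:80 every 60 s: a regular, beacon-like pattern
    "1700000000.0\tC1\t10.0.0.13\t51000\t203.0.113.5\t80\ttcp\thttp\t0.5\t120\t400\n"
    "1700000060.0\tC2\t10.0.0.13\t51001\t203.0.113.5\t80\ttcp\thttp\t0.4\t118\t402\n"
    "1700000120.0\tC3\t10.0.0.13\t51002\t203.0.113.5\t80\ttcp\thttp\t0.6\t121\t399\n"
    "1700000180.0\tC4\t10.0.0.13\t51003\t203.0.113.5\t80\ttcp\thttp\t0.5\t119\t401\n"
    "1700000240.0\tC5\t10.0.0.13\t51004\t203.0.113.5\t80\ttcp\thttp\t0.5\t120\t400\n"
    # 10.0.0.20 holds a single two-hour session to 198.51.100.9:443
    "1700000010.0\tC6\t10.0.0.20\t52000\t198.51.100.9\t443\ttcp\tssl\t7200.0\t50000\t1500\n"
    # every internal host reaches 192.0.2.10:443 once: high prevalence, unremarkable
    "1700000020.0\tC7\t10.0.0.13\t53000\t192.0.2.10\t443\ttcp\tssl\t1.2\t800\t9000\n"
    "1700000030.0\tC8\t10.0.0.20\t53001\t192.0.2.10\t443\ttcp\tssl\t1.1\t790\t9100\n"
    "1700000040.0\tC9\t10.0.0.31\t53002\t192.0.2.10\t443\ttcp\tssl\t-\t-\t-\n"
)


def parse_conn_log(text):
    """Return conn.log rows as dicts keyed by the names in the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, #close) and blanks
        else:
            if fields is None:
                raise ValueError("conn.log has no #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def _num(value):
    """Zeek writes '-' for unset numeric fields; treat those as zero."""
    return 0.0 if value == "-" else float(value)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def beacon_score(timestamps):
    """Regularity of connection timing in [0, 1]; 1.0 means perfectly periodic."""
    if len(timestamps) < MIN_CONNECTIONS_FOR_BEACON:
        return 0.0
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(intervals)
    if mean <= 0:
        return 0.0
    return max(0.0, 1.0 - statistics.pstdev(intervals) / mean)


def analyze(text):
    """Aggregate outbound (internal -> external) connections per source/destination pair."""
    pairs = defaultdict(lambda: {"timestamps": [], "connections": 0,
                                 "bytes_out": 0.0, "max_duration": 0.0, "ports": set()})
    internal_hosts, sources_per_dst = set(), defaultdict(set)
    for r in parse_conn_log(text):
        src, dst = r["id.orig_h"], r["id.resp_h"]
        if not is_internal(src) or is_internal(dst):
            continue  # only traffic leaving the network is scored
        internal_hosts.add(src)
        sources_per_dst[dst].add(src)
        p = pairs[(src, dst)]
        p["timestamps"].append(float(r["ts"]))
        p["connections"] += 1
        p["bytes_out"] += _num(r["orig_bytes"])
        p["max_duration"] = max(p["max_duration"], _num(r["duration"]))
        p["ports"].add(int(r["id.resp_p"]))
    return {
        (src, dst): {
            "connections": p["connections"],            # Connection count modifier
            "bytes_out": p["bytes_out"],                # Total bytes sent modifier
            "long_connection": p["max_duration"] >= LONG_CONNECTION_SECONDS,  # Duration
            "beacon": beacon_score(p["timestamps"]),    # Beacon likelihood
            # Prevalence: share of observed internal hosts that talk to this destination
            "prevalence": len(sources_per_dst[dst]) / len(internal_hosts),
            "ports": sorted(p["ports"]),                # Port number modifier
        }
        for (src, dst), p in pairs.items()
    }


if __name__ == "__main__":
    ranked = sorted(analyze(SAMPLE_CONN_LOG).items(), key=lambda kv: -kv[1]["beacon"])
    for (src, dst), r in ranked:
        print(f"{src} -> {dst} ports={r['ports']} conns={r['connections']} "
              f"bytes_out={r['bytes_out']:.0f} long={r['long_connection']} "
              f"prevalence={r['prevalence']:.2f} beacon={r['beacon']:.2f}")
```

Running it ranks 10.0.0.13 -> 203.0.113.5 first: five connections exactly 60 seconds apart give a beacon score of 1.0 while only one of three internal hosts (prevalence 0.33) talks to that destination, which is the combination the Threat Modifiers above describe as suspicious. The 192.0.2.10 pairs score 0 for beaconing and 1.0 for prevalence, and 10.0.0.20 -> 198.51.100.9 is flagged only for its long duration. Rows with '-' in duration or byte fields are handled, since Zeek emits those for connections it could not fully account for.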

Which port did the host 10.0.0.13 use to connect to rabbithole.malhare.net?

80



This article is reposted from 微痕鉴远 (漫路修行), "C2 Detection – Command & Carol".
