
analyzing-command-and-control-communication

Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or command-and-control infrastructure mapping.
26zl/cybersec-toolkit · ★ 11 · AI & Automation · score 85
Install: claude install-skill 26zl/cybersec-toolkit
# Analyzing Command-and-Control Communication

## When to Use

- Reverse engineering a malware sample has revealed network communication that needs protocol analysis
- Building network-level detection signatures for a specific C2 framework (Cobalt Strike, Metasploit, Sliver)
- Mapping C2 infrastructure, including primary servers, fallback domains, and dead drops
- Analyzing encrypted or encoded C2 traffic to understand the command set and data format
- Attributing malware to a threat actor based on C2 infrastructure patterns and tooling

**Do not use** for general network anomaly detection; this skill is specifically for understanding known or suspected C2 protocols surfaced by malware analysis.

## Prerequisites

- PCAP capture of the malware's network traffic (from a sandbox, a network tap, or full packet capture)
- Wireshark/tshark for packet-level analysis
- Reverse engineering tools (Ghidra, dnSpy) for understanding the C2 code in the malware binary
- Python 3.8+ with `scapy`, `dpkt`, and `requests` for protocol analysis and replay
- Threat intelligence databases for C2 infrastructure correlation (VirusTotal, Shodan, Censys)
- JA3/JA3S fingerprint databases for TLS-based C2 identification (a JA3 hash is shared by every client built on the same TLS stack, so treat a match as a lead to corroborate, not as attribution on its own)

## Workflow

### Step 1: Identify the C2 Channel

Determine the protocol and transport used for C2 communication:

```
C2 Communication Channels:
━━━━━━━━━━━━━━━━━━━━━━━━━
HTTP/HTTPS: Most common; uses standard web traffic to blend in
  Indicators: Regular POST/GET requests, specific URI pattern
```