Task 26, Day 20 Traffic analysis If you utter so much as one packet…

When a machine is compromised in a C2 situation, a payload is put on the local machine. In addition to executing commands from the C2 server, it will send a beacon packet to the server every few seconds to minutes to let it know it is active and ready for commands.

In Wireshark, can right-click on a packet and select follow stream to see all the requests and responses between a client and server, giving context to the communication.

Instructions from C2 server vary depending on the actor’s configuration, intention, and capabilities, but often fall into one of these categories:

  • Getting system information: Gathering information through commands like whoami to learn about the compromised machine and environment before making next moves.
  • Executing commands: Can send direct commands to do things, but is less stealthy and easily draws attention.
  • Downloading and executing payloads: Sending additional payloads that contain additional functionality or tools.
  • Exfiltrating data: One of the most common objectives. Could involve instructions to steal valuable data like sensitive files, credentials, or personal information.

The Task

Uncover data from the pcap to answer questions.

Wireshark: the Basics, Wireshark: Packet Operations, and Wireshark: Traffic Analysis rooms.

Sidepoint

I hate Ian Coldwater a little bit for making me do the feckin’ song every time I see, hear, or say Wireshark (doo doo doodoo doodoo).