Identifying C2 Traffic

Identifying command-and-control (C2) traffic is one of the most critical tasks in network forensics. C2 channels allow attackers to remotely control infected systems, exfiltrate data, deploy payloads, and maintain persistence. Detecting C2 traffic early can stop an active intrusion and prevent further damage.

This chapter explains how C2 communication works, the different types of C2 channels, indicators of malicious C2 traffic, and techniques investigators use to detect it in PCAPs and live network monitoring.


What Is C2 Traffic?

C2 (Command-and-Control) traffic is communication between:

  • A compromised system (agent/bot)

  • An attacker-controlled server (C2 server)

Malware uses C2 channels to:

  • Receive commands

  • Send system information

  • Exfiltrate data

  • Download additional payloads

  • Execute remote actions

  • Maintain persistence

C2 communication is often stealthy, encrypted, and designed to blend into normal traffic.


Types of C2 Communication


1. HTTP/HTTPS-Based C2

This is the most common type. Malware uses:

  • HTTP GET/POST

  • HTTPS encrypted channels

  • User-agent spoofing

Indicators:

  • Unusual domains

  • Encrypted traffic to rare servers

  • Repetitive beaconing intervals


2. DNS-Based C2

Uses DNS queries to send/receive data.

Techniques:

  • DNS tunneling

  • Random subdomains

  • Large TXT records

Indicators:

  • High-volume DNS queries

  • Long hostname strings

  • DNS requests every few seconds


3. TCP/UDP Custom Protocols

Attackers design custom binary protocols to avoid detection.

Indicators:

  • Traffic on unusual ports

  • Packets with repetitive patterns

  • Consistent packet sizes


4. Social Media / API C2

Malware uses:

  • Twitter

  • Telegram

  • Discord

  • GitHub

  • Google Sheets

Indicators:

  • API calls at regular intervals

  • Requests without user interaction


5. Peer-to-Peer (P2P) C2

Used by advanced malware.

Indicators:

  • Multiple outbound connections

  • Rapid peer changes

  • Connections to many random IPs


6. Encrypted or Steganographic C2

  • Data hidden inside images, TLS sessions, or otherwise legitimate-looking traffic

  • Hardest to detect

Indicators rely on traffic patterns instead of content.


Behavioral Indicators of C2 Traffic

C2 communication often follows predictable patterns.


1. Beaconing

Regular, repeated outbound connections to the same server.

Examples:

  • Every 10 seconds

  • Every 30 seconds

  • Every 5 minutes

Malware checks for new commands at fixed intervals.

Look for:

  • Evenly spaced timestamps

  • Identical packet sizes


2. Connections to Rare or Foreign IPs

Indicators:

  • Servers in uncommon countries

  • IPs with no reputation

  • Cloud/VPS hosts (DigitalOcean, Linode, Vultr)


3. Small, Repetitive Packet Sizes

C2 traffic often uses small instructions:

  • 50–200 bytes

  • Identical payload lengths


4. Unusual TLS Traffic

Signs include:

  • Self-signed certificates

  • Certificate domain that does not match the SNI

  • Missing SNI field

  • Strange certificate issuers

  • Rare JA3 fingerprint
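The JA3 fingerprint and the SNI check above both come from the ClientHello, so the following added example (not code from the original chapter) parses one and derives both. The two ClientHello messages are constructed inside the block with a small builder, not taken from a capture; the JA3 string format (version, ciphers, extensions, groups, point formats, with GREASE values removed) is the published one, and the thresholds and sample values are illustrative only.

```python
"""Derive the JA3 string from a TLS ClientHello and check whether SNI is present.

Added example: the ClientHello messages below are constructed in the block itself
(not taken from a capture) so that it runs offline. Layout follows RFC 5246 /
RFC 8446; JA3 = MD5 of "SSLVersion,Ciphers,Extensions,EllipticCurves,PointFormats"
with GREASE values (RFC 8701) removed.
"""
import hashlib
import struct

EXT_SERVER_NAME = 0        # IANA TLS extension type numbers
EXT_SUPPORTED_GROUPS = 10
EXT_EC_POINT_FORMATS = 11

def is_grease(value: int) -> bool:
    """GREASE values are 0x0a0a, 0x1a1a, ..., 0xfafa and must not enter the fingerprint."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)

def parse_client_hello(data: bytes) -> dict:
    """Parse the handshake-layer ClientHello (TLS record header already stripped)."""
    if data[0] != 1:
        raise ValueError("not a ClientHello, handshake type %d" % data[0])
    body = data[4:4 + int.from_bytes(data[1:4], "big")]
    pos = 0
    version = struct.unpack_from("!H", body, pos)[0]
    pos += 2 + 32                     # version, then the 32-byte client random
    pos += 1 + body[pos]              # session id length + session id
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]              # compression methods length + methods
    ext_types, groups, point_formats, sni = [], [], [], None
    if pos < len(body):
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == EXT_SUPPORTED_GROUPS:
                n = struct.unpack_from("!H", edata, 0)[0]
                groups = [struct.unpack_from("!H", edata, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == EXT_EC_POINT_FORMATS:
                point_formats = list(edata[1:1 + edata[0]])
            elif etype == EXT_SERVER_NAME:
                # list length (2) | name type (1) | name length (2) | host name
                name_len = struct.unpack_from("!H", edata, 3)[0]
                sni = edata[5:5 + name_len].decode("ascii")
    return {"version": version, "ciphers": ciphers, "extensions": ext_types,
            "groups": groups, "point_formats": point_formats, "sni": sni}

def ja3_string(hello: dict) -> str:
    def join(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(hello["version"]), join(hello["ciphers"]), join(hello["extensions"]),
                     join(hello["groups"]), "-".join(map(str, hello["point_formats"]))])

def assess(data: bytes) -> dict:
    """Fingerprint and SNI check for one ClientHello."""
    hello = parse_client_hello(data)
    ja3 = ja3_string(hello)
    return {"ja3": ja3, "ja3_md5": hashlib.md5(ja3.encode()).hexdigest(),
            "sni": hello["sni"], "missing_sni": hello["sni"] is None}

def build_client_hello(version, ciphers, groups, point_formats, sni=None, grease=False) -> bytes:
    """Assemble a minimal ClientHello; used here only to construct sample input."""
    ext = struct.pack("!HH", 0x0A0A, 0) if grease else b""          # GREASE extension
    if sni is not None:
        name = sni.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name
        payload = struct.pack("!H", len(entry)) + entry
        ext += struct.pack("!HH", EXT_SERVER_NAME, len(payload)) + payload
    g = b"".join(struct.pack("!H", x) for x in groups)
    ext += struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(g) + 2) + struct.pack("!H", len(g)) + g
    pf = bytes(point_formats)
    ext += struct.pack("!HH", EXT_EC_POINT_FORMATS, len(pf) + 1) + bytes([len(pf)]) + pf
    suites = ([0x1A1A] if grease else []) + list(ciphers)           # GREASE cipher first
    cs = b"".join(struct.pack("!H", x) for x in suites)
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"     # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"           # cipher suites, one null compression
            + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body

# Constructed samples: TLS 1.2 (0x0303 = 771) hellos offering TLS_AES_128_GCM_SHA256,
# TLS_AES_256_GCM_SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256, groups x25519/P-256/P-384.
SAMPLE_WITH_SNI = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02B], [29, 23, 24], [0],
                                     sni="updates.example.com", grease=True)
SAMPLE_NO_SNI = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02B], [29, 23, 24], [0])

if __name__ == "__main__":
    for label, sample in (("with SNI", SAMPLE_WITH_SNI), ("no SNI", SAMPLE_NO_SNI)):
        print(label, assess(sample))
```

Two things worth noticing in the output: the GREASE cipher and extension never reach the JA3 string, which is why the same browser build yields a stable hash, and dropping the server_name extension changes the extension list and therefore the fingerprint itself, so a "missing SNI" hit and a "rare JA3" hit on the same flow are often one anomaly seen twice.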


5. DNS Anomalies

Examples:

  • Excessively long domains

  • Random characters (DGA domains)

  • High volume of TXT queries

  • Repeated NXDOMAIN responses
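The DNS anomalies listed above are easiest to see when scored per client rather than per query. The following added example (not code from the original chapter) does that over constructed dns.log-style records: it computes name length, longest label and character entropy for each query, then aggregates TXT share, NXDOMAIN share and anomalous-name share per source address. The client addresses, domain names, thresholds and the query volume gate are all assumptions chosen for illustration, not tuned values.

```python
"""Score DNS queries for tunneling and DGA indicators.

Added example over constructed records (not real traffic). Each record is
(client_ip, query_name, qtype, rcode), the columns a Zeek dns.log provides.
The thresholds are starting points, not tuned values.
"""
import hashlib
import math
import random
import string
from collections import defaultdict

def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def name_indicators(name: str) -> dict:
    """Per-name features: total length, longest label, entropy of the non-TLD labels."""
    labels = name.rstrip(".").split(".")
    left = labels[:-1]                     # everything but the TLD
    chars = "".join(left)
    longest = max((len(label) for label in left), default=0)
    entropy = shannon_entropy(chars)
    return {
        "length": len(name),
        "longest_label": longest,
        "entropy": round(entropy, 3),
        # tunnels pack data into labels: long names or one very long label
        "long": len(name) > 52 or longest > 30,
        # DGA names are short but random; require enough characters for entropy to mean anything
        "high_entropy": entropy >= 3.8 and len(chars) >= 12,
    }

def client_indicators(records, min_queries=20):
    """Aggregate per client: TXT share, NXDOMAIN share and share of anomalous names."""
    per_client = defaultdict(list)
    for client, name, qtype, rcode in records:
        per_client[client].append((name, qtype, rcode))
    summary = {}
    for client, rows in per_client.items():
        n = len(rows)
        txt_ratio = sum(1 for _, q, _ in rows if q == "TXT") / n
        nx_ratio = sum(1 for _, _, r in rows if r == "NXDOMAIN") / n
        flagged = sum(1 for name, _, _ in rows
                      if name_indicators(name)["long"] or name_indicators(name)["high_entropy"])
        summary[client] = {
            "queries": n,
            "unique_names": len({name for name, _, _ in rows}),
            "txt_ratio": txt_ratio,
            "nxdomain_ratio": nx_ratio,
            "flagged_ratio": flagged / n,
            # volume gate first: a handful of odd names is noise, hundreds is a channel
            "suspicious": n >= min_queries and (txt_ratio > 0.5 or nx_ratio > 0.5 or flagged / n > 0.5),
        }
    return summary

def build_sample_records():
    """Constructed dns.log-style records: one normal client, one tunnel, one DGA host."""
    records = [("10.0.0.5", name, "A", "NOERROR") for name in
               ["www.google.com", "mail.microsoft.com", "cdn.example.net",
                "login.live.com", "api.github.com", "static.cloudflare.com"]]
    # tunnel: each query carries a 32-hex-char chunk in the leftmost label, TXT answers carry data back
    for i in range(24):
        chunk = hashlib.sha256(str(i).encode()).hexdigest()[:32]
        records.append(("10.0.0.9", "%s.tun.example.org" % chunk, "TXT", "NOERROR"))
    # DGA: 30 random 16-letter domains, nearly all unregistered
    rng = random.Random(1)
    for i in range(30):
        domain = "".join(rng.sample(string.ascii_lowercase, 16)) + ".net"
        records.append(("10.0.0.7", domain, "A", "NOERROR" if i < 2 else "NXDOMAIN"))
    return records

SAMPLE_RECORDS = build_sample_records()

if __name__ == "__main__":
    for client, info in client_indicators(SAMPLE_RECORDS).items():
        print(client, info)
```

Entropy on its own is a weak signal: legitimate names such as mail.microsoft.com already score above 3 bits per character, which is why the per-name test also requires a minimum length and why the per-client verdict is gated on query volume and combined with the TXT and NXDOMAIN ratios. In practice the thresholds should be set from a baseline of the monitored network's own resolver logs.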


6. Traffic on Suspicious Ports

Common ports:

  • 4444

  • 8081

  • 9001

  • 12345

  • 1337

Many RATs use non-standard ports to avoid detection.


7. Outbound Traffic Without User Interaction

If a system contacts unknown servers when idle, it may be infected.


8. Periodic Failover Servers

If the primary C2 server is down, the malware rotates through a list of backup servers.


How to Identify C2 Traffic in PCAPs


Using Wireshark

Filter for potential C2 traffic:

!(tcp.port == 80 || tcp.port == 443)
dns
tcp.flags.syn == 1

Note that tcp.port != 80 does not do what it looks like: every packet carries two ports, and that filter matches whenever either one is not 80, so it keeps almost all web traffic. Negating the equality test with !(...) excludes the whole conversation.

Detect beaconing:

  • Right-click flow → Follow TCP Stream

  • Look for repetitive intervals

Check TLS info:

ssl.handshake.type == 1 (ClientHello; in Wireshark 3.0 and later the field is tls.handshake.type == 1)

Look at certificate details:

  • Self-signed

  • Unknown issuer


Using Zeek (Bro)

Useful logs:

  • conn.log

  • dns.log

  • ssl.log

Flags:

  • Long-lived connections

  • Rare JA3 fingerprints
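The beaconing and packet-size indicators from the Behavioral Indicators section, and the long-lived-connection flag above, can all be scored from Zeek's conn.log. The following added example (not code from the original chapter or from the Zeek project) parses a constructed, reduced conn.log (TSV with a #fields header and only a subset of the real columns), groups connections by client, server and port, and flags flows whose inter-connection timing has low jitter and whose request sizes are uniform, plus any session open for an hour or more. The addresses, intervals, byte counts and thresholds are assumptions chosen for illustration.

```python
"""Flag beaconing and long-lived flows in Zeek conn.log records.

Added example. The log below is constructed inline to mimic a reduced Zeek
conn.log (TSV with a #fields header, a subset of the real columns); it is not
taken from a capture. Beaconing is scored on inter-connection timing and on
how uniform the client's request sizes are.
"""
import statistics
from collections import Counter, defaultdict

FIELDS = ["ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
          "duration", "orig_bytes", "resp_bytes"]

def conn_line(ts, orig, oport, resp, rport, duration, obytes, rbytes):
    """One TSV row in the column order of FIELDS."""
    return "\t".join(map(str, [ts, orig, oport, resp, rport, "tcp", duration, obytes, rbytes]))

BASE = 1700000000.0
# small per-beacon sleep jitter, as implants add to defeat exact-interval matching
JITTER = [0.0, 0.4, -0.3, 0.8, -0.6, 0.2, -0.1, 0.5, -0.4, 0.3, 0.0, -0.2]
SAMPLE_LOG = "#fields\t" + "\t".join(FIELDS) + "\n" + "\n".join(
    # 10.0.0.12: twelve connections, ~60 s apart, identical 312-byte requests
    [conn_line(BASE + 60 * i + JITTER[i], "10.0.0.12", 49200 + i, "203.0.113.45", 443,
               0.8, 312, 1460) for i in range(12)]
    # 10.0.0.20: interactive browsing, irregular gaps and varying sizes
    + [conn_line(BASE + t, "10.0.0.20", 51000 + n, "198.51.100.10", 443, 2.5, 900 + 40 * n, 12000)
       for n, t in enumerate([0, 5, 135, 152, 552, 554, 614, 1514])]
    # 10.0.0.30: a single two-hour session on a non-standard port
    + [conn_line(BASE + 30, "10.0.0.30", 53100, "203.0.113.99", 8081, 7200.0, 2100, 3800)]
) + "\n"

def parse_conn_log(text: str) -> list:
    """Map each data row onto the names from the #fields header (values stay strings)."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def find_beacons(rows, min_count=6, max_jitter=0.2, min_size_share=0.8):
    """Per (client, server, port): interval regularity and request-size uniformity."""
    flows = defaultdict(list)
    for r in rows:
        key = (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])
        flows[key].append((float(r["ts"]), int(r["orig_bytes"])))
    results = {}
    for key, conns in flows.items():
        if len(conns) < min_count:          # too few connections to judge periodicity
            continue
        conns.sort()
        gaps = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        mean = statistics.mean(gaps)
        # coefficient of variation: ~0 for a fixed sleep, >>0.2 for human-driven traffic
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        sizes = [size for _, size in conns]
        modal_share = Counter(sizes).most_common(1)[0][1] / len(sizes)
        results[key] = {
            "count": len(conns),
            "mean_interval": round(mean, 1),
            "jitter": round(jitter, 3),
            "modal_size_share": modal_share,
            "beacon": jitter <= max_jitter and modal_share >= min_size_share,
        }
    return results

def find_long_lived(rows, min_duration=3600.0) -> list:
    """Sessions held open for at least min_duration seconds (idle C2 keep-alives look like this)."""
    return [(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"], float(r["duration"]))
            for r in rows if float(r["duration"]) >= min_duration]

if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_LOG)
    for key, info in find_beacons(rows).items():
        print(key, info)
    print("long-lived:", find_long_lived(rows))
```

The coefficient of variation is used rather than an exact-interval match because a sleep of 60 seconds with a few hundred milliseconds of random jitter still scores close to zero, while user-driven traffic to the same server scores well above the threshold. On a real conn.log the same grouping would also be joined against ssl.log to attach the JA3 value of each flow to its beaconing score.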


Using Suricata

Suricata signatures detect:

  • Cobalt Strike

  • Meterpreter

  • TrickBot

  • RAT beacons

Offline scan of a PCAP:

suricata -r file.pcap -l output/


Examples of C2 Behavior by Malware Families

Cobalt Strike

  • HTTPS C2

  • Sleep intervals

  • Self-signed certificates

Emotet

  • Large number of HTTP POST requests

  • Randomized user-agents

TrickBot

  • Encrypted payloads

  • Multistage DNS communication

Agent Tesla

  • SMTP-based C2

Sliver / Brute Ratel

  • Encrypted traffic disguised as normal HTTPS


Red Flags for C2 Traffic (Checklist)

  • Repeated outbound connections at identical intervals

  • TLS traffic missing SNI or using rare JA3 signatures

  • Suspicious DNS patterns or DGAs

  • Traffic to hosting providers with no legitimate purpose

  • Small repetitive packet sizes

  • Unexplained outbound connections during idle times

  • Long-lived sessions without meaningful data transfer

  • HTTP POST requests with base64 or binary payloads

  • Unknown user-agent strings

  • Responses containing encoded commands


Intel Dump

  • C2 traffic is attacker-controlled communication used to manage infected systems, exfiltrate data, deploy payloads, and remotely execute commands.

  • C2 channels include HTTP(S), DNS tunneling, TCP/UDP custom protocols, P2P, social media APIs, and encrypted/steganographic channels.

  • Indicators include beaconing, rare IP connections, suspicious TLS certificates, abnormal DNS behavior, small repetitive packet sizes, and traffic on uncommon ports.

  • Tools like Wireshark, Zeek, Suricata, and network logs help detect C2 patterns in PCAPs.

  • Consistent timing, encoded payloads, DGAs, and encrypted long-lived connections are strong signs of active C2 activity.
