Detecting C2 (Command & Control) Traffic

Detecting Command & Control (C2) traffic is one of the most important responsibilities in Network Security Monitoring.
C2 communication is how malware, implants, RATs, and adversaries maintain remote access, issue commands, exfiltrate data, deploy ransomware payloads, and control compromised hosts.
Most modern attacks depend on silent, persistent, encrypted, or obfuscated C2 channels—making detection a critical SOC skill.

This chapter provides a full-length, deep, practical guide to identifying C2 behaviors using Suricata/Snort alerts, PCAP inspection, flow analysis, DNS telemetry, JA3 fingerprints, and behavioral patterns.


What C2 Traffic Looks Like

C2 communication varies depending on:

  • Malware family

  • RAT type

  • Framework (Cobalt Strike, Metasploit, Sliver, Mythic)

  • Protocol used

  • Encryption method

  • Obfuscation technique

But all C2 channels share a common goal:
allow the attacker to control an infected endpoint remotely.

C2 traffic often:

  • Establishes long-lived or periodic outbound connections

  • Contacts suspicious or new domains

  • Connects to VPS/bulletproof hosting

  • Uses high ports or uncommon protocols

  • Hides inside HTTPS or DNS

  • Sends small beacon packets at intervals

  • Uses encoded, encrypted, or random payloads


Types of C2 Channels

Different attacks use different communication models.

1. HTTP/HTTPS C2

Most common.
Beaconing over port 80/443.

Indicators:

  • Unusual user-agent strings

  • Periodic GET/POST requests

  • Random-looking URL paths

  • TLS handshake anomalies

Example pattern:

/jquery-update/status.php
/checkin?id=98213

2. DNS C2

Used by APT groups and stealthy malware.

Indicators:

  • High-frequency DNS queries

  • Subdomain-length anomalies

  • Base32/base64-encoded subdomains

  • Queries to newly registered domains

Example:

ahd738dhsa92jd.domain.net

3. TCP Shell C2

Reverse shells and simple backdoors.

Indicators:

  • Direct TCP connection from victim to attacker

  • Long-lived sessions

  • Non-standard ports (4444, 1337, 9001)

  • Interactive data patterns


4. Peer-to-Peer C2

Used by botnets.

Indicators:

  • Random IP connections

  • No central server

  • Custom protocols


5. Cloud-Based C2

Attackers hide inside cloud services.

Examples:

  • Google Drive

  • Dropbox

  • Telegram

  • Discord

  • Slack

  • GitHub

Indicators:

  • Unexpected API calls

  • Large outbound encrypted payloads


Key Techniques to Detect C2

SOC analysts must combine multiple data sources:
PCAPs, flow data, Suricata alerts, DNS logs, TLS metadata, JA3 fingerprints, and threat feeds.

Below are the core techniques.


Technique 1 — Beaconing Pattern Detection

Malware sends periodic check-ins.

Example:

Every 60 seconds: POST /update/status

To detect:

  • Look for consistent intervals

  • Look for small, repetitive packets

  • Suricata’s detection_filter/threshold keywords can count repeated hits, and flowbits can track multi-stage behavior

Example Suricata logic (rule options only; a full rule appears later in this chapter):

flow:to_server; content:"/update/status"; http_uri; detection_filter:track by_src, count 3, seconds 180;

Beaconing is the strongest universal C2 indicator.
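The interval analysis described above, as an added Python example that is not part of the original chapter: it groups constructed HTTP flow records by source, destination and URI, measures the gaps between consecutive hits and flags groups whose timing is regular and whose requests stay small. The record layout, IPs and thresholds are assumptions, not values from the chapter.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed HTTP flow records (timestamp, src, dst, dst_port, uri, bytes_out),
# not real telemetry: 10.0.0.5 checks in to /update/status roughly every 60 s
# with small POSTs, while 10.0.0.7 browses another site at irregular intervals.
SAMPLE_FLOWS = [
    ("2024-05-01T10:00:00", "10.0.0.5", "203.0.113.10", 443, "/update/status", 412),
    ("2024-05-01T10:01:01", "10.0.0.5", "203.0.113.10", 443, "/update/status", 410),
    ("2024-05-01T10:01:59", "10.0.0.5", "203.0.113.10", 443, "/update/status", 415),
    ("2024-05-01T10:03:00", "10.0.0.5", "203.0.113.10", 443, "/update/status", 409),
    ("2024-05-01T10:04:02", "10.0.0.5", "203.0.113.10", 443, "/update/status", 411),
    ("2024-05-01T10:00:05", "10.0.0.7", "198.51.100.20", 443, "/news", 51200),
    ("2024-05-01T10:00:09", "10.0.0.7", "198.51.100.20", 443, "/news", 83000),
    ("2024-05-01T10:07:40", "10.0.0.7", "198.51.100.20", 443, "/news", 120000),
    ("2024-05-01T10:21:12", "10.0.0.7", "198.51.100.20", 443, "/news", 44000),
]

def find_beacons(flows, min_hits=4, max_jitter=0.15, max_bytes=2048):
    """Group flows by (src, dst, port, uri), measure the gaps between
    consecutive hits and flag groups whose gaps are regular (coefficient of
    variation <= max_jitter) and whose requests stay small (<= max_bytes).
    Returns {key: (median_interval_seconds, jitter)}."""
    groups = defaultdict(list)
    for ts, src, dst, port, uri, nbytes in flows:
        groups[(src, dst, port, uri)].append((datetime.fromisoformat(ts), nbytes))
    beacons = {}
    for key, events in groups.items():
        if len(events) < min_hits:
            continue
        events.sort()
        times = [t for t, _ in events]
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Coefficient of variation: a fixed timer gives 0, sleep jitter a few percent.
        jitter = statistics.pstdev(deltas) / statistics.mean(deltas)
        if jitter <= max_jitter and max(n for _, n in events) <= max_bytes:
            beacons[key] = (statistics.median(deltas), round(jitter, 3))
    return beacons

if __name__ == "__main__":
    for key, (interval, jitter) in find_beacons(SAMPLE_FLOWS).items():
        print(f"{key[0]} -> {key[1]}:{key[2]} {key[3]} every {interval:.0f}s (jitter {jitter})")
```

Implants that randomize their sleep need a looser max_jitter; tune it against your own baseline before alerting on it.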


Technique 2 — Suspicious Domains & IPs

Indicators:

  • Newly registered domains (< 7 days old)

  • Random or algorithmically generated (DGA) names

  • Domains hosted on low-quality VPS

  • IPs belonging to bulletproof hosting

  • Rare destination IPs with no previous traffic

Check:

  • WHOIS

  • Age

  • ASN

  • Passive DNS

  • Threat feeds

Example:

sync-checkin-update.info → registered yesterday

Technique 3 — Unusual TLS Fingerprints (JA3/JA3S)

Many frameworks produce unique TLS fingerprints:

  • Cobalt Strike

  • Metasploit

  • Sliver

  • Mythic

  • AsyncRAT

  • Nanocore

Suricata can match JA3 hashes with the ja3.hash keyword (JA3 computation must be enabled in suricata.yaml):

ja3.hash; content:"72a589da586844...";

This fingerprint often matches Cobalt Strike.


Technique 4 — Abnormal User-Agent Strings

Malware often uses:

  • Fake browser strings

  • Outdated user-agents

  • Misspellings

  • Empty user-agents

Examples:

Mozilla/5.0 (NULL)
Microsoft Office Protocol Discovery
Python-urllib/3.8
CobaltStrike

Suricata can match these via HTTP signatures.


Technique 5 — Encoded or Random URL Paths

C2 paths often contain:

  • Base64

  • Random numbers

  • Non-standard folder names

Examples:

/api/v2/checkin
/update.php?uid=83920
/AJD82hd8hda90/

If the URL path never appears in normal traffic → suspicious.


Technique 6 — DNS Exfiltration Patterns

DNS queries may contain:

  • Encoded data chunks

  • Very long subdomains

  • High query frequency

  • Random subdomain names

Example:

aGFja2VkZGF0YQ.example.com

Detect through:

  • Query length

  • Frequency

  • Entropy


Technique 7 — Long-Lived Connections

Normal web traffic is brief.
C2 channels maintain long, persistent sessions.

Indicators:

  • TCP session open > 5–10 minutes

  • Low amount of transferred data

  • Regular keepalive packets

  • Unusual destination ports


Technique 8 — Protocol Mismatch

Traffic claims to be one protocol but behaves like another.

Examples:

  • TLS handshake but non-TLS behavior

  • HTTP header inconsistencies

  • ICMP frames carrying random data

This suggests covert channels or tunneling.


Technique 9 — EDR + Network Correlation

Combine EDR telemetry with network traffic:

  • Suspicious parent process

  • Suspicious PowerShell

  • Process making outbound connections

Example:

powershell.exe → random HTTPS host → beacon every 60s

This confirms C2.


Using Suricata/Snort to Detect C2

Suricata/Snort rules can detect:

  • Cobalt Strike HTTP patterns

  • JA3 fingerprints

  • Suspicious domains

  • DNS tunneling

  • HTTP structure anomalies

  • Malicious user-agents

Example Suricata rule (simplified; lines joined with a trailing backslash):

# sid is a local placeholder from the 1000000+ range reserved for custom rules
alert http any any -> any any ( \
    msg:"Suspicious C2 Beaconing"; \
    flow:to_server; \
    content:"/checkin"; http_uri; \
    detection_filter:track by_src, count 3, seconds 180; \
    classtype:trojan-activity; sid:1000001; rev:1; \
)

Triggers when a single source host requests /checkin at least 3 times within 180 seconds.


Detecting C2 in PCAPs (Practical Steps)

Step 1 — Load PCAP into Wireshark

Analyze:

  • Flows

  • TLS handshakes

  • DNS queries

  • Application payloads

Step 2 — Identify repeated outbound connections

Filter:

tcp.stream eq X

Step 3 — Look for abnormal TLS patterns

Filter:

tls.handshake

Step 4 — Inspect DNS queries

Filter:

dns

Look for:

  • High-frequency queries

  • Weird subdomains

Step 5 — Analyze user-agent strings

Filter:

http.user_agent

Real SOC Examples

Example 1 — Cobalt Strike Beacon

Every 60 seconds → small POST request
User-agent: Mozilla/5.0 (Windows NT)
JA3 fingerprint matches known CS pattern

Example 2 — DNS Tunneling

Over 1000 DNS queries/hour
Long encoded subdomains

Example 3 — AsyncRAT

TLS outbound traffic to VPS
JA3 fingerprint match
Encoded payloads

Example 4 — Metasploit Reverse Shell

Long-lived TCP connection
Random payload bytes
Port 4444

Intel Dump

  • C2 traffic enables remote attacker control, data theft, and ransomware deployment.

  • Key detection methods include beaconing analysis, DNS anomaly detection, TLS fingerprinting, suspicious domain checks, and user-agent inspection.

  • Suricata/Snort detect C2 through signatures, JA3 matches, and behavior-based rules.

  • PCAP analysis reveals periodic connections, abnormal ports, long-lived sessions, and encoded payloads.

  • C2 detection requires combining network telemetry, SIEM, EDR, and threat intel for accurate identification.
