[ SECURITY LABS ]
PCAP Hunt · Detect a C2 Beacon
Wireshark deep-dive — identified a beaconing C2 channel hidden in DNS traffic and wrote detection rules.
- PCAP
- Wireshark
// the_work
Worked from a 2 GB PCAP. Filtered, isolated the DNS exfil pattern, and authored a Suricata rule that survived the cohort's adversary-emulation pass.
// artifacts
FROM THE PROJECT FILES.
$ tshark -r capture.pcap \
-Y 'dns.qry.name contains "ddns.tk"' \
-T fields -e frame.time_relative -e dns.qry.name | sort -u | head
0.000 ax01.evil.ddns.tk
60.123 ax02.evil.ddns.tk
120.401 ax03.evil.ddns.tk
180.598 ax04.evil.ddns.tk
240.011 ax05.evil.ddns.tk
# 60s ± 0.5s — beaconing pattern
alert dns any any -> any any ( msg:"DNS-tunnel · likely C2 beacon (ddns.tk)"; dns.query; content:"ddns.tk"; nocase; threshold: type both, track by_src, count 4, seconds 300; classtype:trojan-activity; sid:1000231; rev:1; )
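The interval check behind the "60s ± 0.5s" note, as an added Python example that is not part of the project files: it parses tshark `-T fields` output of the shape shown above (a constructed sample is embedded, with benign filler hosts for contrast) and flags domains queried at a near-constant interval. Collapsing names to their last three labels is a simplifying assumption of this example.

```python
import statistics

# Constructed sample in the shape of the tshark output above (time<TAB>dns.qry.name).
# The evil.ddns.tk rows mirror the captured timings; cdn.example.net is benign filler.
SAMPLE = """\
0.000\tax01.evil.ddns.tk
5.000\tcdn.example.net
9.500\tcdn.example.net
40.200\tcdn.example.net
60.123\tax02.evil.ddns.tk
95.700\tcdn.example.net
120.401\tax03.evil.ddns.tk
180.598\tax04.evil.ddns.tk
240.011\tax05.evil.ddns.tk
"""

def parse_tshark_fields(text: str) -> list:
    """Parse 'time<TAB>name' lines into (seconds, name), skipping blank or malformed ones."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 2:
            continue
        try:
            rows.append((float(parts[0]), parts[1].lower()))
        except ValueError:
            continue
    return rows

def registered_domain(name: str, levels: int = 3) -> str:
    """Hypothetical simplification: keep the last `levels` labels (ax01.evil.ddns.tk -> evil.ddns.tk)."""
    return ".".join(name.rstrip(".").split(".")[-levels:])

def find_beacons(rows, min_queries: int = 4, max_jitter: float = 1.0) -> dict:
    """Return {domain: (mean_gap, gap_stddev)} for domains with >= min_queries whose gaps vary little."""
    by_domain = {}
    for t, name in rows:
        by_domain.setdefault(registered_domain(name), []).append(t)
    hits = {}
    for domain, times in by_domain.items():
        if len(times) < max(min_queries, 2):
            continue  # too few queries to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]  # inter-arrival seconds
        if statistics.pstdev(gaps) <= max_jitter:  # low jitter = timer-driven traffic
            hits[domain] = (statistics.mean(gaps), statistics.pstdev(gaps))
    return hits

if __name__ == "__main__":
    for domain, (mean, jitter) in find_beacons(parse_tshark_fields(SAMPLE)).items():
        print(f"{domain}: every {mean:.1f}s, jitter {jitter:.2f}s")
```

The same jitter threshold and query count map onto the Suricata rule's `count 4, seconds 300` window, which fires on volume rather than timing and so needs this kind of interval check to confirm a beacon.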