[ SECURITY LABS ]

PCAP Hunt · Detect a C2 Beacon

Wireshark deep-dive — identified a beaconing C2 channel hidden in DNS traffic and wrote detection rules.

  • PCAP
  • Wireshark

// the_work

Worked from a 2 GB PCAP. Filtered, isolated the DNS exfil pattern, and authored a Suricata rule that survived the cohort's adversary-emulation pass.

// artifacts

FROM THE PROJECT FILES.

$ terminal · tshark · isolate beacon
$ tshark -r capture.pcap \
    -Y 'dns.qry.name contains "ddns.tk"' \
    -T fields -e frame.time_relative -e dns.qry.name | sort -u | head
0.000  ax01.evil.ddns.tk
60.123  ax02.evil.ddns.tk
120.401 ax03.evil.ddns.tk
180.598 ax04.evil.ddns.tk
240.011 ax05.evil.ddns.tk
# 60s ± 0.5s — beaconing pattern
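The interval check behind the "60s ± 0.5s" note, written out as a small analysis script. This is an added example, not one of the project files: it takes lines in the shape of the `tshark -T fields -e frame.time_relative -e dns.qry.name` output above (the sample below is constructed to match that excerpt plus some benign noise), groups queries by a two-label apex (an assumption standing in for a proper public-suffix lookup), and flags a domain as beaconing when it has enough queries and the inter-arrival deltas sit tightly around one period (low coefficient of variation). The `min_count` and `max_cv` thresholds are assumed tuning knobs, not values from the lab.

```python
"""Beacon-interval check over tshark field output (added example)."""
import statistics
from collections import defaultdict

# Constructed sample in tshark "-T fields" layout: "<time_relative>\t<qry_name>".
# The ddns.tk lines mirror the capture excerpt; the example.com lines are benign noise.
SAMPLE = """0.000\tax01.evil.ddns.tk
60.123\tax02.evil.ddns.tk
120.401\tax03.evil.ddns.tk
180.598\tax04.evil.ddns.tk
240.011\tax05.evil.ddns.tk
3.2\twww.example.com
71.9\tcdn.example.com
300.4\twww.example.com
"""


def parse_tshark_fields(text):
    """Yield (t_rel, qname) from tshark -T fields output.

    Real tshark separates fields with a tab; the page's excerpt shows spaces,
    so both are accepted.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, name = line.split("\t", 1) if "\t" in line else line.split(None, 1)
        yield float(t), name.lower().rstrip(".")


def apex(qname, labels=2):
    """Crude apex: keep the last `labels` DNS labels.

    Assumption: no public-suffix list is available offline, so "evil.ddns.tk"
    collapses to "ddns.tk", matching the string the Suricata rule keys on.
    """
    return ".".join(qname.split(".")[-labels:])


def beacon_stats(text, min_count=4, max_cv=0.05):
    """Return {apex: (count, mean_delta, cv, flagged)}.

    flagged is True when the apex was queried at least `min_count` times and the
    coefficient of variation (stdev / mean) of the inter-arrival deltas is at
    most `max_cv`, i.e. the queries arrive on a near-fixed period.
    """
    times = defaultdict(list)
    for t, name in parse_tshark_fields(text):
        times[apex(name)].append(t)

    out = {}
    for dom, ts in times.items():
        ts.sort()
        if len(ts) < min_count:
            out[dom] = (len(ts), None, None, False)
            continue
        deltas = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(deltas)
        cv = statistics.pstdev(deltas) / mean if mean else float("inf")
        out[dom] = (len(ts), round(mean, 3), round(cv, 4), cv <= max_cv)
    return out


if __name__ == "__main__":
    for dom, (n, mean, cv, flagged) in sorted(beacon_stats(SAMPLE).items()):
        status = "BEACON" if flagged else "ok"
        print(f"{dom:<14} n={n:<3} period={mean} cv={cv} {status}")
```

The coefficient of variation, rather than a fixed "± 0.5s" window, keeps the check usable across beacons with different periods; an implant that adds deliberate jitter shows up as a higher `cv`, so `max_cv` is the knob to loosen when tuning against a known sample.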
</> code · suricata · detection rule
# Suricata parses one rule per line; trailing backslashes join the wrapped lines.
alert dns any any -> any any ( \
  msg:"DNS-tunnel · likely C2 beacon (ddns.tk)"; \
  dns.query; content:"ddns.tk"; nocase; \
  threshold: type both, track by_src, count 4, seconds 300; \
  classtype:trojan-activity; sid:1000231; rev:1; \
)

// more_in_security

More Security Labs.

  • Live SOC Tabletop · Multi-stage Intrusion

    Cohort defended against a multi-stage intrusion in the SOC lab — phishing → credential theft → lateral movement.