
Module 12 — Threat Hunting: Network

Type 6 · Reconstruct — hunt for C2 beaconing and other anomalies in Zeek logs from real malicious traffic, using RITA and your own analysis; you commit the hunt findings and the reasoning that separated beacon from noise. (Secondary: Eval Harness — a small precision check so CDN/benign periodicity doesn't flood the result.) Go to the hands-on lab →

Last reviewed: 2026-06

Defensive Operations · C2 hides in plain sight; beaconing is how you find it.

Difficulty: Intermediate  ·  Estimated time: ~5–7 hrs (study + lab)  ·  Prerequisites: Foundations

In 60 seconds

The network-side counterpart to endpoint hunting rests on one fact: machines are rhythmic and humans aren't. An attacker can blend C2 content into normal web traffic, but the implant still calls home on a schedule — beaconing — with a tell-tale interval no human browsing produces. So network hunting looks for statistical tells (beacons, abnormally long-lived connections, rare destinations) rather than signatures. RITA automates the maths over Zeek's conn.log. The skill is separating mechanical-benign (a CDN that also polls) from mechanical-malicious — which needs your environment's baseline.

Why this matters

Attackers blend C2 into normal web traffic, but the rhythm gives them away — regular, repeated callbacks (beaconing) that no human browsing produces. Network threat hunting looks for these statistical tells across connection logs. RITA, working on Zeek logs, automates beacon and long-connection analysis, and you can hunt real C2 in real malware traffic for free.

Objective

Hunt for C2 beaconing and other anomalies in Zeek logs from real malicious traffic, using RITA and your own analysis.

The core idea

This is the network-side counterpart to endpoint hunting, and it rests on one beautiful fact: machines are rhythmic and humans aren't. An attacker can blend C2 content into normal-looking web traffic, but the implant still calls home on a schedule — beaconing — producing regular, repeated connections with a tell-tale interval (even with jitter) that no human browsing ever generates. So network hunting looks for statistical tells across connection logs rather than matching signatures. RITA, running over Zeek's conn.log, automates the beacon, long-connection, and rare-destination maths.

The mental model

For the network engineer this is the familiar habit of reading flow data for "who talks to whom," sharpened into "how regularly does this internal host talk to that external one — and is that rhythm human or mechanical?" Beaconing, abnormally long-lived connections, and rare destinations are the three classic shapes; DNS gets its own attention because it's so often allowed straight out, which makes it a favourite tunnelling and exfil channel.

The gotcha

This is statistical, not signature — and statistics without a baseline lie. The textbook false positive is a CDN, NTP source, or telemetry agent that also polls on a fixed interval; RITA will surface it and a model will gladly label it "C2." The actual skill is separating mechanical-benign from mechanical-malicious, which needs your environment's context — verify every candidate against the data and the known-bad write-up.
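The mental-model question ("how regularly does this internal host talk to that external one?") and the gotcha above (a CDN that polls on a fixed interval scores just as rhythmic as an implant) can be made concrete in a few dozen lines. The following is an added example, not RITA's code and not part of the module: it parses constructed Zeek conn.log lines by their `#fields` header, scores each (source, destination, port) pair by the coefficient of variation of its inter-arrival gaps, and applies a baseline allowlist (`BENIGN_PERIODIC`, an assumed placeholder standing in for your environment's known pollers) so the benign rhythm is suppressed rather than reported. The 0.2 CV threshold and all hosts and timestamps are assumptions.

```python
import random
import statistics
from collections import defaultdict

ZEEK_HEADER = "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
BENIGN_PERIODIC = {"198.51.100.7"}  # constructed baseline: known CDN/telemetry pollers

def make_conn_log(seed=1):
    # Constructed conn.log lines, not real traffic: a 60 s beacon with +/-10% jitter,
    # a CDN polled every 30 s exactly, and human browsing with random gaps.
    rng, t0 = random.Random(seed), 1_700_000_000.0
    row = lambda ts, src, dst: f"{ts:.6f}\t{src}\t51000\t{dst}\t443\ttcp"
    lines = [ZEEK_HEADER]
    lines += [row(t0 + i * 60 + rng.uniform(-6, 6), "10.0.0.5", "203.0.113.9") for i in range(120)]
    lines += [row(t0 + i * 30, "10.0.0.5", "198.51.100.7") for i in range(240)]
    t = t0
    for _ in range(120):  # exponential gaps give CV near 1, the human signature
        t += rng.expovariate(1 / 60)
        lines.append(row(t, "10.0.0.8", "192.0.2.44"))
    return lines

def parse_conn_log(lines):
    # Parse Zeek TSV by its #fields header, so column order does not matter.
    fields, rows = [], []
    for line in lines:
        if line.startswith("#fields"):
            fields = line.rstrip("\n").split("\t")[1:]
        elif line.strip() and not line.startswith("#"):
            rows.append(dict(zip(fields, line.rstrip("\n").split("\t"))))
    return rows

def beacon_scores(rows, min_conns=20):
    # Per (orig_h, resp_h, resp_p): count, median gap, and the gap's coefficient of
    # variation (stdev / mean). A low CV means a mechanical rhythm, jitter or not.
    times = defaultdict(list)
    for r in rows:
        times[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    scores = {}
    for key, ts in ((k, sorted(v)) for k, v in times.items() if len(v) >= min_conns):
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        scores[key] = {"count": len(ts), "interval": statistics.median(gaps),
                       "cv": statistics.pstdev(gaps) / statistics.fmean(gaps)}
    return scores

def hunt(rows, cv_max=0.2):
    # Rhythmic pairs minus known-benign pollers; the suppressed ones are returned
    # too, so the analyst can review what the baseline filtered out.
    candidates, suppressed = [], []
    for key, s in sorted(beacon_scores(rows).items(), key=lambda kv: kv[1]["cv"]):
        if s["cv"] <= cv_max:
            (suppressed if key[1] in BENIGN_PERIODIC else candidates).append((key, s))
    return candidates, suppressed
```

Run `hunt(parse_conn_log(make_conn_log()))`: the jittered 60 s beacon is the only candidate, the CDN poll lands in the suppressed list with a CV of zero, and the human browser never scores rhythmic.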

AI caveat

A model explains a suspicious connection pattern and drafts analysis of Zeek logs — but beaconing detection is statistical, and the model can't see your baseline; it'll call a CDN's regular polling "C2." Verify candidates against the data and the known-bad write-up.

Learn (~4 hrs)

The method & tool
  • Detecting Malware Beacons with Zeek and RITA (video) — beacon hunting end to end.
  • RITA (Real Intelligence Threat Analytics) — OSS network-hunt tool: beacons, long connections, rare destinations.

Concepts
  • MITRE ATT&CK — Command and Control (TA0011) — what you're hunting and how it manifests on the wire.

Key concepts

  • Beaconing: regularity as a signal (interval + jitter)
  • Long connections and rare destinations
  • Hunting in connection logs (Zeek conn.log) at scale
  • Statistical vs signature approaches
  • DNS-based C2 and exfil

Check yourself

  • Why does beaconing show up even when the C2 channel is fully encrypted?
  • A host calls one external destination every 60 seconds, all day — what benign explanations must you rule out before calling it C2?
  • Why is "statistical, not signature" both the strength and the weakness of this kind of hunting?
