Cheat sheet — Dynamic Analysis: Network¶
Companion to Module 06 — Dynamic Analysis — Network · CC BY 4.0 — print it, pin it, share it.
Last reviewed: 2026-07
Only detonate live malware in an isolated, disposable analysis VM with no route to the real internet — point it at a local sink, never a live C2.
INetSim — the fake internet¶
inetsim # serve DNS, HTTP(S), SMTP… answer every request
# config: /etc/inetsim/inetsim.conf → set service_bind_address to the analysis subnet
tail -f /var/log/inetsim/service.log # watch the sample check in
- The sink answers every protocol request with a plausible response so the sample keeps executing and you observe the full exchange. Point the sample's default gateway/DNS at the sink IP.
tshark — capture and read the beacon¶
tshark -i eth0 -w capture.pcap # capture to disk
tshark -r capture.pcap -Y 'http.request' # display filter: only HTTP requests
tshark -r capture.pcap -Y 'http.request' \
-T fields -e http.host -e http.request.uri -e http.user_agent # the invariants
tshark -r capture.pcap -Y 'dns' -T fields -e dns.qry.name # DNS C2 hostnames
tshark -r capture.pcap -q -z io,stat,30 # traffic per 30s → spot the beacon interval
tshark -r capture.pcap -Y 'http' -z follow,tcp,ascii,0 # follow a stream
- Read the request invariants — URI structure, User-Agent, headers, interval — not the reshapeable body. Legit traffic is irregular; a beacon is regular (fixed interval + jitter, synthetic UA, a domain registered last week).
Suricata — the network signature¶
alert http $HOME_NET any -> $EXTERNAL_NET any (
msg:"C2 beacon — synthetic UA + fixed URI";
flow:established,to_server;
http.method; content:"GET";
http.uri; content:"/jquery.min.js"; bsize:14;
http.user_agent; content:"BeaconUA/1.0";
classtype:trojan-activity;
sid:1000001; rev:1;
)
suricata -T -c /etc/suricata/suricata.yaml -S my.rules # -T: test — validate BEFORE trusting
suricata -r capture.pcap -S my.rules -l ./out/ # run rules over the PCAP
cat ./out/fast.log # see what fired
- Always gate an AI-drafted rule through
suricata -T— a rule that silently fails to compile is worse than no rule, it drops detections quietly.
C2 protocol classes — different detection challenge each¶
| Channel | Tell | ATT&CK |
|---|---|---|
| HTTP | URI pattern, synthetic User-Agent, fixed interval | T1071.001 |
| HTTPS | metadata only (SNI, JA3/JARM, cert) — body is encrypted | T1071.001 / T1571 |
| DNS | long hostnames, high query rate to one SLD, TXT exfil | T1071.004 |
Gotchas worth remembering¶
- The detection lives in the pattern, not the protocol. C2 is ordinary HTTP/DNS/TLS at the protocol level; the beacon's regularity is what a rule keys on.
- Don't anchor on content the operator can reshape. Cobalt Strike malleable C2 profiles rotate the body/URI/UA with one config line — build on invariants (structural pieces in every beacon), or the rule dies on rotation.
- HTTPS hides the body — you detect on metadata (SNI, JA3/JARM, cert anomalies, timing), never on request content.
- The C2 response content rarely matters. What you signature is the shape of the request.
- Detonate against the sink only. A rule you validate on captured beacon traffic must still stay quiet on benign traffic — the fire-on-beacon-not-benign gate is the whole point.
Comments
Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).