Skip to content

Cheat sheet — Dynamic Analysis: Network

Companion to Module 06 — Dynamic Analysis — Network · CC BY 4.0 — print it, pin it, share it.

Last reviewed: 2026-07

Only detonate live malware in an isolated, disposable analysis VM with no route to the real internet — point it at a local sink, never a live C2.

INetSim — the fake internet

inetsim                                # serve DNS, HTTP(S), SMTP… answer every request
# config: /etc/inetsim/inetsim.conf  → set service_bind_address to the analysis subnet
tail -f /var/log/inetsim/service.log   # watch the sample check in
  • The sink answers every protocol request with a plausible response so the sample keeps executing and you observe the full exchange. Point the sample's default gateway/DNS at the sink IP.

tshark — capture and read the beacon

tshark -i eth0 -w capture.pcap                         # capture to disk
tshark -r capture.pcap -Y 'http.request'               # display filter: only HTTP requests
tshark -r capture.pcap -Y 'http.request' \
       -T fields -e http.host -e http.request.uri -e http.user_agent   # the invariants
tshark -r capture.pcap -Y 'dns' -T fields -e dns.qry.name              # DNS C2 hostnames
tshark -r capture.pcap -q -z io,stat,30                # traffic per 30s → spot the beacon interval
tshark -r capture.pcap -Y 'http' -z follow,tcp,ascii,0 # follow a stream
  • Read the request invariants — URI structure, User-Agent, headers, interval — not the reshapeable body. Legit traffic is irregular; a beacon is regular (fixed interval + jitter, synthetic UA, a domain registered last week).

Suricata — the network signature

alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"C2 beacon — synthetic UA + fixed URI";
    flow:established,to_server;
    http.method; content:"GET";
    http.uri; content:"/jquery.min.js"; bsize:14;
    http.user_agent; content:"BeaconUA/1.0";
    classtype:trojan-activity;
    sid:1000001; rev:1;
)
suricata -T -c /etc/suricata/suricata.yaml -S my.rules   # -T: test — validate BEFORE trusting
suricata -r capture.pcap -S my.rules -l ./out/           # run rules over the PCAP
cat ./out/fast.log                                       # see what fired
  • Always gate an AI-drafted rule through suricata -T — a rule that silently fails to compile is worse than no rule, it drops detections quietly.

C2 protocol classes — different detection challenge each

Channel Tell ATT&CK
HTTP URI pattern, synthetic User-Agent, fixed interval T1071.001
HTTPS metadata only (SNI, JA3/JARM, cert) — body is encrypted T1071.001 / T1571
DNS long hostnames, high query rate to one SLD, TXT exfil T1071.004

Gotchas worth remembering

  • The detection lives in the pattern, not the protocol. C2 is ordinary HTTP/DNS/TLS at the protocol level; the beacon's regularity is what a rule keys on.
  • Don't anchor on content the operator can reshape. Cobalt Strike malleable C2 profiles rotate the body/URI/UA with one config line — build on invariants (structural pieces in every beacon), or the rule dies on rotation.
  • HTTPS hides the body — you detect on metadata (SNI, JA3/JARM, cert anomalies, timing), never on request content.
  • The C2 response content rarely matters. What you signature is the shape of the request.
  • Detonate against the sink only. A rule you validate on captured beacon traffic must still stay quiet on benign traffic — the fire-on-beacon-not-benign gate is the whole point.

Comments

Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).