Command and Control (C2)
I'll sum up what C2s are again here, too lazy to do it for now
This section tries to identify signs that could point to a C2 beacon trying to call back to its server.
C2 over DNS
Some of the beacons used by C2 frameworks like Cobalt Strike offer the possibility to call back to the server via DNS. The idea is that this kind of traffic is less likely to be considered suspect. We can hunt for it by looking for DNS requests with a high count of unique subdomains, unusual DNS queries and responses, or unusual sizes.
network.protocol: dns AND NOT dns.question.name: *arpa AND dns.question.registered_domain:whatever.xyz AND host.name: WKSTN-1 
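
The query above gives the filter; the scoring that turns the remaining records into a short list of domains worth a look is shown here as an added example (not part of the original page or of any C2 framework). It builds a constructed batch of ECS-shaped DNS query records (the placeholder domain whatever.xyz and host WKSTN-1 are taken from the query above, the rest is made up), applies the same exclusions as the query (dns protocol only, no *.arpa names, one host), and then aggregates per registered domain the count of unique subdomains, the average query-name length and the average Shannon entropy of the subdomain part. The registered_domain helper is a naive last-two-labels shortcut, an assumption that stands in for the public-suffix-list logic ECS uses to populate dns.question.registered_domain; the thresholds in flag_suspicious are illustrative.

```python
import hashlib
import math
from collections import defaultdict


def make_record(host, name, qtype="A"):
    """Build a minimal ECS-shaped DNS query record (constructed sample data)."""
    return {"host": {"name": host},
            "network": {"protocol": "dns"},
            "dns": {"question": {"name": name, "type": qtype}}}


def build_sample_logs():
    """Constructed sample: a few benign lookups, one PTR query, and a
    beacon-like burst of long, high-entropy TXT queries under whatever.xyz.
    Hypothetical data, not captured traffic."""
    logs = [make_record("WKSTN-1", n) for n in
            ("www.example.com", "mail.example.com", "cdn.example.com",
             "www.example.com", "5.0.168.192.in-addr.arpa")]
    for i in range(40):
        # deterministic pseudo-random labels so the run is reproducible
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:50]
        logs.append(make_record("WKSTN-1", f"{label}.whatever.xyz", "TXT"))
    # another host touching the same domain once; dropped by the host filter
    logs.append(make_record("WKSTN-2", "abc.whatever.xyz", "TXT"))
    return logs


def registered_domain(name):
    """Naive registered-domain extraction (last two labels). Assumption:
    good enough for the sample; real ECS uses the public suffix list,
    so this breaks on suffixes like co.uk."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def summarize(records, host=None):
    """Aggregate per registered domain: query count, unique subdomains,
    average full-name length, mean subdomain entropy and query types.
    Applies the same exclusions as the hunting query: dns protocol only,
    no *.arpa names, optionally a single host."""
    subs = defaultdict(set)
    stats = defaultdict(lambda: {"queries": 0, "name_len": 0,
                                 "entropy": 0.0, "types": set()})
    for r in records:
        if r["network"]["protocol"] != "dns":
            continue
        if host and r["host"]["name"] != host:
            continue
        name = r["dns"]["question"]["name"].rstrip(".").lower()
        if name.endswith(".arpa"):
            continue
        dom = registered_domain(name)
        sub = name[:-len(dom)].rstrip(".")  # everything left of the domain
        s = stats[dom]
        s["queries"] += 1
        s["name_len"] += len(name)
        s["entropy"] += shannon_entropy(sub)
        s["types"].add(r["dns"]["question"]["type"])
        subs[dom].add(sub)
    return {dom: {"queries": s["queries"],
                  "unique_subdomains": len(subs[dom]),
                  "avg_name_len": s["name_len"] / s["queries"],
                  "avg_sub_entropy": s["entropy"] / s["queries"],
                  "types": sorted(s["types"])}
            for dom, s in stats.items()}


def flag_suspicious(stats, min_unique=20, min_avg_len=30, min_entropy=3.0):
    """Domains with many unique subdomains AND either long names or
    high-entropy labels. Thresholds are illustrative; tune per environment."""
    return sorted(d for d, s in stats.items()
                  if s["unique_subdomains"] >= min_unique
                  and (s["avg_name_len"] >= min_avg_len
                       or s["avg_sub_entropy"] >= min_entropy))


if __name__ == "__main__":
    stats = summarize(build_sample_logs(), host="WKSTN-1")
    for dom, s in sorted(stats.items()):
        print(f"{dom:14} queries={s['queries']:3} unique={s['unique_subdomains']:3} "
              f"avg_len={s['avg_name_len']:5.1f} "
              f"entropy={s['avg_sub_entropy']:.2f} types={s['types']}")
    print("suspicious:", flag_suspicious(stats))
```

Run it and whatever.xyz stands out with 40 distinct 50-character labels, a 63-character average name and TXT-only queries, while example.com sits at three short, low-entropy subdomains. On real data, feed the output of the filter above (exported from Kibana or pulled through the Elasticsearch API) into summarize and raise the thresholds until known CDNs and telemetry domains drop out.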

Once the IP is identified, we can zero in on it, inspect the traffic, find out which processes generated it, and then check what else the parent process did.