
Day 22 of Advent of Cyber Focuses on C2 Traffic Detection Using RITA
Day 22 of the Advent of Cyber (TryHackMe) addresses the detection of Command and Control (C2) traffic using the tool RITA (Real Intelligence Threat Analytics). The goal is to analyze network traffic captured in a PCAP file to identify malicious communications related to a remote access trojan (AsyncRAT).
The demonstration shows the conversion of the PCAP into Zeek logs (Zeek's tab-separated log files such as conn.log and http.log), followed by their analysis with RITA. The steps are: importing the Zeek log directory into a RITA database, using RITA's filters (e.g., dst to focus on a destination, beacon to show only beaconing pairs) and sorting (e.g., by duration) to surface suspicious connections, and examining metrics such as the beacon score, the prevalence (the number of internal hosts communicating with a destination), and the destination ports used. The practical exercise identifies 6 hosts communicating with mauhair.net, a beacon score above 70, and port 80 as the port used for the connection.
Key concepts include the detection of C2 beacons (repeated connections at regular intervals), the analysis of connection intervals, and the identification of rare signatures in HTTP headers (such as an uncommon User-Agent value seen from only one or two hosts). Zeek and RITA are presented as open-source tools for network monitoring and threat analysis. https://www.youtube.com/watch?v=_aezrep95mo
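As an added example (not code from TryHackMe or from the RITA project), the following Python script illustrates the two metrics the walkthrough relies on, beacon regularity and prevalence, over a few constructed Zeek conn.log lines. The scoring is a deliberate simplification: it rates only the regularity of the inter-connection intervals (coefficient of variation), whereas RITA also weighs data-size dispersion and other features; the host names, IPs, timestamps and the column subset are assumed for illustration only. In practice the logs would come from running `zeek -r capture.pcap` on the PCAP and the analysis from RITA itself; this script only shows what those numbers mean.

```python
"""Simplified beacon-score and prevalence analysis over Zeek conn.log rows.

Added illustration, not RITA's algorithm and not TryHackMe's material:
scores interval regularity per (source, destination) pair and counts how
many distinct sources talk to each destination (prevalence).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed conn.log excerpt. Only the columns this script reads are kept;
# a real conn.log carries many more and starts with #separator/#types lines.
HEADER = "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration"


def _conn_lines(orig, resp, port, service, offsets, base=1700000000.0):
    """Build TSV rows for one source/destination pair at the given second offsets."""
    return [f"{base + o:.6f}\t{orig}\t{40000 + i}\t{resp}\t{port}\ttcp\t{service}\t0.5"
            for i, o in enumerate(offsets)]


SAMPLE_CONN_LOG = "\n".join(
    [HEADER, "#types\ttime\taddr\tport\taddr\tport\tenum\tstring\tinterval"]
    # perfectly regular 60 s beacon (assumed C2 check-in)
    + _conn_lines("10.0.0.5", "203.0.113.10", 80, "http", [60 * i for i in range(10)])
    # second infected host, same 60 s period with +/-1 s jitter
    + _conn_lines("10.0.0.7", "203.0.113.10", 80, "http",
                  [60 * i + (1 if i % 2 else -1) for i in range(8)])
    # irregular, human-looking browsing to an unrelated host
    + _conn_lines("10.0.0.8", "198.51.100.20", 443, "ssl", [0, 5, 300, 310, 2000, 2005, 9000])
)


def parse_conn_log(text):
    """Parse Zeek TSV text using its #fields header; skip other comment lines."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["id.resp_p"] = int(rec["id.resp_p"])
        rec["duration"] = 0.0 if rec["duration"] == "-" else float(rec["duration"])
        records.append(rec)
    return records


def prevalence(records):
    """Number of distinct source hosts that contacted each destination."""
    sources = defaultdict(set)
    for r in records:
        sources[r["id.resp_h"]].add(r["id.orig_h"])
    return {dst: len(srcs) for dst, srcs in sources.items()}


def interval_score(timestamps, min_conns=5):
    """0-100 regularity score: 100 when every interval is identical, 0 when the
    interval spread is as large as the mean interval. Timing only (simplified)."""
    if len(timestamps) < min_conns:
        return 0.0
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(intervals)
    if mu <= 0:
        return 0.0
    cv = pstdev(intervals) / mu  # coefficient of variation of the intervals
    return round(max(0.0, 1.0 - cv) * 100, 1)


def rank_beacons(records, min_conns=5):
    """Score every (src, dst) pair and return them sorted by beacon score."""
    stamps, ports = defaultdict(list), defaultdict(set)
    for r in records:
        key = (r["id.orig_h"], r["id.resp_h"])
        stamps[key].append(r["ts"])
        ports[key].add(r["id.resp_p"])
    prev = prevalence(records)
    results = [{
        "src": src, "dst": dst,
        "ports": sorted(ports[(src, dst)]),
        "connections": len(ts),
        "beacon_score": interval_score(ts, min_conns),
        "prevalence": prev[dst],
    } for (src, dst), ts in stamps.items()]
    return sorted(results, key=lambda x: x["beacon_score"], reverse=True)


if __name__ == "__main__":
    for row in rank_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{row['src']:>10} -> {row['dst']:<15} ports={row['ports']} "
              f"conns={row['connections']:>2} score={row['beacon_score']:>5} "
              f"prevalence={row['prevalence']}")
```

Running it ranks the two 60-second talkers to 203.0.113.10 at the top (scores 100 and roughly 97) with prevalence 2 on port 80, while the irregular browsing pair scores 0; this is the same triage the walkthrough performs in RITA's viewer, where a high beacon score combined with a low prevalence and an unusual port is what flags the destination as a C2 candidate.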