analyzing-command-and-control-communication

Featured

Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or command-and-control infrastructure mapping.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Analyzing Command-and-Control Communication

## When to Use

- Reverse engineering a malware sample has revealed network communication that needs protocol analysis
- Building network-level detection signatures for a specific C2 framework (Cobalt Strike, Metasploit, Sliver)
- Mapping C2 infrastructure including primary servers, fallback domains, and dead drops
- Analyzing encrypted or encoded C2 traffic to understand the command set and data format
- Attributing malware to a threat actor based on C2 infrastructure patterns and tooling

**Do not use** for general network anomaly detection; this is specifically for understanding known or suspected C2 protocols from malware analysis.

## Prerequisites

- PCAP capture of malware network traffic (from sandbox, network tap, or full packet capture)
- Wireshark/tshark for packet-level analysis
- Reverse engineering tools (Ghidra, dnSpy) for understanding C2 code in the malware binary
- Python 3.8+ with `scapy`, `dpkt`, and `requests` for protocol analysis and replay
- Threat intelligence databases for C2 infrastructure correlation (VirusTotal, Shodan, Censys)
- JA3/JA3S fingerprint databases for TLS-based C2 identification

## Workflow

### Step 1: Identify the C2 Channel

Determine the protocol and transport used for C2 communication:

```
C2 Communication Channels:
━━━━━━━━━━━━━━━━━━━━━━━━━
HTTP/HTTPS: Most common; uses standard web traffic to blend in
  Indicators: Regular POST/GET requests, specific URI pattern...
```
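As an added example for Step 1 (not part of the skill or of the mukul975 repository), the script below takes a tshark field export, groups requests per destination, and reports which channels show the HTTP indicators the page names (regular GET/POST timing and a fixed URI shape) and which DNS zones carry tunnel-shaped queries. It expects the TSV printed by `tshark -r sample.pcap -T fields -E separator=/t -e frame.time_epoch -e ip.dst -e tcp.dstport -e udp.dstport -e http.request.method -e http.request.uri -e dns.qry.name`; the command and field names are real tshark syntax, the TSV sample is constructed, and the thresholds (CV below 0.3, at most half as many URI templates as requests, at least five subdomains with a 20+ character leftmost label) are this example's assumptions, not the skill's.

```python
"""Triage tshark -T fields output (see lead-in) into candidate C2 channels.
Added example, not the skill's code; the sample data below is constructed."""
import re
import statistics
from collections import Counter, defaultdict

FIELDS = ("ts", "dst", "tcp_port", "udp_port", "method", "uri", "qname")

# Constructed sample: an HTTP beacon (~60 s period, small jitter), ordinary
# browsing to a second host, tunnel-shaped DNS under one zone, a normal lookup.
SAMPLE_TSV = (
    "1700000000.000\t203.0.113.10\t80\t\tGET\t/api/v1/1a2b3c4d5e6f7a8b/status\t\n"
    "1700000060.000\t203.0.113.10\t80\t\tGET\t/api/v1/9f8e7d6c5b4a3f2e/status\t\n"
    "1700000118.000\t203.0.113.10\t80\t\tGET\t/api/v1/0011223344556677/status\t\n"
    "1700000181.000\t203.0.113.10\t80\t\tGET\t/api/v1/deadbeefcafef00d/status\t\n"
    "1700000242.000\t203.0.113.10\t80\t\tGET\t/api/v1/8899aabbccddeeff/status\t\n"
    "1700000301.000\t203.0.113.10\t80\t\tGET\t/api/v1/1234abcd5678ef90/status\t\n"
    "1700000363.000\t203.0.113.10\t80\t\tPOST\t/api/v1/abcdef0123456789/result\t\n"
    "1700000005.000\t198.51.100.5\t80\t\tGET\t/index.html\t\n"
    "1700000007.500\t198.51.100.5\t80\t\tGET\t/css/site.css\t\n"
    "1700000100.000\t198.51.100.5\t80\t\tGET\t/news/2024/story.html\t\n"
    "1700000102.000\t198.51.100.5\t80\t\tGET\t/news/2024/other.html\t\n"
    "1700000010.000\t192.0.2.53\t\t53\t\t\t3f9a1c4be02d77a0c1f5e8b9.tunnel.example.net\n"
    "1700000011.000\t192.0.2.53\t\t53\t\t\t7c2e9d0a5b1f3e8d4a6c0b2f.tunnel.example.net\n"
    "1700000012.000\t192.0.2.53\t\t53\t\t\ta1b2c3d4e5f60718293a4b5c.tunnel.example.net\n"
    "1700000013.000\t192.0.2.53\t\t53\t\t\t0e1d2c3b4a5968778695a4b3.tunnel.example.net\n"
    "1700000014.000\t192.0.2.53\t\t53\t\t\tc0ffee00c0ffee00c0ffee00.tunnel.example.net\n"
    "1700000020.000\t192.0.2.53\t\t53\t\t\twww.example.com\n"
)

HEX_RE = re.compile(r"[0-9a-fA-F]{8,}")  # session/task ids embedded in URIs
NUM_RE = re.compile(r"\d{4,}")           # dates and counters


def parse_tshark_tsv(text):
    """Turn tshark -T fields output into dicts keyed by FIELDS (missing fields -> '')."""
    records = []
    for line in text.splitlines():
        if line.strip():
            parts = line.split("\t")
            parts += [""] * (len(FIELDS) - len(parts))
            rec = dict(zip(FIELDS, parts))
            rec["ts"] = float(rec["ts"])
            records.append(rec)
    return records


def uri_template(uri):
    """Collapse variable path components so repeated URI shapes group together."""
    return NUM_RE.sub("{n}", HEX_RE.sub("{hex}", uri.split("?", 1)[0]))


def interval_stats(times):
    """Mean gap and coefficient of variation; CV is None with fewer than 3 gaps."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps) if gaps else None
    cv = statistics.stdev(gaps) / mean if len(gaps) >= 3 and mean else None
    return mean, cv


def find_http_channels(records):
    """Group HTTP requests per destination and score beacon likeness."""
    flows = defaultdict(list)
    for r in records:
        if r["method"]:
            flows[(r["dst"], r["tcp_port"])].append(r)
    channels = []
    for (dst, port), reqs in flows.items():
        reqs.sort(key=lambda r: r["ts"])
        mean, cv = interval_stats([r["ts"] for r in reqs])
        templates = Counter(uri_template(r["uri"]) for r in reqs)
        # Regular timing plus few URI shapes is the page's HTTP indicator
        # ("regular POST/GET requests, specific URI pattern"); thresholds are ours.
        beacon_like = (len(reqs) >= 4 and cv is not None and cv < 0.3
                       and len(templates) / len(reqs) <= 0.5)
        channels.append({
            "id": f"http://{dst}:{port}", "transport": "http",
            "requests": len(reqs), "mean_interval": mean, "cv": cv,
            "methods": dict(Counter(r["method"] for r in reqs)),
            "uri_templates": dict(templates), "beacon_like": beacon_like})
    return channels


def find_dns_channels(records):
    """Group DNS queries per zone; many long unique subdomains suggest a tunnel."""
    zones = defaultdict(list)
    for r in records:
        labels = r["qname"].rstrip(".").lower().split(".")
        if len(labels) >= 3:  # need at least one label below the zone
            zones[".".join(labels[-2:])].append(labels)
    channels = []
    for zone, queries in zones.items():
        subdomains = {".".join(q[:-2]) for q in queries}
        mean_label = statistics.mean([len(q[0]) for q in queries])
        channels.append({
            "id": f"dns://{zone}", "transport": "dns", "queries": len(queries),
            "unique_subdomains": len(subdomains), "mean_label_len": mean_label,
            "tunnel_like": len(subdomains) >= 5 and mean_label >= 20})  # our thresholds
    return channels


def triage(tsv_text):
    """Return every HTTP and DNS channel seen, with its indicators and verdict."""
    records = parse_tshark_tsv(tsv_text)
    return find_http_channels(records) + find_dns_channels(records)
```

Run `triage(SAMPLE_TSV)` and the beacon to 203.0.113.10 comes back with a CV near 0.03 and only two URI templates, the browsing host with a CV above 1 and one template per request, and example.net with five distinct 24-character labels. HTTPS will not show a method or URI in this export, so for TLS channels you would swap in `tls.handshake.ja3` and group on the JA3 hash instead, which the page's JA3/JA3S prerequisite covers.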

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

analyzing-network-traffic-of-malware

Analyzes network traffic generated by malware during sandbox execution or live incident response to identify C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based malware detection.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-command-and-control-beaconing

Detect C2 beaconing patterns in network traffic using frequency analysis, jitter detection, and domain reputation to identify compromised endpoints communicating with adversary infrastructure.

12,642 Updated today
mukul975
Data & Documents Solid

ctf-malware

Provides malware analysis and network traffic techniques for CTF challenges. Use when analyzing obfuscated scripts, malicious packages, custom crypto protocols, C2 traffic, PE/.NET binaries, RC4/AES encrypted communications, YARA rules, shellcode analysis, memory forensics for malware (Volatility malfind, process injection detection), anti-analysis techniques (VM/sandbox detection, timing evasion, API hashing, process injection, environment checks), or extracting malware configurations and indicators of compromise.

2,227 Updated 4 weeks ago
ljagiello
AI & Automation Featured

hunting-for-beaconing-with-frequency-analysis

Identify command-and-control beaconing patterns in network traffic by applying statistical frequency analysis, jitter calculation, and coefficient of variation scoring to detect periodic callbacks from compromised endpoints.

12,642 Updated today
mukul975
AI & Automation Featured

analyzing-network-covert-channels-in-malware

Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration.

12,642 Updated today
mukul975