C2 Detection - Command & Carol | Advent of Cyber 2025 - Day 22
This guide contains the answers, and the steps needed to reach them, for the C2 Detection - Command & Carol room.
Table of contents
Detecting C2 with RITA
How many hosts are communicating with malhare.net?
First we need to prepare the logs for rita to analyze. This will be done using zeek. We can now verify that the logs have been created.

Now we import these logs into rita:
And then we can run rita to analyze the logs.
In the list we can see several hosts that are communicating with 'rabbithole.malhare.net'.
Click for answer
6
Which Threat Modifier tells us the number of hosts communicating to a certain destination?
Of these two modifiers, one states when it was first seen.
Click for answer
prevalence
What is the highest number of connections to rabbithole.malhare.net?
Looking through the entries with destination 'rabbithole.malhare.net', we can see on the right which one has the highest 'connection count'.

Click for answer
40
Which search filter would you use to search for all entries that communicate to rabbithole.malhare.net with a beacon score greater than 70% and sorted by connection duration (descending)?
We can use '?' in the search bar (after using '/') to find help if needed. We can simply add another search term with a space after our first one.
To search for something greater than a value, we must use 'column:>value'. Sorting can be done using 'sort:column-order'.
Click for answer
dst:rabbithole.malhare.net beacon:>70 sort:duration-desc
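To make the prevalence modifier and the search syntax above concrete, here is an added Python example (not part of the room or of RITA's code) that aggregates a few constructed Zeek conn.log-style rows per source/destination/port, counts how many distinct hosts talk to each destination, and applies a filter string in the same 'column:value', 'column:>value', 'sort:column-order' shape. The sample rows, the DNS name map standing in for the dns.log join, and the beacon score (a simple inter-arrival jitter measure, not RITA's actual algorithm) are all assumptions made for the example.

```python
"""Toy RITA-style aggregation and query over constructed Zeek conn.log rows."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample rows (ts, src, dst_ip, dst_port, duration); not real capture data.
CONN_ROWS = [
    # 10.0.0.13 -> 203.0.113.7:80 exactly every 60 s: very regular, beacon-like
    (1000.0, "10.0.0.13", "203.0.113.7", 80, 0.5),
    (1060.0, "10.0.0.13", "203.0.113.7", 80, 0.4),
    (1120.0, "10.0.0.13", "203.0.113.7", 80, 0.6),
    (1180.0, "10.0.0.13", "203.0.113.7", 80, 0.5),
    # 10.0.0.21 -> the same destination, but with irregular timing
    (1005.0, "10.0.0.21", "203.0.113.7", 80, 2.0),
    (1300.0, "10.0.0.21", "203.0.113.7", 80, 1.0),
    (1310.0, "10.0.0.21", "203.0.113.7", 80, 3.0),
    # 10.0.0.5 -> an unrelated destination, two long connections
    (1000.0, "10.0.0.5", "198.51.100.9", 443, 10.0),
    (1900.0, "10.0.0.5", "198.51.100.9", 443, 12.0),
]

# Constructed stand-in for the dns.log lookup that names destination IPs.
DNS_NAMES = {"203.0.113.7": "rabbithole.malhare.net", "198.51.100.9": "updates.example.org"}


def beacon_score(timestamps):
    """Regularity score 0-100 from inter-arrival jitter (assumed stand-in, not RITA's method)."""
    if len(timestamps) < 3:
        return 0.0
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    if m == 0:
        return 0.0
    cv = pstdev(gaps) / m  # coefficient of variation: 0 means perfectly periodic
    return round(max(0.0, 100.0 * (1.0 - cv)), 1)


def aggregate(rows, dns_names):
    """Group rows per (src, dst name, port) and compute count, total duration and beacon score."""
    groups = defaultdict(list)
    for ts, src, dst_ip, port, dur in rows:
        groups[(src, dns_names.get(dst_ip, dst_ip), port)].append((ts, dur))
    entries = []
    for (src, dst, port), conns in groups.items():
        conns.sort()  # order by timestamp before measuring intervals
        entries.append({
            "src": src, "dst": dst, "port": port,
            "connections": len(conns),
            "duration": round(sum(d for _, d in conns), 2),
            "beacon": beacon_score([t for t, _ in conns]),
        })
    return entries


def prevalence(entries, dst):
    """Number of distinct source hosts talking to dst (what the prevalence modifier reports)."""
    return len({e["src"] for e in entries if e["dst"] == dst})


TERM = re.compile(r"^(\w+):(>|<)?(.+)$")


def query(entries, text):
    """Apply a filter string of space-separated terms: column:value, column:>value, sort:column-order."""
    result = list(entries)
    for term in text.split():
        match = TERM.match(term)
        if not match:
            raise ValueError(f"unrecognised search term: {term}")
        column, op, value = match.groups()
        if column == "sort":
            col, order = value.rsplit("-", 1)
            result.sort(key=lambda e: e[col], reverse=(order == "desc"))
        elif op:
            threshold = float(value)
            result = [e for e in result
                      if (e[column] > threshold if op == ">" else e[column] < threshold)]
        else:
            result = [e for e in result if str(e[column]) == value]
    return result


if __name__ == "__main__":
    table = aggregate(CONN_ROWS, DNS_NAMES)
    print("prevalence of rabbithole.malhare.net:", prevalence(table, "rabbithole.malhare.net"))
    for hit in query(table, "dst:rabbithole.malhare.net beacon:>70 sort:duration-desc"):
        print(hit)
```

The filter terms are applied left to right, and filtering keeps list order, so 'sort:' can appear anywhere in the string. The strong beacon score for 10.0.0.13 comes purely from its fixed 60 s interval; a real tool also weighs data-size consistency and connection counts, which is why the score here should be read as illustrative only.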
Which port did the host 10.0.0.13 use to connect to rabbithole.malhare.net?
We don't need to filter the list as we don't have that many entries, but if we needed to, we could do so with:
The entry shows us the port used in the details pane.

Click for answer
80