Mystery C2

Challenge:

Our threat intel team detected some malicious Command-and-Control traffic in our network. Can you identify what C2 framework the threat actor is using?

You only have 5 attempts for this one.

Solution:

I began this challenge like all others involving a PCAP, with Zeek in combination with a custom CTF-centric script:

$ zeek -Cr c2.pcapng ~/Tools/ctf_pcaps.zeek

I reviewed the logs (conn, ssl, dns, and ntp) produced by Zeek’s analysis and was surprised by the very minimal amount of traffic captured in the PCAP. The only notable session in the connection log was an SSL connection to one of Google’s DNS servers:

10.0.2.15	57850	8.8.4.4	443	tcp	ssl

I verified the session by viewing the SSL log, which contained a single session:

10.0.2.15	57850	8.8.4.4	443	TLSv13	TLS_AES_128_GCM_SHA256	x25519	dns.google.com

From that session, in the context of the challenge, it would appear that the client was utilizing Google’s DNS over HTTPS service which would be similar to a standard DNS Tunneling C2 but I was not yet familiar with a DoH implementation so I turned to Google.

The first result from a Google search of dns over https C2 was for a GitHub project named GoDoH, a proof-of-concept written in GoLang for implementing a C2 channel using DNS over HTTPS, hence the name GoDoH. I tried this as as the challenge flag and it was accepted.