This project presents a structured network-based triage case study focused on detecting covert command-and-control (C2) beaconing activity from an internal host. Using a multi-layered approach, the case demonstrates how firewall alerts, NetFlow logs, and log correlation can reveal stealthy outbound traffic indicative of early-stage intrusion, even in the absence of traditional malware artifacts.
An alert was generated by the organization's next-generation firewall (NGFW) for repeated HTTPS connections to an unrecognized external domain. The internal host, located in the engineering subnet, showed beaconing behavior with precise 15-second intervals — a hallmark of automated C2 communication. No active user session was present, and no endpoint detection telemetry was available.
The network-based triage protocol proceeded in three steps:
- Step 1: Nmap Scan Review – to identify unexpected services on the source host.
- Step 2: Windows Event Log Analysis – to cross-check authentication activity, service creation, and process launches.
- Step 3: NetFlow Pattern Inspection – to validate repetitive traffic patterns and correlate them with other endpoints.
Detection and response spanned four visibility layers:
- Firewall Layer – the NGFW provided the first detection.
- NetFlow Collection Layer – revealed the periodic beaconing activity.
- Host Visibility Layer – lacked EDR but allowed partial log review.
- Resolution Layer – escalation to host triage confirmed PowerShell-based persistence.
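The NetFlow pattern inspection in Step 3 boils down to checking whether a source/destination pair connects at machine-regular intervals. The script below is an added example, not the case study's own tooling: it groups constructed flow records by (source, destination, port), measures the inter-arrival gaps, and flags pairs whose timing jitter is near zero, which is what the 15-second beacon looked like. The record layout, IP addresses and destination hostname are assumptions.

```python
# Added example: flag periodic outbound connections in NetFlow-style records.
# Field layout (timestamp, src_ip, dst_host, dst_port) is an assumption,
# not a specific NetFlow export format.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed flow records. 10.20.30.40 stands in for the engineering-subnet
# host from the case; the destination hostnames are placeholders.
_BASE = datetime(2024, 1, 1, 9, 0, 0)
FLOWS = (
    # twelve HTTPS connections exactly 15 seconds apart: beacon-like
    [(_BASE + timedelta(seconds=15 * i), "10.20.30.40", "unknown-domain.example", 443)
     for i in range(12)]
    # irregular, human-looking browsing from a neighbouring host
    + [(_BASE + timedelta(seconds=s), "10.20.30.41", "updates.example", 443)
       for s in (3, 40, 41, 95, 150, 151, 152, 300)]
)


def beacon_candidates(flows, min_flows=6, max_jitter=0.1):
    """Return {(src, dst, dport): mean_interval_seconds} for pairs whose
    inter-arrival intervals are nearly constant.

    max_jitter is the coefficient of variation (stdev / mean) of the gaps;
    a value near zero means automated, clock-driven timing. Pairs with
    fewer than min_flows connections are ignored to avoid noise.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)

    candidates = {}
    for key, stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            candidates[key] = round(avg, 1)
    return candidates


if __name__ == "__main__":
    for (src, dst, port), interval in beacon_candidates(FLOWS).items():
        print(f"{src} -> {dst}:{port} connects every {interval}s")
```

Real beacons often add deliberate jitter, so in practice the max_jitter threshold is tuned upward and combined with the NGFW reputation verdict rather than used alone.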
The outbound C2 domain was identified, reputation-checked, and blocked. The affected host was isolated, and a host-level investigation revealed unauthorized service creation and PowerShell script staging. Although no malware was dropped, credential access was attempted.
Key takeaways:
- NGFW alerts, when paired with NetFlow pattern recognition, are an effective way to detect fileless attacks.
- Early containment depends on correlating logs across systems before the endpoint compromise deepens.
- Repetitive outbound connections to low-reputation domains should always trigger escalation.
Steven Tuschman
GitHub: Compcode1