Detecting C2 Traffic from Network Telemetry: The Layered Approach

Manish Garg · Associate of (ISC)² · RingSafe
Apr 25, 2026

Last updated: April 26, 2026

C2 (Command and Control) traffic detection is the highest-leverage defensive control after initial-access prevention. By the time traffic flows from a compromised host to attacker infrastructure, the breach is happening in real time — and detection cuts dwell time from weeks to hours. This article covers C2 detection from network telemetry: beaconing analysis, JA4+ TLS fingerprinting, DNS analytics, and the layered approach that catches modern C2 across Sliver, Havoc, Mythic, and custom frameworks.

The beaconing pattern

Almost every C2 implant beacons: it sleeps, connects to attacker infrastructure to ask for tasking, and repeats. The pattern has signatures:

  • Regular interval (60s, 5min, 30min), usually blurred by a configured jitter (Cobalt Strike, Sliver and Havoc all randomise the sleep by a percentage), so look for a tight distribution of intervals rather than an exact period
  • Small request size (just “hi, anything for me?”), and the same size every time
  • Variable response size (commands and tasking): most replies are tiny, with the occasional large one when a task is queued
  • Extended duration (hours to days)
  • Outbound to non-business destinations, usually on 443 so it blends in with web traffic

Tools that find beacons:

  • RITA (Real Intelligence Threat Analytics) by Active Countermeasures — analyses Zeek logs for beaconing, long connections and DNS anomalies
  • Beacon-Hunter — Python tool, Zeek-input
  • Microsoft Sentinel — beaconing analytics rules and KQL hunting queries for Sentinel-hosted telemetry
  • Custom Splunk / Elastic queries over inter-connection interval variance

Splunk pattern for beacon hunting (field names follow the CIM-style src_ip / dst_ip; adjust to your sourcetype):

index=netflow
| where NOT cidrmatch("10.0.0.0/8", dst_ip) AND NOT cidrmatch("172.16.0.0/12", dst_ip) AND NOT cidrmatch("192.168.0.0/16", dst_ip)
| sort 0 src_ip dst_ip _time
| streamstats current=f last(_time) AS prev_time by src_ip dst_ip
| eval interval=_time-prev_time
| where isnotnull(interval)
| stats count AS conns avg(interval) AS avg_interval stdev(interval) AS stdev_interval min(_time) AS first_seen max(_time) AS last_seen by src_ip dst_ip
| eval jitter_ratio=stdev_interval/avg_interval, duration=last_seen-first_seen
| where conns >= 20 AND jitter_ratio < 0.2 AND duration > 3600
| sort - conns

This returns hosts whose connections to a destination recur at near-constant intervals (standard deviation of the inter-connection interval below 20% of its mean) for more than an hour. Measure the interval between connections, not the number of connections per time bin: binning by minute and taking the standard deviation of the per-minute count only works for beacons faster than the bin, since a 5-minute sleep shows up as counts of 1, 0, 0, 0, 0 and a large deviation.
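The same interval analysis run offline over Zeek-style connection records, as an added Python example for this article (not RITA's code or the author's). It uses the median absolute deviation of the intervals, which tolerates a single missed check-in better than a standard deviation does, and also reports how constant the request size is; the log lines are constructed and use a reduced conn.log column layout (ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes, resp_bytes), so a real run would read the full conn.log and pick those fields out.

```python
"""Beaconing detection over connection logs, in the spirit of RITA's beacon module.
Added example for this article, not code from RITA or the author. The records are
constructed and use a reduced Zeek conn.log layout (ts, id.orig_h, id.resp_h,
id.resp_p, orig_bytes, resp_bytes, tab separated); a real run would read conn.log."""
from collections import defaultdict
from statistics import mean, median, pstdev

def make_sample_log():
    """Constructed sample: one jittered 5-minute beacon and one ordinary browsing session."""
    lines, t = [], 1_700_000_000
    # Implant: 300s sleep with about +/-8% jitter, a constant 200-byte check-in, tasking only sometimes.
    gaps = [0, 291, 315, 276, 324, 300, 285, 318, 297, 309, 282, 306, 294, 312]
    resp = [120, 120, 4096, 120, 120, 120, 880, 120, 120, 120, 120, 120, 2300, 120]
    for gap, r in zip(gaps, resp):
        t += gap
        lines.append(f"{t}\t10.1.2.3\t203.0.113.10\t443\t200\t{r}")
    t = 1_700_000_000
    # Browser: bursty, irregular gaps, request and response sizes all over the place.
    for gap, sent, r in [(0, 512, 9000), (2, 480, 3000), (3, 700, 12000), (35, 350, 800), (1, 610, 45000),
                         (2, 520, 300), (257, 900, 7000), (600, 430, 6000), (5, 590, 2200), (1095, 505, 15000)]:
        t += gap
        lines.append(f"{t}\t10.1.2.3\t198.51.100.20\t443\t{sent}\t{r}")
    return lines

def parse(lines):
    """Group connections by (source, destination, port)."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, orig_h, resp_h, resp_p, orig_bytes, resp_bytes = line.split("\t")
        by_pair[(orig_h, resp_h, int(resp_p))].append((float(ts), int(orig_bytes), int(resp_bytes)))
    return by_pair

def dispersion(values):
    """Median absolute deviation relative to the median: robust to one missed check-in."""
    med = median(values)
    return median(abs(v - med) for v in values) / med if med > 0 else float("inf")

def detect_beacons(lines, min_conns=8, max_dispersion=0.2, min_duration=3600):
    """Flag (src, dst, port) pairs whose inter-connection intervals cluster tightly over a long span."""
    hits = []
    for (orig_h, resp_h, resp_p), conns in parse(lines).items():
        if len(conns) < min_conns:
            continue
        conns.sort()
        ts = [c[0] for c in conns]
        intervals = [b - a for a, b in zip(ts, ts[1:])]
        sent = [c[1] for c in conns]
        interval_disp = dispersion(intervals)
        duration = ts[-1] - ts[0]
        if interval_disp <= max_dispersion and duration >= min_duration:
            hits.append({"orig_h": orig_h, "resp_h": resp_h, "resp_p": resp_p, "count": len(conns),
                         "median_interval": median(intervals), "interval_dispersion": round(interval_disp, 3),
                         "request_size_cv": round(pstdev(sent) / (mean(sent) or 1), 3),  # ~0 for a fixed check-in
                         "duration_s": duration})
    return sorted(hits, key=lambda h: h["interval_dispersion"])

if __name__ == "__main__":
    for hit in detect_beacons(make_sample_log()):
        print(hit)
```

On the constructed data only the 203.0.113.10 pair is reported: fourteen connections, a 300 s median interval with 4% dispersion and a request-size coefficient of variation of zero. The browsing session to 198.51.100.20 has ten connections but its interval dispersion is far above the threshold. Tune min_conns and max_dispersion against your own baseline; a 30% jitter setting pushes dispersion up, so the threshold is a trade-off, not a constant.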

JA3 / JA4 TLS fingerprinting

Every TLS client implementation produces a distinctive ClientHello: TLS version, cipher suite list and order, extension list, supported groups and point formats. JA3 hashes those fields with MD5 in wire order; JA4 hashes a sorted form and adds ALPN and the signature algorithms, so simply reordering ciphers or extensions does not change it.

  • Each C2 framework has known JA3/JA4 fingerprints (community-maintained lists), but a fingerprint identifies the TLS stack, not the tool: a Go implant such as Sliver shares its fingerprint with every other Go program built with the same toolchain, so expect collisions with legitimate software and treat a match as a lead, not a verdict
  • Modern attackers borrow or shape their TLS stack to mimic legitimate clients: Cobalt Strike’s Beacon uses the Windows WinINet stack and so looks like Windows itself, and Go implants can use uTLS to imitate a browser handshake. Cobalt Strike “malleable C2 profiles” shape the HTTP layer (URIs, headers, body encoding) and the server certificate rather than the client fingerprint
  • JA4+ is a suite rather than a single hash: JA4 (TLS ClientHello), JA4S (ServerHello), JA4H (HTTP request), JA4X (X.509 certificate), JA4T (TCP options) and others. Matching on several of them together is much harder to evade than JA3 alone

Deployment: Zeek with the JA4 package, Suricata with JA3 logging (JA4 in newer releases), commercial NDR products. Alert when a client JA4 matches a known C2 fingerprint, when a fingerprint never seen in the estate appears, or when a host’s set of fingerprints changes without a corresponding software change.
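To make the difference between the two fingerprints concrete, here is an added Python example (not code from the JA3/JA4 projects, Zeek, or the author) that parses a raw TLS ClientHello and computes both JA3 and JA4. The ClientHello is constructed inline by build_client_hello() with illustrative cipher and extension values, including GREASE entries that both algorithms must ignore; sample_hello() accepts a cipher order so you can see that JA3 changes when the suites are shuffled while JA4 does not.

```python
"""JA3 and JA4 client fingerprints from a raw TLS ClientHello. Added example for
this article, not code from the JA3/JA4 projects, Zeek or the author. The
ClientHello is constructed inline; its values are illustrative, not a real client's."""
import hashlib
import struct

GREASE = {0x0a0a + 0x1010 * i for i in range(16)}     # 0x0a0a, 0x1a1a, ..., 0xfafa
JA4_VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}

def ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def sni_ext(host):
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    return ext(0x0000, struct.pack("!H", len(entry)) + entry)

def alpn_ext(protocols):
    body = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    return ext(0x0010, struct.pack("!H", len(body)) + body)

def u16_list_ext(ext_type, values, prefix=2):
    body = b"".join(struct.pack("!H", v) for v in values)
    return ext(ext_type, len(body).to_bytes(prefix, "big") + body)

def build_client_hello(version, ciphers, extensions):
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                          # one compression method: null
    blob = b"".join(extensions)
    body += struct.pack("!H", len(blob)) + blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (legacy version, [cipher ids], [(ext type, ext data)] in wire order)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:]                                            # skip record and handshake headers
    version = struct.unpack("!H", body[:2])[0]
    pos = 35 + body[34]                                          # skip random and session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                         # skip compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end, exts = pos + ext_len, []
    while pos + 4 <= end:
        et, el = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        exts.append((et, body[pos:pos + el])); pos += el
    return version, ciphers, exts

def u16_list(data, prefix=2):
    n = int.from_bytes(data[:prefix], "big")
    return [int.from_bytes(data[i:i + 2], "big") for i in range(prefix, prefix + n, 2)]

def ja3(record):
    """JA3: MD5 of 'version,ciphers,extensions,groups,point_formats' in decimal, wire order."""
    version, ciphers, exts = parse_client_hello(record)
    ext_map = dict(exts)
    groups = u16_list(ext_map.get(0x000a, b"\x00\x00"))
    formats = list(ext_map[0x000b][1:]) if 0x000b in ext_map else []
    text = ",".join([str(version),
                     "-".join(str(c) for c in ciphers if c not in GREASE),
                     "-".join(str(t) for t, _ in exts if t not in GREASE),
                     "-".join(str(g) for g in groups if g not in GREASE),
                     "-".join(str(f) for f in formats)])
    return text, hashlib.md5(text.encode()).hexdigest()

def ja4(record, transport="t"):
    """JA4 client fingerprint: sorted ciphers/extensions plus ALPN and signature algorithms."""
    version, ciphers, exts = parse_client_hello(record)
    ext_map = dict(exts)
    if 0x002b in ext_map:                                        # supported_versions beats the legacy field
        version = max(v for v in u16_list(ext_map[0x002b], 1) if v not in GREASE)
    ciphers = [c for c in ciphers if c not in GREASE]
    ext_types = [t for t, _ in exts if t not in GREASE]
    alpn = "00"
    if 0x0010 in ext_map:
        first = ext_map[0x0010][3:3 + ext_map[0x0010][2]].decode("ascii", "replace")
        alpn = first[0] + first[-1] if first else "00"
    part_a = (f"{transport}{JA4_VERSIONS.get(version, '00')}{'d' if 0x0000 in ext_map else 'i'}"
              f"{min(len(ciphers), 99):02d}{min(len(ext_types), 99):02d}{alpn}")
    cipher_text = ",".join(f"{c:04x}" for c in sorted(ciphers))
    ext_text = ",".join(f"{t:04x}" for t in sorted(ext_types) if t not in (0x0000, 0x0010))
    if 0x000d in ext_map:                                        # signature_algorithms, wire order
        ext_text += "_" + ",".join(f"{s:04x}" for s in u16_list(ext_map[0x000d]))
    part_b = hashlib.sha256(cipher_text.encode()).hexdigest()[:12] if ciphers else "0" * 12
    part_c = hashlib.sha256(ext_text.encode()).hexdigest()[:12] if ext_types else "0" * 12
    return f"{part_a}_{part_b}_{part_c}"

def sample_hello(cipher_order=(0x2a2a, 0x1301, 0x1302, 0xc02b)):
    """Constructed ClientHello; cipher_order lets the caller reshuffle the suites."""
    return build_client_hello(0x0303, list(cipher_order), [
        ext(0x2a2a, b""),                                        # GREASE extension, must be ignored
        sni_ext("example.com"),
        u16_list_ext(0x000a, [0x2a2a, 0x001d, 0x0017]),          # supported_groups
        ext(0x000b, b"\x01\x00"),                                # ec_point_formats: uncompressed
        alpn_ext(["h2", "http/1.1"]),
        u16_list_ext(0x000d, [0x0403, 0x0804]),                  # signature_algorithms
        u16_list_ext(0x002b, [0x2a2a, 0x0304, 0x0303], prefix=1),  # supported_versions
    ])
```

Calling ja3(sample_hello()) gives the string 771,4865-4866-49195,0-10-11-16-13-43,29-23,0 and its MD5; ja4(sample_hello()) starts with t13d0306h2 (TCP, TLS 1.3 from supported_versions, SNI present, 3 ciphers, 6 extensions, ALPN h2). Passing a different cipher_order changes the JA3 string but leaves the JA4 value identical, which is the practical reason JA4 is harder to dodge with a cosmetic reshuffle. Matching against a fingerprint list is then a dictionary lookup on the returned string.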

DNS analytics

C2 often uses DNS for one of:

  • DGA (Domain Generation Algorithm) — the implant computes the domain to query from a seed and the date, so the operator only needs to register a few of the candidates; the queries look like high-entropy random strings and most of them fail with NXDOMAIN
  • DNS tunneling — outbound data is encoded into the subdomain labels of queries and the reply is carried back in the answer (TXT, NULL, CNAME or even A records); the attacker runs the authoritative server for the zone
  • Beaconing via DNS — short, regular A or TXT queries to an attacker-controlled domain, with tasking delivered in the answer

Detection signals:

  • DNS queries to high-entropy subdomains (random-looking labels are rarely legitimate), especially many distinct subdomains under one registered domain
  • Unusual TXT (or NULL) record query volume from a single host
  • Long labels (the limit is 63 bytes per label) or names approaching the 253-character maximum
  • Queries to recently-registered domains (CTI feed match), and a high NXDOMAIN rate from one host
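The DNS signals above, applied to a query log in an added Python example for this article (not code from any product or from the author). It scores subdomain entropy, label length, the number of distinct subdomains a client sends under one registered domain, and the TXT share of each client's queries; the log lines are constructed (ts, client, qtype, qname), the recently_registered set stands in for a CTI or domain-age feed, and the thresholds are starting points to tune against your own baseline, since long legitimate hostnames with many distinct characters can also score high.

```python
"""DNS-layer C2 signals over a query log: subdomain entropy, label length, many
distinct subdomains under one registered domain, a TXT-heavy client, and
newly-registered domains. Added example for this article, not code from any
product; the log lines are constructed (ts, client, qtype, qname, tab separated)
and the recently_registered set stands in for a CTI / domain-age feed lookup."""
import math
from collections import Counter, defaultdict

def shannon_entropy(s):
    """Bits per character; 12 distinct characters in 12 positions gives log2(12) = 3.58."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def registered_domain(qname):
    """Naive eTLD+1 (last two labels); production code should use the Public Suffix List."""
    return ".".join(qname.split(".")[-2:])

def analyse(lines, recently_registered=frozenset(), entropy_min=3.5, label_max=50):
    per_client = defaultdict(lambda: {"total": 0, "txt": 0})
    subdomains = defaultdict(set)                 # (client, registered domain) -> distinct subdomains
    findings = []
    for line in lines:
        _ts, client, qtype, qname = line.split("\t")
        qname = qname.rstrip(".")
        labels = qname.split(".")
        reg = registered_domain(qname)
        sub = ".".join(labels[:-2])               # everything below the registered domain
        stats = per_client[client]
        stats["total"] += 1
        stats["txt"] += qtype in ("TXT", "NULL")
        subdomains[(client, reg)].add(sub)
        if any(len(label) > label_max for label in labels) or len(qname) > 200:
            findings.append((client, qname, "long-label"))      # 63-byte label / 253-byte name limits
        if len(sub) >= 12 and shannon_entropy(sub) > entropy_min:
            findings.append((client, qname, "high-entropy-subdomain"))
        if reg in recently_registered:
            findings.append((client, qname, "newly-registered-domain"))
    for client, stats in per_client.items():
        if stats["total"] >= 20 and stats["txt"] / stats["total"] > 0.5:
            findings.append((client, "*", "txt-heavy"))
    for (client, reg), subs in subdomains.items():
        if len(subs) >= 20:
            findings.append((client, reg, "many-unique-subdomains"))
    return findings

def make_sample_log():
    """Constructed query log: benign browsing, two DGA-looking names, and a TXT tunnel."""
    lines = ["1700000000\t10.0.0.5\tA\twww.example.com",
             "1700000001\t10.0.0.5\tA\tcdn.example.com",
             "1700000002\t10.0.0.5\tAAAA\tmail.example.com",
             "1700000010\t10.0.0.7\tA\tk3j9d0s2lq8x.example.net",
             "1700000011\t10.0.0.7\tA\tv7b2q9zp4m1s.example.net"]
    for i in range(25):                           # tunnel: data in the label, answer comes back in TXT
        lines.append(f"{1700000100 + i}\t10.0.0.9\tTXT\t{i:02d}mfrggzdfmztwq2lknnwg23tpoi.t.example.org")
    lines.append("1700000200\t10.0.0.9\tTXT\t" + "ab" * 30 + ".t.example.org")   # a 60-byte label
    return lines

if __name__ == "__main__":
    for finding in analyse(make_sample_log(), recently_registered={"example.net"}):
        print(finding)
```

On the constructed log the browsing client 10.0.0.5 produces nothing, 10.0.0.7 is flagged twice for high-entropy subdomains (and twice more because example.net is in the constructed recently-registered set), and 10.0.0.9 is flagged per query for entropy, once for the 60-byte label, once as TXT-heavy and once for 26 distinct subdomains under example.org. Those last two per-client signals are what separate a tunnel from a one-off odd-looking hostname.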

HTTP / HTTPS traffic anomalies

  • User-Agent strings matching known C2 frameworks, or a browser User-Agent that does not match the software actually installed on the host
  • Unusual URL paths (long base64-looking strings)
  • Cookies with high entropy that were never issued in a Set-Cookie response
  • HTTP method patterns (GET-heavy or POST-heavy unusually for the destination; Cobalt Strike’s default profile uses GET for check-in and POST for returning task output)
  • Repeated POST bodies of identical size to one destination (implant check-ins are deterministic, real users are not)

Outbound destination intelligence

  • Block / alert on connections to known-malicious IPs (CTI feeds: AlienVault OTX, abuse.ch ThreatFox and Feodo Tracker)
  • Block / alert on DNS queries to known-malicious domains
  • Geo-fencing — connections to countries you don’t operate in are anomalous, though this is a weak signal on its own, since C2 is routinely fronted by CDNs, redirectors and domestic cloud providers
  • Newly-registered domain alerts (domains under 30 days old being contacted)

Putting it together — the SOC playbook

  1. Layer 1: signature detection — known IPs, domains, JA3/JA4 fingerprints. Cheap, high-precision when it fires.
  2. Layer 2: behavioural detection — beaconing analysis, DGA detection, DNS tunneling alerts. Catches unknown-tool C2.
  3. Layer 3: anomaly detection — long-running connections, geographic anomalies, new-domain contacts. Flags candidates for human triage.
  4. Layer 4: threat hunting — proactive hunts on a weekly cadence. Specific hunts for ransomware-affiliate C2, APT-attributed infrastructure.

Compliance angle

  • SEBI CSCRF — explicit requirement for C2 detection (MITRE T1071)
  • RBI Cyber Framework — SOC capabilities including network telemetry analysis
  • DPDP §8(5) — failure to detect active C2 is a defensible-security gap

The takeaway

C2 detection is layered. Signatures catch known tools; behavioural analysis catches unknown ones; anomaly detection flags the long tail. Mature SOCs have all three layers. The single highest-leverage detection investment for an organisation that hasn’t yet built it: deploy Zeek + RITA + a CTI feed. That combination catches the bulk of commodity C2 (the author’s rough estimate: around 80%) within 24 hours of compromise.
