GCIH · Question #709
Tools like RITA use which of the following characteristics to identify C2 traffic?
The correct answer is C. Consistent data packet sizes. RITA detects C2 beaconing by identifying network connections with consistent data packet sizes, a hallmark of automated malware check-ins rather than human-driven traffic.
Question
Tools like RITA use which of the following characteristics to identify C2 traffic?
Options
- ALarge egress file transfers
- BUnpredictable packet intervals
- CConsistent data packet sizes
- DShort connection durations
How the community answered
(41 responses)- A17% (7)
- B7% (3)
- C73% (30)
- D2% (1)
Why each option
RITA detects C2 beaconing by identifying network connections with consistent data packet sizes, a hallmark of automated malware check-ins rather than human-driven traffic.
Large egress file transfers are an indicator of data exfiltration activity, not the repetitive low-volume beaconing pattern that RITA is designed to detect.
RITA specifically looks for highly predictable and consistent timing intervals - not unpredictable ones - as beaconing malware checks in on a regular schedule.
C2 beaconing malware communicates with its controller in a repetitive, automated cycle, resulting in network connections where the bytes sent and received remain uniform over time. RITA analyzes NetFlow or PCAP data and flags this uniformity in data sizes as a strong indicator of automated C2 communication, distinguishing it from the variable sizing of normal human-driven sessions.
Short connection durations are not a primary or reliable indicator of C2 beaconing and are not a core detection heuristic used by RITA.
Concept tested: C2 beaconing detection characteristics with RITA
Source: https://www.activecountermeasures.com/free-tools/rita/
Topics
Community Discussion
No community discussion yet for this question.