Advent of Cyber 2025 - Day 22

Detecting Command & Control Traffic Using RITA

Advent of Cyber – TryHackMe Walkthrough

Introduction

After recent attacks by King Malhare’s underlings, the Threat Bounty Force Council (TBFC) remains on high alert. Network traffic is suspicious, but analyzing it manually can be overwhelming.

Enter Sir Elfo and his tool of choice: RITA – Real Intelligence Threat Analytics.

Using Zeek to convert PCAP files into logs and RITA to analyze them, suspicious Command and Control (C2) activity can be detected quickly. This guide walks you through the full process.


Learning Objectives

By following this walkthrough, you will learn to:

  • Convert PCAP files into Zeek logs

  • Import and analyze Zeek logs using RITA

  • Interpret RITA output to detect C2 indicators


What Is RITA?

RITA is an open-source framework by Active Countermeasures. It detects C2 communications and other suspicious network behaviors.

Key Features

  • C2 beacon detection

  • DNS tunneling identification

  • Long-lived connection detection

  • Data exfiltration alerts

  • Threat intelligence feed correlation

  • Severity scoring and host prevalence analysis

  • First-seen timestamps for external hosts

RITA works by correlating IPs, ports, timestamps, and durations to detect suspicious patterns.
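To make that correlation concrete, here is a small Python scorer (an added example, not RITA's code or part of the TryHackMe room) that reads a Zeek conn.log in its tab-separated format and rates each source/destination pair by how regular its connection intervals are, one ingredient of a beacon-likelihood score. The log excerpt, hosts and timestamps are constructed for the example; RITA's own scoring combines more signals than this.

```python
import statistics
from collections import defaultdict

# Constructed Zeek conn.log excerpt (TSV). Zeek names its columns in a
# #fields header; the hosts and timestamps below are made up for the example.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration",
    # 10.0.0.13 checks in with 198.51.100.10 about once a minute (beacon-like)
    "1700000000.0\tC1\t10.0.0.13\t49152\t198.51.100.10\t80\ttcp\t0.2",
    "1700000060.0\tC2\t10.0.0.13\t49153\t198.51.100.10\t80\ttcp\t0.2",
    "1700000121.0\tC3\t10.0.0.13\t49154\t198.51.100.10\t80\ttcp\t0.2",
    "1700000180.0\tC4\t10.0.0.13\t49155\t198.51.100.10\t80\ttcp\t0.2",
    "1700000241.0\tC5\t10.0.0.13\t49156\t198.51.100.10\t80\ttcp\t0.2",
    # 10.0.0.5 talks to 203.0.113.7 at irregular, human-driven intervals
    "1700000000.0\tC6\t10.0.0.5\t50000\t203.0.113.7\t443\ttcp\t1.5",
    "1700000005.0\tC7\t10.0.0.5\t50001\t203.0.113.7\t443\ttcp\t0.9",
    "1700000300.0\tC8\t10.0.0.5\t50002\t203.0.113.7\t443\ttcp\t2.1",
    "1700000310.0\tC9\t10.0.0.5\t50003\t203.0.113.7\t443\ttcp\t0.4",
    # a single connection: too few samples to judge regularity
    "1700000050.0\tC10\t10.0.0.5\t50004\t198.51.100.20\t53\tudp\t0.1",
])

def parse_conn_log(text):
    """Yield one dict per record, keyed by the column names in #fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def beacon_scores(text, min_conns=3):
    """Score each src->dst pair from 0 to 100 by interval regularity.

    The gaps between consecutive connections are summarised by their
    coefficient of variation: scheduled check-ins have a low CV and score
    high, human browsing has a high CV and scores low. Pairs with fewer
    than min_conns connections are skipped as statistically meaningless.
    """
    by_pair = defaultdict(list)
    for row in parse_conn_log(text):
        by_pair[(row["id.orig_h"], row["id.resp_h"])].append(float(row["ts"]))
    scores = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        scores[pair] = round(max(0.0, 1.0 - cv) * 100)
    return scores
```

Run against a real conn.log by passing its contents to beacon_scores and sorting the result; the pairs that score highest are the ones worth checking against the Prevalence and First Seen modifiers described later.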


Why Zeek?

RITA requires Zeek logs as input.

Zeek is an open-source Network Security Monitoring (NSM) tool that:

  • Passively analyzes network traffic

  • Converts traffic into structured logs (HTTP, DNS, SSL, files, certificates)

  • Does not block traffic like a firewall or IDS


Converting PCAP to Zeek Logs

  1. Open a terminal in your VM.

  2. Verify directories:

  ls
  # You should see:
  # pcaps – contains malware traffic captures
  # zeek_logs – stores Zeek logs

  3. Convert the PCAP file:

  zeek readpcap pcaps/AsyncRAT.pcap zeek_logs/asyncrat

  4. Check the generated logs:

  cd ~/zeek_logs/asyncrat
  ls
  # Example output:
  # conn.log, dns.log, http.log, ssl.log, x509.log, files.log

These logs are ready for RITA analysis.


Importing Zeek Logs into RITA

rita import --logs ~/zeek_logs/asyncrat/ --database asyncrat

RITA parses the logs, applies analytics, and checks threat intelligence feeds.


Viewing RITA Results

rita view asyncrat

The terminal interface includes:

  • Search bar

  • Results pane

  • Details pane

Results Pane Columns

  • Severity – Overall threat score

  • Source → Destination – IP/FQDN communication

  • Beacon Likelihood – Chance of beacon behavior

  • Connection Duration – Long connections are suspicious

  • Subdomains Count – Possible data exfiltration

  • Threat Intel Hits – Known malicious indicators

Example Findings

  • sunshine-bizrate-inc-software[.]trycloudflare[.]com

  • 91[.]134[.]150[.]150

Both were flagged as malicious by VirusTotal.


Threat Modifiers Explained

RITA assigns severity using Threat Modifiers, such as:

  • MIME/URI mismatch

  • Rare signature

  • Prevalence (number of hosts communicating with a destination)

  • First Seen

  • Missing host header

  • Large outbound data

  • No direct connections

These help identify stealthy C2 traffic.


Connection Information

Additional metadata includes:

  • Number of connections

  • Total bytes sent

  • Port, protocol, and service

  • Use of non-standard ports

This information is essential for validating suspicious behavior.


Hands-On Challenge

Using rita_challenge.pcap, these findings were confirmed:

  • Hosts communicating with malhare.net: 6

  • Threat Modifier showing number of hosts: prevalence

  • Highest connections to rabbithole.malhare.net: 40

  • Port used by host 10.0.0.13: 80

RITA search filter example:

  dst:rabbithole.malhare.net beacon:>=70 sort:duration-desc


Conclusion

RITA simplifies C2 detection by focusing on behavioral analytics rather than signatures.

Even without known IoCs, its correlation and threat modifiers provide actionable insights for threat hunting.

Combining Zeek and RITA gives defenders a powerful toolkit to uncover hidden adversary communications.

🛡️ Happy hunting!
