In the last chapter, we saw how malware analysis works in the context of network forensics. Let's study some advanced and popularly-used Command and Control (C2) tools to learn about their behavior on the wire and try to develop strategies to recognize them. The most popular tools for C2 are Metasploit and Empire, which are both used in red-teaming exercises and professional penetration tests. However, an easy-to-use choice can sometimes lure cyber criminals to use it as well. While many detection tools detect Metasploit usage, it is recommended that we go through a manual investigation of events as well.

In this chapter, we will look at the following topics:

• Decoding the Metasploit shell
• Case study – decrypting the Metasploit Reverse HTTPS Shellcode
• Empire C2 analysis
• Case study – CERT.SE's major fraud and hacking criminal case, B 8322-16

Let's first investigate the basic reverse TCP shell used in Metasploit. We will examine the meterpreter_basic.pcap file for this exercise.