Octopus is an open source, pre-operation C2 server. It is written in Python and typically uses a PowerShell agent on the target server, with which it communicates over HTTPS.
Zeek was used to process the pcap file and parse it into Zeek log data (conn.log, ssl.log, packet_filter.log, x509.log).
The logs were then searched for connection persistency by looking at the originating IP, the responding IP, and the duration of each connection.
The pcap sample exhibits persistency on TCP port 443 using the SSL service. It also shows that the byte size of the connection traffic is relatively small compared to normal network traffic operating on the same port and service.
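The conn.log search described above can be scripted. The following is an added example, not part of the original analysis: it groups Zeek conn.log records by originating IP, responding IP, port and service, then reports connection count, time span, total duration and mean bytes per connection. The sample rows, the addresses and the `min_conns` / `max_mean_bytes` thresholds are constructed assumptions; a real conn.log carries more columns, which the `#fields` header handles.

```python
"""Summarise a Zeek conn.log by host pair to surface persistent, low-volume connections."""
from collections import defaultdict
from statistics import mean

FIELDS = "ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes"
# Constructed sample rows (documentation address ranges), not taken from the analysed pcap.
ROWS = [f"{1000 + 30 * i}.0 C{i} 10.0.0.5 {50000 + i} 203.0.113.10 443 tcp ssl 0.4 310 520" for i in range(20)]
ROWS += [
    "1005.0 Cw1 10.0.0.5 51000 198.51.100.7 443 tcp ssl 12.5 4200 880000",
    "1200.0 Cw2 10.0.0.5 51001 198.51.100.7 443 tcp ssl 8.1 3900 640000",
    "1300.0 Cd1 10.0.0.5 53000 10.0.0.1 53 udp dns - - -",
]
SAMPLE = "\n".join(["#fields\t" + FIELDS.replace(" ", "\t")] + [r.replace(" ", "\t") for r in ROWS] + ["#close\tx"])

def parse_conn_log(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def num(value):
    """Zeek writes '-' for unset fields; treat those as 0."""
    return float(value) if value not in ("-", "") else 0.0

def summarise(text):
    """Group by (orig, resp, port, service) and compute persistence and size metrics."""
    groups = defaultdict(list)
    for r in parse_conn_log(text):
        groups[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"], r["service"])].append(r)
    out = []
    for key, recs in groups.items():
        ts = sorted(num(r["ts"]) for r in recs)
        out.append({
            "pair": key, "connections": len(recs), "span_s": ts[-1] - ts[0],
            "total_duration_s": sum(num(r["duration"]) for r in recs),
            "mean_bytes": mean(num(r["orig_bytes"]) + num(r["resp_bytes"]) for r in recs),
        })
    return sorted(out, key=lambda s: s["connections"], reverse=True)

def candidates(summary, min_conns=10, max_mean_bytes=5000):
    """Many connections to one responder with small payloads; thresholds are assumptions to tune."""
    return [s for s in summary if s["connections"] >= min_conns and s["mean_bytes"] <= max_mean_bytes]

if __name__ == "__main__":
    print(candidates(summarise(SAMPLE)))
```

To run it against real data, pass the contents of a conn.log file to `summarise()` in place of `SAMPLE`.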
Real Intelligence Threat Analytics (RITA) is an open source tool designed to identify malicious activity within network traffic.
Analyzing the pcap sample with RITA produces a perfect beaconing score. RITA provides confirmation that this connection is beaconing and is worth further investigation.