C2

MetaDefender NDR has the ability to monitor outbound packets to known command and control (C2) IP addresses and DNS resolutions to known command and control hosts. C2 activity can be monitored by clicking Analysis > C2. Outbound packets to C2 addresses and resolutions for known C2 hosts can be viewed and searched in C2 in the IP and DNS tabs respectively. The interface provides both Quick Search and Advanced Search features for both tabs on the left pane. Advanced search criteria for both C2 IP addresses and DNS lookups provide the capability to perform historic searches for corresponding IP and DNS resolutions within a specific timeframe.

IP ADDRESSES

Columns available in the Advanced Search menu for the IP tab in the C2 page are:

  • Source IP
  • Destination IP

Select the column(s) and specify their criteria. You can also specify the session time from the Time Interval drop-down menu or select a date range from the built-in calendars by clicking the From/To option. Click Search. Results appear on the right pane, listing each matching source and destination IP pair with its number of connections, the date and time, and a link to view those connections.

Viewing IP Address Connections

To view all the IP connections and their respective details in a tabular form, click View connections corresponding to a session with source and destination IP.

DOMAIN NAME SYSTEMS

Columns available in the Advanced Search menu for the DNS tab in the C2 page are:

  • Domain
  • Source IP
  • Destination IP

Select the column(s) and specify their criteria. You can also specify the session time from the Time Interval drop-down menu or select a date range from the built-in calendars by clicking the From/To option. Click Search. Results appear on the right pane, listing the matching source and destination IP addresses with their DNS resolutions, the date and time, the number of DNS lookups, and a link to view those lookups.

Viewing DNS Lookups

To view all the DNS lookups and their details in a tabular form, click View lookups corresponding to a session with the domain name.
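The matching the C2 page performs, as an added example that is not MetaDefender NDR's own code: outbound flows and DNS lookups are compared against known C2 indicators, restricted to a time window and optional source/destination/domain criteria, and grouped into per-pair counts with first and last seen, which is the shape of the results described above. The indicator sets, the record tuples and the time window are all constructed for the example.

```python
"""Match flow and DNS records against known C2 indicators within a time window."""
from collections import defaultdict
from datetime import datetime

# Constructed indicator lists (documentation ranges, not real C2 infrastructure).
C2_IPS = {"203.0.113.45"}
C2_DOMAINS = {"c2.example.invalid"}

# Constructed records: (timestamp, source IP, destination IP[, queried domain]).
FLOWS = [
    ("2024-05-01T10:00:00", "10.0.0.5", "203.0.113.45"),
    ("2024-05-01T10:05:00", "10.0.0.5", "203.0.113.45"),
    ("2024-05-01T10:07:00", "10.0.0.7", "198.51.100.9"),   # not an indicator
    ("2024-05-02T09:00:00", "10.0.0.5", "203.0.113.45"),   # outside the window
]
DNS = [
    ("2024-05-01T09:59:00", "10.0.0.5", "10.0.0.53", "c2.example.invalid"),
    ("2024-05-01T10:04:00", "10.0.0.5", "10.0.0.53", "C2.example.invalid."),
    ("2024-05-01T10:06:00", "10.0.0.7", "10.0.0.53", "www.example.org"),
]

def _in_window(ts, start, end):
    t = datetime.fromisoformat(ts)
    return datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end)

def c2_ip_hits(flows, start, end, src=None, dst=None):
    """Outbound flows to known C2 IPs, grouped by (src, dst): count, first, last seen."""
    hits = defaultdict(list)
    for ts, s, d in flows:
        if d not in C2_IPS or not _in_window(ts, start, end):
            continue
        if (src and s != src) or (dst and d != dst):   # optional search criteria
            continue
        hits[(s, d)].append(ts)
    return {k: (len(v), min(v), max(v)) for k, v in hits.items()}

def c2_dns_hits(records, start, end, domain=None, src=None):
    """Lookups of known C2 domains, grouped by (domain, src, resolver): count, first, last."""
    hits = defaultdict(list)
    for ts, s, d, name in records:
        name = name.lower().rstrip(".")     # normalise case and trailing dot
        if name not in C2_DOMAINS or not _in_window(ts, start, end):
            continue
        if (domain and name != domain) or (src and s != src):
            continue
        hits[(name, s, d)].append(ts)
    return {k: (len(v), min(v), max(v)) for k, v in hits.items()}

if __name__ == "__main__":
    print(c2_ip_hits(FLOWS, "2024-05-01T00:00:00", "2024-05-01T23:59:59"))
    print(c2_dns_hits(DNS, "2024-05-01T00:00:00", "2024-05-01T23:59:59"))
```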
