analyzing-network-traffic-of-malware

Stars: 3

Analyzes network traffic generated by malware during sandbox execution or live incident response to identify C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based malware detection.

By oyi77, updated 6/8/2026

name: analyzing-network-traffic-of-malware
description: 'Analyzes network traffic generated by malware during sandbox execution or live incident response to identify C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based malware detection.'
domain: cybersecurity
tags:
  - malware
  - network-analysis
  - PCAP
  - Wireshark
  - C2-detection
subdomain: malware-analysis
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
  - DE.AE-02
  - RS.AN-03
  - ID.RA-01
  - DE.CM-01

Analyzing Network Traffic Of Malware

Overview

Cybersecurity skill for analyzing network traffic of malware. Follows industry best practices and security standards.

When to Use

  • Sandbox execution has captured a PCAP file and the network behavior needs detailed analysis
  • Identifying the C2 protocol structure for writing network detection signatures
  • Determining what data the malware exfiltrates and to which external infrastructure
  • Analyzing DNS tunneling, domain generation algorithms (DGA), or fast-flux behavior
  • Creating Suricata/Snort signatures based on observed malware network patterns

Do not use for host-based analysis of malware behavior; use Cuckoo sandbox reports or Volatility memory analysis for process-level activity.
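The DNS cases in the list above (tunneling and DGA candidates) as an added example; this is not code from the skill or its author. It runs two heuristics over a few constructed rows laid out like Zeek's dns.log: parent domains that receive many distinct long, high-entropy leftmost labels (the shape of data encoded into subdomains), and NXDOMAIN lookups whose second-level label is long and consonant-heavy (the shape of machine-generated names). The reduced column set, the thresholds, and the two-label approximation of a registered domain are assumptions made for the demonstration.

```python
import math
from collections import defaultdict

# Constructed sample rows (not from the page) in a Zeek dns.log-like tab-separated
# layout, reduced to the columns this example uses:
# ts, id.orig_h, query, qtype_name, rcode_name
SAMPLE_DNS_LOG = """\
1700000001.1\t10.0.0.5\twww.example.com\tA\tNOERROR
1700000002.2\t10.0.0.5\tmail.example.com\tA\tNOERROR
1700000003.3\t10.0.0.7\tkq3x9v2m7p1z.badtunnel.test\tTXT\tNOERROR
1700000004.4\t10.0.0.7\tz8w1n5c4b6yq.badtunnel.test\tTXT\tNOERROR
1700000005.5\t10.0.0.7\tm2h7r9t3k8xw.badtunnel.test\tTXT\tNOERROR
1700000006.6\t10.0.0.7\tp5d1f8g2j4vl.badtunnel.test\tTXT\tNOERROR
1700000007.7\t10.0.0.9\txkqvzpwjrt.com\tA\tNXDOMAIN
1700000008.8\t10.0.0.9\tqzjxvkwpyr.net\tA\tNXDOMAIN
1700000009.9\t10.0.0.9\tcdn.example.org\tA\tNOERROR
"""

FIELDS = ("ts", "orig_h", "query", "qtype", "rcode")
VOWELS = set("aeiou")


def parse_dns_log(text):
    """Parse the constructed rows into dicts; skip blank, comment and malformed lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # a truncated row should not abort the whole analysis
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def shannon_entropy(s):
    """Bits per character of a string; 0.0 for empty or single-symbol input."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(query):
    """Simplification (assumption): treat the last two labels as the registered
    domain. Real analysis should consult the Public Suffix List (co.uk etc.)."""
    labels = query.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else query.lower()


def find_tunneling_candidates(rows, min_unique=3, min_label_len=10):
    """Parent domains receiving many distinct long, high-entropy leftmost labels:
    the shape of DNS tunneling, where data rides in the subdomain."""
    subs = defaultdict(set)
    for r in rows:
        labels = r["query"].lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        leftmost = labels[0]
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= 3.0:
            subs[registered_domain(r["query"])].add(leftmost)
    return {d: len(s) for d, s in subs.items() if len(s) >= min_unique}


def find_dga_candidates(rows, min_len=8, max_vowel_ratio=0.2):
    """NXDOMAIN lookups whose second-level label is long, consonant-heavy and
    high-entropy. NXDOMAIN is the key signal: DGA families query many names
    that were never registered."""
    hits = set()
    for r in rows:
        if r["rcode"] != "NXDOMAIN":
            continue
        domain = registered_domain(r["query"])
        sld = domain.split(".")[0]
        if len(sld) < min_len:
            continue
        vowel_ratio = sum(ch in VOWELS for ch in sld) / len(sld)
        if vowel_ratio <= max_vowel_ratio and shannon_entropy(sld) >= 3.0:
            hits.add(domain)
    return sorted(hits)


if __name__ == "__main__":
    dns_rows = parse_dns_log(SAMPLE_DNS_LOG)
    print("tunneling candidates:", find_tunneling_candidates(dns_rows))
    print("DGA candidates:", find_dga_candidates(dns_rows))
```

A real dns.log carries many more columns and a `#fields` header line; adapting the parser means reading that header to locate `query` and `rcode_name` instead of hard-coding positions. Both heuristics are triage filters, not verdicts: a CDN with hashed hostnames trips the tunneling check, and a typo trips the DGA check, so the candidates feed the correlation step rather than a blocklist.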

When NOT to Use

  • When you lack proper authorization for testing
  • For production systems without change management
  • When the task requires legal or compliance expertise beyond technical scope

Prerequisites

  • Wireshark 4.x installed for interactive PCAP analysis
  • tshark (Wireshark CLI) for scripted packet extraction
  • Zeek installed for automated metadata generation from PCAPs
  • Suricata with ET Open/ET Pro rulesets for signature matching
  • NetworkMiner for file extraction and credential detection from PCAPs
  • Python 3.8+ with scapy and dpkt for programmatic packet analysis

Workflow

  1. Scope the Analysis — Define which network-traffic artifacts and data sources to examine, and the investigation timeline.
  2. Preserve Evidence — Create forensic copies of relevant data. Maintain chain of custody documentation.
  3. Extract Key Indicators — Parse the collected artifacts and extract the relevant network indicators.
  4. Correlate Findings — Cross-reference extracted data with other sources (threat intel, logs, timelines).
  5. Build Timeline — Construct a chronological sequence of the malware's network events.
  6. Document Analysis — Write findings report with evidence, conclusions, and recommendations.

# Example: IOC detection
import re

# Patterns for the indicator types most often pulled from malware traffic.
# Matching is case-insensitive so upper-case hex digests and mixed-case
# hostnames are not missed.
IOC_PATTERNS = {
    # Dotted quad; does not validate the 0-255 octet range.
    "ip": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    # One or more labels followed by a TLD, so multi-label names match whole.
    "domain": r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b",
    "hash_md5": r"\b[a-f0-9]{32}\b",
    "hash_sha256": r"\b[a-f0-9]{64}\b",
}

def extract_iocs(text: str) -> dict:
    # Deduplicate and sort so the output is stable across reports.
    return {k: sorted(set(re.findall(v, text, re.IGNORECASE)))
            for k, v in IOC_PATTERNS.items()}
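An added example for steps 3 to 5 applied to C2 traffic; it is not part of the skill's own code. It parses constructed rows laid out like Zeek's conn.log, flags connection series whose inter-arrival times are nearly constant (the periodic check-in shape of a beacon), and builds a per-host timeline for the report. The reduced column set, the sample addresses, and the minimum-connections and coefficient-of-variation cutoffs are assumptions made for the demonstration.

```python
import statistics
from collections import defaultdict

# Constructed sample rows (not from the page) in a Zeek conn.log-like tab-separated
# layout, reduced to: ts, id.orig_h, id.resp_h, id.resp_p, proto, orig_bytes, resp_bytes.
# 10.0.0.7 contacts 203.0.113.10 about every 60 s with small jitter (the beacon);
# 10.0.0.5 contacts 198.51.100.20 at irregular, human-shaped intervals.
SAMPLE_CONN_LOG = """\
1700000000\t10.0.0.7\t203.0.113.10\t443\ttcp\t512\t1024
1700000060\t10.0.0.7\t203.0.113.10\t443\ttcp\t512\t1024
1700000121\t10.0.0.7\t203.0.113.10\t443\ttcp\t512\t1024
1700000180\t10.0.0.7\t203.0.113.10\t443\ttcp\t512\t1024
1700000240\t10.0.0.7\t203.0.113.10\t443\ttcp\t512\t1024
1700000300\t10.0.0.7\t203.0.113.10\t443\ttcp\t520\t1024
1700001000\t10.0.0.5\t198.51.100.20\t443\ttcp\t4096\t90000
1700001040\t10.0.0.5\t198.51.100.20\t443\ttcp\t300\t12000
1700001045\t10.0.0.5\t198.51.100.20\t443\ttcp\t2500\t3000
1700001300\t10.0.0.5\t198.51.100.20\t443\ttcp\t800\t45000
1700001310\t10.0.0.5\t198.51.100.20\t443\ttcp\t900\t700
"""

FIELDS = ("ts", "orig_h", "resp_h", "resp_p", "proto", "orig_bytes", "resp_bytes")


def parse_conn_log(text):
    """Parse the constructed rows into dicts with numeric ts and byte counts."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # skip malformed rows instead of aborting the whole analysis
        r = dict(zip(FIELDS, parts))
        r["ts"] = float(r["ts"])
        r["orig_bytes"] = int(r["orig_bytes"])
        r["resp_bytes"] = int(r["resp_bytes"])
        rows.append(r)
    return rows


def find_beacons(rows, min_connections=5, max_cv=0.1):
    """Group connections by (source, destination, port) and flag series whose
    inter-arrival times have a low coefficient of variation (std / mean):
    periodic check-ins with little jitter are the classic C2 beacon shape."""
    flows = defaultdict(list)
    for r in rows:
        flows[(r["orig_h"], r["resp_h"], r["resp_p"])].append(r["ts"])
    beacons = []
    for (orig_h, resp_h, resp_p), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue  # every connection at the same instant: not a cadence
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            beacons.append({
                "orig_h": orig_h, "resp_h": resp_h, "resp_p": resp_p,
                "count": len(stamps), "mean_interval": mean, "cv": cv,
            })
    return sorted(beacons, key=lambda b: b["cv"])


def host_timeline(rows, orig_h):
    """Step 5: chronological list of (ts, description) for one source host."""
    events = [
        (r["ts"], f"{r['proto']} {r['resp_h']}:{r['resp_p']} "
                  f"out={r['orig_bytes']} in={r['resp_bytes']}")
        for r in rows if r["orig_h"] == orig_h
    ]
    return sorted(events)


if __name__ == "__main__":
    conns = parse_conn_log(SAMPLE_CONN_LOG)
    for b in find_beacons(conns):
        print(f"beacon candidate: {b['orig_h']} -> {b['resp_h']}:{b['resp_p']} "
              f"n={b['count']} mean={b['mean_interval']:.1f}s cv={b['cv']:.3f}")
    for ts, desc in host_timeline(conns, "10.0.0.7"):
        print(ts, desc)
```

Some malware adds deliberate jitter to its sleep interval, which raises the coefficient of variation; a practitioner usually tunes `max_cv` per environment and combines this check with the small, near-constant `orig_bytes` per connection visible in the sample, since a heartbeat carries little data. Software update checks and monitoring agents also beacon, which is why the candidates go to step 4 (correlation against known-good infrastructure) before anything is concluded.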

Tools

  • Forensic Toolkit — Evidence collection and analysis
  • Timeline Tools — Chronological event reconstruction
  • Log Analysis Platform — Centralized log parsing and search

Verification

  • All network-traffic analysis procedures executed completely and documented
  • Findings validated against multiple data sources
  • False positives identified and filtered
  • Results documented with evidence and timestamps
  • Recommendations provided with risk-based prioritization

Anti-Rationalization

Rationalization                   | Reality
"We are too small to be targeted" | Automated attacks target everyone. Size does not matter.
"Security slows us down"          | A breach slows you down 100x more. Build security in from the start.
"We will fix it after launch"     | Vulnerabilities in production are exploited within hours. Fix before deploy.

Install via CLI

npx skills add https://github.com/oyi77/1ai-skills --skill analyzing-network-traffic-of-malware

Repository Details

  • Forks: 0
  • Branch: main
  • Path: SKILL.md