advent-of-cyber-2025

Room Link:
https://tryhackme.com/room/detecting-c2-with-rita-aoc2025-m9n2b5v8c1

▶️ Grant Collins – Day 22 Video Walkthrough

Official walkthrough for quick onboarding:

🔗 YouTube Link:
https://youtu.be/_aezrep95mo?si=5EV70b264rx4_Wnp


🎄 Advent of Cyber 2025 — Day 22 Write-Up

🧩 C2 Detection — Command & Carol


📘 Review the Theory from TryHackMe

Refer to the theory section of the TryHackMe room before starting the investigation.


✅ Challenge Answers


1️⃣ How many hosts are communicating with malhare.net?

6

2️⃣ Which threat modifier indicates the number of hosts communicating with a destination?

prevalence

3️⃣ What is the highest number of connections to rabbithole.malhare.net?

40

4️⃣ What query was used to identify high-frequency beaconing behavior?

dst:rabbithole.malhare.net beacon:>=70 sort:duration-desc

5️⃣ Which port did host 10.0.0.13 use to connect to rabbithole.malhare.net?

80