Tools | February 9, 2026 | 2 min read | by 0xt0pus

RITA

Real Intelligence Threat Analytics framework for detecting C2 beacons and DNS tunneling

Description

RITA (Real Intelligence Threat Analytics) is an open-source framework for detecting C2 communications through network traffic analysis. RITA ingests Zeek logs directly; offline PCAP files can be analyzed too, once they have been converted into Zeek logs (for example with zeek -r). RITA then looks for abnormal behaviors such as long-duration connections, connections to blacklisted IP addresses, and beaconing (connections that recur at regular intervals with similar sizes).

Usage 1: Test RITA Configuration

Print the parsed RITA configuration to verify that the configuration file (/etc/rita/config.yaml) is correctly loaded; head limits the output to the first 10 lines.

Command:

rita test-config | head -n 10

Usage 2: Show RITA Help and All Parameters

Running rita with no arguments prints the help text listing all available subcommands, including show-beacons, show-beacons-fqdn, show-exploded-dns, and html-report.

Command:

sudo rita

Usage 3: Import Zeek Logs into RITA Database

Import Zeek-generated logs into a RITA database for analysis. The first argument is the directory containing the Zeek logs (conn.log, dns.log, and so on), the second is the name of the database to create.

Command:

sudo rita import dnscat2_logs dnscat2

Usage 4: Detect DNS Beaconing (FQDN Analysis)

Show beacons grouped by destination FQDN rather than destination IP, which identifies suspicious DNS patterns such as C2 communication over DNS channels and catches beacons whose destination name resolves to changing addresses.

Command:

sudo rita show-beacons-fqdn dnscat2 -H

Usage 5: Detect DNS Tunneling (Exploded DNS)

Show exploded DNS data: each domain is listed with the number of unique subdomains queried beneath it and how many times it was looked up. A domain with a very large number of distinct subdomains, almost every one looked up only once, is a strong indicator of DNS tunneling (e.g., dnscat2 C2), because the tunnel encodes its data in the subdomain labels of each query.

Command:

sudo rita show-exploded-dns dnscat2 -H | more

Usage 6: Filter Exploded DNS for a Specific Domain

Grep the exploded DNS output for a specific suspicious domain to dig deeper into the DNS tunneling activity.

Command:

sudo rita show-exploded-dns dnscat2 | grep cisco-update.com

Usage 7: Detect Beaconing Traffic (C2 Over HTTPS)

Detect C2 beaconing patterns such as Octopus C2 traffic that uses HTTPS with a fixed communication interval (0% jitter). RITA's beacon score rewards regular connection intervals and uniform connection sizes, so a fixed-interval, constant-size check-in scores close to 1.0 and appears at the top of the output.

Command:

sudo rita show-beacons octopus
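To make the two analytics above concrete, the following added example (illustrative code, not RITA's own implementation) runs a simplified exploded-DNS count and a simplified beacon score over constructed Zeek-style dns.log and conn.log data. The log lines, the IP addresses 10.0.0.5, 203.0.113.10 and 198.51.100.7, the domains cisco-update.com and example.com, and the scoring formula (median absolute deviation divided by the median, averaged over intervals and sizes) are all assumptions made for this example; RITA's real scoring adds further terms such as skew and connection-count checks.

```python
"""Simplified, stand-alone versions of two RITA analytics (exploded DNS and
beacon scoring) run over constructed Zeek-style logs. Illustrative only."""
import statistics
from collections import defaultdict

# Constructed dns.log: 500 unique hex-looking subdomains under cisco-update.com
# (the dnscat2 pattern) plus ordinary repeated lookups under example.com.
DNS_LOG = "\n".join(
    ["#fields\tts\tid.orig_h\tquery"]
    + [f"{1700000000 + i}\t10.0.0.5\td{i:04x}.cisco-update.com" for i in range(500)]
    + [f"{1700000500 + i}\t10.0.0.5\twww.example.com" for i in range(30)]
    + [f"{1700000600 + i}\t10.0.0.5\tcdn.example.com" for i in range(5)]
    + [f"{1700000700 + i}\t10.0.0.5\tmail.example.com" for i in range(2)]
)

# Constructed conn.log: 20 connections to 203.0.113.10 exactly 60 s apart with a
# constant 512-byte request (0% jitter), plus irregular browsing to 198.51.100.7.
_BROWSING = [(3, 900), (41, 120), (95, 4300), (101, 77),
             (600, 2200), (611, 350), (1500, 1800), (1502, 64)]
CONN_LOG = "\n".join(
    ["#fields\tts\tid.orig_h\tid.resp_h\torig_bytes"]
    + [f"{1700000000 + 60 * i}.000000\t10.0.0.5\t203.0.113.10\t512" for i in range(20)]
    + [f"{1700000000 + t}.000000\t10.0.0.5\t198.51.100.7\t{b}" for t, b in _BROWSING]
)


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log into row dicts named by its '#fields' header line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def exploded_dns(dns_rows):
    """Per parent domain: (unique subdomains seen, total lookups)."""
    uniq, lookups = defaultdict(set), defaultdict(int)
    for r in dns_rows:
        fqdn = r["query"].rstrip(".").lower()
        labels = fqdn.split(".")
        # a.b.example.com contributes to b.example.com, example.com and com
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            uniq[parent].add(fqdn)
            lookups[parent] += 1
    return {d: (len(uniq[d]), lookups[d]) for d in uniq}


def top_exploded(dns_rows, n=5):
    """Rank domains by unique-subdomain count; a new-ratio near 1.0 means
    almost every lookup was for a never-before-seen name (tunnel-like)."""
    ranked = sorted(exploded_dns(dns_rows).items(), key=lambda kv: kv[1][0], reverse=True)
    return [(d, u, l, round(u / l, 2)) for d, (u, l) in ranked[:n]]


def _jitter(values):
    """Robust dispersion: median absolute deviation / median (0.0 = perfectly regular)."""
    med = statistics.median(values)
    if med == 0:
        return 1.0
    return statistics.median(abs(v - med) for v in values) / med


def beacon_scores(conn_rows, min_connections=6):
    """Score each src->dst pair by how regular its intervals and sizes are."""
    by_pair = defaultdict(list)
    for r in conn_rows:
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append((float(r["ts"]), int(r["orig_bytes"])))
    results = []
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_connections:   # too few connections to call it a beacon
            continue
        conns.sort()
        intervals = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        sizes = [size for _, size in conns]
        ts_jitter, size_jitter = _jitter(intervals), _jitter(sizes)
        score = round((max(0.0, 1 - ts_jitter) + max(0.0, 1 - size_jitter)) / 2, 3)
        results.append({"src": src, "dst": dst, "connections": len(conns),
                        "median_interval": statistics.median(intervals),
                        "interval_jitter": round(ts_jitter, 3), "score": score})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for d, u, l, ratio in top_exploded(parse_zeek_tsv(DNS_LOG)):
        print(f"{d:<20} unique={u:<5} lookups={l:<5} new-ratio={ratio}")
    for b in beacon_scores(parse_zeek_tsv(CONN_LOG)):
        print(b)
```

Two things to keep in mind when reading real RITA output: top-level domains and large shared domains ("com", CDN names) sit at the top of the exploded-DNS list simply because everything lives beneath them, so the interesting entry is the first domain that is not one of those; and a beacon score is only meaningful once a pair has enough connections, which is why the example skips pairs below a minimum count.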

Usage 8: Generate HTML Report

Generate a simple static HTML report containing all findings from the analyzed database, which can be opened in a browser and shared with others.

Command:

rita html-report octopus

Full Workflow: DNS Tunneling Detection

  1. Convert PCAP to Zeek logs:
     cd ~/Desktop/CCD/RITA/pcap
     mkdir dnscat2_logs
     cd dnscat2_logs/
     zeek -r ../dnscat2_dns_tunneling_24hr.pcap local
     cd ..
  2. Import into RITA:
     sudo rita import dnscat2_logs dnscat2
  3. Analyze:
     sudo rita show-beacons-fqdn dnscat2 -H
     sudo rita show-exploded-dns dnscat2 -H | more

Full Workflow: Beaconing Traffic Detection

  1. Convert PCAP to Zeek logs:
     cd ~/Desktop/CCD/RITA/pcap
     mkdir octopus_logs && cd octopus_logs
     zeek -r ../octopus.pcap local && cd ..
  2. Import into RITA:
     sudo rita import octopus_logs octopus
  3. Analyze:
     sudo rita show-beacons octopus
  4. Generate report:
     rita html-report octopus