sinkhole - it's easier than you think
The longer I do this, the more I come around to using simpler and simpler tools. Yes, learning GOLANG, Kubernetes, Docker, AI, Blockchain, and all the other buzzword coolness is vital for maintaining your viability in Corporate IT Security, but when it comes down to getting the job done, sometimes it's the simplest old school tricks that work the best.
It happened again: you have that weird C2 beacon, and with your architecture or design you just can't figure out who is behind the NAT. Visibility is poor and you have to hit your target. Forensicating 253 different endpoints behind a class C is just not an option. Fortunately for you, your IT staff has a simple procedure to create DNS records with a simple ticket.
You know the system is beaconing out every hour to a site you know is malicious. In fact it's a C2 node for some type of malware. The first thing is to make sure you have a Linux system that is reachable by that system. Also, as a sub-note: on every network you protect, you should have at least one Windows system on the domain and one Linux system. There are WAAYYY too many use cases not to. So do that now... Then put a ticket in to your DNS team to create a DNS record pointing that malicious domain at your Linux system. Now you just want to know who is connecting to it. One could simply ensure connection logging is enabled in iptables; however, I want to know what traffic is being sent to it. So write a super simple script on it to see what may be sent.
Oh, the SEC504 and SEC503 gods have been good to me: netcat and tcpdump. What better way is there to just gather data? You can look at the files created when you come into work in the morning and BANG, there's your culprit, hopefully with an interesting web request carrying some useful information.
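Here is an added example of what that "super simple script" could look like, put together for this post and not the author's own script. It assumes you run it as root on the Linux box the malicious name now resolves to, that the beacon talks to TCP port 80 (SINKHOLE_PORT, an assumed default), that traditional netcat syntax (`nc -l -p`) and coreutils `timeout` are installed, and that LOG_DIR is writable. The summarize step works on any `tcpdump -nn -A` text output, so the same triage also applies to captures taken elsewhere; the sample log it ships with is constructed, not captured traffic.

```shell
#!/bin/sh
# Added sinkhole collector: pcap + readable text log + netcat listener + morning triage.
# Assumptions: root on Linux, traditional netcat (-l -p), coreutils timeout, port 80.

LOG_DIR="${LOG_DIR:-/var/log/sinkhole}"
SINKHOLE_PORT="${SINKHOLE_PORT:-80}"    # assumed: the port the beacon uses

# 1. Full packet capture in hourly files so nothing the beacon sends is lost.
start_pcap() {
  mkdir -p "$LOG_DIR"
  tcpdump -i any -nn -s 0 -G 3600 \
    -w "$LOG_DIR/sinkhole-%Y%m%d-%H%M%S.pcap" "tcp port $SINKHOLE_PORT" \
    >/dev/null 2>&1 &
  echo $!    # PID so the caller can stop it later
}

# 2. A readable text log next to the pcap: headers plus ASCII payload (-A), line buffered (-l).
start_textlog() {
  mkdir -p "$LOG_DIR"
  tcpdump -i any -nn -l -A "tcp port $SINKHOLE_PORT" >>"$LOG_DIR/sinkhole.txt" 2>/dev/null &
  echo $!
}

# 3. Netcat listener: save every request body to its own file and hand back an empty 200.
#    (OpenBSD netcat would be "nc -l $SINKHOLE_PORT" instead.)  'timeout' closes
#    connections a beacon might otherwise leave open; empty files are discarded.
run_listener() {
  mkdir -p "$LOG_DIR"
  while :; do
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    out="$LOG_DIR/request-$ts-$$.txt"
    printf 'HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n' |
      timeout 30 nc -l -p "$SINKHOLE_PORT" >"$out" 2>/dev/null
    [ -s "$out" ] || rm -f "$out"
  done
}

# 4. Morning triage over the text log: which internal hosts connected (one count per SYN),
#    and which request lines / Host headers they sent.
summarize() {
  log="$1"
  echo "== connections per source =="
  # Header lines look like: 08:00:01.000001 IP 10.20.30.40.51234 > 10.0.0.5.80: Flags [S], ...
  awk -v port="$SINKHOLE_PORT" '
    $2 == "IP" && $7 == "[S]," {
      n = split($3, a, "."); src = a[1]
      for (i = 2; i < n; i++) src = src "." a[i]      # drop the source port
      sub(/:$/, "", $5); m = split($5, d, ".")
      if (d[m] == port) count[src]++
    }
    END { for (s in count) print s, count[s] }' "$log" | sort -k2 -nr
  echo "== request lines =="
  # With -A the request line shares its line with TCP header bytes, so match anywhere (-o).
  grep -oE '(GET|POST|HEAD|PUT) [^ ]+ HTTP/1\.[01]' "$log" | sort | uniq -c || true
  echo "== Host headers =="
  grep -oE '^Host: .*' "$log" | sort | uniq -c || true
}

# Constructed sample in tcpdump -nn -A layout (not real traffic) for trying summarize() offline.
write_sample_log() {
  cat >"$1" <<'EOF'
08:00:01.000001 IP 10.20.30.40.51234 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
08:00:01.000002 IP 10.0.0.5.80 > 10.20.30.40.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
08:00:01.000003 IP 10.20.30.40.51234 > 10.0.0.5.80: Flags [P.], seq 1:60, ack 1, win 502, length 59
E..c..@.@......GET /gate.php?id=WS-0417 HTTP/1.1
Host: badsite.invalid
User-Agent: Mozilla/4.0
08:00:07.000001 IP 10.20.30.41.40011 > 10.0.0.5.80: Flags [S], seq 9, win 64240, length 0
08:00:07.000003 IP 10.20.30.41.40011 > 10.0.0.5.80: Flags [P.], seq 1:20, ack 1, win 502, length 19
E..c..@.@......GET / HTTP/1.1
Host: badsite.invalid
09:00:01.000001 IP 10.20.30.40.51240 > 10.0.0.5.80: Flags [S], seq 3, win 64240, length 0
09:00:01.000003 IP 10.20.30.40.51240 > 10.0.0.5.80: Flags [P.], seq 1:60, ack 1, win 502, length 59
E..c..@.@......GET /gate.php?id=WS-0417 HTTP/1.1
Host: badsite.invalid
EOF
}

# Usage: sinkhole.sh capture | listen | summarize <textlog> | demo
if [ $# -gt 0 ]; then
  case "$1" in
    capture)   start_pcap; start_textlog ;;
    listen)    run_listener ;;
    summarize) summarize "$2" ;;
    demo)      write_sample_log /tmp/sinkhole-sample.txt; summarize /tmp/sinkhole-sample.txt ;;
  esac
fi
```

Run `capture` and `listen` on the sinkhole box after the DNS record goes in, then `summarize /var/log/sinkhole/sinkhole.txt` the next morning; `demo` runs the triage over the constructed sample so you can see the output shape before any real traffic arrives. Counting only packets with `Flags [S],` means a host that keeps one connection open for several requests is still counted once per connection, which is what you want when the question is "who is behind the NAT".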
Maybe we will actually look at the packets next time ;) - it is called packetaddict after all.