In CEH v13 Module 04: Enumeration and Module 06: Malware Threats, when investigating Command-and-Control (C2) communication, it is important to determine whether the communication actually occurred and what data was sent.
C. Internet Firewall/Proxy log
The best source for confirming outbound connections to external IPs.
Proxy logs show which internal host made the connection, the timestamp, and sometimes even the URL and payload.
Firewall logs can indicate port usage, traffic volume, and connection duration.
Together, this data gives a direct view of how severe the incident is, whether data exfiltration occurred, and which internal system is affected.
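As an added example (not part of the CEH material), the script below shows the kind of correlation an analyst does with these two log sources: it takes a suspect external IP, pulls every proxy and firewall record involving it, and summarises per internal host when the traffic started and stopped, how many connections were allowed or denied, which URLs and destination ports were used, how many bytes moved, and whether any large POST suggests exfiltration. The log lines, their field layout, the suspect IP 203.0.113.7 and the 100 KiB POST threshold are all constructed for the example; real proxy and firewall formats differ by product.

```python
"""Correlate proxy and firewall logs to confirm outbound C2 traffic (added example)."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log: timestamp src_ip method url status bytes
PROXY_LOG = """\
2024-05-01T09:12:03 10.0.0.25 GET http://203.0.113.7/beacon.php 200 512
2024-05-01T09:12:09 10.0.0.31 GET http://example.com/index.html 200 8120
2024-05-01T09:17:04 10.0.0.25 POST http://203.0.113.7/upload 200 204800
2024-05-01T09:22:05 10.0.0.25 GET http://203.0.113.7/beacon.php 200 498
2024-05-01T09:30:11 10.0.0.40 POST http://203.0.113.7/upload 200 1048576
2024-05-01T09:40:00 10.0.0.52 GET http://203.0.113.7/beacon.php 200 300
"""

# Constructed firewall log: timestamp action src_ip sport dst_ip dport bytes duration_s
FIREWALL_LOG = """\
2024-05-01T09:12:03 ALLOW 10.0.0.25 51234 203.0.113.7 443 512 2
2024-05-01T09:12:09 ALLOW 10.0.0.31 51240 93.184.216.34 80 8120 1
2024-05-01T09:17:04 ALLOW 10.0.0.25 51299 203.0.113.7 443 204800 45
2024-05-01T09:29:50 DENY 10.0.0.25 51305 203.0.113.7 4444 0 0
2024-05-01T09:30:11 ALLOW 10.0.0.40 51310 203.0.113.7 443 1048576 120
2024-05-01T09:40:00 ALLOW 10.0.0.52 51400 203.0.113.7 443 300 1
"""

# Constructed threshold: a POST this large to a suspected C2 host warrants a closer look.
EXFIL_POST_BYTES = 100 * 1024


def _new_entry():
    return {
        "first_seen": None, "last_seen": None,
        "proxy_hits": 0, "proxy_bytes": 0, "urls": set(),
        "fw_allowed": 0, "fw_denied": 0, "dst_ports": set(),
        "fw_bytes": 0, "total_duration_s": 0,
        "exfil_suspected": False,
    }


def _touch(entry, ts):
    """Widen the observed activity window of a host to include timestamp ts."""
    t = datetime.fromisoformat(ts)
    if entry["first_seen"] is None or t < entry["first_seen"]:
        entry["first_seen"] = t
    if entry["last_seen"] is None or t > entry["last_seen"]:
        entry["last_seen"] = t


def summarize_c2(suspect_ip, proxy_log=PROXY_LOG, firewall_log=FIREWALL_LOG):
    """Return {internal_host: summary} for all traffic to suspect_ip in both logs."""
    hosts = defaultdict(_new_entry)

    # Proxy log: who talked to the suspect host, which URLs, how much, and any large POST.
    for line in proxy_log.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, _status, nbytes = line.split()
        if urlparse(url).hostname != suspect_ip:
            continue
        e = hosts[src]
        _touch(e, ts)
        e["proxy_hits"] += 1
        e["proxy_bytes"] += int(nbytes)
        e["urls"].add(url)
        if method == "POST" and int(nbytes) >= EXFIL_POST_BYTES:
            e["exfil_suspected"] = True

    # Firewall log: ports, allowed vs denied attempts, volume and connection duration.
    for line in firewall_log.splitlines():
        if not line.strip():
            continue
        ts, action, src, _sport, dst, dport, nbytes, dur = line.split()
        if dst != suspect_ip:
            continue
        e = hosts[src]
        _touch(e, ts)
        e["dst_ports"].add(int(dport))
        if action == "ALLOW":
            e["fw_allowed"] += 1
            e["fw_bytes"] += int(nbytes)
            e["total_duration_s"] += int(dur)
        else:
            e["fw_denied"] += 1

    # Finalise: sets become sorted lists, datetimes become ISO strings for reporting.
    out = {}
    for src, e in hosts.items():
        e["urls"] = sorted(e["urls"])
        e["dst_ports"] = sorted(e["dst_ports"])
        e["first_seen"] = e["first_seen"].isoformat()
        e["last_seen"] = e["last_seen"].isoformat()
        out[src] = e
    return out


if __name__ == "__main__":
    for src, summary in sorted(summarize_c2("203.0.113.7").items()):
        print(src, summary)
```

Running it against the constructed logs shows why these two sources answer the triage questions: 10.0.0.25 beaconed, pushed a 200 KB POST and later had a connection to port 4444 denied, 10.0.0.40 pushed 1 MB in a single 120-second session, and 10.0.0.52 only beaconed. Denied attempts are deliberately kept in the activity window, since a blocked connection is still evidence that the host tried to reach the C2 server.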
Why Other Options Are Less Effective Initially:
A. IDS Log: Only tells you that an alert was generated; it may be a false positive or may have been triggered by a failed connection.
B. Event logs on the Domain Controller: Useful for user account behavior, but not for network connections.
D. Event logs on the PC: May lack detail or may have been tampered with by malware.
Reference: Module 06 – Incident Response Triage & Forensics Logs; CEH iLabs: Proxy Log Analysis and Malware C2 Detection.