FIND DGA, DNS, AND ICMP TUNNELING
Is an attacker remotely controlling assets on your network? Corelight’s C2 Collection has the answers with over 50 unique insights and detections that illuminate command and control activity. Battle-tested by some of the world’s most sophisticated organizations, this collection covers known C2 toolkits and MITRE ATT&CK® C2 techniques to find novel attacks. Read about how to detect the Manjusaka C2 framework.
Corelight Collections are detection sets included with your Corelight subscription and can be activated depending on your needs.
Detect known families of malware that conduct C2 communications over HTTP, such as Empire, Metasploit, and Cobalt Strike.
Detect DNS tunneling behavior as well as the presence of specific tunneling tools such as Iodine.
Detect ICMP tunneling behavior as well as the presence of specific tunneling tools such as ICMP Shell.
Domain generation algorithms (DGAs)
Detect C2 traffic based on DNS activity from malware using domain generation algorithms.
Detect C2 activity from Metasploit’s Meterpreter shell across HTTP and generic TCP/UDP traffic.
Over 50 additional insights and detections.
How it works
The C2 Collection offers over 50 insights and detections into HTTP C2 communications including tunneling and domain generation algorithms. It employs Zeek® to analyze behavioral characteristics of network traffic, and integrates the results into Corelight’s comprehensive suite of evidence and analytics.
Collections are targeted categories of detections, inferences, and data transformation that provide deeper visibility into adversary activity. They cover encrypted traffic, command and control activity, entity activity, ICS/OT visibility, and more. Detections are viewable through Corelight Investigator, or via a SIEM, XDR, or other analytics platform.