The Corelight C2 Collection helps you find command-and-control (C2) activity with over 50 unique insights and detections. Battle-tested by some of the world’s most sophisticated organizations, the collection covers both known C2 toolkits and the behaviors catalogued under MITRE ATT&CK’s Command and Control tactic, so it can surface novel attacks as well as known tooling.
Detect known malware families and offensive frameworks that conduct C2 communications over HTTP, such as PowerShell Empire and Cobalt Strike
Detect DNS tunneling behavior as well as the presence of specific tunneling tools such as iodine
Detect ICMP tunneling behavior as well as the presence of specific tunneling tools such as ICMP Shell
Domain generation algorithms: Detect C2 traffic based on DNS activity from malware using Domain Generation Algorithms (DGAs)
Detect C2 activity from Metasploit’s Meterpreter shell across HTTP and generic TCP/UDP traffic
Over 50 additional insights and detections
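To make the DNS tunneling and DGA items above concrete, here is an added example (not Corelight's code or its detection logic) that runs simple, generic heuristics of the kind such detections rely on over a few constructed records: a client sending many distinct long, high-entropy subdomain labels under one zone (with TXT/NULL queries, which carry the largest downstream payloads) is flagged as a tunneling suspect, and a client receiving NXDOMAIN for many distinct random-looking second-level domains is flagged as a DGA suspect. The record layout, the thresholds and the sample lines are all assumptions made for the example; the layout mirrors a subset of Zeek's dns.log columns.

```python
"""Heuristic triage of DNS records for tunneling and DGA-like behaviour.

Added illustrative example; not Corelight's code. The sample data below is
constructed, and the thresholds are assumptions to be tuned against your own
baseline traffic.
"""
import math
from collections import defaultdict

# Constructed sample records (not real traffic), tab-separated, in the order
# ts, uid, id.orig_h, id.resp_h, query, qtype_name, rcode_name
SAMPLE_DNS_LOG = """\
1700000000.10\tCa1\t10.0.0.5\t10.0.0.53\twww.example.com\tA\tNOERROR
1700000000.20\tCa2\t10.0.0.5\t10.0.0.53\tmail.example.com\tA\tNOERROR
1700000000.30\tCa3\t10.0.0.5\t10.0.0.53\td1a2b3c4d5e6f7g8.cdn.example.org\tA\tNOERROR
1700000001.00\tCb1\t10.0.0.7\t10.0.0.53\t6a7b3c2d1e0f9a8b7c6d5e4f3a2b1c0d.tun.example.net\tTXT\tNOERROR
1700000001.10\tCb2\t10.0.0.7\t10.0.0.53\tf1e2d3c4b5a6978685746352413a2b1c.tun.example.net\tTXT\tNOERROR
1700000001.20\tCb3\t10.0.0.7\t10.0.0.53\t9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a.tun.example.net\tTXT\tNOERROR
1700000001.30\tCb4\t10.0.0.7\t10.0.0.53\t0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d.tun.example.net\tTXT\tNOERROR
1700000002.00\tCc1\t10.0.0.9\t10.0.0.53\twww.example.com\tA\tNOERROR
1700000002.10\tCc2\t10.0.0.9\t10.0.0.53\txkqvbzrmtwplc.com\tA\tNXDOMAIN
1700000002.20\tCc3\t10.0.0.9\t10.0.0.53\tqzjwhxvfnbtrk.net\tA\tNXDOMAIN
1700000002.30\tCc4\t10.0.0.9\t10.0.0.53\tpmdgylcvsxjuh.org\tA\tNXDOMAIN
1700000002.40\tCc5\t10.0.0.9\t10.0.0.53\trtfqzekvnwbxo.info\tA\tNXDOMAIN
"""

# Illustrative thresholds (assumptions), not values from any product.
TUNNEL_MIN_LABEL_LEN = 20      # encoded payload labels are long; hostnames rarely are
TUNNEL_MIN_ENTROPY = 3.0       # bits/char; natural-language labels sit well below this
TUNNEL_MIN_RANDOM_LABELS = 3   # distinct random labels under one zone from one client
DGA_MIN_SLD_LEN = 10
DGA_MIN_ENTROPY = 3.0
DGA_MIN_NX_DOMAINS = 3         # distinct random NXDOMAIN zones from one client


def shannon_entropy(s):
    """Bits per character: 0.0 for a uniform string, log2(len) when all chars differ."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(query):
    """Naive split into (zone = last two labels, remaining subdomain).
    A real deployment would consult the Public Suffix List instead."""
    labels = query.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_dns_log(text):
    """Parse the tab-separated layout documented above into dicts."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, orig, resp, query, qtype, rcode = line.split("\t")
        records.append({"ts": float(ts), "uid": uid, "orig": orig, "resp": resp,
                        "query": query, "qtype": qtype, "rcode": rcode})
    return records


def detect(records):
    """Return tunneling and DGA suspect alerts aggregated per client."""
    # Tunneling signal: one (client, zone) pair carrying many distinct random labels.
    zone_stats = defaultdict(lambda: {"subdomains": set(), "random_labels": 0, "txt_null": 0})
    # DGA signal: one client collecting NXDOMAIN for many random-looking zones.
    nx_random_zones = defaultdict(set)
    for r in records:
        zone, sub = split_query(r["query"])
        z = zone_stats[(r["orig"], zone)]
        if sub:
            z["subdomains"].add(sub)
            label = sub.split(".")[0]  # leftmost label is where tunnels put the payload
            if len(label) >= TUNNEL_MIN_LABEL_LEN and shannon_entropy(label) >= TUNNEL_MIN_ENTROPY:
                z["random_labels"] += 1
        if r["qtype"] in ("TXT", "NULL"):
            z["txt_null"] += 1
        sld = zone.split(".")[0]
        if (r["rcode"] == "NXDOMAIN" and len(sld) >= DGA_MIN_SLD_LEN
                and shannon_entropy(sld) >= DGA_MIN_ENTROPY):
            nx_random_zones[r["orig"]].add(zone)

    alerts = []
    for (orig, zone), z in zone_stats.items():
        if z["random_labels"] >= TUNNEL_MIN_RANDOM_LABELS:
            alerts.append({"kind": "dns_tunnel_suspect", "orig": orig, "zone": zone,
                           "unique_subdomains": len(z["subdomains"]),
                           "txt_null_queries": z["txt_null"]})
    for orig, zones in nx_random_zones.items():
        if len(zones) >= DGA_MIN_NX_DOMAINS:
            alerts.append({"kind": "dga_suspect", "orig": orig,
                           "nxdomain_zones": sorted(zones)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_dns_log(SAMPLE_DNS_LOG)):
        print(alert)
```

On the constructed sample, 10.0.0.5 stays quiet (its one hex-looking CDN label is too short to count), 10.0.0.7 is flagged for four distinct 32-character random TXT labels under example.net, and 10.0.0.9 is flagged for four NXDOMAIN answers on random 13-character zones. Entropy alone is a weak signal (CDN hostnames, DNSSEC and client telemetry all produce random-looking labels), which is why both rules only fire on repetition from a single client rather than on any one query.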